Simple encryption method for email attachment

Discussion in 'Computer Security' started by Fred, Jan 24, 2006.

  1. Fred

    Fred Guest

    Ideally, I would like to find a program or other method to encrypt a file
    for sending by email where I can choose a key (5-10 letter word etc) which I
    can then give the receiving party by phone. Can anyone recommend a simple
    way to encrypt a file to be sent by email?

    Thanks.

    Fred
     
    Fred, Jan 24, 2006
    #1

  2. Fred

    nemo_outis Guest

    Winrar
     
    nemo_outis, Jan 24, 2006
    #2

  3. PGP does both "conventional encryption" where the file is encrypted to a
    pass phrase only, and a nifty feature called SDA or (S)elf (D)ecrypting
    (A)rchive where you send the recipient a file containing everything they
    need to decrypt the file including the "executable program" itself. IOW,
    all they need is the pass phrase you'd supply over the phone, they
    wouldn't even have to install PGP if they didn't want to.

    Plus, PGP is widely used so it's more likely to interface with more email
    clients in easier ways, and you'll have an easier time getting help if
    you're having trouble understanding something. How ideal is that? ;)
     
    Borked Pseudo Mailed, Jan 24, 2006
    #3
  4. Fred

    TwistyCreek Guest

    Thought about suggesting something like that, but last I knew (ages ago)
    the "encryption" methods implemented in archivers were a little on the
    weak side. To be polite about it. It's certainly possible that's changed,
    but I still believe using the "proper tool" applies. Email integration
    would obviously make usage easier, and easier means it's less likely to be
    abused or ignored. ;)

    An aside.... can WinRAR or even the current version of WinZip generate
    the "SFX" archives that command line versions of PKZip did/do?
     
    TwistyCreek, Jan 24, 2006
    #4
  5. Fred

    nemo_outis Guest


    Winrar uses 128-bit AES which is plenty strong (older pkzip encryption is
    much weaker). And, yes, Winrar supports SFX (Warning: some email filters
    may reject executable attachments).

    Regards,
     
    nemo_outis, Jan 24, 2006
    #5
  6. I could probably debate the "plenty strong" part by pointing out that it's
    even easier to use an integrated solution (PGP email plugin) that doubles
    the bits by default and does the compression anyway, not to mention
    adds the element of more secure integrity checking and usable
    authentication, but I won't. <g>

    It's been a looooong while since I used any of them, thanks for the
    clarification. It was older (2.04g?) versions of PKZip I was thinking
    about. I even found a paper I wrote on the subject some 15 years ago. :)
    Good deal. I agree with the executable attachments warning. It's always a
    good idea to send a companion message to ANY message with a valuable
    attachment in it giving the recipient a heads up. That way they can let
    you know if the attachment doesn't show.
     
    Borked Pseudo Mailed, Jan 24, 2006
    #6
  7. Fred

    nemo_outis Guest


    The appeal of winrar is that it is a program of widespread utility that is
    also quite serviceable for managing compressed and encrypted e-mail
    attachments (it is, for instance, a mainstay in using binary newsgroups).
    I agree that programs targeted at a specific application (e.g., pgp plugin
    for email) may be handier for that particular use, but that philosophy can
    lead to an inconvenient number of tools, each a one-trick pony.

    Winrar does compression as well as encryption (in fact, encryption is the
    addon). The rar format has a number of fillips including SFX and optional
    recovery protection (i.e., through adjustable redundancy), and (decidedly
    weak) authentication. The ability to store, not just individual files, but
    multiple files, or even entire directory trees, is very convenient. ...as
    is the ability to break an archive into multiple files of specified size
    (e.g., if sender or receiver email has, say, a 5-meg attachment limit per
    message).

    ....snip...

    Regards,
     
    nemo_outis, Jan 24, 2006
    #7
  8. Fred

    Dave Keays Guest

    Any comments on GPG with Enigmail? (The setup I have but haven't tested it
    thoroughly -- yet.)
     
    Dave Keays, Jan 25, 2006
    #8
  9. Under Windows? There's some memory locking issues that weren't resolved
    last I knew. A potential for swapping sensitive data out to disk. And the
    Enigmail plugin isn't quite as functional as the PGP plugins generally
    are. But for the average Joe it's completely sufficient.

    I really like GnuPG, prefer it to PGP on all platforms in fact, but to
    some extent it's still a bit of a geek tool. PGP is a little more
    "refined" in the interface area, and probably a better choice for the
    casual users. Probably because it actually does incorporate a GUI rather
    than depend on third parties for the most part. That's got good points
    and bad points, but the bottom line is the more you use PGP/GnuPG the
    better off you are, so any bit of difficulty is a consideration. It's
    better to use a slightly less preferable but totally sufficient tool than
    it is to have the best tool in the world and not use it. ;)

    Most of that's just opinion (except for the memory thing I suppose), so
    take it for what it's worth.
     
    Borked Pseudo Mailed, Jan 25, 2006
    #9
  10. Fred

    Fred Guest

    Thanks, guys. How would I get winrar or pgp?

     
    Fred, Jan 25, 2006
    #10
  11. Fred

    cypher Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    WinRAR:
    www.rarlab.com
    but it's not free.

    Why not use 7zip?
    www.7-zip.org

    "7-Zip is free software distributed under the GNU LGPL"

    "The main features of 7z format:

    * Open architecture
    * High compression ratio
    * Strong AES-256 encryption
    * Ability of using any compression, conversion or encryption
    method
    * Supporting files with sizes up to 16000000000 GB
    * Unicode file names
    * Solid compressing
    * Archive headers compressing"

    It's free, it has as good or sometimes even better
    compression ratio than WinRAR, and uses AES 256:

    "7-Zip also supports encryption with AES-256 algorithm. This
    algorithm uses cipher key with length of 256 bits. To create
    that key 7-Zip uses derivation function based on SHA-256 hash
    algorithm. A key derivation function produces a derived key
    from text password defined by user. For increasing the cost
    of exhaustive search for passwords 7-Zip uses big number of
    iterations to produce cipher key from text password."

    If you want to use an archiver 7zip seems to be a better
    choice for you.

    You can buy PGP here:
    http://www.pgp.com/

    Or download GnuPG for free from here:
    http://www.gnupg.org/
    GPG is a command-line tool, if you would rather use something
    with GUI gpg4win is here:
    http://wald.intevation.org/projects/gpg4win/

    My recommendation-7zip or gpg4win (GnuPG if you like to work
    in command-line).

    cypher

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1

    iQA/AwUBQ9d2XiPnLg7nPH4AEQKIDQCfdSD+TblBREkX4G7jKrEh1EZ3wE8An35B
    8yKlf02t/vSR7runSjgUUXtZ
    =fiG2
    -----END PGP SIGNATURE-----
     
    cypher, Jan 25, 2006
    #11
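The 7-Zip text quoted in post #11 says a key derivation function with many iterations raises the cost of exhaustive password search. The sketch below is an added example, not code from the thread or from 7-Zip: it uses PBKDF2-HMAC-SHA256 as a stand-in for 7-Zip's own SHA-256-based derivation, and the iteration count, salt and password policies are assumptions chosen for illustration.

```python
import hashlib
import math

ITERATIONS = 2 ** 19          # assumed stretching cost, chosen for this example
SALT = bytes(16)              # constructed fixed salt so the demo is repeatable;
                              # a real tool must use a fresh random salt

# Constructed sample password policies: (label, alphabet size, length)
POLICIES = [
    ("5 lowercase letters", 26, 5),
    ("10 lowercase letters", 26, 10),
    ("10 mixed-case letters+digits", 62, 10),
    ("6 words from a 7776-word list", 7776, 6),
]

def password_bits(alphabet_size, length):
    """Entropy in bits of a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def derive_key(password, salt=SALT, iterations=ITERATIONS):
    """Stretch a text password into a 256-bit cipher key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)

def search_cost_bits(alphabet_size, length, iterations=ITERATIONS):
    """log2 of KDF iterations needed to try every password, capped at the
    256-bit key space (beyond that, guessing the key directly is cheaper)."""
    return min(256.0, password_bits(alphabet_size, length) + math.log2(iterations))

def report():
    """Return (label, password bits, bits after stretching) for each policy."""
    return [(label, round(password_bits(a, n), 1), round(search_cost_bits(a, n), 1))
            for label, a, n in POLICIES]

if __name__ == "__main__":
    for label, raw, stretched in report():
        print(f"{label:32s} {raw:6.1f} bits -> {stretched:6.1f} bits with stretching")
    print("derived key:", derive_key("example").hex())
```

The figures assume randomly chosen characters; an ordinary dictionary word of the same length has far less entropy, so the derived 256-bit key is only as strong as the password behind it.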
  12. Fred

    Bob Furtaw Guest

    WinZip is fairly popular, easily accessible and easy to use. Why not use
    the encryption feature in it?

    Bob
     
    Bob Furtaw, Jan 25, 2006
    #12
  13. Fred

    Fred Guest

    Thanks. Are any of these set up so that I can enter my own password which is
    used for scrambling the bits and bytes?
     
    Fred, Jan 26, 2006
    #13
  14. Fred

    cypher Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    After installing 7zip right click on the file and choose
    7zip/add to archive, in new window just enter password
    (additionally selecting "encrypt file names" is a good
    choice) , hit OK and that's all.

    In GPG for encrypting (symmetric):

    gpg -c -o encrypted_file file_for_encryption

    GPG will ask you for a passphrase and create encrypted output
    file named "encrypted_file" from "normal" (plaintext)
    unencrypted file named "file_for_encryption".

    For decryption type:

    gpg -d -o decrypted_file encrypted_file

    GPG will ask you for a passphrase and decrypt
    "encrypted_file".

    This is the easiest way you can use GPG. It can do much more
    than that, e.g. you can create digital signatures and
    encrypt your messages using public key crypto. gpg4win
    installs a graphical interface for GPG so you don't have to
    type instructions.

    Regards,
    cypher

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1

    iQA/AwUBQ9ljmCPnLg7nPH4AEQKRsQCgwMrQE72R6MJJuFK86t+ma4V/QtwAnRz3
    ynEzp9fpeYDPtWntxKKlqvls
    =a2DB
    -----END PGP SIGNATURE-----
     
    cypher, Jan 27, 2006
    #14
  16. Fred

    Fred Guest

    All righty! Thanks, Cypher!

     
    Fred, Jan 27, 2006
    #16
  17. Fred

    Jeff B Guest

    Email filters are a *major* consideration.
    Many companies will discard attachments such as *.zip, *.rar for the
    reason of the exposure to executables.

    Using a straight encryption technique like the PGP family, the data is
    not an attachment, but inline text as shown in this thread.

    IMO, use the tools for the purpose intended is straightforward and
    usually simple to learn.

    Your mileage may vary :)
     
    Jeff B, Jan 27, 2006
    #17
  18. Fred

    Fred Guest

    Thanks. Sounds good to me. Is there a 'beginners guide' to PGP where I get
    up to speed on it?
     
    Fred, Jan 29, 2006
    #18
  19. Fred

    Jeff B Guest

    google for: OpenSource PGP

     
    Jeff B, Jan 31, 2006
    #19
