Skip to content

Encrypting Emails (not w/Priv.ly) – Part 2

May 9, 2012

I posted earlier that a customer had asked me to encrypt emails related to our project together to help protect their confidential information.  After some setup challenges, things were working OK.  But as part of my research trying to get this working, I realized there were some significant challenges to the ‘security’ we had put in place.

The first concern I ran into is the weakness of the encryption algorithm (Triple-DES) which is a reasonably good algorithm, but reading articles on the web, folks are discussing some weaknesses in it.   From my reading, it’s OK for short term communication (if the encryption is broken months to years later no damage is done), but for really sensitive items where future increases in computer power / algorithms might break it years later, it could be a concern.  A security professional I spoke to mentioned it had been broken and really shouldn’t be used at all.  For general public use it might be OK, but if you have something worth going after – you shouldn’t even consider it.  His recommendation – AES.

The second concern I ran into was the potential for a Man in the Middle (MITM) attack .  Basically the question is how do I know that the key exchange I did with the customer really was with the customer, and not someone intercepting my traffic and then reencrypting / signing with his key.  For my case, it seems very unlikely, but it is something to consider as an attack of this type absolutely invalidates all I’m doing to protect the data in transit.  The approach is to compare the thumbprint’s of  our certificates.   That is planned for my next on site meeting.

Advertisements

Comments are closed.

%d bloggers like this: