http://www.wired.com/news/infostructure/0,1377,66324,00.html By Michelle Delio Jan. 20, 2005 Citibank is worried about you. PayPal is peeved and is about to pull the plug on your account unless you take action right now. EBay is perturbed about your latest auction purchase, Visa is fretting that someone may be up to no good with your credit card, and some bank named SunTrust needs your mother's maiden name immediately if not sooner. Plus, at least a dozen of your friends and colleagues have apparently sent e-mails promising you love, lust, a cool game or access to vital information if you'll just click on the attached file. Yes, it's just another happy day in your spam- and scam-packed inbox. Happily, help is available. Ciphire Mail, a new and soon-to-be-open-source application, aims to put an end to these sorts of annoyances with strong and user-friendly e-mail authentication and encryption. E-mail authentication -- confirmation that the stated sender actually sent the message in question -- could make many e-mail hassles fade away, since most scams and computer viruses rely on bogus sender information to lull recipients into a false sense of security. Encryption is also a good idea, given the increasing prevalence of snoopy software. The Ciphire Mail application, free for individual users, nonprofit organizations and the press, works in conjunction with all standard e-mail programs. It operates almost invisibly in the background, encrypting and decrypting e-mail missives and digitally signing each message to confirm its source. Ciphire Labs didn't develop new encryption algorithms or authentication methods for Ciphire Mail. The idea was just to make the best existing technology "way easier to use," said Laird Brown, chief strategist for the Zurich, Switzerland-based company. In close to a month of testing, Ciphire Mail performed almost perfectly on computers running Windows XP and Mac OS X version 10.3, with Outlook 2003, Eudora and the Thunderbird mail clients on the Windows box, and Eudora and Thunderbird on the Mac. Setup was a snap: Just download and install the client, choose which e-mail addresses you want to associate with Ciphire, enter a password, and the application sets itself up. Working with the program is just as simple. When two people using the Ciphire client exchange e-mails, the client intercepts e-mail right after the Send button is pressed, and before it leaves the computer. The recipient's security certificate is retrieved at the Ciphire Certificate Directory, security checks are performed, and then the message and any attachments are encrypted with the recipient's key. Incoming e-mail is also intercepted before it appears in a user's inbox, the message is decrypted (if necessary) and the sender is authenticated using the corresponding certificate from the Ciphire Certificate Directory. What Ciphire Mail is doing in the background is automatically managing each user's set of public and private cryptographic keys. The public key is sent to Ciphire's servers and the private one is stored on the user's machine. This allows two users to communicate using encryption without having to exchange private keys, as they must do using other e-mail encryption programs. No delays in sending or receiving e-mail were noticeable during testing. "The difference between Ciphire Mail and other technologies in our zone is the difference between using and learning how to use," Brown said. "And none of this has been done at the expense of security. If anything, we're more secure than the others." Every Ciphire certificate contains three different 2,048-bit public keys (RSA, DSA and ElGamal). Ciphire Mail encrypts all e-mails with two layers. One layer is RSA (with AES) and the other layer is ElGamal (with Twofish). If a message is sent to someone who doesn't use Ciphire Mail, the program simply signs the message, allowing the recipient to confirm that the message came from the apparent sender. All of the authentication, encryption and decryption chores were carried out flawlessly on both test machines. My only problems with Ciphire Mail were petty aggravations; one would have been avoided if I had read the manual, and the other issue will be addressed in a future release. The primary annoyance was having to enter a password to log into Ciphire Mail on every reboot of the computer. There's no option to have the program save the password and automatically login. While this makes sense from a security standpoint, it's also irritating when you know your machine is secure and protected from unauthorized physical or remote access. Brown said that automatic login is the feature most requested by Ciphire Mail users, and a "remember my password" feature will be added to a future version of the program. That's a good thing, as I also hated waiting the minute or so after booting my computer for Ciphire to load and request my password. Opening my e-mail client before Ciphire loaded caused mail transfer errors fixable only by rebooting the e-mail application. The only other problem I experienced was sparked by the password-entry issue. When performing some upgrades on my computer that involved a lot of rebooting, I uninstalled Cipher Mail to avoid the incessant requests for my password. I didn't realize I needed to first deactivate my account before uninstalling the application, and subsequently received several important encrypted e-mails, sent by other Ciphire users, that I couldn't read. Reinstalling the program as per Ciphire's help files and then forwarding the e-mails to myself didn't help -- I just received forwarded copies of gibberish. Eventually, I had to request that the senders send me unencrypted copies of their messages. It was my mistake -- deactivation is clearly explained in the manual -- but it would have been helpful if Ciphire also included a message about deactivating the account in the uninstall routine. But by and large, Ciphire Mail is flawless, doing what it says it will do with virtually no effort on the part of its users. So why give all this wonderfulness away for free? According to Brown, Ciphire Labs wants to "share the wealth" that it hopes will soon be generated by the commercial version of Ciphire Mail for enterprises, expected to be released in spring 2005. Ciphire Labs also intends to release the source code to Cipher Mail within the year, after the application is out of beta and the code is deemed stable. _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Fri Jan 21 2005 - 02:05:38 PST