
E-Mail Encryption...

Discussion in 'Business & Enterprise Computing' started by Nyarghnia, Oct 7, 2010.

  1. Nyarghnia

    Nyarghnia (Taking a Break)

    Joined:
    Aug 5, 2008
    Messages:
    1,274
    Hi All,

    I'm in a debate with the CIO of a large transaction provider who basically thinks I'm a dickhead... (it's a long list of people who think I'm a dickhead).

    They have a need to send e-mails in an encrypted format, we've got Exchange 2003 (going to 2010 shortly).

    Now I'm not an 'expert' on MS Exchange but I'm pretty sure we could set up a fair dinkum purchased certificate, and then choose the 'encrypt mail' button when sending mail, instead... we're stuck with this bloody Cisco webmail rubbish which is pissing me off big time.

    I'm assuming that you'd put in a passphrase that they would use to install it and whenever they got one of these encrypted e-mails it could be decrypted. I'm sure that there's a way to do this at the Exchange server level.

    So, what do you people do when you need to send e-mails which are encrypted?


    -NyarghNia
     
    Last edited: Oct 7, 2010
  2. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,984
    Location:
    Canberra
    Ironport offers it in their Mail filtering device.

    At Dept of Finance we had dedicated devices doing it (as well as filters not sending out any classified emails outside of the government protected network).

    Outlook plug as well to select the classification of each message.

    This was all with an Exchange 03 backend about 4 years ago.
     
  3. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    41,702
    Location:
    Brisbane
    You're thinking of S/MIME, which Outlook/Exchange support. The downside is everyone needs a public/private key pair, which means encryption will work within your organisation, but not to external parties if they don't also have S/MIME set up, and a way to securely share keys (without tampering).

    PGP shares the same issue - all parties who need to read the encrypted email need public/private key pairs, and the public keys need to be shared in a trusted fashion (i.e.: proven to not be tampered with).

    If you want to encrypt email out to external groups who have nothing in place, then you'll need the sort of system IronPort and others offer, where they store emails at a gateway somewhere, and people are forced to log in with pre-provided credentials to read the contents of the email via a HTTPS connection.
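
The key-pair requirement described in the post above, as an added example that is not part of the original thread: the sender needs only the recipient's certificate to encrypt, and only the holder of the matching private key can decrypt. Throwaway self-signed certificates stand in for purchased ones, and the `example.test` addresses and file names are assumptions.

```shell
#!/bin/sh
# Constructed demo of S/MIME encryption using the openssl CLI.
# Self-signed certificates are placeholders for CA-issued ones;
# all names and addresses below are made up for the example.

smime_demo() {
    work=$(mktemp -d) || return 1

    # Every party that wants to receive encrypted mail needs its own key pair.
    for who in recipient outsider; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$who@example.test" \
            -keyout "$work/$who.key" -out "$work/$who.crt" 2>/dev/null \
            || { rm -rf "$work"; return 1; }
    done

    printf 'Settlement report attached.\n' > "$work/msg.txt"

    # Sender side: only the recipient's certificate (public key) is used.
    # This is why the certificate must reach the sender untampered: mail
    # encrypted to a substituted certificate is readable by its key holder.
    openssl smime -encrypt -binary -aes256 -in "$work/msg.txt" \
        -out "$work/msg.p7m" "$work/recipient.crt" \
        || { rm -rf "$work"; return 1; }

    # Recipient side: the matching private key recovers the message.
    if openssl smime -decrypt -in "$work/msg.p7m" \
            -recip "$work/recipient.crt" -inkey "$work/recipient.key" \
            -out "$work/out.txt" 2>/dev/null \
        && cmp -s "$work/msg.txt" "$work/out.txt"; then
        r=ok
    else
        r=failed
    fi

    # Anyone else, even with a valid key pair of their own, is refused.
    if openssl smime -decrypt -in "$work/msg.p7m" \
            -recip "$work/outsider.crt" -inkey "$work/outsider.key" \
            >/dev/null 2>&1; then
        o=decrypted
    else
        o=refused
    fi

    rm -rf "$work"
    echo "recipient=$r outsider=$o"
}

smime_demo
```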
     
  4. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,984
    Location:
    Canberra
  5. OP
    Nyarghnia

    Nyarghnia (Taking a Break)

    Joined:
    Aug 5, 2008
    Messages:
    1,274
    Thanks for the info guys.

    -NyarghNia
     
  6. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,629
    Location:
    Canberra
    now that doesn't sound like a stupid government network that no one quite knows why they are on it (forced) except for the people maintaining it :lol:
     
  7. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    41,702
    Location:
    Brisbane
    Some places use mandatory TLS to "tick the box" for email crypto.

    There's obvious issues with that from a technical standpoint, but sometimes it's enough to cover compliance needs.
     
  8. azron

    azron Member

    Joined:
    Feb 27, 2004
    Messages:
    1,076
    Location:
    Melbourne
    Sophos Safeguard Mail Gateway does this.

    Messages which are triggered to be encrypted are sent to the user in a PDF file, with the original email within the PDF which has been AES encrypted.

    The recipient can nominate a password to decrypt the message (which happens if the recipient has never accepted a message before). The sending MTA can specify a password, sent back to the original sender which can be conveyed via phone (hopefully not email). You can even integrate it with third party authentication systems.

    Let me know if you want any additional info.
     
  9. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,629
    Location:
    Canberra
    with the downside being having routers in your gateway that are in-path but you don't control and you don't know exactly what is and isn't being routed over it.
     
  10. narkotix

    narkotix Member

    Joined:
    Oct 8, 2003
    Messages:
    518
    easier said than done... it's hard enough convincing govt about attestation... let alone data classification... let alone email classification/encryption!
     
