 CD Home < Web Techniques < 2001 < August  

End to End Email Protection

By John Mark Walker

For those unfamiliar with the world of encryption, Pretty Good Privacy (PGP) was developed to let people communicating via email encrypt messages to each other. If someone were to intercept one of those messages, he or she wouldn't be able to read its encrypted contents, but the intended recipient could—assuming that the sender was kind enough to share his or her key with the recipient. People sending encrypted email to each other share their keys either by sending them through email or by putting them on a public key server.

The National Security Agency employs tools like Echelon, a global network of highly sensitive listening posts, to observe all electronic communications, including email. With the emergence of such tools, it's becoming clear how useful tools like PGP are for protecting your email privacy. While not uncrackable, PGP certainly sets a higher barrier for unwanted lurkers who attempt to gain access to your email.

PGP Admin and Desktop Security for Windows
PGP Security
Contact vendor for pricing.
Pros: Easy to use and set up. Intuitive key management.
Cons: No plug-ins included for some common mail readers—such as Netscape Mail.

PGP has emerged as a de facto standard in the world of encrypted mail. There are multiple versions of PGP, but only the one sold by PGP Security, a division of Network Associates, can call itself PGP and be used in commercial networks. I've used PGP Admin and Desktop Security for a variety of networks, and I tested the Windows version for this review. A Macintosh version is available as well.

The Admin install is very straightforward. Be sure to install Desktop Security first, however. The PGP Admin tool lets administrators centrally manage all PGP options for Desktop users on a network. One way it accomplishes this task is by allowing the administrator to create custom PGP Desktop installers with custom settings particular to that network. This permits individual users to simply download the executable and install PGP Desktop without having to tweak the installation settings. You can also do this by updating the network PGP options via LDAP. Desktop users may then retrieve global PGP settings from the LDAP server.

Once the Desktop client is installed, the software asks a few fairly simple questions, such as whether you already have a key you'd like to use. In the process, it becomes clear that this product lets you do much more than encrypt and decrypt email. For example, there's a pop-up window that asks whether you wish to enable Internet Protocol Security (IPSEC) on your networking devices. (IPSEC is the encrypted version of the IP protocol.) This would allow all network traffic between your machine and any other IPSEC device with which you wish to communicate to be encrypted. It's particularly useful for setting up a VPN.

The product's other features are a personal firewall, in which you select the protocols that are allowed to access your machine, and the PGPDisk tool, which allows the user to set up encrypted folders or disks.

PGP also ships with various plug-ins with which you can encrypt messages using certain mail readers. I was disappointed that there was no Netscape Messenger plug-in, even though there were plug-ins for ICQ, Outlook, and Eudora. Luckily, if you use an email client that isn't supported by the default PGP plug-ins, you can still use PGP to encrypt and decrypt email. There are, however, plug-ins that you may download for other email clients at www.pgpi.org.

After the obligatory Windows reboot, a padlock icon shows up in the system tray. Clicking on the icon produces a menu. From the menu, you can choose to manage your keys or set general options, among other things. You can import a key you receive from someone else or create a new one, but bear in mind that having multiple key pairs for yourself can create confusion for email recipients, especially if they don't have both public keys for your key pairs. The PGPKeys tool lets you manage your keys. Opening this tool produces a window that displays all current keys. From here, it only takes a couple of clicks to import a key or begin creating a new one.

The workings of a key are quite simple, regardless of whether you're using a supported email client. I used a recent nightly snapshot of Mozilla, with no plug-in support from PGP. To encrypt a message, you simply type the email message, click on the padlock icon in the system tray, and choose Current Window, Encrypt, and Sign. PGP Admin has other options for decrypting messages, signing only, and encrypting only as well. The same options are also available for the clipboard contents. After PGP has encrypted the message, simply click on the send button, and the message is off on its merry, illegible way until it finds someone with the correct decryption key.

Decrypting other people's mail works basically the same way. You click on the window to decrypt, and then click on the padlock in the system tray and choose the appropriate option. If you use the same methods described above for encrypting and decrypting, it's easy to encrypt practically any piece of text on your machine. This is an excellent way to keep private all of those files you don't want anyone else to see.

However, from a security point of view, I'm concerned that the Admin tool may create a single point of failure. For example, if the LDAP server—from which users obtain all security settings—is ever compromised by an intruder, instantly every desktop on your LAN becomes a script kiddie's playground. Obviously, good security measures will prevent that from ever happening, but it is something to keep in mind. After all, if intruders can gain access to Microsoft's entire internal network, chances are that they could access yours.

As for the client product, if you don't mind the lack of plug-ins for some email readers (a simple problem to solve, as I pointed out), this could be a good solution. The other features are welcome add-ons, though not absolutely necessary.

In summary, PGP Admin and Desktop Security form a complete security package. The features and ease of use make this a satisfactory addition to anyone's desktop, or to any administrator's security toolkit.


John Mark works as foundry manager for SourceForge.net, one of many Web sites that comprise the Open Source Developers Network, a division of VA Linux Systems. You can reach him at jmwalker@valinux.com.




Copyright © 2003 CMP Media LLC