Encryption of Computer Files and E-mail
By Michael Ross
This article was published by ComputorEdge, issue #2249, 2004-12-03, as a feature article, in both their print edition (on pages 28 and 30) and their website.
Everyone has secrets, and most of those secrets need to be communicated in some manner — such as military orders from headquarters to forward units, national government messages to foreign service personnel overseas, and heartfelt sentiments between lovers. Even secrets that simply need to be recorded — without communication to anyone else — should be safeguarded. An everyday example would be the confidential financial records that must, by law, be securely stored and protected by various types of organizations.
But as soon as secret information is written down or, more commonly now, stored in a computer file, then it is far more vulnerable to being discovered by someone for whom it was not intended. That is why so many governments, corporations, and individuals try to protect their sensitive information using encryption, which is the use of one or more ciphers or codes to convert the original message (the "plaintext") into text (the "ciphertext") that can only be read by those who know the encryption method and any keys utilized.
The field of encryption (cryptology) developed into a race between the invention of ever more sophisticated ciphers (cryptography) and attempts to unravel the enemy's ciphers (cryptanalysis) — a battle between the code makers and the code breakers. Often prompted by the necessities of war and diplomacy, people created increasingly complex encryption systems, such as the Caesar Cipher in the time of the Roman Empire, England's Playfair Cipher invented in 1854, and Germany's "Enigma" and Japan's "Purple" used during World War II.
Encryption methods are essentially symmetric or asymmetric. Symmetric encryption involves one secret key known by both sender and receiver. The strength of a symmetric system is largely a function of the key size useable. For instance, the modern Advanced Encryption Standard (AES) can utilize up to 256 bits, making it much stronger than Data Encryption Standard (DES), with a 56-bit key. The smaller the symmetric method's key, the more vulnerable it is to key exhaustion using massive parallel computations.
In asymmetric encryption, the sender uses a "public key" to scramble the message, and the reader uses a "private key" to decode the message. In basic terms, its strength relies upon the difficulty of factoring tremendously large numbers. Naturally, it too can be a target of computer analysis.
Nowadays, there are four symmetric key algorithms approved by the Federal Information Processing Standard (FIPS): AES, DES, Triple-DES, and Skipjack. The National Institute of Standards and Technology (NIST), publisher of FIPS, recommends AES. Yet despite this progress from the simplest ciphers, most if not all of these methods are crackable by the U.S. government's National Security Agency (NSA) — keeper of our codes, and breaker of the foes'.
Fortunately, for the purposes of safeguarding your computer files and messages, you do not need to become an expert in the arcane and mathematically challenging world of cryptography. You only need some recommendations for reliable encryption systems designed to protect digital data in two forms: computer files and e-mail messages.
If you choose AES for your encryption needs, then you would be hard pressed to find a better AES application than File2File. It is available for free from Cryptomathic, and runs on Windows XP, 2000, NT, Me, and 98. During installation, it gets added as an extension to Windows Explorer. To encrypt a file, or several files, or a directory (including all subdirectories and their files), simply right-click on the top-level files or directory, and choose "Encrypt" from the "File2File" menu option.
Over the years, I have tested countless AES applications, and none have combined the most critical features of encryption software as well as File2File does. It deletes the original files not only from the hard drive, but from the disk cache as well, for extra security. It can create an executable file, like an archive, so that the recipient of your encrypted data is not required to have File2File installed in order to decrypt the file that you send to them.
If you want strong file encryption, but have an even stronger interest in seeing exactly how the magic is being done — for examining or even modifying the code — then you will want to choose PGP (Pretty Good Privacy) instead of AES, because most if not all PGP applications are open source projects. This means that not only can you download a "binary package" (i.e., a product ready to run on your computer), but you can also download all of the source code. One well-regarded example is GNU Privacy Guard, a.k.a. GnuPG and GPG; it is free.
Perhaps you would like the level of protection offered by PGP, but would like to incorporate it into a computer application or website that you are creating, without worrying about the hassles of complying with patents or, even more scary, writing your own code. Fortunately, GPG is a complete replacement for PGP. But because it does not use the IDEA algorithm, which is patented, it can be used without any restrictions.
Many Internet users probably write more text in e-mail messages than text saved in files on their computers' hard drives. For these folks, being able to encrypt their confidential communications could be especially valuable. There are at least two solutions to this problem. They could save each message in a text file or in a word processor document, encrypt it using a utility such as File2File, and then attach it to an e-mail message. The message text of the e-mail would of course not contain any confidential information.
But this approach could quickly prove cumbersome, particularly if one or both parties does not feel comfortable encrypting files on their computer — given the danger of accidentally encrypting a critical file needed by the operating system or an application, or forgetting the password. In addition, one or both e-mail accounts might have limitations on receiving attachments, particularly executable ones such as File2File archives. In this case, it would be worth the trouble to get e-mail accounts with a service that provides end-to-end encryption of every e-mail's contents.
The best-known example of this is Hushmail, which is the Internet's premier secure e-mail provider. It utilizes 2048-bit encryption, in addition to spam blocking, white lists, and challenge-response verification. Hushmail allows access to download your messages into any IMAP-capable e-mail client on your computer. In addition, it allows retrieval of e-mail messages from external POP3 accounts.
Using one or several of the aforementioned encryption methods will go a long way towards keeping the secrets on your computer, secret. However, it is critical that you use a password that would be impossible for a stranger to guess, but unlikely for you to forget. Otherwise, all of your encryption efforts could turn out to be the digital equivalent of paper shredding. As a consequence, the secrets that you had hoped to protect would end up becoming more secret than you had bargained for.
Copyright © 2004 Michael J. Ross. All rights reserved.