Encrytping email

Factual Questions
1

How do I get email sent so it is encrypted all the way from sender to receiver? I know that, for instance, Gmail can be set to https, but this only is effective from the sender’s PC to the gmail server.

I am writing an article about HIPAA, and I need to know how the average, one or two person doctor’s office can send encrypted email.

I understand the basics of TLS, advanced encryption standard, etc. I am just not finding any simple way to implement point to point encryption.

Thanks and regards,
Adrian

2

I think one “common” although not really “low tech” (meaning grandma might have trouble with it) is to use PGP. There are a few different PGP plugins for desktop email clients, as well as browser plugins that let you conveniently use it with webmail.

You don’t need a plugin at all though, if you have standalone PGP software on your PC you can follow this approach.

You could also put the files in an archive and then find an acceptable way to encrypt the file. I believe HIPAA standards don’t specify a specific strength of encryption, but I believe most companies dealing with HIPAA default to 128 bit or stronger encryption of files.

I know several companies that work with HIPAA data that don’t email it at all, instead they use various encrypted FTP techniques.

3

If you’ve never read about Alice and Bob (which you will if you read much about IT security), PGP has one big wrinkle is that for it to work both me and the recipient have to use PGP encryption. If I’m sending an encrypted message to John, and I want John and only John to receive it, when encrypting my message to John I will encrypt it with his public key. That means only the person(s) with John’s private key can decrypt it. But that also means to send a secure message to John he must have shared with me his public key prior to the communication.

That’s fine, and in fact if you read about PGP (or public key cryptography in general) it is stressed that you don’t have to worry about the safety of your public key (it’s public, imagine that anyone could get it), but if someone has your private key then they can decrypt any of confidential correspondence intended for you.

PGP and public key cryptography aren’t wholly synonymous, PGP uses public key crypography, but it also includes a certificate system with various techniques for building “webs of trust”, this aspect of PGP isn’t about making sure message are encrypted (public key cryptography by itself does this quite well), but about making sure that the person sending you a message is actually the person sending it and not an impostor. This actually is a major security feature, imagine I’m working for the CIA and a few years back, I impersonate an al-Qaeda leader by using his public key to encrypt a message and send it to a known underling. In the message I ask an underling for sensitive information and/or give him orders to do something that he may not realize, but is against the interests of al-Qaeda–without being able to verify I am who I say I am, he may do what I say even though I’m not a terrorist leader.

With a properly formed web of trust this is a lot more difficult. (And FWIW, I believe al-Qaeda and other terrorist groups have actually been found to have used PGP.)

4

So basically, the sender and anyone that he/she wants to send to has to have the same software, whether is its a Thunderbird plugin or third-party software.

Do these handle the keys internally somehow? Or do me and the receiver have to generate a public and private key and share them, separately from the email program?

Thanks,
Adrian

5

In my experience (onsite tech for small businesses including many MD’s, dentists, an orthodontist, and a smattering of chiropractors) they dont. They do not tend to move patient data electronically via email. One asked about it, I setup axecrypt for him and showed him how to use it to encrypt an attachment and a set of instructions for the reciever to decrypt it (including, please call me for the decryption code when you recieve this)

HIPPA does not have an encyption strength requirement, only a requirement that patient data sent electronically use some form of encryption.

6

PGP is a standardized thing, I don’t think you actually have to have the exact same software. I have Gpg4Win on my PC, and it can generate private/public keys and certificates. I believe any standard PGP application can take a public key I generate with Gpg4Win and use it to encrypt stuff and send it back to me.

I don’t know of any applications that handle this intuitively but they may be out there these days. With my setup, if I want to exchange encrypted emails with someone I need to manually generate a public key for myself (actually I only need to do this once when I setup the software.) I send that public key to anyone I want to be able to send me encrypted documents.

These keys are just plain text, an example of one:


mQENBE/rrR0BCADAy2ZVwYbp0lzn04MWJvYqmZWPPRdrv4KIkjhycvev5ohMS3vh
AdiHudpFTTuLaPjoxJdzb89CRPsER7k9J0oh/Ug4fnFWg6eqnK3RW9+ydes7Pknw
bphx3QBQQS4lmd4qEa6CdjK42URANbqXwoQJgug5IoNOG1p+GlYPFxZGyiWbX5i+
TLP33tOmU78w00ZvHwKg7WvmQpR77MRNzg5vJ4E0Au1FG3VpFR7sXUtkD5Cz67lS
tVkp3NbJONV8aHGET/9dKR/mKA+NRfitxIQ40sGOJfE/ddohk17T5iNK5xkkeofe
CLAnj77S3O00DeWQmbmGp9JjKntm/dmh7Al9ABEBAAG0KEpvaG4gU21pdGggKFRl
bGVvKSA8YWxha2F6aGFtQHlhaG9vLmNvbT6JATgEEwECACIFAk/rrR0CGw8GCwkI
BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJED98gYXBSe2Cgx0H/1qVwJMXotcXfTG7
/H7+IwgaaVf4ogxF3Pi0Bx9nnU0C3L8+EFTkHVjHUMfxcVBt0Z3g6yg1rEypu7qc
Big5gMQv0o3o/OMQZDGkWYvwIS3QKBz4dr7XuarQzEb+iw2m/399Ky009RNNGzaP
r8G/seCGfSWKZ3Cdek3yb+87GkbQWBi9ltKkAbVhB/dTJ6LwKtx5gCgCqxT5Sfnk
zVdqyEaA6NJnSboh8ncqe+YdU9VNEo2evYihe1S6rWx3Xqxz5Keq3pzzPzW4hXt5
MSLekJ2tHU07jlm1mX4jl5f60KaaLGtErMycJ9xOwOm1zn15NrsIqg7N3CCeIFqe
Nsf6VxE=
=4uy0

The secret key isn’t in quite a text form like that (it’s got some strange characters that won’t be recognized by a standard text editor for example), but the program I’m using uses the “OpenPGP” standard. I believe any program using that standard could use the keys I’ve created.

PGP isn’t really hard to use, but it’s annoying to use. Even the plugins require a bit of manual usage every time you send an email. Additionally the whole pre-staging of it makes it awkward for a lot of purposes, I believe that is why PGP isn’t used everywhere. Where it is used though, it is exceptionally difficult to break. I don’t know that it has ever been broken in the wild, and while earlier standards had “theoretical vulnerabilities” I don’t even think those have ever been successfully exploited. They are essentially invulnerable to standard cryptography, so aside from some other method to steal someone’s private key (which would be bypassing the encryption not actually breaking it) it’s fairly bullet proof.

7

Thanks, drachillix and Martin. Unfortunately, the person requesting the article wants ways to send documents by email. I go into FTP and just encrypting/decrypting at each end anyway.

8

I hope I didn’t give the impression PGP can only encrypt emails, that’s probably its most common use case but you can encrypt any file with PGP. It can be used even to just encrypt files that will stay on a hard drive just to keep them “secure.”

One other big downside is, even with a powerful machine, PGP encryption and decryption is resource intensive. It’s nothing to encrypt even a big text document, but encrypt say, a .zip file containing 2-3 GB in files and it will take a long time to do the encryption, and insanely long to do the decryption. I’ve encrypted a few large .zip archives before just playing around with the software. I’ve never decrypted one, it always locks up my machine or takes so long I just kill the process. So that’s also another reason you probably don’t see a huge usage of PGP.

9

OK, so each person generates a public key using their software and sends it to the other person. Then each person’s PGP software handles the rest.

To send an email. I assume, you would type it or copy into a field in your plugin, then tell the plugin to encrypt and send it. The person at the other end would (or at least might) then have to manually decrypt it

10

A generates his pair Apub, Apriv; B generates Bpub, Bpriv
A sends B his Apub; B sens A his Bpub (This step is liable to intercept, so the value of any “pub” could be widely known.)

A codes his mesage to B using Bpub, which only B with Bpriv can decode.
(Note B has no proof that A sent the item. Only that someone with the public key Bpub did.)
To verify, B replies and asks for verification from A with a message send using Apub. (Got message with codeword “walk” my new cw is “Quack”)
Theoretically, only A can decode that message. He uses Apriv.
A has to reply(Bpub) to B (using Bpriv) and this verifies that he received the message. (got verification. Codes “walk” and “quack”)

Note the last 2 replies need to contain information that could ONLY come from the coded message, so A and B both know the messages are being decoded and read. “I got your message” is easy to fake. "Your codes in the message were 'walk’and ‘quack’ " requires a key.

11

Use Ziptr - it encrypts files and messages on your computer, in and of the transmission channel, and on your recipient’s computer. It’s bi-directional, 256-bit AES encryption. And it’s free for individuals www.ziptr.com

12

Or don’t.

To begin with, nobody is using Ziptr. That means nobody knows how strong it is, because any flaws haven’t been discovered yet.

Secondly, the advertising material claims email can’t handle large files, which is a lie, and that it can’t be HIPAA-compilant, which is also (apparently) a lie. Lies are not needed when you have a good product.

It simply smells. Smells are not good when dealing with encryption software.

13

:smack:

When I have sensitive information to email, I make a PDF and use Adobe’s Security>Encrypt with Password option. I then send it as an attachment thinking that’s all I needed to do. From the thread, this sounds like it’s unsecure.

14

Depends – do you send the password in plaintext along with the attachment?

Depending on how good Adobe’s encryption is, what you’re doing is probably fine, except you have to get the password to the other person somehow. You can’t email it, because that defeats the whole point, so you’re stuck calling or texting or some other archaic form of communication. I also suspect that your passwords are typically short and easy to brute force, and that Adobe’s encryption isn’t actually all that good, but any encryption is better than nothing.

PGP is much better, because you know that your recipient already has everything he needs to decrypt the email as soon as you send it. The downside is that before you can send it, you have to get his public key, as has been outlined above. That means that if I want to send you a file, you have to email me first. We need an established email relationship, in other words.

The DoD solves this problem by having a massive central repository for public certificates. Someone can select my name from the hundreds of thousands of names in the Air Force directory, and send me an encrypted email. It’s actually a fantastic system, when it works. I assume that other organizations and companies are starting to follow suit.

The civilian email system has no such central register, by design, so we’re a long way off from having ubiquitous encrypted emails. It’s one reason why companies like Microsoft, Apple, Google, and Facebook are all vying to become the One True Holder of your Online Identity. For security to advance, something like that has to happen, whether privacy advocates like it or not. (straying into IMO territory, sorry)

15

Passwords aren’t sent via open text. Instead, I’ll tell them how to reconstruct it. How that goes depends on how well I know the client, which means it could range from “your dog’s name followed by the contents of cell XY (from an earlier file)” to “please call for the password to open this document” with a lot of in-between.

I don’t know how to answer the “how good Adobe’s encryption is” question, except to say that you can set it to either 128- or 256-bit AES. Does that speak to the question?

16

I believe there are a number of public keyservers for OpenPGP.

I use Enigmail, an extension for the Thunderbird email client that makes it work with GnuPG, so you can exchange secure emails with anyone using any OpenPGP-based system.

To send an encrypted email with this setup, compose the email in Thunderbird as usual and use the OpenPGP menu item (or toolbar button) to check the “Encrypt Message” option for that message.

When you go to send the email, and the recipient’s key is already in your keychain, Enigmail just asks for confirmation that it’s picked the right key, and the email goes out. If Enigmail can’t find a key that matches the recipient’s email address, it shows various options such as retrieving the key from a public keyserver. You can also load the key in advance, from a keyserver, a file, a web site, an incoming email, the clipboard, etc.

However you get the key, you’ll likely want to verify that it’s legit (unless you met the recipient in person, perhaps). Verifying that a key isn’t a fake can be done in various ways. The key may be signed by people you already trust (i.e. people whose keys you’ve already accepted), or by someone they trust in turn, etc. Or you could call up the recipient and confirm the key signature over the phone, for instance.

Receiving encrypted emails is similarly easy. When you open one (or click the Decrypt button), Enigmail asks for your passphrase, offering to remember it for a period of time if you want, then shows the decrypted message, same as any other email.

It all works pretty seamlessly.

This article suggests that in Acrobat 9, the longer key is easier (!) to crack. Seems like it’s particularly important to use long passwords/passphrases with it.

17

If I’m reading the article correctly, it’s saying that the encryption is fine but the way they implemented the password mechanism in the new version allows absurdly more brute force attempts per second.

So, IF the encryption itself is strong, and IF the password is sufficiently complicated (e.g. CorrectHorseBatteryStaple936!), then I can unclench my buttocks and could possibly offer an answer to the OP—if emailing a patient that has been to the office, generate a long, complex password at the time of visit and hand them a printout of it (saving a copy in the office for when it’s time to email). If there’s no patient presence, phone or similar contact will transfer the password.

Of course, given the relative level of my knowledge versus others in this thread, the likelihood of this being a solution is very small.

18

Derleth - you are right to be skeptical of any security product. That’s why we’ve worked with 3rd party sources to validate Ziptr’s SSAE 16 and HIPAA compliant technology - more here Ziptr.com is for sale | HugeDomains and we encourage any questions/inquiries.

19

Most doctor offices, billing services, hospitals seem to use some commercial email encryption product that allows on - demand or passive (based on content checking) email encryption via a hosted product like “zix mail”.

You send an email and use encrypt option or put a keyword (like SECURE) in the subject line and the recipient gets a link to an SSL website where they can read or respond to the message. No PHI gets sent to them, just the link, they have to pick a password and log in to the secure website.

The automatic encryption occurs if the software senses PHI in the outbound data. You can set up certain triggers, such as look for NN-NN-NNNN.

20

But what if the speech pathologist’s patient doesn’t stutter?