FOR

Encryption plug-ins for popular email clients such as Microsoft Outlook, Outlook Express and Pegasus Mail, have been around for several years and, in recent years, online crypto-mail services such as Invisimail (www.invisimail.com) have appeared.

ShyFile takes the technology several steps further, allowing email users to 'wrap' their messages in a Javascript wrapper that encrypts (and decrypts) them using an encryption password of between 192- and 6,144-bits. Javascript-encoded email is still a relatively new experience for many users, with only a few online banks, most notably Europe's First-e using the technology for messaging statements each month to its French, German, English and Spanish customers.

First-e, a French/Irish banking group, is arguably the most security-conscious of the online banks, having hired a raft of security experts to devise its security systems when it launched last year. ShyFile, although working to different - and, incredibly, stronger, encryption standards than First-e's proprietary email statement system, uses similar principals. The ShyFile system is actually more user-friendly than that seen on the First-e online statements-by-email, as recipients do not have to move their mouse over the encrypted email for it to be decrypted.

It's highly unlikely that that the ShyFile encryption system, which was developed by the German software house Consens, could be compromised, but the company is still only offering $1,000 to anyone that can break an encrypted message on its web site. The closing date for the competition is July, 2011 so would-be crackers have plenty of time to test their crypto-skills.

Given the developments in computing power over the last decade, in fact, it's likely that a brute force system to crack a ShyFile-encoded message could be developed in the next decade. However, society will probably have moved on from problems such as email surveillance by then. That, however, is the premise for future generations.

ShyFile, though, is being viewed in the light of technology in 2001, not 2011. It works and works well. It does have its shortcomings, however. For one thing, the Windows 95/98/ME program is a cumbersome 1.7 megabytes big and takes a finite length of time to execute and encrypt a text-based email. On a slower laptop, such an Intel Celeron 550 unit that this writer tested the package on, it takes several seconds to execute. On a desktop 850 Pentium III, the response time was still around a couple of seconds, adding to the tedium of encrypting a message.

We think the package could be made more user-friendly, possibly by re-coding the software to execute as an add-on to an existing email client - as many other crypto-plug-ins already do, although not using Javascript wrappers as ShyFile does.

Documentation is excellent for this budget package, and most users will be able to run the software on installation, based on the excellent explanations about how the application works from the company's web site.

One of the most interesting aspects of the package is that in the process of encoding, ShyFile mixes up the user's text with randomly created junk data. The junk data is created by an exclusively developed random-generator and not by the internal Windows' random-generator to avoid any discussions whether the Windows' generator is as random as it should. This means that even if two identical messages are encoded using the software, and using exactly the same key, then major elements of the resultant encoded data stream, which is wrapped in an html wrapper, will be different.

Since many companies make use of automatic 'electronic signatures' at the foot of their messages, this is a potential major problem for some lesser encryption systems. Also, unlike some plug-in encryption modules for email clients, ShyFile has no master key. This has both pluses and minuses - unless recipients of a ShyFile-d email have the relevant keys, they cannot decrypt the message, come what may. On the other hand, if the sender has lost or forgotten the key for an encrypted message, then the content of the message is gone forever.

Because ShyFile produces an html wrapper, the package may also be used to create a private web site that requires a password for one or more web pages. This could be useful, for example, if a company wanted to restrict access to all or part of its web site to specific users - handy for a company supplying products to the trade, and not wishing to reveal its retail profit margins to the general public. The prospect of having to ask users to tap in a decryption key of between 32 and 1,024 characters to access the web site, though, may put some users off, so we think that ShyFile works best as an email encryption package.

In use, the package will work with just about any regular email client with cut-and-paste options. Users execute the ShyFile package and paste in the required text to be encrypted into the software's window, or load the text from the PC's hard drive. After that, it's a click and encrypt option - using the appropriate keys - to encrypt the text, which can then be saved out as a self-contained email attachment.

As it stands, ShyFile does not support binary files, but, by using a UU-encode applet, it is possible to encode binary files as text, and then use ShyFile to encrypt the data. Recipients of the files will have to UU-decode the file, however, making the complete task less than elegant, which obviates the reason for using this application in the first place.

The package is now into version 3.2, solving some of the bugs that affected earlier editions. Although Consens has priced the package quite modestly, there is also a freeware version of the software available on the its web site. This is limited to 15 sessions in version 3.2, but gives users a flavour of how well the package works.
 

SC On-Line
SC Magazine
www.scmagazine.com