Archive for category General

OpenPGP, PGP and GPG: What is the difference?

Posted by on Thursday, 18 July, 2013

With privacy capabilities of encryption methods such as PGP (Pretty Good Privacy), data security can be heightened and privacy can be achieved.  There are various approaches, however, and various elements of comparison for each of these acronyms.  This article will explore the differences between PGP, OpenPGP, and GPG (GNU Privacy Guard), offering brief histories of their creations and summaries of their capabilities.

PGP (Pretty Good Privacy)

The company, PGP Inc., owned the rights to the original PGP encryption software.  This software was developed by Phil Zimmermann & Associates, LLC and released in 1991 to ensure the security of files that were posted on pre-internet bulletin boards.  From 1997 until 2010, the software changed hands several times until it was acquired by Symantec Corp., who continues to develop the PGP brand.

PGP encryption uses a combination of encryption methodologies such as hashing, data compression, symmetric-key cryptography and public key cryptography to keep data secure.  This process can be used to encrypt text files, emails, data files, directories and disk partitions.

OpenPGP

Automate OpenPGP EncryptionZimmerman, one of the original PGP developers, soon began work on an open-source version of PGP encryption that employed encryption algorithms that had no licensing issues.

In 1997 he submitted an open-source PGP (OpenPGP) standards proposal to the IETF (Internet Engineering Task Force), to allow PGP standards-compliant encryption vendors to provide solutions that were compatible with other OpenPGP-compliant software vendors.   This strategy created an open and competitive environment for PGP encryption tools to thrive.

Today,  OpenPGP is a standard of PGP that is open-source for public use, and the term can be used to describe any program that supports the OpenPGP system.

GPG (GNU Privacy Guard)

GnuPGP was developed by Werner Koch and released in 1999 as an alternative to what is now Symantec’s software suite of encryption tools.  It is available as a free software download, and is based on the OpenPGP standards established by the IETF so that it would be interoperable with Symantec’s PGP tools as well as OpenPGP standards. Therefore, GPG can open and unencrypt any PGP and OpenPGP standards file.

GPG provides a graphic user interface when integrating into email and program systems such as Linux.  Some software solutions for encryption utilize GPG coding, while others encrypt using command line functions in a menu-based Perl script.

A variety of popular solutions have developed their PGP encryption products following the OpenPGP standards.  Some of these products include GoAnywhere OpenPGP Studio and GoAnywhere Director.

Summary

OpenPGP is the IETF-approved standard that describes encryption technologies that use processes that are interoperable with PGP.  PGP is a proprietary encryption solution, and the rights to its software are owned by Symantec.  GPG is another popular solution that follows the OpenPGP standards to provide an interface for end users to easily encrypt their files.

As the need to encrypt and protect data becomes ever more critical, organizations will continue to develop software based on these three systems.

 

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

Top 4 Email Security Challenges and How to Solve Them

Posted by on Monday, 29 October, 2012

Sending information to others via email has become one of the easiest and most ubiquitous ways of sharing data.  However, there are some important caveats to sharing files this way, as explained by Bob Luebbe, Chief Architect of Linoma Software in a recent webinar entitled, “Ad-Hoc File Transfers Using GoAnywhere Secure Mail.”

Challenges

There are four big challenges that companies need to be aware of when transmitting files using email.

  1. Email is sent “in the clear” meaning that it is not encrypted, therefore can potentially be read by anyone seeing the traffic being sent across an internal network or the Internet.
  2. Large files are most often not permitted by the email provider or the company email server. There is a good reason for this as disk space is very quickly consumed by unlimited use of email attachments and especially when “cc:” is used to send to multiple recipients.
  3. Some file types may not be permitted.  The reason that some file types are restricted, especially on company email servers, is to protect additional attacks from virus and spyware programs that are disguised behind the .zip, .exe, or .dat file types.
  4. There are no good audit trails for the email transaction.  Many companies are required under compliance regulations and other constraints to provide a detailed record of where their information is going, where it changed hands along the way, and whether it arrived at the intended destination. With email systems, this capability is either difficult to use or is non-existent.

Secure Options

Again, the most critical reason for not sending information via email is that it is not secured.  This can be addressed in several ways including these four common encryption methods.

  1. PGP – Using OpenPGP to first encrypt the file before attaching it to an email can be used to send the file securely.  This does not encrypt the body content of the email itself, just the file that is attached.  The recipient needs to create a Public Key and get it to the sender before sending the encrypted file as this key will be needed to decrypt the file. Of course, the recipient must also have the OpenPGP software and the training to create these kinds of electronic keys.  Then the sender would need to install and encrypt the file using this specific recipient’s Public Key. Finally, the recipient would need to decrypt the file with their corresponding Private Key.  This method cannot be used to send files to multiple recipients.  Most users do not have the knowledge to perform this kind of secure file exchange and will usually resort to finding other easier though non-secure methods.
  2. Zip – Compressing the file using some freely available zip software can be used to secure the file as long as it has encryption capabilities such as AES included. After the file is zipped and assigned a password, it can be attached to an email and sent. The password would need to be sent separately perhaps by phone call or another separate email.  The recipient would also need to have software with the same encryption capability to decrypt and unzip the file.  A downside of this method is many corporate email systems block .zip attachments for security reasons.
  3. S/MIME –This encryption method requires that both the sender and the recipient email systems support S/MIME communications. The sender will need to create a certificate and send it to the recipient. The recipient would then need to know how to import the certificate into their email client.  Once the certificate is in place, a secured email can be sent, received and decrypted.
  4. Secure FTP – This method does not use email for sending the file but encrypts the file and sends it directly across a network or the Internet using secure file transfer protocols. The sender needs to have a secure FTP client installed and the recipient needs to have a Secure FTP server setup.  The recipient needs to set up a user ID and password for the sender.  The sender can then log in with their secure FTP client and transmit the file.

While each of these methods certainly allows the sender to assure that the file is secure, it doesn’t address some of the other challenges of file types being blocked and audit trails being easily obtained.  The inconvenience of using these methods prevents their widespread use and make users reliant upon experts to implement, which explains why much of the data flowing in and out of our network is still unsecured.

Solution

There are solutions available that combine the ease of using email together with the option to secure both the file and the text of the email. These solutions are generally referred to as secure mail or secure ad-hoc file transfer.

Secure email uses the common Outlook email client in the form of an add-on utility and/or web client using secure HTTPS protocols.  The sender simply creates the email using the email client with which they are already familiar, while the add-on feature provides a separate “Send” button that’s designated for sending the file using secure methods. Done. It’s a very simple one-button solution.  The recipient gets the email with a link that redirects them to an HTTPS-secured web page with the files available to download.  There are no certificates, electronic keys, or additional software combinations required for the sender or the recipient. Any files remain on the sender’s secured network and there are no file size limitations.  A very detailed and easily accessible audit log is kept for every single secured email transaction. As Bob Luebbe puts it in the webinar, “it’s as easy as pie.”

To listen to the whole webinar on secure mail, click here.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

GoAnywhere Director Version 4.0 Released

Posted by on Tuesday, 3 January, 2012

There’s no better way to kick off the new year than with a new release of Linoma Software’s GoAnywhere™ Director, our popular managed file transfer software.

managed file transfer, secure file transferGoAnywhere Director is the flagship component of the GoAnywhere managed file transfer suite, and it’s used by thousands of enterprise customers who need to initiate secure file transfers as part of their daily workflow.

Whether exchanging data with trading partners, vendors, customers, or even other servers, GoAnywhere Director is the preferred solution for our clients in both the IBM Power Systems environment as well as Linux, Windows, Solaris and others because it simplifies, automates and secures file transfers efficiently, while still remaining affordable.

Director 4.0 has added a variety of features to improve the user experience, including enhanced job controls, custom add-ons, new options for holiday calendars for scheduling, and more than 30 additional advanced functions.

For more details, check out our latest announcement, or dig deeper by reviewing the software release notes.

If you’ve been considering a different solution for handling your secure file transfers, we invite you to begin 2012 by investigating GoAnywhere.  Learn more about our managed file transfer solution, or simply request a free trial.

Susan Baird

Susan is the Marketing Manager at Linoma Software, helping promote our secure file transfer and encryption solutions. Her specialty is content creation and social media marketing.

More Posts - Website - Twitter - Facebook - LinkedIn - Pinterest - Google Plus

Managed File Transfer Solution Now on Video

Posted by on Wednesday, 17 August, 2011

We’re always looking for new ways to illustrate the power and versatility of our GoAnywhere suite of secure file transfer and encryption solutions.  Very simply, GoAnywhere helps you streamline, encrypt and automate your file transfer processes to save time and money while meeting ever-growing compliance requirements.

Still, we find it’s sometimes challenging to quickly explain the power and convenience of our managed file transfer software, so we’re excited to introduce some brand new videos to showcase the flexibility and control GoAnywhere clients have.

GoAnywhere secure file transfer software solution

GoAnywhere’s suite of secure file transfer solutions helps you manage all of your organization’s inbound and outbound file transfers — both internally as well as with external trading partners.

With support for virtually any platform and protocol, including FTP, FTPS, SFTP, HTTP/S, AS2, SMTP and ZIP, GoAnywhere puts local control of the entire process into one intuitive dashboard.  GoAnywhere eliminates the need for custom scripts, generates detailed audit logs, and provides a rich catalog of features for comprehensive management, all without additional hardware or specialized skills.

If you’d like to test drive a free trial, let us know.  We’d also love to hear what you think of our videos!

Susan Baird

Susan is the Marketing Manager at Linoma Software, helping promote our secure file transfer and encryption solutions. Her specialty is content creation and social media marketing.

More Posts - Website - Twitter - Facebook - LinkedIn - Pinterest - Google Plus

Citigroup Breach Triggers Congressional Response

Posted by on Monday, 11 July, 2011

The data breach at Citigroup in May – a breach which reportedly exposed an estimated 200,000 customer accounts – has motivated members of the U.S. Congress to re-introduce legislation to penalize the very organizations that have been victimized by hackers.  What are the next steps your company should take?

New bills to protect consumers’ personal dataLinoma Software Managed File Transfer Solutions

Two bills are proposed by both House and Senate legislators.

First, Sen. Patrick Leahy (D-Vt.) has introduced the Personal Data Privacy and Security Act of 2011.  The new bill provides:

  • Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data;
  • A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security; and
  • A requirement that the government ensure sensitive data is protected when the government hires  third-party contractors.

This act would also require, under threat of fine or imprisonment, that businesses and agencies notify affected individuals of a security breach by mail, telephone or email  “without unreasonable delay.” Media notices would be required for breaches involving 5,000 or more people.  The FBI and the Secret Service would need to be notified if the breach affects 10,000 or more people, compromises databases containing the information of one million or more people, or impacts federal databases or law enforcement.

But that’s not the only security bill that has businesses concerned.

In the House, Rep. Mary Bono Mack (R-Ca) is holding hearings in preparation of a bill she’s named The SAFE (Secure and Fortify) Data Act that would also require “reasonable security policies and procedures” to protect consumers and enable disclosures to victims and the Federal Trade Commission within 48 hours of a data breach.

Companies no longer viewed as the victims

All this sounds good from the consumer’s point of view. But what about the expense – and potential Linoma Software GoAnywhere Managed File Transfer Solutionpenalties – suffered by the “owners” of the data: the businesses themselves?

While these bills may address the public’s interest for notification — and indeed they would bring some semblance of a national standard – they also represent an interesting shift in the liabilities that companies will face.  How is that?

Though we currently have no federal data breach notification law, federal policies now view the companies that experience a data breach as the victims of crime. However, under the proposed legislative bills, companies that do not act quickly to appropriately secure the personal data of customers – or fail to report a data breach in a reasonable amount of time – would not only suffer the theft of data, but also be held liable for its loss.

This is a significant shift. Companies are now being viewed not as the owners of consumer data, but merely guardians and trustees whose job it is to protect that data or face criminal penalties. And the message is clear: if companies won’t take adequate precautions to secure the sensitive data of our customers, they’ll pay a hefty price.

Where does your company stand?

In a world in which diligent hackers have the power break into seemingly secure networks and systems, what can your company do?

The challenge is first to determine exactly what qualifies as adequate precautions.

GoAnywhere Secure Managed File Transfer A review of the HIPAA HITECH security provisions that took effect last year provides some insight about what the government considers adequate protection.

HITECH strongly recommends the use of encryption technology. Encryption is a good place for your company to start, especially when dealing with the data your company stores on its servers.  If sensitive data itself is kept securely encrypted, a data breach doesn’t expose the content of the information itself.

Secure managed file transfer protocols – which send data using encryption – is the second place to focus attention.

If data is encrypted when it is being securely transmitted between business partners, the value of that data should it be breached – through hacking, theft, or other malicious actions – is worthless.  Encryption and secure managed file transfers can dramatically minimize the holes of technical breaches, significantly reducing an organization’s liability.

Preventing exposure

The Citigroup data breach has rekindled the momentum for a nationwide, cross-industry data breach reporting standard. This standard will not to eliminate the physical breaches themselves. What’s needed is legislation to encourage companies secure the underlying data that is the target of the hackers.

Isn’t it time for your company to take a serious look at its liabilities and to investigate how encryption and managed file transfers can close these important security holes?

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website