On 2019-07-18 at 12:13 +1000, raf wrote:
> At work, when a client insists on email, and I (or the law)
> insist on encryption, I provide them with instructions for
> installing 7-zip and send them an AES-256 encrypted zip or 7z
> file as an attachment. It's the simplest thing I could think
> of that I thought most people could cope with.
Encrypted zip files have several factors that make them a beautiful solution for sending encrypted messages to occasional users that don't care much about it:

a) zip is a file format supported out-of-the-box by pretty much every system, and that users are comfortable with. Whereas you would be seen as a weirdo if you sent them a .gpg or other new file that needed a special program, you would likely be asked to just send it "normally" (i.e. unencrypted).

b) The format itself supports secure encryption (AES-128/256).

c) If their client doesn't support AES encryption, their client will show that *their program* can't cope with it. This places the onus on the receiver (their zip decompressor isn't "new enough"), rather than the sender (see a).

Nevertheless, it has a number of potential problems:

* As pointed out by Stefan Claas, you need to exchange the encryption keys. The zip file is just an encryption primitive, so key distribution may become a problem. (raf, may I ask how you are dealing with it? As they are clients, are you providing a set of keys in advance when personally visiting them? Are you providing the key for the new message?)

* 7-Zip before 19.00 uses a bad PRNG to fill a half-size IV: https://threadreaderapp.com/thread/1087848040583626753.html

* A naive user trying to reply would easily end up using PKWARE encryption (and reusing the password).

Kind regards
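The last point above (a reply that silently falls back to legacy PKWARE "ZipCrypto") is something the recipient can check from the archive headers alone, without the password. The following is an added example written for this thread, not code from any poster or from 7-Zip: it reads the central directory with Python's standard `zipfile` module and classifies each entry as plaintext, ZipCrypto (general-purpose flag bit 0 set, ordinary compression method), or WinZip/7-Zip AES (compression method 99 plus an `AE` extra field, id 0x9901, whose strength byte gives 128/192/256). The `build_zip` helper and the three sample archives are constructed here purely so the check can run offline; no real encryption is performed, only the headers are meaningful.

```python
import io
import struct
import zipfile
import zlib

# Extra-field ID and compression-method number used by the WinZip/7-Zip
# "AE-x" AES scheme. Legacy PKWARE ZipCrypto sets only general-purpose flag
# bit 0 and keeps the real compression method in the method field.
AES_EXTRA_ID = 0x9901
AES_METHOD = 99
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def parse_extra(extra: bytes):
    """Yield (id, data) pairs from a zip extra field (TLV: id, length, data)."""
    pos = 0
    while pos + 4 <= len(extra):
        eid, elen = struct.unpack_from("<HH", extra, pos)
        yield eid, extra[pos + 4:pos + 4 + elen]
        pos += 4 + elen


def classify_entry(zi: zipfile.ZipInfo) -> str:
    """Name the protection scheme the headers declare for one archive entry."""
    if not (zi.flag_bits & 0x1):        # general-purpose bit 0 = encrypted
        return "plaintext"
    if zi.compress_type != AES_METHOD:
        return "ZipCrypto (legacy PKWARE, weak)"
    for eid, data in parse_extra(zi.extra):
        if eid == AES_EXTRA_ID and len(data) >= 7:
            version, vendor, strength, _real_method = struct.unpack_from("<H2sBH", data)
            if vendor == b"AE":
                # AE-1 stores the plaintext CRC (a small leak); AE-2 zeroes it.
                return f"{AES_STRENGTH.get(strength, 'AES-?')} (AE-{version})"
    return "unknown (method 99 without an AE extra field)"


def audit_zip(blob: bytes) -> dict:
    """Map every entry name in the archive to its declared protection scheme."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {zi.filename: classify_entry(zi) for zi in zf.infolist()}


def build_zip(name: bytes, payload: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    """Hypothetical helper: construct a one-entry zip (stored payload, no real
    encryption) so the header checks can be exercised offline. Only the
    headers matter for the audit; the payload is never decrypted."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    n = len(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                        crc, n, n, len(name), len(extra)) + name + extra + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          0, 0, crc, n, n, len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# Constructed samples. The AE extra field is: vendor version 2, vendor "AE",
# strength 3 (AES-256), real compression method 8 (deflate).
AES_EXTRA = struct.pack("<HH", AES_EXTRA_ID, 7) + struct.pack("<H2sBH", 2, b"AE", 3, 8)
SAMPLE_AES256 = build_zip(b"report.txt", b"dummy", 0x1, AES_METHOD, AES_EXTRA)
SAMPLE_ZIPCRYPTO = build_zip(b"reply.txt", b"dummy", 0x1, 0)
SAMPLE_PLAIN = build_zip(b"notes.txt", b"dummy", 0x0, 0)

if __name__ == "__main__":
    for label, blob in [("aes", SAMPLE_AES256), ("zipcrypto", SAMPLE_ZIPCRYPTO), ("plain", SAMPLE_PLAIN)]:
        print(label, audit_zip(blob))
```

Run against a real attachment with `audit_zip(open("incoming.zip", "rb").read())`; an entry reported as ZipCrypto means the sender's tool fell back to the legacy scheme, so the password used for it should be treated as exposed rather than reused for the next exchange.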