Appendix D: Security issues with the transmission of sensitive documents via
e-mail
Introduction
Several clients have requested the ability to copy and paste images directly
into email. While this functionality does exist in DataBridge2, this is not
a secure way to transmit data, and is not recommended for the following reasons:
- When a file is copied from DataBridge2 it is converted to a bitmap and stored
on the clipboard. Bitmap is a common image format that is supported by almost
every word processing application on the planet. However, bitmap is not a
compressed format so the resulting file could be as much as 400 times larger
than the original TIFF image. During testing a 22.8 KB document ballooned
to 10.9 MB. Most e-mail systems will cut off e-mails larger than 2 MB. The
best way to beat the size issue is to use the "Save As" command
to save the image in the compressed tiff format, and then attach the image(s)
to your message.
- Most e-mail systems are set up to send email over unencrypted connections.
This means that during the upload or download process, the e-mail and attachments
could be intercepted. Sending email only within the corporate network, or
using an encrypted connection, should alleviate some of the risk. Even this
method is not 100% secure, and is not recommended.
Recommendations
The best way to transmit a document to another user via email is by saving
the document in a secure format or by encrypting the document. This requires
a little more effort on the part of the sender and receiver, but will provide
99.9% security of the documents being transmitted. There are a couple of ways
to accomplish this, all of which require third-party software.
- Saving to a secure format.
The secure format we are talking about is an Adobe Acrobat PDF. Acrobat allows
users to set a password and encrypt the document such that a person viewing
it will need to enter a password first. Acrobat also gives the user complete
control over what the person receiving the document can do with it. You can
choose to disable editing, commenting and printing. This functionality is
included in Adobe Acrobat 5 and Acrobat 6. This is the full version, not the
free reader available on the website.
It is also important to note that with enough time and computing power any
encryption can be broken. When saving your documents always choose the 128-bit
encryption or better. Documents intercepted with a lower level of encryption
could be easily cracked. In the case of 40-bit RC4, a single programmer responding
to Netscape's key challenge broke it in 8 days on a single computer.
http://www.petting-zoo.net/~deadbeef/archive/828.html
- Encrypting the document.
There are several third-party applications that encrypt files and email attachments.
There is a learning curve, but it is very secure. PGP and Abi-Coder are two
examples of encryption packages. PGP actually integrates with your email client
to encrypt all attachments with a variety of encryption algorithms including
4096-bit RSA encryption. You can find more information about PGP here:
http://www.pgp.com/index.html
Abi-Coder is a similar product, but is free. It does use a lower level of
encryption than PGP, but its 448-bit Blowfish algorithm is more than adequate
for securing documents. The free version does not have email integration.
You can find more about Abi-Coder here:
http://www.abisoft.net/bd.html
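The checks this appendix recommends before e-mailing a document, as an added Python example (not part of DataBridge2 or the original text): it flags oversized files, clipboard bitmaps and unencrypted attachments. The function names, the `/Encrypt` heuristic and the sample bytes are assumptions made for illustration.

```python
# Added example, not DataBridge2 code. The 2 MB limit comes from the text above;
# function names and sample bytes are constructed for illustration.
MAX_EMAIL_BYTES = 2 * 1024 * 1024

def identify(data: bytes) -> str:
    """Classify a file by its leading magic bytes."""
    if data.startswith(b"BM"):
        return "bmp"
    if data.startswith((b"II*\x00", b"MM\x00*")):
        return "tiff"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return "pgp"
    return "unknown"

def pdf_has_encrypt_dict(data: bytes) -> bool:
    """Heuristic: password-protected PDFs reference an /Encrypt dictionary.
    This does not verify the key length (128-bit) or the password quality."""
    return b"/Encrypt" in data

def check_attachment(data: bytes) -> list:
    """Return the reasons this attachment should not be e-mailed as-is."""
    problems = []
    kind = identify(data)
    if len(data) > MAX_EMAIL_BYTES:
        problems.append("larger than 2 MB; many e-mail systems will cut it off")
    if kind == "bmp":
        problems.append("uncompressed bitmap; use Save As to write a compressed TIFF")
    if kind == "pdf" and not pdf_has_encrypt_dict(data):
        problems.append("PDF is not password-encrypted")
    elif kind not in ("pdf", "pgp"):
        problems.append("not encrypted; protect it as a PDF or with PGP first")
    return problems

# Constructed sample inputs (headers only, not real documents).
SAMPLES = {
    "clipboard.bmp": b"BM" + bytes(3 * 1024 * 1024),
    "scan.tif": b"II*\x00" + bytes(20_000),
    "plain.pdf": b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF",
    "locked.pdf": b"%PDF-1.4\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF",
    "scan.tif.asc": b"-----BEGIN PGP MESSAGE-----\n(constructed)\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        issues = check_attachment(data)
        print(name, "->", "; ".join(issues) if issues else "OK to send")
```

An empty result only means none of these checks fired; the PDF check does not confirm that 128-bit encryption was chosen.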
Last Updated: April 28, 2004