$49 app can put your files under lock and key

By John Breeden II

GCN Staff

Have you ever seen an air courier with a briefcase handcuffed to his arm? CryptoGram is a lot like that.

It locks down e-mail attachments and File Transfer Protocol files so only users with the correct keys can see inside. Others see unintelligible garbage, if they can get the files open at all.

Although a handy tool, CryptoGram has poor documentation. The manual seems almost encrypted, it's so difficult to read in spots. The diagrams are downright illegible.

Fortunately, the program is simple to use: Select a file and right-click on it. The back-end engine does 168-bit Triple Data Encryption Standard encryption. Other security elements in the program hamper use of code-breaking systems, a factor that influenced my favorable grade.

After CryptoGram counts three improper decryption entries, it doubles the amount of time before it will recognize each new attempt.

At first this is hardly noticeable because the interval is only a few seconds. But as math students know, doubling and redoubling numbers quickly makes them astronomical.

There's a fable about the man who invented the game of checkers to amuse a powerful king. As his reward, the inventor asked for only a single grain of rice for the first square of the game, two for the second, double again for the third and so on for all 64 squares.

The king readily agreed, not imagining that by the 64th square, he would owe quintillions of grains of rice. He learned his math lesson the hard way, and so would a code breaker. Pretty soon, he would be waiting years between hack attempts.
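To make the escalating-delay idea concrete, here is an added model of that throttling (illustrative code, not CryptoGram's). The review says only that the delay starts at "a few seconds" and doubles after the third bad entry, so the 2-second starting interval, the three-strike threshold and the sample pass phrase are assumptions; the clock is injected so the logic can be exercised without sleeping.

```python
"""Model of the retry throttling described in the review (added example)."""
import hmac

FREE_ATTEMPTS = 3   # bad entries tolerated before throttling begins (per the review)
BASE_DELAY = 2.0    # assumed starting wait in seconds ("only a few seconds")


class ThrottledDecryptor:
    """Accepts a pass phrase only when the current wait has elapsed."""

    def __init__(self, passphrase: str, clock):
        self._passphrase = passphrase.encode()
        self._clock = clock            # callable returning the time in seconds
        self.failures = 0
        self.next_allowed = 0.0        # earliest time an attempt will be evaluated

    def required_delay(self) -> float:
        """Wait imposed after the latest failure: 0 until the third, then doubling."""
        if self.failures < FREE_ATTEMPTS:
            return 0.0
        return BASE_DELAY * 2 ** (self.failures - FREE_ATTEMPTS)

    def attempt(self, phrase: str) -> str:
        now = self._clock()
        if now < self.next_allowed:
            return "locked"            # still inside the penalty window; not evaluated
        if hmac.compare_digest(phrase.encode(), self._passphrase):
            self.failures = 0          # a correct entry clears the counter
            self.next_allowed = 0.0
            return "ok"
        self.failures += 1
        self.next_allowed = now + self.required_delay()
        return "wrong"


def time_to_exhaust(attempts: int) -> float:
    """Total seconds of enforced waiting needed to make `attempts` guesses in a row."""
    total = 0.0
    for n in range(attempts):          # before guess n, n guesses have already failed
        throttled = n - FREE_ATTEMPTS
        if throttled >= 0:
            total += BASE_DELAY * 2 ** throttled
    return total
```

With these assumptions the 64th consecutive guess alone costs 2 * 2**60 seconds, which is the rice-on-the-checkerboard point in numbers.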

CryptoGram's interface is quite good and flexible. You create the crypto keys on floppy disks for distribution to your authorized users. There could be one key for all department heads and another for all program officials, for example. If only the program officials were allowed to open a particular document, it would be encrypted for their key.

Each token, generally a floppy disk, is password-protected, which reduces worry about lost tokens.

Tokens, however, can be dispensed with altogether. The recipient of an encrypted file does not need to have the program installed because there is a self-extracting file option.

To make a self-extracting file, the sender creates a pass phrase, which must be at least 10 characters long and can be a maximum of 100 characters. The phrase might be something such as '13 eggs make a Baker's dozen,' which combines case-sensitive capitalization and numbers, or something simpler, such as 'I enjoy hamburgers.'

Box Score

Personal and group encryption tool

SpartaCom Inc.; Tucson, Ariz.;

tel. 520-670-7100; www.spartacom.com

Price: $49

+ Triple DES encryption

+ Recipients need not have CryptoGram software

- Poor user manual

- Automatic log-out tied to unsecured screen saver

Real-life requirements:
Win9x or NT 4.0, 32M of RAM, 3M of free storage, CD-ROM drive for installation

The sender transmits the pass phrase to the recipient by a separate route. After the recipient gets the attachment and follows an automatic prompt to enter the decryption phrase, the attachment will open as usual. But if the phrase isn't entered exactly, an error message will appear and the attachment will remain encrypted. The same time-doubling feature after three errors applies here, too.

A final feather in CryptoGram's cap is that it can be set to encrypt automatically any data dropped into encrypted folders or any e-mail prior to transmission.

In my tests, this did not appreciably lengthen the time it took to send 100 encrypted 14M files.

Opens a hole

The program also can invalidate a user's log-in after a certain period of inactivity. Subsequently, the user will be locked out even if the proper token is presented and must then enter a password.

Unfortunately, this automatic log-out feature is tied to the Microsoft Windows screen saver and presents a small vulnerability.

Whatever activation interval the user has chosen for the screen saver is the maximum inactivity allowed. But Windows screen saver controls are unprotected, and a data thief could just watch for an opportunity to turn off the screen saver, then wait for a period of unattended use to take over the system.

The burden falls on the user to log out when leaving the computer. It's possible that many people would come to trust CryptoGram's timed log-out and not realize that the controls are unprotected.

CryptoGram is a surprisingly useful program for the price of $49. For users working over insecure communications networks, it's a good shield. An enterprise edition of CryptoGram has a centralized key generation tool and a key recovery mechanism.
