Tuesday, February 17, 2009

Secure File Transfer Using Off The Shelf Tools

OK, this is for those of you who are sending financial, health, or other critical information across the Internet to a third party who needs to be able to read it. We don't want anyone in between reading it, since it's private information.

We all know that e-mail is as open as a postcard. What most don't realize is that web pages and other Internet file transfers also occur mostly in the clear. A notable exception is Secure HTTP (actually it's HTTP over Secure Sockets Layer, but that's too hard) - HTTPS (port 443) uses certificates and encrypted communications to prevent eavesdropping. However, e-mail and most file transfers happen outside of HTTPS and are subject to all kinds of eavesdropping, even tampering.

So we have to encrypt our own files before sending them over this medium. All sorts of complicated encryption schemes have been devised for secure communications, but they take the position of "trust no one, not even each other". This is a bit too paranoid, and should be reserved for matters of national security or the most sensitive of business transactions - we will simply trust that we know the person on the other end of the phone and that they can keep a secret, in this case, a password for a password-protected Zip file.

There are numerous "Zip Password Recovery" applications available. I haven't tried them, but I'm willing to bet that they work reasonably well against the standard Zip password protection. However, 7-Zip (FREE, Open-Source) offers not just the standard Zip password protection, but AES-256 encryption - one of the best encryptions going. AES-256 takes a supercomputer to break, and even then it would take decades.

Using 7-Zip, create a new archive, go into its options, and note the Password section in the bottom right of the properties screen. Select AES256 and enter a password. Call your intended recipient, tell them the password, then send the newly zipped and encrypted file in any manner you desire.
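
A check to run before sending, as an added example that is not part of the original post: it reads a .zip file's headers and reports whether each entry uses the standard Zip password protection (ZipCrypto) or AES, so the sender can confirm the AES-256 setting took effect. It assumes the WinZip AES extra-field layout (ID 0x9901) that 7-Zip writes for .zip archives; the function names are illustrative, and it does not apply to .7z archives.

```python
import struct
import zipfile

AES_EXTRA_ID = 0x9901   # WinZip "AE-x" extra-field header ID
AES_METHOD = 99         # compression-method value that marks an AES entry
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def aes_strength(extra: bytes):
    """Walk the extra-field records and return the AES strength, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 5:
            # body layout: version(2) vendor "AE"(2) strength(1) real method(2)
            return AES_STRENGTH.get(body[4])
        pos += 4 + size
    return None


def classify(info: zipfile.ZipInfo) -> str:
    """Name the protection scheme recorded for one archive entry."""
    if not info.flag_bits & 0x1:            # bit 0 set = entry is encrypted
        return "not encrypted"
    if info.compress_type == AES_METHOD:
        return aes_strength(info.extra) or "AES (strength field missing)"
    return "ZipCrypto (legacy)"


def audit(archive) -> dict:
    """Map each file in a .zip (path or file object) to its scheme."""
    with zipfile.ZipFile(archive) as zf:
        return {i.filename: classify(i) for i in zf.infolist() if not i.is_dir()}


def safe_to_send(archive) -> bool:
    """True only if the archive has files and every one is AES-256."""
    report = audit(archive)
    return bool(report) and all(v == "AES-256" for v in report.values())


if __name__ == "__main__":
    # Constructed sample entries (header fields only, no real archive needed).
    aes256 = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    samples = [("plain.txt", 0, 8, b""), ("legacy.txt", 1, 8, b""),
               ("strong.txt", 1, AES_METHOD, aes256)]
    for name, flags, method, extra in samples:
        zi = zipfile.ZipInfo(name)
        zi.flag_bits, zi.compress_type, zi.extra = flags, method, extra
        print(f"{name}: {classify(zi)}")
```

File names inside a .zip archive are stored unencrypted with either scheme, so `audit()` can list them without the password.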