My ramblings on the stuff that holds it all together
Encrypting Documents in-Transit – is WinZip Enough?
I’ve looked at this topic a number of times, as we often have requirements to send sensitive files around. Lots of customers send them to me via email, FTP or on CD inside encrypted WinZip files, because this is what they find easiest: WinZip is pretty ubiquitous, so nobody has to agree a compatible encryption app or protocol and have it “blessed” by a security department or PC build team. Dave Whitelegg has posted a useful article here outlining the practical limits of this approach and suggesting password lengths.
Obviously, if you have information that is worth an attacker spending several weeks brute-forcing, then I would suggest that maybe you shouldn’t be sending it electronically, or even holding it at all; I’m sure there would be quicker ways for an attacker to get at this information once it’s in its unencrypted form at either end (social engineering, bribery, etc.).
And of course, if you do have to persist with the encrypted WinZip approach, maybe rename the files held within for a bit of security by obscurity: “Board of directors – salary review.xls” is probably a lot more tantalizing to an attacker than “Photocopier Toner Audit.xls” or “AACD12323.DAT”. Alternatively, place a .zip file within another .zip file, since the table of contents of a .zip file (the file names) is visible regardless of whether its contents are encrypted.
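As an added illustration (not from the original post or from Dave’s article), the script below builds a constructed minimal ZIP archive in memory, marks its entry as encrypted, and shows that the file name can still be listed with no password, while wrapping a plain inner archive inside an outer one leaves only the outer name visible. The archives, file names and contents are constructed samples; the “encrypted” entry’s body is a zero-filled placeholder standing in for ciphertext, since the point is the unencrypted central directory, not the cipher.

```python
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 in the ZIP format


def build_zip(entries, encrypted=True):
    """Write a minimal 'stored' ZIP archive to memory (constructed sample, not real WinZip output).
    entries: list of (name, data). With encrypted=True the flag bit is set and the entry body is a
    zero-filled placeholder standing in for ciphertext; the central directory (names, sizes,
    CRCs) is always written in the clear, because the ZIP format never encrypts it."""
    flag = ENCRYPTED_FLAG if encrypted else 0
    out, central = io.BytesIO(), b""
    for name, data in entries:
        raw = name.encode("ascii")
        crc = zlib.crc32(data)
        body = bytes(len(data)) if encrypted else data
        offset = out.tell()
        # local file header: sig, version, flags, method(0=store), time, date, crc, csize, usize, name len, extra len
        out.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0,
                              crc, len(body), len(data), len(raw), 0) + raw + body)
        # central directory entry: same fields plus comment len, disk, attributes, local header offset
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, 0, 0,
                               crc, len(body), len(data), len(raw), 0, 0, 0, 0, 0, offset) + raw
    cd_offset = out.tell()
    out.write(central)
    # end-of-central-directory record
    out.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                          len(central), cd_offset, 0))
    return out.getvalue()


def visible_names(zip_bytes):
    """List (file name, encrypted?) for every entry, opening the archive with no password at all."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, bool(i.flag_bits & ENCRYPTED_FLAG)) for i in zf.infolist()]


def readable_without_password(zip_bytes, name):
    """True if the entry's contents can be extracted with no password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:  # zipfile refuses to extract an encrypted entry without a pwd
            return False


# Constructed sample: the tantalising file name from the post, with placeholder content.
SECRET = [("Board of directors - salary review.xls", b"constructed sample content")]
FLAT = build_zip(SECRET)                        # encrypted, yet the name sits in the clear
INNER = build_zip(SECRET, encrypted=False)      # plain archive that carries the real name
NESTED = build_zip([("AACD12323.DAT", INNER)])  # encrypted outer archive: only the dull name shows

if __name__ == "__main__":
    print("flat archive lists:", visible_names(FLAT))      # [('Board of directors - salary review.xls', True)]
    print("nested archive lists:", visible_names(NESTED))  # [('AACD12323.DAT', True)]
```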
Our very own marvelous HMRC could do with reading this article being as it seems to be data breach disclosure month!
Keep up the good work Dave!