Author Topic: How does CSE EXACTLY work ?  (Read 5635 times)
clig
Newbie
« on: November 15, 2008, 09:38:43 AM »

Hi !

I never used CSE yet, however it looks interesting. It is also free, which makes it a good deal. (And of course in the long run, in case I will open an office, I might stick to your product using a non-free version...)

However:

I would like to know the exact mechanism how CSE works regarding the exchange and creation of the certificates / keys especially. E.g. I write an email, what exactly happens from the sending to the receiving of it ?
(In more detail than on your webpage here: http://www.secure-email.comodo.com/overview.html)

Where can I get this info ?

Thank you,

P.S.: How does it exactly work, that someone unauthorised intercepting or receiving an email cannot read it or its attachments ?
« Last Edit: November 15, 2008, 09:44:14 AM by clig »
Melih
Comodo's Hero
Administrator
« Reply #1 on: November 15, 2008, 10:06:06 AM »

If you are sending to someone who has a digital certificate: then the message is encrypted and digitally signed (no one can read it but the recipient and no one can modify it as recipient will know it's modified)

If you are sending it to someone who hasn't got a digital certificate: it has two modes.. just sends it digitally signed, which means people can still intercept and read it, but they can't modify the message. (eg: digitally signed)..or
in the 2nd mode where you can ask it to be encrypted: It uses our patent pending solution where we create a certificate for the recipient and the email is encrypted and digitally signed for the recipient (no one can read it but the recipient and no one can modify it as recipient will know it's modified).

hope this simple explanation clarifies it for you.
thanks
Melih

clig
Newbie
« Reply #2 on: November 16, 2008, 03:15:54 PM »

Thank you for your response Melih:
However, we would be thankful for some more precision:
Therefore the specific hypothetical scenario:

User A has a mail address UserA[at]yahoo.com
And
User B, mail address UserB[at]yahoo.com

Let's assume User A wants to write a securely encrypted and digitally signed email to user B:
User A therefore has got a free digital certificate (private person) from COMODO, using CSE.
User A writes the E-Mail, adds userB as the recipient. Mail is encrypted and digitally signed by CSE using User B's public key for encrypting the message to User B and then sent using Thunderbird.

Scenario All OK:
User B receives the encrypted and digitally signed message from user A (in Mozilla Thunderbird).
How does User B's CSE know the “decryption” code for the message ?
Where is the decryption code stored ?
And how does User B's CSE know that the message originates really from User A and not from somebody else ? (Especially if User B receives a digitally signed and encrypted message from User A for the first time)


And the final general question:
What encryption method is used ?


Sorry for the amount of questions, but we want to understand exactly what we might be using in future...
Thank you !
« Last Edit: November 16, 2008, 03:41:56 PM by clig »
Comodo_Shane
Administrator
Comodo Loves me
« Reply #3 on: November 18, 2008, 11:01:11 AM »

Identities are assured by the use of de facto industry standard PKI, with digital certificate and a trusted 3rd party (Comodo). For more info on PKI, please see here for more details:
http://en.wikipedia.org/wiki/Public_key_infrastructure

E-mails are sent using S/MIME, please see here for more details:
http://en.wikipedia.org/wiki/Smime

Encryption is carried out using ‘public key encryption’ aka asymmetric encryption.  For more information, please see here:
http://en.wikipedia.org/wiki/Public-key_cryptography

As Melih said there are a few scenarios.

1)   If A already has B’s digital certificate.
2)   When A doesn’t have B’s digital certificate.


- 1) If A already has B’s digital certificate.
In this case CSE simply uses S/MIME encryption and PKI above.

- 2) When A doesn’t have B’s digital certificate.
If A doesn’t already have B’s certificate, CSE has a few options for B to read this mail, all determined by A using our patent pending single user certificate system and our server. A sends the e-mail using this system, setting which options from the list below B can use to read it.

i)   B must install CSE to read the mail. This is our recommended method and is fully secure.
ii)   B can forward the mail to our web reader, and read the mail by supplying a password which A agreed with B in advance, e.g. by telephone or letter. Not as secure as i)
iii)   B can forward the mail to our web reader but does not need to supply a password. Not as secure as ii)

As I said, A the sender decides which of the options are available to B. Hope this answers your questions.

Regards,
Shane.

Please read the Forum Policy below before posting: 

http://forums.comodo.com/new_member_information/forum_policy-t1516.0.html
clig
Newbie
« Reply #4 on: November 19, 2008, 09:49:04 AM »

Excellent, thank you !
Now I will study what you gave me ...
J2897
Comodo's Hero
« Reply #5 on: June 16, 2009, 06:41:02 PM »

I was going to try CSE a while ago (Months). But what put me off is, I think Comodo would be able to Decrypt my Emails.

As far as I'm aware, it would be almost the same as Two People (A & B) sending Secure Gmail's to each other; accessing their Web Mail Page using https. (Staff at Google would be able to Decrypt my Emails.)

I think this could be the Second main reason why a lot of people simply don't bother Encrypting. If a Company can easily Decrypt your Email, whether it is Comodo, Google, or your ISP who can Decrypt them, then why bother?

Is it possible to Encrypt Emails without a Digital Certificate from a Certificate Authority? (This would take the power away from Comodo, Google, or the ISP, and give it completely to the User.)

If this is feasible, would this be possible in CSE?

I don't know much about Certificates, but how about CSE being able to generate randomized Self Signed Certificates so that the Emails can never be Decrypted by ANYONE but the User? (And the recipient of course.)

If you find it difficult to understand this Post, it's because I'm talking about a Subject I am not familiar with.

Thanks.
« Last Edit: June 16, 2009, 07:03:34 PM by J2045 »

Melih
Comodo's Hero
Administrator
« Reply #6 on: June 16, 2009, 07:47:32 PM »

> I was going to try CSE a while ago (Months). But what put me off is, I think Comodo would be able to Decrypt my Emails.
>
> As far as I'm aware, it would be almost the same as Two People (A & B) sending Secure Gmail's to each other; accessing their Web Mail Page using https. (Staff at Google would be able to Decrypt my Emails.)
>
> I think this could be the Second main reason why a lot of people simply don't bother Encrypting. If a Company can easily Decrypt your Email, whether it is Comodo, Google, or your ISP who can Decrypt them, then why bother?
>
> Is it possible to Encrypt Emails without a Digital Certificate from a Certificate Authority? (This would take the power away from Comodo, Google, or the ISP, and give it completely to the User.)
>
> If this is feasible, would this be possible in CSE?
>
> I don't know much about Certificates, but how about CSE being able to generate randomized Self Signed Certificates so that the Emails can never be Decrypted by ANYONE but the User? (And the recipient of course.)
>
> If you find it difficult to understand this Post, it's because I'm talking about a Subject I am not familiar with.
>
> Thanks.

Comodo does not read, cannot read your emails when you are using digital certificates. You own your private key in your PC, Comodo has no access to it.

Melih

J2897
Comodo's Hero
« Reply #7 on: June 17, 2009, 05:06:45 AM »

Thanks Melih!

> Comodo does not read, cannot read your emails when you are using digital certificates.

I didn't think that Comodo read the Emails (same for Google). I did think Comodo 'could' read the Emails (same for Google) if they wanted to though, because:

> - 1) If A doesn't already have B’s digital certificate.
>
> iii)   B can forward the mail to our web reader but does not need to supply a password.

My feeling is that, in all of the scenarios, Comodo 'could' Decrypt the Email if they had access to it (even if it was Password Protected).

Analogy:

If a Lock Smith produces a Key (Private Key), they 'could' keep a Copy of that Key.

If the User creates their own Key instead (out of Random Numbers), surely that would be much more Secure?

Again, I am talking about a Subject I am not familiar with (Digital Certificates). I just wanted to put my point across, because there could be many in the same state of thought.

Thanks.

Endymion
Comodo's Hero
« Reply #8 on: June 17, 2009, 06:31:12 AM »

> If the User creates their own Key instead (out of Random Numbers), surely that would be much more Secure?

I'm not an expert either but AFAIK using CSE users already create their keys locally.

IIRC it is not as simple as using any number, as only prime numbers could be used to generate a primary key.
« Last Edit: June 17, 2009, 06:33:44 AM by Endymion »

I have learnt silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet strange, I am ungrateful to these teachers.
Kahlil Gibran (1883 - 1931)
J2897
Comodo's Hero
« Reply #9 on: June 17, 2009, 07:37:01 AM »

I think what I am really trying to say, after reading 'this', is that I would like to Generate my own Public & Private Keys, but without sending my Public Key to a CA (Certificate Authority).

I don't think anyone would be able to Decrypt my Emails (apart from the recipient) that way.
« Last Edit: June 17, 2009, 07:38:41 AM by J2045 »

Endymion
Comodo's Hero
« Reply #10 on: June 17, 2009, 08:01:28 AM »

> I think what I am really trying to say, after reading 'this', is that I would like to Generate my own Public & Private Keys, but without sending my Public Key to a CA (Certificate Authority).
>
> I don't think anyone would be able to Decrypt my Emails (apart from the recipient) that way.

As already posted, if both users have CSE, even decryption will be carried out locally.

Anyhow I got the impression that what you are actually trying to say is that CSE is insecure through analogies and feelings...


Besides:

> Comodo does not read, cannot read your emails when you are using digital certificates. You own your private key in your PC, Comodo has no access to it.
>
> Melih

« Last Edit: June 17, 2009, 11:04:27 AM by Endymion »

I have learnt silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet strange, I am ungrateful to these teachers.
Kahlil Gibran (1883 - 1931)
xiuhcoatl
Unaffiliated Forum Volunteer
Global Moderator
« Reply #11 on: June 17, 2009, 10:10:08 AM »

> I think what I am really trying to say, after reading 'this', is that I would like to Generate my own Public & Private Keys, but without sending my Public Key to a CA (Certificate Authority).
>
> I don't think anyone would be able to Decrypt my Emails (apart from the recipient) that way.

Some of the very early versions of PGP operated that way. I do not know if you can find software that works in that way now. Possibly OPGP or GnuPG but then you must get your Key signed by other users of the same in order to verify the identity of your key and your key still ends up public.

read this
http://en.wikipedia.org/wiki/Public-key_cryptography

but as has been said with current public key encryption no one can decrypt your message except the recipient without significant computing power and a lot of time.

I prefer CSE
« Last Edit: June 19, 2009, 09:54:49 AM by xiuhcoatl »

What we learn from history is that people don't learn from history
J2897
Comodo's Hero
« Reply #12 on: June 17, 2009, 10:53:38 AM »

> ... no one can decrypt your message except the recipient...

Comodo can.

There must be a better way possible IMHO. In a Two Way conversation, there should only be Two People with access to the Public Key (A & B). Not Three (A, B & C).

Thanks for your help though.

xiuhcoatl
Unaffiliated Forum Volunteer
Global Moderator
« Reply #13 on: June 17, 2009, 11:03:11 AM »

The public key does not permit decryption; it is used to encrypt the message. There are no back doors installed in CSE. If you do not want to believe what you are being told, so be it.


sorry, we could not help you
X

What we learn from history is that people don't learn from history
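
The flow discussed in the replies above (keys generated locally, S/MIME sign then encrypt, a CA that only ever receives the public key), as an added example that is not part of any post and is not Comodo's code. It uses the `openssl` command-line tool; the "Demo CA", the user names and the message are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration: "Demo CA", "User a"/"User b" and the message are constructed.
smime_demo() (
  set -e
  d=$(mktemp -d) && cd "$d"
  # Stand-in for the trusted third party (the CA).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo CA" -days 1 2>/dev/null
  # A and B each create a key pair locally. Only the CSR (public key plus
  # name) goes to the CA, which returns a signed certificate.
  for u in a b; do
    openssl req -newkey rsa:2048 -nodes -keyout "$u.key" -out "$u.csr" \
      -subj "/CN=User $u" 2>/dev/null
    openssl x509 -req -in "$u.csr" -CA ca.crt -CAkey ca.key \
      -CAcreateserial -out "$u.crt" -days 1 2>/dev/null
  done
  if grep -q 'PRIVATE KEY' b.csr; then csr=csr_leaks_key; else csr=csr_public_only; fi

  # A signs with A's private key, then encrypts to B's certificate.
  printf 'Meet at 10\n' > msg.txt
  openssl smime -sign -in msg.txt -signer a.crt -inkey a.key -out signed.eml 2>/dev/null
  openssl smime -encrypt -aes256 -in signed.eml -out enc.eml b.crt

  # B decrypts with B's private key, then checks A's signature against the CA.
  openssl smime -decrypt -in enc.eml -recip b.crt -inkey b.key -out dec.eml
  openssl smime -verify -in dec.eml -CAfile ca.crt -out out.txt 2>/dev/null
  if [ "$(tr -d '\r' < out.txt)" = "Meet at 10" ]; then b=b_reads_ok; else b=b_failed; fi

  # The CA holds ca.key but not b.key: decrypting with ca.key gives no plaintext.
  if openssl smime -decrypt -in enc.eml -inkey ca.key 2>/dev/null | grep -q 'Meet at 10'
  then ca=ca_can_read; else ca=ca_cannot_read; fi

  # Any change to the signed text makes signature verification fail.
  sed 's/Meet at 10/Meet at 11/' dec.eml > bad.eml
  if openssl smime -verify -in bad.eml -CAfile ca.crt -out /dev/null 2>/dev/null
  then t=tamper_missed; else t=tamper_detected; fi

  cd / && rm -rf "$d"
  echo "$csr $b $ca $t"
)
smime_demo
```

This covers only the case where A already has B's certificate; the web reader options described in Reply #3 are not modelled.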
J2897
Comodo's Hero
« Reply #14 on: June 17, 2009, 02:32:57 PM »

Ah, NOW I GOT YOU!

The PRIVATE KEY is Generated on the USER'S PC.
(The User is me; the person installing CSE.)

The PUBLIC KEY can ONLY be used to ENCRYPT THE MESSAGE.

The PRIVATE KEY can ONLY be used to DECRYPT THE MESSAGE.

If only everyone else knew this...

Thank you!

I was under the impression that you could also do it the other way around; use the Private Key to Encrypt, and use the Public Key to Decrypt. This however is False!

Just one more question:

In these Two scenarios, was the Email simply signed with Comodo's own PUBLIC KEY?..
(And then Decrypted with Comodo's own PRIVATE KEY when 'B' goes to view it Online with Comodo's Web Reader?)

> - 1) If A doesn't already have B’s digital certificate.
>
> ii)   B can forward the mail to our web reader, and read the mail by supplying a password which A agreed with B in advance, e.g. by telephone or letter. Not as secure as i)
> iii)   B can forward the mail to our web reader but does not need to supply a password. Not as secure as ii)

Note:

Where I say, "Comodo's own * KEY", I am NOT referring to the Keys in the Digital Certificate that the User gets Free with CSE!

I am referring to Comodo's OWN key!