This Maintenance Pack will update your CompanyCRYPT installation to build level 572.
It includes all previous Maintenance Packs since the release of the initial v1.4.0 (Build 537).
This maintenance pack mainly focuses on fixing problems that have been discovered after
the release of version 1.4.0.
- User-Controlled-Encryption - Outlook parameter not working
Due to a logic error, the encryption could not be triggered using the MIME header parameter 'Sensitivity'.
This has been fixed.
- User-Controlled-Encryption - Wrong return code
When set to raise 'Encrypt fail' if no encryption key is available, the job wrongly raised a return code that was interpreted as
'Undetermined'. This has been corrected to raise the proper return code for 'Encrypt fail'.
- Import of private keys - Passphrase with special characters
When adding the feature of uploading a key, the encoding method of the import page was modified. This unfortunately
led to a double encoding of passphrases, which made it impossible to use special characters in passphrases.
This has been fixed.
NOTE: The quotation mark (") and pipe symbol (|) characters still cannot be used.
- Address detection - Falsely considered alias name data
On rare occasions the recipient address was extracted incorrectly from the alias name. This happened when the recipient email
address (enclosed in < >) was also entered in the alias name field (enclosed in ") together with some valid email address
characters such as the apostrophe ('). In general, the data between double-quote characters should be ignored. The CompanyCRYPT
processing has therefore been changed to reflect this behaviour.
- Automatic key generation - Key reply sent from wrong address
The sending address of key replies can be configured. However, upon an automatic key generation this setting did not have any
effect and the key reply was always sent from the key owner address. This has been corrected.
- Automatic key generation - German 'Umlaut' characters prevented key generation
This applied to the unattended generation of key material, by use of the reference list.
Whenever special characters appeared in some of the key parameters (name, company name, ...) the process would stop and would
not generate the requested key. This has been changed to automatically convert such characters to valid encodings (i.e. UTF-8).
- PGP key reply messages - Displayed key length wrong
The key length displayed in key replies did not show the value from the encryption sub key. Instead, it showed the value
from the signing sub key (usually smaller). This has been corrected.
- Service start on missing configuration file
This applied to both the Operational and the Reprocess service. In case of a missing Companycrypt.cfg file, the services
would be shown in Windows Service Manager as being in the process of 'Starting'. However, as they never reached the 'Started' condition,
the stop button never became available. The services did detect the missing file condition and stopped working,
but this was not signaled back to Windows, which left no buttons available to control the service. The only
way to stop the process was to end the task using the Task Manager. This has been fixed. The service will now stop immediately
after the start if the configuration file is missing.
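The address detection fix listed above (data between double quotes is ignored), as an added example that is not CompanyCRYPT code. The function names and the sample header values are hypothetical and constructed for illustration.

```python
import re

# Characters legal in an address local part; the apostrophe is one of them.
_ADDR_CHARS = r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+"
_NAIVE = re.compile(_ADDR_CHARS + "@" + r"[A-Za-z0-9.-]+")
_ANGLE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")

def naive_extract(header_value):
    """Flawed approach: take the first address-looking token anywhere."""
    m = _NAIVE.search(header_value)
    return m.group(0) if m else None

def strip_quoted(header_value):
    """Drop everything between double quotes, honouring backslash escapes."""
    out, in_quotes, i = [], False, 0
    while i < len(header_value):
        ch = header_value[i]
        if in_quotes and ch == "\\" and i + 1 < len(header_value):
            i += 2              # escaped character inside the alias, skip both
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes:
            out.append(ch)
        i += 1
    return "".join(out)

def extract_address(header_value):
    """Ignore the quoted alias, then prefer the address in angle brackets."""
    unquoted = strip_quoted(header_value)
    m = _ANGLE.search(unquoted)
    if m:
        return m.group(1)
    return naive_extract(unquoted)   # bare address without angle brackets

# Constructed sample recipient values (not taken from real traffic).
SAMPLES = [
    "\"'alice@example.com'\" <alice@example.com>",
    "\"Dave \\\"d@other.example\\\" Smith\" <dave@example.com>",
    "carol@example.com",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r}: naive={naive_extract(value)!r} "
              f"fixed={extract_address(value)!r}")
```

For the first sample the naive extraction returns the alias text with its leading apostrophe, so a key lookup on that string would miss the recipient's key.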
Security issues:
- PGP Module (GnuPG) update to v1.4.9
The latest version of GnuPG is part of this update. Besides small performance upgrades no noteworthy changes
in regard to CompanyCRYPT are part of this release. The following link provides more details.
NOTE: We are aware of the newer version of OpenSSL (v0.9.8h). However this version carries new dependencies
on a Microsoft dll-package (VC-Redistributables) that we want to investigate first. As there are no known imminent
security considerations, we decided to take the time and make sure that this new version will work flawlessly within
CompanyCRYPT before we release it.
General benefits, added features and new functions provided by this Maintenance Pack:
- PGP - Partitioned Encoding Format now supported
The PGP corporation (this is the company producing and selling the PGP desktop software) decided to change the handling
of file names when applying 'Inline-PGP' on emails. The file name in this format will not be transmitted in plain text
in the MIME container. Instead it becomes part of the encrypted data. As a result, the normal CompanyCRYPT decryption process
would decrypt the file, but would not provide the original file name or extension.
It would have been easier for us, if PGP had announced this prior to implementing it in their products, but they preferred
to surprise us and the customers with this new feature. By some accidental whitepaper disclosures from eMail archives and
some reverse engineering, we are now happy to be able to process this kind of data correctly, at least for the existing
PGP implementations (Desktop and PGP Universal). We will see what they come up with in the future.
- New 'Smart' Job - Best Effort Encryption
There is now a job (scenario) available that is independent of static MIMEsweeper address lists. It will simply always encrypt
emails for those recipients, where the key or certificate is available within CompanyCRYPT. If the recipients consist
of a mixed group (PGP, S/MIME, 'No-Key') the eMail will be split up through the Reprocess service.
- WebGUI - Rearrangements
In preparation of future improvements (multi domain support) a new tab under Central Accounts has been introduced. Apart from
the possibility to configure the system notification sender address it doesn't provide anything new. The purpose of this change
is to integrate company relevant settings in a single view. This will make them configurable for multiple Company-IDs in the next
update.
- BCC recipient detection
Finally a method has been developed to always get the exact SMTP email address information from the MIMEsweeper. This solves a
long term issue on Site2Site connections, where external BCC recipients sometimes weren't able to open encrypted messages,
because the assigned key for that domain wasn't used. With this new mechanism the processing will be using the correct keys.
- Apple eMail client compatibility
We found Apple email clients that didn't comply with the RFC describing PGP/MIME. When processing mails with this method,
it is expected the encrypted content is correctly MIME encoded. In this case the line endings should be CRLF and not
LF only as some examples showed. When detected, this will now be automatically corrected.
- Key list display
The display color of expired keys is changed to grey (inactive). The red text color will now be used to indicate that a key
or certificate is about to expire in less than 30 days. This way the signaling color red is used more meaningfully.
- Online Remote Support
With our strategic decision for the 'Teamviewer' product family for our support section, we are now happy to provide an
extremely fast and easy to handle way of online support (similar to a WebEx session).
To improve this even further the necessary client module is now integrated and startable from the CompanyCRYPT web interface
(Click on 'Remote Support' in the startup view).