This Installer/Updater will improve your CompanyCRYPT to version 1.5.0 (Build 768).
It includes all previous releases, maintenance packs and updates since the initial v1.4.0 (Build 537)
Added Features / Abilities:
- AdHoc encryption - EML Format
AdHoc encryption now offers an additional 'packaging format' that provides a far better usability. Until
now the content of the 'original message' zip file basically contained separate attachment files
effectively resulting in a break of media.
The EML format however is a single file that contains the entire message in it's original form (header,
MIME structure, etc.). The recipient simply unpacks the password protected zip file and double-clicks on
the extracted EML file. All common mail clients (Outlook, Thunderbird, ...) will simply import this message.
After import it will look as the message was received via SMTP. It will even appear in the original
time related order.
- Key harvest from key server - More Automation
So far key server queries only supplied keys during processing without any caching or storing
facility behind it. This has changed and now available keys may be automatically collected in the
import area. From there they can be picked up by the auto-import and if usable and/or trustworthy
transferred into the key stores (possibly avoiding further queries).
The same saving mechanism is also available when doing manual test queries via the UI (Tab 'Key
Server' -- Sub-menu 'External Keyserver'). Thereby it has become much more easy to bring available
keys in use.
- S/MIME signature verification - Modell selection available
The signature verification modell for S/MIME signatures can now be selected, which makes signature
verification more flexible.
[NOTE: The below rules apply on signatures made on data as well as signatures made on certificates.]
- SHELL Model:
All signatures need to valid at time of verification
- HYBRID Model:
All signatures need to valid when the data was signed
- CHAIN Model:
Each signatures need to be valid when made
- Compatibility with prolonged PGP keys
Although not seen very often PGP keys can have their validity prolonged. The difference to S/MIME is, that
the key ID and the fingerprint remain the same. This of course has to be considered when identifying keys
in the key store by their fingerprint. It can then have two different results for the same fingerprint.
CompanyCRYPT processing has been enhanced to support prolonged keys.
- Display improvement
As nowadays browser continue to evolve some amendments were necessary to make the UI work as usual.
This is visible when holding the focus on a key as well as table structures. Also the file names in the
import area were changed back to display the common name and email. Additonally the key lists can now
be filtered to custom values in the columns.
- S/MIME Signing algorithm selection
It is now possible to select the algorithms for encryption and signing for the S/MIME formats.
It's is however recommended to stay with the defaults (des3 / sha1) unless security requirements occur.
For example, some customers changed the encryption algorithm to AES only to learn that even encryption
systems of large banks seem to be not yet ready to cope with this.
Problems addressed in this release:
- Reprocess Service
Two processing flaws have been identified in the recipient splitting of the Reprocess Service.
It resulted in recipient groups that were not fully separated. This again lead to a loop effect
as the processing continued to request further recipient splitting; eventually leading to 'undetermined'.
- Automatically imported keys were not available for recipient splitting
The signaling mechanism between auto-import and keystore-reload apparently wasn't working
as designed resulting in the described effect (undetermined).
The Reprocess Service now is enhanced to detect keystore changes and perform the reload
automatically whenever they occur. This provides a permanent solution.
- Recipient splitting did not consider keys available from key server
Although being caused by a different reason (ill-designed conditional) the effect was the same.
The recipient splitting was not properly done. The routine has been corrected and is now taking
available keys from key server into account.
- Expired keys used for encryption + Auto-signing did not use the newest key
The XML key store system did have an unfortunate bug that came into effect when auto-encryption
(or -signing) found multiple keys for an email address. Instead of making an intelligent choice
the first that appeared was used. Even worse, for encryption even expired keys were used.
The routine selecting the keys has been reworked and is now only using valid keys for encryption.
The auto-signing will look for the newest key (by 'valid from' date).
- Synchronization - CompanyCRYPT Slave displayed as outdated
Once found it became clear that this only was a display problem in the system overview. Due to
minor bug this status was possibly indicated during the first month of the year. This has been
corrected
- Decryption problem with Inline-PGP
Two issues were found while decrypting Inline-PGP messages.
- Inline PGP signature
Normally, if processing comes across a so called 'detached signature file', a token is to the header
to track processing. Incidentally for PGP it compared the token with the wrong block of data, declaring
the token invalid. Invalid token lead to a normal decrypt/verify that would add a new token. Which is
invalid again in the next go. After six or seven steps the processing exits with a decrypt fail.
This has been fixed.
- Inline PGP decrypt did not detect PGP Block
It turned out, that (in very rare instances) if a PGP block has either no trailing CR/CRLF (which is
not in accordance to RFC 2440) or was terminated by a softbreak, the detection failed and no
decryption/verification/key scan took place. The detection routines have now been modified to work
independently from the trailing characters.
- Triggered-Encryption exception falsly applied under Best-Effort-Encryption -
The exception list no longer has an influence on Best-Effort-Encryption.
- Memory leakage - Operational and Reprocess Service
Under MS-Windows versions 2008 and later a memory leakage problem was identified. It did
not affect operations or message processing. However small portions of memory (~20kB) were kept
in GnuPG and S/MIME zombie processes. The problem was not visible via the taskmanager (besides
the missing memory). Using a tool like RAMMap finally revealed the problem. Over time
and extend of usage this could lead to a memory shortage affecting the operating system.
This too has been fixed.
Compatibility
- Tested with MS Windows Server 2012 / MIMEsweeper for SMTP 5.6
This CompanyCRYPT version has been tested to work under MS Windows Server 2012 as well as
MIMEsweeper for SMTP v5.6
Security issues
- S/MIME Module (OpenSSL) update to v1.0.1i 06 Aug 2014
The latest version of OpenSSL is part of this update. So far none of the development steps are of any effect
to CompanyCRYPT. The following links provide more details.
- PGP Module (GnuPG) update to v1.4.18
The latest version of GnuPG is part of this update. Besides small performance upgrades no noteworthy changes
in regard to to CompanyCRYPT are part of this release. The following link provides more details.