First Encrypted IMAP Mail Program for Treo

veritouch · 09/11/2004, 11:33 PM

Answering many Treo600 user's need to secure mobile email messaging, New York City-based VeriTouch Ltd. will be introducing reprise email, the first and only totally encrypted secure IMAP email client.

Using VeriTouch's advanced 21,000 bit dynamic encryption, reprise email provides absolute end-to-end encryption to ensure only the true recipient can decrypt the sender's message. All messages recieved on the recipient's Treo600 will remain encrypted until such time as the true recipient activates their secret key to decrypt and read the message(s).

A unique "self-destruct" feature can be activated, which destroys the contents of the message after "X" seconds have elapsed from the time it is opened.

Interested parties may test drive the current Win32 version by contacting:

Gary E. Brant, CEO
VeriTouch Ltd.
gb@veritouch.com

VeriTouch is seeking 50 Beta Testers to evaluate the Treo600 version upon release, on a first-come, first-serve basis.

Kindly contact the company via email as above!

veritouch · 09/12/2004, 10:28 AM

We have renamed the new T600 encrypted IMAP Mail client Mirage.

The messages you send are invisible to anyone but the intended recipient.

Gary E. Brant, CEO
VeriTouch Ltd.
gb@veritouch.com

100thMonkey · 09/12/2004, 11:12 AM

WOW, is true push supported with the IDLE command, or does the client poll periodically?

veritouch · 09/12/2004, 11:23 AM

True push is supported, with Mail ISPs that are compatible, like Fastmail.fm.

Gary E. Brant, CEO
VeriTouch Ltd. - New York
gb@veritouch.com

bclinger · 09/12/2004, 01:36 PM

And what's the bottom line cost, recurring, et cetera. Ben

jaytee · 09/12/2004, 01:46 PM

OK.. Here are a few questions that pop into mind

What is '21,000 bit' encryption? Is the encryption algorithm a standard, vetted algorithm or a proprietary one? (I've heard of 64bit, 128bit, 256bit, 1024bit, 2048bit, etc. I've heard of SHA, SHA1, RSA, blowfish, etc..)

Does the sender have to encrypt the message, or is it encrypted as it arrives at the treo?

How does it handle sending messages to non-secure recipients? (Can I send normasl mail to normal people?)

Am I required to send my mails through your server?

Do I have to supply the encryption key for each message I read, or once per session?

Will you support public key encryption, such as pgp and/or gpg ?

tifosiv122 · 09/12/2004, 02:13 PM

Quote:

Originally Posted by veritouch

We have renamed the new T600 encrypted IMAP Mail client Mirage.

Sounds much better, good job!

Erik

jaytee · 09/12/2004, 09:16 PM

I'm still interested in discovering what exactly you mean by '21,000 bit dynamic encryption'. Are you using a 21000 bit key? (It seems strange that is not a proper power of 2). What exactly do you mean by 'dynamic'? Are you constantly decrypting and re-encrypting the message?

smiley88 · 09/12/2004, 11:29 PM

Quote:

Originally Posted by jaytee

I'm still interested in discovering what exactly you mean by '21,000 bit dynamic encryption'. Are you using a 21000 bit key? (It seems strange that is not a proper power of 2). What exactly do you mean by 'dynamic'? Are you constantly decrypting and re-encrypting the message?

no coporate client will ever accept a secure email solution unless it uses standard encryption such as AES, 3DES, Certicom etc. and works with both on the handheld and the desktop.

veritouch · 09/13/2004, 12:48 AM

OK.. Here are a few questions that pop into mind

What is '21,000 bit' encryption? Is the encryption algorithm a standard, vetted algorithm or a proprietary one? (I've heard of 64bit, 128bit, 256bit, 1024bit, 2048bit, etc. I've heard of SHA, SHA1, RSA, blowfish, etc..)

GB> 21,000 bit encryption is a unique and patent-pending cryptographic algorithm developed by VeriTouch. As you are probably aware, standard SSL credit card transactions over the Internet are "protected" by a paltry 1024-bit key. Our key is fully 200 times more powerful, ensuring that your mail is going to be very well protected from hackers.

Does the sender have to encrypt the message, or is it encrypted as it arrives at the treo?

GB> The message is encrypted just before it is sent from the sender's Treo, and is actually encrypted twice, making MIRAGE the most secure email client ever deliverd to consumers.

How does it handle sending messages to non-secure recipients? (Can I send normasl mail to normal people?)

GB> You may use the MIRAGE client to send un-encrypted messages to any recipient in the world, however, a MIRAGE message can only be received and decrypted by a recipient running MIRAGE.

Am I required to send my mails through your server?

GB> In the first release of MIRAGE, you must use our server as the way-point between your IMAP ISP, like Fastmail.fm.

Do I have to supply the encryption key for each message I read, or once per session?

GB> As noted above, MIRAGE messages are encrypted TWICE. To read a MIRAGE message, you simply enter your PGP private key passphrase, which can be set to local cache or while you are logged on. However, for true security, you should enter your PGP private key passphrase at each read.

Will you support public key encryption, such as pgp and/or gpg ?

GB> As you understand by now, MIRAGE uses PGP as one of the two encryption processes on all messages sent and received. The program also contains a PGP search engine to locate users' public PGP keys so that you can send them a MIRAGE message.

Get into the BETA TEST PROGRAM, and you can try the Widows version if you wish!

Gary E. Brant, CEO
VeriTouch Ltd. - New York
gb@veritouch.com

veritouch · 09/13/2004, 01:12 AM

We don't agree.

Corporate clients need a solution exactly like MIRAGE, that provides full end-to-end military grade encryption, and offers non-repudiation of the message, and absolute assurance from the sender and receiver that the proper parties have been engaged in the exchange!

With "Joe Job" attacks (impersonating a valid email account holder and sending mail under their ID) under way in droves, and other mischief like password crackers attacking email accounts high and low, MIRAGE offers a unified solution to ensure no message can be cracked, altered in transit, or sent from phantom accounts.

Gary E. Brant, CEO
VeriTouch Ltd. - New York

kd_cooke · 09/13/2004, 02:42 AM

OK. Color me intrigued. I'm not sure how you can say this solution insures non repudiation -- I understood that this requires somthing beyond a key, for example biometrics...

Regardless, I'd love to learn more and become a beta tester... Where do I sign?

veritouch · 09/13/2004, 09:38 AM

Quote:

Originally Posted by kd_cooke

OK. Color me intrigued. I'm not sure how you can say this solution insures non repudiation -- I understood that this requires somthing beyond a key, for example biometrics...

Regardless, I'd love to learn more and become a beta tester... Where do I sign?

Hello KD, no, a private key (to which only the authorized sender has access), provides non-repudiation.

Biometrics, you betcha'. That is VeriTouch's primary domain, and a version II of MIRAGE will feature an SD fingerprint scanner for the T600-650 that manages the user's private key.

Gary E. Brant, CEO
VeriTouch Ltd. - New York
gb@veritouch.com

shneor · 09/13/2004, 12:31 PM

I'd be very careful about using some proprietary and publicly-untested encryption scheme. Standard public-key encryption will provide the best encrytion, authentication and non-repudiation around. It's time this is made available on the Treo600. But existing Treo600 browsers do not support a key algorithm.

Biometrics is generally not there yet. Fingerprint readers are easily fooled See Bruce Schneier's article on this at http://www.schneier.com/crypto-gram-0205.html#5. For more information on fooling biometric devices, you can check http://www.heise.de/ct/english/02/11/114/.

veritouch · 09/13/2004, 12:37 PM

Quote:

Originally Posted by shneor

I'd be very careful about using some proprietary and publicly-untested encryption scheme. Standard public-key encryption will provide the best encrytion, authentication and non-repudiation around. It's time this is made available on the Treo600. But existing Treo600 browsers do not support a key algorithm.

Biometrics is generally not there yet. Fingerprint readers are easily fooled See Bruce Schneier's article on this at http://www.schneier.com/crypto-gram-0205.html#5. For more information on fooling biometric devices, you can check http://www.heise.de/ct/english/02/11/114/.

You can be careful, we'll introduce a product that the market needs.

Bruce Schneier, whom I've met, is down on biometrics because they threaten his domain of encryption (which he's made a lot of money with!).

You have no idea how we're implementing biometrics and encryption together, so don't go making pronouncements about it before you've actually kicked tires.

Gary E. Brant, CEO
VeriTouch Ltd. - New York
gb@veritouch.com

kd_cooke · 09/13/2004, 03:19 PM

You still haven't told us how to to sign up for one of those 50 first-come-first-served beta seats?

veritouch · 09/13/2004, 04:58 PM

All interested parties who want to participate in the Beta Testing Program should send an email to:

gb@veritouch.com

Thank you!

Gary E. Brant, CEO
VeriTouch Ltd. - New York

jaytee · 09/13/2004, 05:31 PM

Encryption using proprietary, unknown algorithms can never be proved to be secure though. How can I possibly know how secure your encryption algorithm is? From the reading I've done, it seems like proprietary encryption algorithms are not either as secure or as well received as well peer-reviewed, thoroughly tested algorithms. Why are you not using a modern and open standard with a decently long key length (say 2048 bits)? Why not just use the concepts shown and proven with public key cryptography systems?

Secondly, if I have information that needs this high a level of security, why am I letting it flow through a server I have no control of on the way to the recipient? I assume it will be encrypted by then, but I have no assurance that the encryption does not have some proprietary backdoor inserted in it.

Several things just fly in the face of good security practices here. I know that with a spiffy marketing job, you may garner some business interests, but security through closed cryptographic methods is out of the question for me. Locking both the sender and the recipient into a specific product is also something I try to avoid. (I use many OS's and many different products in my computing work and play).

Woof · 09/13/2004, 05:32 PM

I for one am not going to send anything to thae above address until I find my sd fingerprint reader.

Sorry guys, just the thought of puling out a fingerprint scanner and popping it in my phone when I send emails, just cracks me up.

Why dont you make a retina scanner? Much cooler on the treo I would think.

veritouch · 09/13/2004, 06:18 PM

Quote:

Originally Posted by Woof

I for one am not going to send anything to thae above address until I find my sd fingerprint reader.

Sorry guys, just the thought of puling out a fingerprint scanner and popping it in my phone when I send emails, just cracks me up.

Why dont you make a retina scanner? Much cooler on the treo I would think.

There's a lot more you'll be able to do with the FP Scanner.

Study up on our company and you'll get the focus of our applications for this HW and encryption.

Best wishes,

Gary E. Brant, CEO
VeriTouch Ltd. - New York
gb@veritouch.com