LockedEnvelope Allows Easy, Encrypted E-mail

Navoty has announced the immediate availability of LockedEnvelope in beta. The system allows users of any e-mail application with any e-mail service on any OS to send an encrypted message to anyone with a simple pass phrase.

Creating encrypted e-mail is not extremely difficult. However, when it comes to making everything work with all your associates all the time, it can be a challenge. Especially when all one wants to do is send an occasional secret piece of data. For example, when working collaboratively on building a Website with passwords.

Now, LockedEnvelope can solve that problem. TMO spoke with the developer, Terry Heath of Navoty, Inc. to get more details. The systems uses a Website and secure server as an intermediate. Any standard e-mail system can be used. The idea is simplicity itself.

First, one goes to LockedEnvelope.com and creates a challenge question, for example, a spouseis favorite food, and answer (pass phrase). The system creates a URL and stores an AES-256 bit encrypted package on their server that is not tied to the senderis ID. The sender then cuts, pastes, and sends that URL in a standard message to the recipient. Utilizing the fact that clicking on a URL in e-mail opens a Web page for most users, the page with the challenge question is shown in the recipientis browser.

The pass phrase is hashed in a one-way encryption algorithm to authenticate. If valid, the AES 256-bit encrypted content is displayed. "Because the would-be bad-guy has no idea what your wife?s favorite food is, there?s no way for them to access the message, and thus, the information is sent safely and securely, completely out of sight from prying eyes," Mr. Heath explained.

"We hash your answer in our database, which means that we canit recover it if you lose it. It also means that if someone broke into our server and looked at our database, they canit recover the answer. The secret message is encrypted using your answer, which, again, we donit have. When the message is finally decrypted by the recipient, itis over SSL, an industry standard HTTP encryption and authentication protocol. You know that the message is coming from LockedEnvelope, and you know that nobody else is reading your message."


Creating the URL


Receiving the message

Currently the service is completely free and is limited to text entered by the sender on the Website. A future service that could include the transmission of large files is being evaluated as a pay service that will support the growth of the service. However, Mr. Heath said the initial, limited version will always be free.

LockedEnvelope was created with Ruby on Rails.

Mr. Heath explained that their server is purged every week, and even if it were compromised, all the hacker would get is AES 256-bit gibberish, a challenge for anyone to decrypt, and no association of the data with the sender. In time, itis expected that revenue from the paid services will support the growth of their server farm as the service becomes more popular.

For those users who havenit implemented secure e-mail with PGP or a Thawte SSL certificate in their everyday e-mail program, this system allows for an easy, occasional transmission of sensitive data to a friend or colleague.