Enigma

Enigma was a research project to produce software that would automatically protect your Internet e-mail from forgery and interception. It encrypts and signs outgoing mail and decrypts and authenticates incoming mail. It contains built-in PGP-compatible code. It works with Windows, Mac OS, most UNIXes, and many other platforms. It will work with Eudora, Netscape Mail, Internet Explorer Mail, and many other mailers. It does not interoperate with newer (PGP 5+) versions of PGP, and needs updating. Let me know if you'd be interested in doing this!

Features
How it works
Download Enigma
Security issues
Known bugs
Future improvements
Licensing
E-mail the author
What errors mean

Features

Written in Java for maximum portability
Uses built-in PGP 2.6-compatible code for maximum security
Works with any mail program that uses the POP3 and SMTP protocols
Searches any number of local keyrings and a user-specified keyserver

How it works

Passphrase dialog box Enigma impersonates a POP3 and SMTP server to your mail client, and a mail client to your mail servers. When your mail program retrieves your mail through Enigma, messages are checked for PGP sections. If found, they will be decrypted and/or authenticated before being passed on to your mail program. When you send a message, Enigma signs and encrypts it if a public key is available for the recipient.

All a user has to do is supply their passphrase when the program starts. From then on, it works entirely automatically.

You can read more about Enigma in this research paper.

Download Enigma

The latest version of Enigma can be downloaded here as well as some user-contributed patches.

Keyfetching security issues

By default, Enigma's automatic key-fetching facility is not used - mostly for speed reasons, as communicating with a keyserver every time you communicate with a recipient to check for a public key can be slow if you are (in Internet terms) some distance away. If you use the facility, be aware that fetched keys are not trusted. No secure path exists between Enigma and the keyserver; even if it did, this would provide little protection as keys can be submitted to servers by anybody. The next version of Enigma will certainly only use keys that are self-signed, and will most likely also check signatures. A user-configurable level at which keys will be accepted (similar to PGP's summing of the trust levels on signators' keys) will allow you to decide how certain you want to be of keys' authenticity.

The best way to use the key fetching facility is by getting and verifying public keys of your regular correspondents using the same methods as PGP, adding them to your public keyring. Enigma will always use a local key in preference to a remotely-fetched one. Leave the automatic fetching as a convenience feature for communicating with strangers.

Trust

Obviously, you should be very careful with any program that gets access to your passphrase, secret key and mail servers. The full source code, signed by me, is available for anyone to check. But I wrote Enigma to protect people's privacy, not introduce a trojan horse for certain three-letter agencies.

Known bugs

Problem	Workaround	Fixed
Doesn't understand revoked keys	Remove (just for now) any such keys from the keyring you use with Enigma	In the forthcoming release of Cryptix OpenPGP
Doesn't understand PGP 5/6-produced DSS/DH keys	Only have RSA keys on the keyring you use with Enigma	In the forthcoming release of Cryptix OpenPGP

Future improvements

All sorts of things could be usefully added to Enigma. Here's a few of my current ideas. Please e-mail me if there's something you would find useful and like added.

Integrated support for MIME and PGP/MIME
PGP5/6 -- 3DES, CAST, SHA1, DSS and Diffie-Hellman support, new packet format support. A new Cryptix OpenPGP library with these features is now substantially written.
Protocols -- News and IMAP4 handlers
Support for Carl Ellison and friends' Simple Public Key Infrastructure
Smartcard support -- the more I see of passphrase usability and PC security in the real world, the less I trust them!
Timing-out, multiple passphrases
Automatic configuration
System-wide policy files

Licensing

Enigma is being distributed as freeware for personal use. Conditions for large-scale corporate use should be checked with me first. I assert my moral rights and copyright with regard to the software and documentation, but the whole point of the program is to increase the use of strong cryptography on the Internet. Therefore - give it to your friends! Tell everyone! The software is provided "as is". The documentation is provided purposely as a template which can be modified for organisational use. If there is something which would help you use - or install for others to use - Enigma, I'll be happy to help provide it. I am particularly happy to help system administrators!

Please feel free to send comments, code, bug reports ;-) etc. to ianb at acm.org. You can get my PGP public key here.

Last modified 2 Dec 2005