Sending files over the Internet is common, and sending those files securely is vital to many businesses. There are a number of ways you can transfer files, just as there are a number of ways you can secure those files during transmission. Your choice of transfer and encryption methods depends on your overall needs: Do you simply want to ensure that your files are secure while in transit? Or is it more important to you to encrypt files so that they remain secure after they arrive at their destination? Let's take a close look at your secure file-transmission options.
In Transit and Beyond
If you want only to protect files as they're transferred across the Internet, you need a secure transport technology. One option is to transfer files using a Web site that accepts uploads and provides a method for secure downloads. For secure uploads, you can build a Web page that uses an ActiveX control or Javascript, along with Secure Sockets Layer (SSL) to provide a secure transport. For example, you could use Persitis Software's AspUpload control, which claims to be "the most advanced upload control on the market." Or you could use the Free ASP Upload script, which doesn't require the use of a binary component. To gain further security, you might even password-protect the Web page and the associated upload directory. For downloads, you need only ensure that the Web server provides an SSL-enabled connection for at least the particular URL used to download the files.
An alternative would be to use an FTP server that supports FTP Secure. FTPS is essentially FTP running over an SSL connection. Many popular FTP client applications support FTPS, but unfortunately Microsoft's FTP Service doesn't support FTPS. Therefore, you'll need to use an FTP server application (e.g., the popular WFTPD) that does support FTPS. Don't confuse FTPS with SSH File Transfer Protocol. SFTP is a file-transfer protocol that runs over Secure Shell (SSH), and you can also use it to transfer files. Keep in mind, however, that SFTP isn't compatible with the traditional FTP protocol, so you'll need a special SFTP client (e.g., the client that the PuTTY Telnet/Secure Shell package provides, or the GUI-based WinSCP), along with a secure shell server (e.g., the one available from SSH Communications Security).
You can also use a VPN to securely transfer files. Windows Server platforms offer support for VPN technology through RRAS. However, this support might not be compatible with that of your partners' VPN solution. If it isn't, you could use a common solution such as the open-source Open-VPN tool, which is free and runs on a variety of platforms, including Windows, Linux, BSD, and Macintosh OS X. For information about how to integrate OpenVPN, see "Putting Open-VPN to Work," InstantDoc ID 45844. With an encrypted VPN connection in place, you can map directories and transfer files back and forth. With any VPN, your traffic is already encrypted, so you wouldn't necessarily need to encrypt the files, unless you want to ensure that the files remain secure on the system to which they're transferred. This principle applies to all the transfer methods I've discussed so far.
If you aren't worried about the transfer process and are mainly concerned that any unauthorized users not have access to file content, simply encrypting the files before you transfer them is a good approach. In this case, email is probably an efficient way to send the files. Email is the most commonly used application on desktops, so if you use email, you wouldn't need any additional technology besides a data-encryption method. Sending files over email is efficient because messages and associated file attachments typically go directly to the recipient's mailbox, even though the email might traverse several servers along the way.
If you do want additional security during the email-transfer process, consider using the SMTP Secure (SMTPS) and POP3 Secure (POP3S) protocols. SMTPS and POP3S are essentially the ordinary SMTP and POP3 protocols running over an encrypted SSL-based connection. Microsoft Exchange Server supports SMTPS and POP3S, as do most email clients, including Microsoft Outlook. Remember, even if you use SMTPS between your mail client and mail server, your mail server might deliver the email to its final destination over a regular, unencrypted SMTP connection.
Because email is so common, the rest of this article will focus on using email to securely transfer files. The inherent assumption is that you want to encrypt the message data to protect it during transit and after the data's arrival. Now, let's look at the more popular encryption technologies available for email today. After doing so, you should have a good idea about which encryption technology is right for your needs.
File-Compression Applications
Many types of file-compression applications are available for compressing files into a single archive file, and many of these solutions provide some form of encryption with which to protect the archive's content. Typically, you set a password during file compression, and anyone who wants to open the archive must have that password.
One of the most popular archival compression schemes is zip compression, which most archival applications support. One of the most popular zip-compression applications available today is WinZip. WinZip can work as a standalone application, integrate into Windows Explorer for easy access, and integrate with Outlook, thanks to the WinZip Companion for Outlook.
WinZip—and many other zip-enabled archive applications—offers support for Zip 2.0 Encryption. However, Zip 2.0 Encryption is a weak file-protection method. Strong encryption is new to WinZip 9.0. As Figure 1 shows, WinZip now supports the Advanced Encryption Standard (AES), using either 128-bit or 256-bit encryption keys. AES is a relatively new technology, but it's already considered an industry standard.
I'm not sure how many compression applications support strong encryption through AES, but one other such application is BAxBEx Software's bxAutoZip, which can interface with BAxBEx's CryptoMite encryption product and can also integrate with Outlook. Whereas WinZip supports only Zip 2.0 and AES encryption, CryptoMite supports several different encryption schemes, including AES, the popular Twofish and Blowfish algorithms, Cast 256, Gost, Mars, and SCOP.
Although most computer systems probably already have the ability to decompress zip files, not all zip applications support various encryption algorithms. Therefore, before you send encrypted files, you need to ensure that the algorithm you choose is supported by the recipient's zip application.
When you use a zip application to encrypt files, you'll need to supply an encryption password. To decrypt the archive file, the recipient of the file will also need that password. Be careful when you choose a password-delivery method. The safest ways to deliver the password are probably by phone, by fax, or by courier. Whatever method you choose, don't email the password in plain text, because that method will greatly increase the likelihood that an unauthorized user will gain access to the encrypted file.
Keep in mind that encryption-enabled archival applications aren't limited to sending files over email. You can also use them effectively to transfer files through the other aforementioned methods.