4

An employer wants me to send an i-9 form, which has my social and date of birth, via e-mail to their HR department. This seems quite baffling to me why they would want me to just send the form in this method.

I was wondering if I was being too paranoid and if I should just send the form? Or, if I'm not, how to send such a file securely without too much tech-work on the HR end?

I was thinking to send a password protected zip file containing the pdf.

jman
  • 143
  • 3

2 Answers2

0

The easiest solution is to employ both zip encryption and also password protecting the PDF file. I'm quite partial to services like onetimesecret for sharing the actual passwords, but calling them with the actual passwords would work as well. The point is to make it easy for HR to access your documents but not thrown out in the open like you want. GPG encryption is of course much safer and the recommended method, but in this case you don't control the other end and they'd be less open to using this sort of solution.

Nathan C
  • 800
  • 6
  • 9
  • 1
    -1 for recommending zip encryption. Encrypting a zip file often uses the broken ZipCrypto algorithm. Only when using custom applications (or on newer systems?) does it use a standard algorithm like AES. Additionally, layering multiple encrypted containers reduces security when compared to a single encrypted container that uses a password of double length. Plus doesn't PDF encryption use RC4? Or was that Word documents? – forest Mar 07 '18 at 02:55
-1

Following this question response:

When creating a password-protected Zip file (with the "compressed folder" utility integrated in the OS), Windows XP uses the "standard" encryption algorithm for Zip files. This is a homemade stream cipher, and it is weak. With 13 bytes of known plaintext, the complexity of the attack is about 238 operations, which is doable in a few hours on a PC. 13 bytes are relatively easy to obtain (e.g. if one of the files in the archive is an image, it will probably be uncompressed and begin with a known header). The result has even been improved, notably because the files in an archive are encrypted separately but without proper key diversification. Some years ago (quite a few now, tempus fugit), I have seen a password cracking software by Ivan Golubev which put this science to good use, and could crack Zip encryption in an hour.

The attack on Zip encryption is actually:

a nice introduction to cryptanalysis; a good exercise in programming; a reminder that you should not roll your own crypto. Phil Katz was very good in his domain, but the best cryptographers in the world will tell you that it takes much more than one extremely good cryptographer to make a secure algorithm -- it takes many cryptographers who feverishly propose designs and try to break the designs of the others, for a few years, until a seemingly robust design emerges (where "robust" means "none could find the slightest argument to support the idea that they may, possibly, make a dent in it at some unspecified date").

Consider using a PGP/GPG end-to-end encryption solution, either provided by the company or by your common agreement with your HR department.

Personally I use either Mailvelope or gpg4win as Windows solutions.

Lucian Nitescu
  • 1,802
  • 1
  • 13
  • 27
  • PS: Mailvelope or gpg4win will be some of the easiest solutions out there with a GUI. – Lucian Nitescu Mar 06 '18 at 21:08
  • 1
    Note that the quote is from Windows XP. There are many more robust options for zip file encryption (such as the use of 7-Zip to create AES-256 archives). ZipCrypto is "weak", but is sufficient for say, sending files to HR without attempting to train them on GPG or some other solution. – Nathan C Mar 06 '18 at 21:33
  • Your quote does not apply to the question. – schroeder Mar 06 '18 at 21:45