Tuesday, August 5, 2008

Keeping Away the Peeping Toms...With Mail Encryption

If you are mailing a Cheque/DD to somebody or a very important document to a family member or to your customer, do you send it by ordinary post? NO, in all probability you would either send it by courier or by registered post to ensure that the packet reaches the hands of the right and intended person only. Moreover, you will ensure that the envelope holding these items is not transparent or easily tamperable. This will help you to obfuscate or hide the contents even better. To ensure that it has been received by the intended person, you ask for an acknowledgement, the date when the delivery has taken place etc.

Why then would you send personal or confidential information in an unprotected email?

Why do I need to encrypt my emails?

Sending information in an unencrypted email is the equivalent of sending a cheque/DD in an unsealed envelope or writing confidential information on a postcard for all to see. This will allow anybody and everybody to take advantage of such information and use it to defraud us. We are all sure that none of us would like to encounter such a situation.

While in transit, e-mail messages are sent through one or more mail transfer agent servers until it reaches the destination e-mail server. Someone with access to this server can easily intercept and read the e-mail message. In addition, e-mail messages that travel through these mail transfer agent (mta) servers are very likely stored and backed up even after delivery to the recipient, and even if the recipient and the sender have deleted their copies of the message. This stored copy of the e-mail may be subject to snooping in the future, and persist indefinitely.
Additionally, the internet makes it easy to “spoof” the sender field of an email message, allowing nefarious individuals to misrepresent their identities. This has led to a phenomenon known as “phishing” and other forms of attacks over e-mail, underscoring the importance of the recipient being able to reasonably authenticate the sender's identity. That is the reason why we need to ENCRYPT OUR MAILS.

Techniques used to encrypt emails:
1. Symmetric Crypts: both recipient and sender share a common key or password that is used to decrypt/encrypt the message.

2. Asymmetric Crypts: here there are two keys used. One is a public key that can be shared with everyone and to encrypt the message. The other is the private or secret key known only to the recipient and used to decrypt the message. Both the keys are required in a transaction here.

E-mail encryption design approaches

1. The Client-Based Method suggests that the sender of the email should be responsible for e- encryption.

2. The Gateway-based Method suggests that the organization is responsible for e-mail security, and encryption should be performed on a server operating on the corporate network, based on the security and regulatory compliance needs of the company and its industry vertical.

Methods of Message Retrieval
1. The “in box” delivery model: the encrypted e-mail is delivered to the user’s email inbox, where they can open the encrypted message after providing the appropriate password or credentials.

2. The “mail Box” model: the user receives an e-mail with a hyperlink to the encrypted message. The user then follows the hyperlink to arrive at a website where they submit their credentials and are then able to view the decrypted message.

Standard approaches to e-mail encryption
The need for e-mail encryption has lead to a variety of solutions – some from standards bodies, and some from the marketplace. Below are a few of these approaches:

1. S/MIME : S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption signing e-mail. S/MIME was developed by RSA Data Security, Inc. S/MIME provides the cryptographic security services for authentication, message integrity, and non-repudiation by combining a digital signature with encryption. Before S/MIME can be used in an application, the user must obtain and successfully install a unique key/certificate from a Certificate Authority (CA) or from a public CA. Encryption requires storing the destination party's certificate, a process that is typically automated when receiving a message from the party with a valid signing certificate attached.
2. PGP and OpenPGP: Pretty Good Privacy (PGP) is a standard that delivers cryptographic privacy authentication. The first version of PGP, by designer and developer Phil Zimmermann, was released as an open standard. Zimmermann and others have developed subsequent versions. Eventually, the PGP secure e-mail offering was adopted as an Internet standards-track specification known as OpenPGP. OpenPGP is now an open standard with PGP. PGP and OpenPGP require a client or plug-in. PGP uses both public-key cryptography and symmetric key cryptography.
3. PostX Registered Envelope Encryption and Security: The PostX Registered Envelope is a secure delivery model for PostX Envelope. The Registered Envelope uses online authentication for decryption key retrieval to provide secure auditable message delivery. The Registered Envelope delivers both the encrypted payload and necessary decryption code via an e-mail attachment to the recipient. E-mail payload is encrypted with a unique (per message) secure random session key. The session key is stored in the PostX KeyServer (and is not sent with the message itself).
4. Identity-Based Encryption: In the 1980’s, identity based encryption (IBE) methods were developed for e-mail by RSA and others to communicate securely in ad hoc environments. In this model, the e-mail address of the recipient is used to perform the e-mail encryption. In order to provide the strength of a password or authentication, identity-based encryption requires client software.
5. Pull solution: In this model, the recipient is pulled into a secure message inbox. In this inbox, the recipient can perform all of the e-mail functions in a branded environment.


1. Encrypting your email will keep all but the most dedicated hackers from intercepting and reading your private communications.

2. Using a personal email certificate, you can digitally sign your email so that recipients can verify that its really from you as well as encrypt your messages so that only the intended recipients can view it. This will help stem the tide of spam and malware being distributed in your name.

3. When your contacts receive an unsigned message with your email id spoofed, they will realize that its not from you and will delete it.

4. Protect your integrity and confidentiality.

5. It will also help you to adhere to the compliance rules of most standards.

Reference: Wikipedia, About.com.

Image Source: http://images.teamsugar.com/

1 comment:

Stephanie said...

As for approaches to email encryption, Voltage Security created the first practical implementation of Identity-Based Encryption over 5 years ago, Voltage SecureMail. It’s now proven and in use by many of the largest and most successful corporations in the world. Working within your existing email environment, Voltage SecureMail makes email encryption super simple and intuitive. Your recipient’s email address is all you need to know in order to send secure messages. Once they receive a secure message, your recipients simply verify their identity to view—and respond—securely.

Through the Voltage Security Network (http://www.vsn.voltage.com/), this solution is being made available to everyone.