09Feb, 2017

Email Encryption

Electronic mail is a medium for exchanging digital messages between computer users over a network; it first saw substantial use in the ’60s, and its name was shortened to “email” in the mid ’70s. It runs over a network of computers, today primarily the Internet. To carry mail between remote sites and other organizations, telecommunication links such as dial-up modems or leased lines provided the means to transport email globally, creating local and global networks. This was challenging for a number of reasons, including the widely different email address formats then in use. How does an email know where to “go”? The sending software looks the recipient up in the Internet’s address book (a world-wide directory) and hands the file to the next computer that knows how to reach the recipient. This repeats until the recipient’s computer receives the file; the chain can be one, two, three or more computers long.

How is an email “sent”? The file is copied, just like you might copy a file to an external hard drive, from one computer to another and another until it reaches the recipient.

What happens to all those copies of the email? Email copies are saved by each computer, sometimes forever.

Who can read email? Email can be read by anyone with access to the file. That includes you, the recipient, and everyone with access to the computers with copies of the file (usually system administrators).

Email Risks

The most common email risk is disclosing sensitive information to someone unauthorized to see that information. Types of information that are often disclosed include:

  • Personal information like social security numbers, phone numbers, and addresses
  • Health information such as medications, accident information, etc.
  • Financial information like salaries, bonuses, credit card numbers, etc.
  • Technical information such as passwords, private links to files, and usernames

Encryption

In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not of itself prevent interception, but it denies the message content to the interceptor. In an encryption scheme, the intended message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read once decrypted. In practice an encryption scheme uses a key produced by a pseudo-random key-generation algorithm. It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, large computational resources and skill are required. An authorized recipient can easily decrypt the message with the key, which the originator provides to recipients but not to unauthorized interceptors. The purpose of encryption is to ensure that only somebody who is authorized to access the data (e.g. a text message or a file) can read it, using the decryption key. Somebody who is not authorized is excluded because he or she does not have the required key, without which the encrypted information cannot be read.

Sometimes big security problems go unfixed for so long that they sort of disappear. They can disappear without being fixed or mitigated. They can disappear without anyone forgetting they exist or forgetting that they’re serious. They can disappear just because they become normal. Today the people of the world will exchange about 250 billion messages using a system that has been shockingly insecure for decades: email. Many of those billions of messages will contain personal, private or even confidential information, because most of the people sending them just don’t know how easy it is to read somebody else’s email. As security problems go, email insecurity may not be fashionable; it isn’t bleeding edge, and it doesn’t have a logo or a PR-friendly name like Heartbleed or Cryptolocker. However, it shouldn’t be handled with levity. Hence, we look into one of the best modes of securing emails: email encryption.

Email encryption

Email encryption is the encryption of email messages to protect the content from being read by entities other than the intended recipients. It may also include authentication. Email is prone to disclosure of information: most emails are currently transmitted in the clear (not encrypted), and with readily available tools, people other than the designated recipients can read the contents. Email encryption has been used by journalists and regular users to protect privacy. It can rely on public-key cryptography, in which each user publishes a public key that others can use to encrypt messages to them, while keeping secret a private key they use to decrypt such messages and to digitally sign the messages they send.

What to Encrypt

To secure your email effectively, you should encrypt three things: the connection to your email provider; your actual email messages; and your stored, cached, or archived email messages.

If you leave the connection between your email provider and your computer or other device unencrypted while you check or send email, other users on your network can easily capture your email login credentials and any messages you send or receive. This hazard typically arises on a public network (the Wi-Fi hotspot in a coffee shop, say), but an unencrypted connection can also pose problems on your work or private network.

Your actual email messages are vulnerable as they travel over the Internet after leaving your email provider’s server, because a message can be intercepted as it bounces from server to server. Encrypting your messages before sending them renders them unreadable from the point at which they embark on their journey to the point at which the intended recipient opens them.

If you leave saved or backed-up email messages (from an email client program like Microsoft Outlook) on your computer or mobile device, a thief or snoop might be able to gain access to them, even if you’ve password-protected your email program and your Windows account or mobile device. Again, encryption renders them unreadable to the intruder.

Encryption protocols

Protocols for email encryption include:

  • Bitmessage
  • OpenPGP
  • GNU Privacy Guard
  • S/MIME
  • TLS

Mail Sessions encryption

The STARTTLS SMTP extension is a TLS (SSL) layer on top of the SMTP connection. While it protects traffic from being sniffed during transmission, it is technically not encryption of emails, because the content of messages is revealed to, and can be altered by, intermediate email relays. In other words, the encryption takes place between individual SMTP relays, not between the sender and the recipient. When both relays support STARTTLS, it may be used regardless of whether the email’s contents are encrypted using another protocol. STARTTLS is also an extension of IMAP4 and POP3, as stated by RFC 2595. Mandatory certificate verification is not viable for Internet mail delivery. As a result, most email that is delivered over TLS uses only opportunistic encryption. DANE is a proposed standard that makes an incremental transition to verified encryption for Internet mail delivery possible.
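The difference between opportunistic and verified STARTTLS, as an added example that is not part of the original post: a small Python submission client that either falls back to plaintext when the next hop offers no STARTTLS (opportunistic, the behaviour the section describes) or fails closed, and that passes an explicit `ssl.create_default_context()` so the hop's certificate and hostname are actually verified. The addresses and host are constructed placeholders; only the policy decision and message assembly run without a server.

```python
import smtplib
import ssl
from email.message import EmailMessage

OPPORTUNISTIC = "opportunistic"  # use TLS when the hop offers it, else send in the clear
REQUIRE_TLS = "require"          # fail closed unless TLS is offered and the cert verifies


def decide_transport(ehlo_features, policy):
    """Pick the transport for one hop from the EHLO keywords the server
    advertised (smtplib stores them lower-cased in SMTP.esmtp_features).
    Returns 'tls', 'plaintext' or 'refuse'."""
    if "starttls" in {k.lower() for k in ehlo_features}:
        return "tls"
    return "plaintext" if policy == OPPORTUNISTIC else "refuse"


def build_message(sender, recipient, subject, body):
    """Assemble an RFC 5322 message. STARTTLS only wraps the socket: the
    relay at the far end still receives every header and the body exactly
    as assembled here, and may keep a copy."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def send(msg, host, port=587, policy=REQUIRE_TLS):
    """Deliver msg to the next hop under the given STARTTLS policy.
    Returns the transport used; raises instead of downgrading under REQUIRE_TLS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    with smtplib.SMTP(host, port, timeout=30) as server:
        server.ehlo()
        transport = decide_transport(server.esmtp_features, policy)
        if transport == "refuse":
            raise smtplib.SMTPException(f"{host} offers no STARTTLS; not sending in the clear")
        if transport == "tls":
            server.starttls(context=ctx)  # ssl.SSLError if the certificate fails verification
            server.ehlo()                 # re-learn extensions over the encrypted channel
        server.send_message(msg)
    return transport


if __name__ == "__main__":
    # Constructed placeholder addresses and host; needs a reachable submission server.
    message = build_message("alice@example.com", "bob@example.com", "hello", "meet at noon")
    print(send(message, "smtp.example.com"))
```

Even under REQUIRE_TLS the receiving relay reads and stores the message in the clear; only end-to-end encryption of the body (OpenPGP or S/MIME) changes that.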
