Big Brother seems to get more aggressive every day. The U.S. government recently commissioned a study on chat room surveillance. The Patriot Act authorized law enforcement agencies to obtain blank warrants allowing surveillance at ISPs. Large companies snoop in their employees’ e-mail as a matter of policy. Surveillance tools that can be used by curious co-workers or suspicious spouses are widely available on the Web. It’s enough to make the most laid-back sender of the most innocuous messages a little paranoid. Things are no better (and in some cases, are much worse) in other countries.
E-mail Security: an Oxymoron?
Electronic mail was not initially designed to be a secure means of communication. In fact, e-mail can be likened to a post card – whether your message is going across the LAN or across the Internet, it passes through one or more servers where administrators can easily read it, and it’s likely that it will be archived so a hacker could access it days, weeks, months or even years down the line.
This isn’t the only security issue with e-mail. Another big risk is e-mail forgery; spammers, “phishers” and others can forge e-mail headers to make it look as if your incoming messages are from someone else, or to send messages that look as if they came from you.
Public key cryptography can solve both of these problems. It can be used to digitally sign your messages so recipients can be confident that they’re really from you (or so you can be confident of the identity of those from whom you receive mail). It can also be used to encrypt the message data itself, to protect it from prying eyes. Let’s look at how that works.
How E-mail Encryption Works
E-mail encryption technologies generally use asymmetric encryption based on a pair of mathematically related keys, one of which is used to encrypt and the other of which is used to decrypt the binary data. The key pair consists of a public key that is distributed openly to others and a private key that is available only to the user. This same key pair can be used to provide authentication of the sender’s identity, confidentiality of the message content, or both.
To provide authentication, a sender encrypts a message with his/her private key. Because the public key is available to anyone, anyone can decrypt it using that sender’s public key. Thus, this does not protect the contents of the message – but because only messages encrypted with that particular private key (which only the sender has) can be decrypted by that particular public key, the recipients can be confident that the sender is who he/she claims to be. This use of public key cryptography is known as a digital signature. The public key is stored in a digital certificate, which is issued by a “trusted third party” such as Verisign.
You can purchase an e-mail certificate from Verisign for $19.95 (valid for one year) at http://www.verisign.com/products-services/security-services/email-security/index.html. You can get a free personal e-mail certificate from Thawte at http://www.thawte.com/email/index.html.
To provide data confidentiality, a sender encrypts the message with the recipient’s public key (which is available to everyone). Only the recipient has the private key that goes with that public key, and only that private key will decrypt the data, so the data is protected from being read by anyone else.
To use e-mail encryption, both sender and recipient need to have compatible encryption software. To create a digital signature, the software uses the private key and the message contents (in its binary form) to generate a number that is then hashed (run through an algorithm that creates a numerical summary). Any changes made to the message will invalidate the signature, because the message content is used to create the digital signature. The software on the recipient’s computer determines whether the signature is valid, and usually displays an icon showing a good or invalid digital signature.
To encrypt the contents of your e-mail, you need to have the recipient’s public key.
If the recipient’s software (e-mail client or Web mail site) is not compatible with the encryption technology or the MIME and S/MIME standards, your digital signature will come through as a garbled bunch of random characters.
How to Install a Free Digital ID from Thawte
To install a free digital ID that can be used to sign or encrypt e-mail, or to authenticate with Web servers, go to http://www.thawte.com and click the Products link at the top, then click “Free personal e-mail certificates.” To apply for your certificate, click the Join button.
You will be asked to provide information including your name, date of birth, nationality, e-mail address, and a national identification number that can be your passport number, social security number, driver’s license number or “other” (which you specify). You can also choose language and character set preferences, or use the settings that you have configured for your Web browser. You’ll be asked to enter a password and provide information for resetting the password if you lose it (a telephone contact number and a set of questions and answers to verify your identity). After you complete the application, you will receive an e-mail message containing instructions for the rest of the enrollment process. You must respond within two days, or the enrollment info you’ve provided will be deleted and you’ll have to start the process over.
The e-mail message contains a Web link and two values that must be copied and pasted into the proper fields on the Web page. Then you will be asked to enter your username (e-mail address) and the password you just selected. This will take you to a Web page where you can request your certificate. Just click the Request button. You can then choose the certificate type (X.509 certificates are available for Netscape, MSIE/Outlook/Outlook Express, Lotus Notes, Opera and C2Net SafePassage). You can configure certificate extensions to control how the certificate can be used by applications, or accept the default extensions if you’re not sure how to do this.
Next, you’ll be walked through the process of generating your public/private key pair. You can choose the Cryptographic Services Provider (CSP). Your browser may return a “Potential Scripting Violation” warning that the Web site is requesting a certificate on your behalf and asking if you want to request this certificate. Click Yes.
A new dialog box will open informing you that a new RSA exchange key is being created. You can set the security level to Medium or High (Medium is the default). At Medium, your permission will be requested when the key is used. At High, your permission will be requested and you’ll also have to provide the password.
The certificate created by this process will be identified only by your e-mail address. If you need or want your full name in the certificate, you must join Thawte’s Web of Trust (WOT) and have your identity verified in person by one of Thawte’s notaries, or, if there are none in your area, have a CPA, practicing attorney or bank manager certify your identity to Thawte and become a WOT notary yourself.
You will receive an e-mail message notifying you when your certificate has been issued and is ready for you to download. This normally only takes a few minutes. A link takes you to the “Install Your Cert” page; clicking the button downloads the certificate to your computer. After installation, you can view the certificate by clicking Tools | Internet Options | Content | Certificates in IE.
In Outlook, you can sign and/or encrypt your messages using the toolbar buttons (an icon showing an envelope with a ribbon to add a digital signature, and an icon showing an envelope with a lock to encrypt the data) or by clicking View | Options and clicking the Security Settings button. Depending on the security level you set earlier, when you click Send you may be asked to give permission or to enter your password for the certificate.
Other E-mail Encryption Options
There are a number of software programs and services that you can use to encrypt e-mail. These include:
- Pretty Good Privacy (PGP): one of the most popular encryption programs. A freeware version is available at http://www.pgpi.org/.
- Authentica: for corporate-level e-mail protection (www.authentica.com)
- DESlock: encrypts e-mail, as well as files and folders on the hard disk (www.deslock.com)
- GlobalCerts: secure e-mail gateway appliance that encrypts mail (www.globalcerts.net)
- Hushmail: PGP compatible secure mail service (www.hushmail.com)
To Encrypt or Not to Encrypt
Should you encrypt all of your e-mail? Probably not. The overhead of the encryption/decryption process may affect performance, and the added complexity may introduce new opportunities for problems, especially with recipients whose e-mail client software isn’t compatible. Besides, it’s just not necessary for the majority of e-mail messages sent by most people.
Some feel that an encrypted message is like a “red flag” announcing itself to the world as a message that contains sensitive data, making it more of a target for others to try to hack.
On the other hand, some industries are mandated by government regulations to take steps to ensure that certain information is kept private (for example, healthcare providers are governed by HIPAA laws, the financial industry by the GLB Act, etc.). In those cases, you might not have much choice; failure to encrypt certain data could leave you open to lawsuits or even criminal charges.
It’s up to each individual and organization to evaluate the nature of the e-mail you send and determine whether and when you should use encryption. Luckily, if you do decide you need it, today’s technology makes it relatively easy – and inexpensive – to implement.