
Email encryption: Using PGP and S/MIME

For those worried about the security and privacy of email communications, encryption is one layer to add, but using encryption software isn't terribly user-friendly.

Ever since the NSA leaks, the debate over privacy, encryption and security has started once again. People from all walks of life now wonder how much privacy they truly have online and are trying to find ways to protect themselves -- for the first time, in many cases. Perhaps the most obvious form of communication is email, yet it is also the least secure. The mail system was never designed to be secure or private: everything travels completely in the open, with no confidentiality or authentication whatsoever. Servers would communicate over insecure links, addresses could be spoofed endlessly, and servers would accept messages from anyone who said HELO.

Since the early days of the Internet we've had some improvements in email security. While early clients connected to mail servers using POP or IMAP, both of which were plain text by default, the vast majority of servers now support SSL encryption over these protocols, so at least your user name and password are no longer sent in plain text. SMTP, the protocol used to send mail, also has an encrypted version, but most servers do not use it when talking to each other. So while your messages may travel over an encrypted link for the last leg of their journey, the earlier hops were likely open for all to see.

The chance that emails can be seen on the wire is not the only issue either. The law governing these things is very old, and the way the US government interprets it, anything older than 180 days is considered abandoned. This means that if you leave messages in your Gmail or Hotmail account, or even on your business's hosted Exchange server, they become available to any law enforcement agency without a warrant, or even probable cause. All they need to do is ask, since those messages are no longer considered yours. Even newer emails require barely any judicial process to access: a FISA court can issue a secret order to Google, Microsoft or Apple, and all your messages will be handed to the government without you ever finding out about it. That is, if they hadn't already been intercepted on those insecure connections.

So why is it that email encryption isn't more widely used? It would solve all of these problems in one go. The issue, of course, is convenience. Right now, it's fairly annoying and not that obvious to start encrypting all of your messages. But if you want to do it, here's how.

S/MIME

There are two ways to encrypt or sign messages. The first is S/MIME, which works much like SSL connections: it relies on a digital certificate issued to you by a trusted authority. The actual protocol is derived from the PKCS #7 data format, and most email clients support S/MIME. Once you get a certificate, many of which are free from firms like Comodo or InstantSSL, you download a file ending with a .p7s extension and add it to your email application. You then gain the ability to sign messages to prove that they come from you; the recipient receives a message with an attachment. This attachment is your signature and can be read by any email reader that supports S/MIME.

This whole process is typically fairly straightforward, which makes S/MIME the most transparent way to get started with email encryption. When you go to one of the certificate authorities (CAs), you can download the certificate directly from the site, add it to your email software, and start using it right away.

If you don't know how public key cryptography works, I highly suggest reading the Wikipedia article, but in short: once someone receives a message with this attachment, they get your public key. This is what they then use to encrypt messages that only you can decrypt, using your private key. If you want to send encrypted messages, you need the public keys of the people you write to. Getting these certificates is a major hurdle to email encryption. S/MIME is mostly used inside corporations. If you have a Windows-based network, for example, you can use your Active Directory infrastructure to distribute certificates to all employees automatically, so everyone can send encrypted emails to each other. Over the Internet, that's a different story.
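The sign, verify, encrypt and decrypt steps described above, as an added example that is not part of the original article: it drives the openssl command-line tool, and a self-signed certificate stands in for one issued by a CA (an assumption made so the script runs offline); alice@example.test and bob@example.test are made-up identities.

```shell
#!/bin/sh
# Added example, not from the article: the S/MIME sign / verify / encrypt /
# decrypt cycle with the openssl command-line tool.  Assumptions: a self-signed
# certificate stands in for one issued by a CA, and alice@example.test and
# bob@example.test are made-up identities.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key pair plus self-signed certificate for one person.  With a real CA you
# would import the certificate file the CA issued instead of running this.
smime_make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1/emailAddress=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

smime_setup() {
    if [ -f "$WORK/alice.crt" ]; then return 0; fi   # idempotent
    smime_make_identity alice alice@example.test
    smime_make_identity bob bob@example.test
    printf 'hello Bob, meet at noon\n' > "$WORK/msg.txt"   # constructed body
}

# Sign as Alice.  The result is a multipart/signed message whose second part
# is the smime.p7s attachment: the signature plus Alice's certificate, which
# carries her public key.
smime_sign() {
    openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
        -inkey "$WORK/alice.key" -out "$WORK/msg.signed"
}

# Verify a signed message: succeeds only if the signature matches the content
# and the signer's certificate chains to something trusted (-CAfile).
smime_verify() {
    openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" \
        -out "$WORK/verified.txt" 2>/dev/null
}

smime_sign_and_verify() {
    smime_sign
    smime_verify "$WORK/msg.signed" && grep -q 'meet at noon' "$WORK/verified.txt"
}

smime_signed_has_p7s_part() {
    grep -q 'smime.p7s' "$WORK/msg.signed"
}

# A body altered in transit must fail verification.
smime_tamper_detected() {
    smime_sign
    sed 's/meet at noon/meet at midnight/' "$WORK/msg.signed" > "$WORK/msg.tampered"
    if smime_verify "$WORK/msg.tampered"; then
        return 1    # still verified: that would be a bug
    fi
    return 0
}

# Encrypt to Bob using only his certificate (public key); decrypting needs his
# private key.  -binary keeps the content byte-exact for the comparison.
smime_encrypt_roundtrip() {
    openssl smime -encrypt -binary -aes256 -in "$WORK/msg.txt" \
        -out "$WORK/msg.enc" "$WORK/bob.crt"
    openssl smime -decrypt -binary -in "$WORK/msg.enc" \
        -inkey "$WORK/bob.key" -out "$WORK/msg.dec"
    cmp -s "$WORK/msg.txt" "$WORK/msg.dec"
}

smime_setup
smime_sign_and_verify
echo "signature verified against Alice's certificate"
smime_tamper_detected
echo "altered copy rejected"
smime_encrypt_roundtrip
echo "encrypt to Bob / decrypt as Bob: round trip ok"
# What Bob's mail client sees: multipart/signed with a .p7s attachment.
grep -iE 'content-type|smime\.p7s' "$WORK/msg.signed"
```

Run it as a plain sh script. The grep at the end prints the MIME structure the recipient's client receives: a multipart/signed message whose second part is the smime.p7s attachment. With a CA-issued certificate you would pass that certificate to -signer and the CA's certificate to -CAfile instead of the self-signed one generated here; the tamper step is the check a mail client performs before showing the message as signed.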

PGP

The more popular form of encryption over the net is called PGP, or Pretty Good Privacy. Strictly speaking, the protocol is OpenPGP, and PGP is a commercial program that implements it. Most people instead use GPG, the open source implementation from the GNU project.

In many ways, PGP is similar to S/MIME in that both use public key cryptography. However, with PGP you don't rely on a central authority. Instead, you create your own private/public key pair using the PGP software, which makes getting started a bit more involved. You need to go to the GPG web site, where source code and binaries are available for various platforms. Once it is installed, you have to generate your own key. PGP also has the concept of key servers to distribute keys: you can upload your public key to a key server, and others can search for it and download it in order to send you encrypted messages. However, because you signed your own key yourself, there is no way to know whether a particular key is valid or not. You could make up a key pair for any email address, and no central authority can validate it. This is why PGP has the concept of key-signing parties: you can contact friends who will validate your key and sign it.
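The same workflow with GnuPG, as an added example that is neither the article's nor the GnuPG project's code: three made-up people, alice, bob and carol, each with their own throwaway keyring. Exporting a public key to a file and importing it elsewhere stands in for uploading to and downloading from a key server, and certifying a key after checking its fingerprint plays the part of the key-signing party; both are assumptions made so the script runs offline. The refusal step goes slightly beyond the paragraph above: it shows what gpg does in batch mode when asked to encrypt to a key that nobody you trust has signed.

```shell
#!/bin/sh
# Added example, not from the article or the GnuPG project: the OpenPGP
# workflow with gpg.  alice, bob and carol are made-up identities, each with
# a throwaway keyring; exporting/importing public-key files stands in for a
# key server (assumption so the script runs offline).
set -eu

WORK=$(mktemp -d)
cleanup() {
    for who in alice bob carol; do
        GNUPGHOME="$WORK/$who" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Run gpg as one person.  Each has a private GNUPGHOME, so nobody's private
# key is visible to anyone else.
gpg_as() {
    who=$1; shift
    GNUPGHOME="$WORK/$who" gpg --batch --quiet --yes --no-tty "$@"
}

pgp_setup() {
    if [ -f "$WORK/.ready" ]; then return 0; fi   # idempotent
    for who in alice bob carol; do
        mkdir -p "$WORK/$who" && chmod 700 "$WORK/$who"
        # Generate a key pair; the empty passphrase is only for an unattended demo.
        gpg_as "$who" --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$who <$who@example.test>" default default never 2>/dev/null
        # "Upload to a key server": publish only the public half.
        gpg_as "$who" --armor --export "$who@example.test" > "$WORK/$who.pub"
    done
    # "Search the key server and download": everyone imports the others' public keys.
    for who in alice bob carol; do
        for other in alice bob carol; do
            [ "$who" = "$other" ] || gpg_as "$who" --import "$WORK/$other.pub" 2>/dev/null
        done
    done
    touch "$WORK/.ready"
}

# Validity of a key as seen from one keyring (--with-colons field 2): "u" is
# your own key, "f" fully valid, "-" or "q" unknown.  A key just downloaded is
# unknown: anyone could have generated a key pair for that address.
pgp_key_validity() {
    gpg_as "$1" --with-colons --list-keys "$2" 2>/dev/null \
        | awk -F: '/^pub:/ { print $2; exit }'
}

# The key-signing party: $1 checks $2's fingerprint with $2 in person, then
# certifies the key.  A signature from a key the signer trusts ultimately
# (their own) makes the signed key fully valid in that keyring.
pgp_certify() {
    if [ "$(pgp_key_validity "$1" "$2@example.test")" = f ]; then return 0; fi
    fpr=$(gpg_as "$1" --with-colons --fingerprint "$2@example.test" 2>/dev/null \
        | awk -F: '/^fpr:/ { print $10; exit }')
    echo "$1 compares fingerprint $fpr with $2 and signs the key"
    gpg_as "$1" --quick-sign-key "$fpr" 2>/dev/null
    gpg_as "$1" --check-trustdb 2>/dev/null
}

# Nobody alice trusts has signed carol's key, so in batch mode gpg refuses to
# encrypt to it instead of silently trusting a possible impostor.
pgp_encrypt_refused_for_uncertified_key() {
    printf 'meet at noon\n' > "$WORK/note.txt"
    if gpg_as alice --encrypt --recipient carol@example.test \
            --output "$WORK/to_carol.gpg" "$WORK/note.txt" 2>/dev/null; then
        return 1    # accepted an uncertified key: that would be a bug
    fi
    return 0
}

# After alice has certified bob's key she can encrypt to it; only bob's
# keyring holds the private key that opens the result.
pgp_encrypt_roundtrip() {
    pgp_certify alice bob
    printf 'meet at noon\n' > "$WORK/note.txt"
    gpg_as alice --encrypt --recipient bob@example.test \
        --output "$WORK/to_bob.gpg" "$WORK/note.txt" 2>/dev/null
    gpg_as bob --output "$WORK/note.dec" --decrypt "$WORK/to_bob.gpg" 2>/dev/null
    cmp -s "$WORK/note.txt" "$WORK/note.dec"
}

pgp_setup
echo "bob's view of alice's key before signing: $(pgp_key_validity bob alice@example.test)"
pgp_certify bob alice
echo "bob's view of alice's key after signing:  $(pgp_key_validity bob alice@example.test)"
pgp_encrypt_refused_for_uncertified_key
echo "encrypting to carol refused: her key is not certified in alice's keyring"
pgp_encrypt_roundtrip
echo "encrypt to bob, decrypt as bob: round trip ok"
```

Run it as a plain sh script with gpg 2.1 or later installed. The validity printed for alice's key changes from unknown to "f" once bob has signed it, which is the whole point of the key-signing party; a script that works around the refusal with --trust-model always gives up exactly that check.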

As you can see, none of this is particularly user-friendly. Email encryption has existed for a long time and is fairly robust. If you get someone's public key and then send them messages encrypted using either S/MIME or PGP, it doesn't matter that email security is basically non-existent; no one but your recipient will be able to read what you say. However, getting started takes some doing, so few people bother. Worse, all of this is very hard to do with web-based email services. You can't use the Gmail or Hotmail websites to send encrypted email, because your private key would have to reside on their servers. There are workarounds, however, such as Mailvelope, which does the whole encryption process in JavaScript inside your browser.

I, for one, wish email encryption was ubiquitous, but we're far from there still. Does your organization use email encryption software? Tell us about your solution.

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

4 comments
sean_dorman

Private key would not have to reside on a company's servers. A company can generate a pair of keys; one public (which is stored on the web server) and one private (stored on a smartphone database or in desktop browser cookies). If I send a message to you, I use your public key from the web server and you decrypt it using your private key on your device or desktop. If the smartphone loses its memory or is compromised, or the cookies are deleted from a computer, the end user would have to have a new pair of keys generated (the public key saved again to the web server...) and would have no ability to access messages received prior to the loss or compromise of the original pair.

Neon Samurai

Enigma is a must-have plugin for Thunderbird/Icedove. Anyone have good PGP/GnuPG for Outlook or Exchange?
