E-mail encryption is one of the most important aspects of security in organizational networks, personal use, and the Internet. By default, email messages are not secure. They are sent across the Internet in plain text. Hackers who gain unauthorized access to an email account can access attachments, content, and even hijack your entire email account.

We have already written a post about data encryption. You might want to take a look at that post first.

E-mail encryption involves encrypting, or disguising, the content of email messages in order to protect potentially sensitive information from being read by anyone other than intended recipients. In other words, encryption renders the content of your emails unreadable as they travel from origin to destination, so even if someone intercepts your messages, they can’t interpret the content.

End-to-end e-mail encryption provides the highest level of confidentiality and protection to your email communication. The public key infrastructure (PKI) is used to encrypt and decrypt emails. Each person is assigned a public and private key in the form of digital code. The public key is stored on a key server along with the person’s name and email address, and can be accessed by anyone. This public key is what is used to encrypt the email. If someone wanted to send you an email with sensitive information, they would use your public key to encrypt it.

Additionally, all persons have a private key they can use to decrypt such messages or to digitally encrypt and sign messages they send.

Source: digitalguardian.com, blog.mailfence.com, and pandasecurity.com

 

 

What to Encrypt?

There are three primary things you should encrypt:

  1. The connection from your email provider: Encrypting the connection prevents unauthorized users on the network from intercepting and capturing your login credentials and any email messages you send or receive.
  2. Actual email messages: Email encryption ensures that even if access is obtained, the content of your email messages is unreadable.
  3. Stored, cached, or archived email messages: If you store backed-up email messages in an email client, such as Gmail, hackers may gain access despite password protection of your accounts and even your device.

Source: digitalguardian.com

 

 

E-mail Encryption Methods 

There are numerous methods for email encryption; this lesson will discuss three major players in encryption:

 

S/MIME 

S/MIME is based on public key infrastructure (asymmetric encryption) and secures email through encryption, authentication, and integrity. S/MIME is built into products from large email providers such as Apple and Outlook.

S/MIME provides the following cryptographic security services for electronic messaging applications:

  • Authentication
  • Message integrity
  • Non-repudiation of origin
  • Privacy
  • Data security

With S/MIME, the following occurs when a message is created:

  1. Message is entered/composed.
  2. Unique information regarding the sender is retrieved.
  3. A digital signature is added to the message using the sender’s unique information.
  4. Message is sent.

When the message is received at the other end, the following occurs:

  1. Message received.
  2. The digital signature, the message body, and finally the identifying information from the sender are read.
  3. A signing operation is run on the message.
  4. The digital signature on the message is compared against the signature read on receipt.
  5. If the signatures match, the message is verified.
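The creation and receipt steps above can be reproduced with the openssl command line. This is an added example, not taken from the cited sources; the address alice@example.test, the file names, and the self-signed certificate (standing in for a CA-issued one) are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. alice@example.test and every file name are constructed.
smime_demo() {
    dir=$(mktemp -d) || return 2
    status=0
    (
        cd "$dir" || exit 2
        # The sender's "unique information": a private key and a certificate
        # binding the public key to the address. Self-signed for the demo
        # (assumption); production certificates are issued by a CA.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Alice Example/emailAddress=alice@example.test" \
            -keyout alice.key -out alice.crt 2>/dev/null || exit 2

        printf 'Please transfer 100 EUR to account 12345.\n' > msg.txt

        # Creation: sign the composed message. The output is multipart/signed,
        # with the body in clear text and the signature attached.
        openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key \
            -out signed.eml 2>/dev/null || exit 2

        # Receipt: openssl recomputes the digest over the body, checks it
        # against the signature, and checks that the signer certificate
        # chains to the trusted certificate given with -CAfile.
        if openssl smime -verify -in signed.eml -CAfile alice.crt \
            -out /dev/null 2>/dev/null; then intact=verified
        else intact=rejected; fi

        # Constructed tampering: change the amount in the clear-text body.
        sed 's/100 EUR/900 EUR/' signed.eml > tampered.eml
        if openssl smime -verify -in tampered.eml -CAfile alice.crt \
            -out /dev/null 2>/dev/null; then tampered=verified
        else tampered=rejected; fi

        echo "intact=$intact tampered=$tampered"
    ) || status=$?
    rm -rf "$dir"
    return "$status"
}

smime_demo
```

The signature protects integrity and origin only: the body of `signed.eml` is still readable by anyone who handles it, so confidentiality needs S/MIME encryption in addition to signing.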

S/MIME Certificates have some advantages:

  • The sender cannot deny having sent the email and its contents (due to the existence of the digital signature).
  • No cybercriminal can insert any sort of malware while the email is in transit.
  • Digital signature protects the email recipients from email spoofing.
  • If someone has tampered with the email or digital signature, S/MIME immediately alerts the recipients about the risk.
  • With S/MIME certificates, no email tampering is possible.
  • An S/MIME certificate protects data from eavesdropping and leakage.

These are some of the many desktop and mobile email clients that support S/MIME certificates:

  • iPhone iOS Mail
  • Gmail (paid version)
  • IBM Notes
  • Microsoft Outlook and Outlook on the Web
  • Mozilla Thunderbird

Source: comodosslstore.com

 

PGP 

PGP is an encryption program that provides cryptographic privacy and authentication for data communication (including e-mails, files, directories, and whole disk partitions). Within this model, there is more flexibility and control over how well emails are encrypted.

A person needs to go to the GPG web site, where source code and binaries are available for various platforms. Once it is installed, the person has to generate his/her own key. These are some of the many desktop and mobile email clients that support S/MIME certificates:

  • iPhone iOS Mail
  • IBM Notes
  • Microsoft Outlook and Outlook on the Web
  • Mozilla Thunderbird

Read more about PGP here.

 

TLS 

TLS is intended to secure the communications between two points. We can apply TLS encryption to a variety of protocols, including HTTP for the web and SMTP for email.

When one email server sends a message to another email server over TLS, the connection itself is encrypted, but the actual message data is not. It’s secure and compliant because it was sent over an encrypted channel. It’s important to use SSL or TLS with our email setup. TLS is a good option for this, but it may not be enough for an email encryption strategy.

Why? TLS-encrypted messages don’t always meet every one of customers’ needs. For example, we know that TLS only secures the channel from the sender’s device to the corporate mail server. But emails are often transferred via additional servers where encryption cannot be guaranteed. Another security risk lies in the X.509 certificates used, because many companies simply fail to validate their certificates, leaving them exposed to threats.
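Whether each hop actually used TLS can be checked after delivery from the message's Received headers. The following is an added example, not taken from the cited sources: the header block is constructed sample data, and the check assumes servers record the RFC 3848 transmission types (ESMTPS, ESMTPSA, LMTPS, LMTPSA) or a "version=TLS" comment.

```shell
#!/bin/sh
# Added example. Hosts, addresses and IDs below are constructed sample data.
sample_headers() {
cat <<'EOF'
Received: from mx.recipient.example (mx.recipient.example [203.0.113.5])
    by mailstore.recipient.example with ESMTPS id A1
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
    Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.transit.example (relay.transit.example [198.51.100.7])
    by mx.recipient.example with ESMTP id B2;
    Mon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.sender.example (laptop [192.0.2.10])
    by smtp.sender.example with ESMTPSA id C3
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
    Mon, 01 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body text
EOF
}

# Reads a raw message on stdin; prints "<receiving-host> <protocol> tls|plain"
# for every Received header, newest hop first.
audit_hops() {
    awk '
    function emit(   i, n, w, by, proto) {
        if (hdr == "") return
        by = "?"; proto = "?"
        n = split(hdr, w, /[ \t;]+/)
        for (i = 1; i < n; i++) {
            if (w[i] == "by"   && by == "?")    by = w[i + 1]
            if (w[i] == "with" && proto == "?") proto = w[i + 1]
        }
        printf "%s %s %s\n", by, proto, \
            (proto ~ /^(ESMTPS|ESMTPSA|LMTPS|LMTPSA)$/ || hdr ~ /version=TLS/) ? "tls" : "plain"
        hdr = ""
    }
    /^[ \t]/ { if (hdr != "") hdr = hdr " " $0; next }  # folded continuation line
    { emit() }                                          # a new header ends the previous one
    /^$/ { exit }                                       # blank line: headers are over
    tolower($0) ~ /^received:/ { hdr = $0 }
    END { emit() }
    '
}

# Receiving hosts that accepted the message over an unencrypted connection.
plain_hops() { sample_headers | audit_hops | awk '$3 == "plain" { print $1 }'; }

sample_headers | audit_hops
```

Received headers written by servers outside your control can be forged or incomplete, so treat only the hops added by your own infrastructure as reliable evidence.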

And there are a variety of other secure delivery options available, from public key encryption methods, like S/MIME and PGP, to Secure Web Portals.

Source: datamotion.com 

 

 

How to Encrypt Email?

You can learn how to encrypt email here. There is useful content there.

 

———————————

Sources:

digitalguardian.com

datamotion.com 

blog.mailfence.com

comodosslstore.com

pandasecurity.com