Worried About Email Security?

Recently by James Black: Myths of Email

Perhaps the greatest email myth of all is that email is secure.

When asked whether the U.S. Government keeps copies of all emails, William Binney, a former employee of the National Security Agency (NSA) turned whistleblower, stated "I would think – I believe they have most of them, yes."

Many erroneously assume that email communications are secure when an encrypted connection is made to an email service. However, this only secures the connection to the web server – it does not protect email communications in transit.

Email communications are "open" and data can be "sniffed" by virtually anyone.

This is an open secret that few people are cognizant of.

What even fewer realize, however, is that it does not require sophisticated technology or a massive government budget to intercept email communications – indeed, even in the absence of all government, email communications can be intercepted. Mobile network operators, Internet service providers (ISPs), and private individuals, for example, can intercept email communications in transit and even block or forge them.

Secure email communications require encryption.

Encryption is the process of scrambling plain text communications into cipher text and unscrambling them back into plain text. This ensures that no one other than the intended recipient can read the electronic data. In transit, the encrypted data appears scrambled and cannot be read, listened to, or watched by anyone save the parties with the decryption key. Encrypted data can be protected in sundry manners, including a keyfile or password or both. However, because there is ordinarily no secure manner to transmit a password or keyfile over the Internet to an intended recipient, symmetric encryption alone is of little use.

Instead, only public-key cryptography, which utilizes asymmetric encryption, can be used to secure communications between two or more parties. Asymmetric encryption is a system of encryption with public and private keys, which are dissimilar but share mathematical affinity. Public-key cryptography is simple – each person generates a pair of public and private keys. Two parties who intend to transmit data securely first exchange public keys. When person "A" sends encrypted data to person "B," he encrypts it with person "B’s" public key; person "B" then decrypts the message with her private key. Although public-key encryption may seem complicated, it is anything but.

The essential thing to remember is that email encryption is only possible if two parties exchange public keys – email cannot be transmitted encrypted by only one party.

Pretty Good Privacy

The most widely accepted email encryption standard in the world is PGP. PGP is an acronym for Pretty Good Privacy and was developed in 1991 by Phil Zimmermann. PGP is commercially sold by the Internet security company Symantec. While there are some advantages to using the commercial version of PGP, including disk encryption, there is one serious disadvantage. The commercial version of PGP is closed source. Closed source applications have a closed source code, which debars the source code from being independently analyzed for security bugs, including "backdoors." In addition to the source code, there are pecuniary interests to consider – the commercial PGP version is not cheap.

OpenPGP, however, is the open source alternative to PGP and is considerably more secure and trustworthy than the commercial version. The implementation of OpenPGP is made available by GnuPG. GnuPG is free software and cross platform – meaning it is available for Linux, Mac, Microsoft Windows, et al. OpenPGP can be used to sign and encrypt emails, files, and other data; nevertheless, it cannot, hitherto, be utilized for disk encryption.

Here are some essential elementary OpenPGP principles to consider:

  • Generate a key pair that has a key size of at least 2048 bits.
  • Create a separate password for the private key (i.e. separate from the email account).
  • Limit key expiration to no more than five years.
  • Create a revocation certificate.
  • Export (i.e. backup) the key pair.
  • Encrypt the private key locally on an encrypted PC.
  • Generate and store a key pair locally in an email client (i.e. avoid web mail).
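
A check for the key-size and key-expiration principles above, added here as an illustration and not part of the original article: a shell function that reads the colon-delimited listing GnuPG prints with `gpg --list-keys --with-colons` and flags primary keys below 2048 bits, without an expiration date, or valid for more than five years. The key IDs and dates in `SAMPLE` are constructed, and `audit_keys` is a name chosen for this example.

```shell
#!/bin/sh
# Added example: audit primary keys against the size and expiry principles.
# Colon-format fields used: 3 = key length in bits, 4 = algorithm id,
# 5 = key ID, 6 = creation time, 7 = expiration time (seconds since epoch).

MIN_BITS=2048                       # minimum key size from the list above
MAX_LIFETIME=$((5 * 365 * 86400))   # five years, in seconds

audit_keys() {
    awk -F: -v min="$MIN_BITS" -v max="$MAX_LIFETIME" '
        $1 != "pub" { next }        # skip uid, sub and other record types
        {
            verdict = "OK"
            # Ids 1-3 are RSA, 16 is Elgamal, 17 is DSA. The bit-length rule
            # applies to these only, not to elliptic-curve keys.
            if (($4 <= 3 || $4 == 16 || $4 == 17) && $3 + 0 < min)
                verdict = "WEAK_SIZE"
            else if ($7 == "")
                verdict = "NO_EXPIRY"
            else if ($7 - $6 > max)
                verdict = "LONG_EXPIRY"
            print $5, verdict
        }'
}

# Constructed sample listing (not real keys): a two-year RSA-4096 key,
# a DSA-1024 key, a ten-year RSA-3072 key and an RSA-2048 key with no expiry.
SAMPLE='pub:u:4096:1:0000000000000001:1700000000:1763072000::u:::scESC:
uid:u::::1700000000::::Alice Example <alice@example.org>:
sub:u:4096:1:00000000000000A1:1700000000:1763072000:::::e:
pub:u:1024:17:0000000000000002:1100000000:::u:::scSC:
pub:u:3072:1:0000000000000003:1700000000:2015360000::u:::scESC:
pub:u:2048:1:0000000000000004:1700000000:::u:::scESC:'

printf '%s\n' "$SAMPLE" | audit_keys
```

On a real keyring, replace the sample with `gpg --list-keys --with-colons | audit_keys`.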

While it is possible to utilize OpenPGP in some web mail systems, with very few exceptions, it is universally a bad idea. Storing a private key on a web mail server exposes users to potentially serious security problems. Once the security or privacy of a private key or its password has been compromised, it can no longer be utilized or trusted. Indeed, in such instances, it is best to revoke the key and warn others that the security of the private key can no longer be guaranteed. An enemy (i.e. a hacker, a government agent, an identity thief), for instance, can utilize a compromised private key to forge signatures, impersonate persons, and read sensitive data.

In conclusion, public-key cryptography can be used to secure mobile communications, including phone calls and SMS, as well as email, documents, files, and virtually all electronic data. Its use is virtually limitless. Public-key cryptography such as OpenPGP is unbreakable, even to the most demanding and powerful government agencies.