PGP and Email Security
If you are a subscriber to the OpenSourceIT technology newsletter, you saw a small introduction from me a couple of weeks ago on how to secure your files and email using industry standard encryption. I mentioned two specific programs, PGP and GnuPG. In the following article we will discuss these two technologies and some other options available to the end user.
Every person, at some point in their life, worries about their security. It may be when they are walking to their car late at night, or as an afterthought when they leave their house unlocked. There are many people who do something every day that is inherently insecure and is easier to snoop or steal than a car- they send email in plain text.
Usually email is harmless. It is casual conversation about the days events or negotiations about a possible contract. Email is not thought of as a business communications tool until it breaks. There are many people on the Internet that, to this day, continue to send passwords, credit card information, personal information such as addresses and anything else you can think of over plain text email. The reality of the dangers that exist within email are not apparent to them. Even with the multiple cracks exposed with major e-commerce sites such as Egghead, too few people consider email potentially dangerous.
There are ways to make email secure. The problem is that it requires that the server and the client support the technology. It usually requires that the person you are sending email to supports it as well. A long available technology is an S/MIME certificate. This technology is similar to the secure web sites that you access. It requires an external party to authenticate the certificate that a file was sent with. As an example:
Suzy writes an email to Tom and signs it with her certificate. If Tom already has Suzys public key, and if Toms email client supports S/MIME, it will check the signature of the certificate and contact the signing authority to check for authenticity. If Tom does not have Suzys public key, Tom's email client can extract the email as the public key is sent with each encrypted email.
This is a very cumbersome process as it requires that the people using the email have the same capabilities. It can also be expensive because commercial use of S/MIME for email signing usually costs money. You have to pay a subscription to have a signed key from an authority. The certificate authority Thawte will allow people free personal certificates.
There is a suite of technology applications currently available but not widely used that help ease the above burden. They are S/SMTP, S/POP, and S/IMAP. Using these technologies is just as simple as using your web browser to go to a secure web site. S/SMTP is the use of SSL or TLS (Transport Layer Security) to encrypt the SMTP transfer of email. SMTP is the protocol that is used to send email. S/POP and S/IMAP is the use of SSL or TLS to encrypt the transfer incoming email. Although most commercial email applications support this capability, it has its own implementation issues. In order for any of these technologies to be effective, every mail server on the Internet must be upgraded to support them. That is a huge, time consuming prospect, but it would be easier to implement a server wide upgrade over two years than to enforce rules on security to an end user. It also does not address the issue that most email stored on the Internet is stored in plain text. That's right, if you do not encrypt your email or even if you use the S/ suite of protocols you still run the risk of system compromise. If the server uses Sendmail, which the majority of the Internet does, the email is stored in plain text within a message spool.
As you can see, email security is a simple question to ask but a very difficult question to answer. A security technology that has been around for several years is PGP and it has a correlating standard called OpenPGP (RFC 2440). PGP first appeared on the Internet in 1991 and has enjoyed a great amount of success. It is not difficult to use, has free implementations, and is a defacto standard for file and email encryption. It too suffers from its own share of positives and negatives.
On the plus side, PGP is widely in use. The famed Gnu project has created its own version called GnuPG.. It works on normal files and email and operates on most platforms. The negative is nominal but can still present issues when using the products.