E-Mail Encryption Explained
Email plays a massive part in today’s business. However email relies on an insecure transport protocol, which is SMTP on port 25. Many anti-spam filtering solutions support e-mail encryption. This will ensure e-mails are in a none-readable format from sender to receiver. Usually banks and other data sensitive organisations would require the use of encrypting emails. Transport Layer Security (TLS) and Pretty Good Privacy (PGP) are two common methods used to encrypt e-mails.
Using Transport Layer Security (TLS)
One of the ways to resolve this is to use Transport Layer Protocol (TLS) which will provide some security and privacy for email messages.
We use TLS to protect web traffic as well as email, usually known in the form of Secure Socket Layer (SSL). The benefits from using TLS are that each email server authenticates to the other and reduces the chances of any spoofing of authenticity from occurring. The content of each email message is encrypted when in transit, and the encrypted conversation makes it difficult for an attacker to tamper with.
Transport Layer Security (TLS) is a cryptographic protocol which provides secure communication, preventing eavesdropping, tampering and message forgery. TLS with authentication requires a digitally signed certificate, signed by a certificate authority (CA). It provides endpoint authentication and communication privacy. Key benefits from TLS are as detailed below:
- Strong authentication – Ensuring servers, anti-spam filtering solutions are trusted.
- Message Privacy – Ensuring the e-mail message is encrypted (None-readable) while in transit from one end to the other.
- Integrity – Ensuring the e-mail has not been tampered with and changed.
TLS works from gateway to gateway. If there are hops between the protected gateways, then the protection is broken. For example two businesses that communicate frequently, then TLS is a good choice, assuming both gateway devices talk directly to each other. If email from one company hops to another server before arriving at the other company, (usually a common scenario when using email protection in the cloud as a first layer of defence) then you would need to secure your emails using TLS from your gateway to the upstream host in the cloud as a first step. The next step would be providing TLS security from the upstream cloud service to the other company. Your business partners would need to do the same if they are using a cloud service. A real world example of an email cloud service which is used as a layer of email security is Message Labs, who provide a hosted anti-spam and web security in the cloud service.
Both gateway devices would need to support the use of TLS, inbound and outbound for full protection. The peer server can be identified by the domain name or IP address. Note, TLS supports authentication and encryption. However you would need to use a signed certificate for strong authentication. Without a signed certificate you would only be able to encrypt your email messages, there would be no authentication and non-repudiation.
Peer devices should use the same level security settings, so if you set your TLS with a 256 bit key then the peer devices will need to use 256 bit keys or else the TLS will fail and no email's will be exchanged. However with that said, there is a less secure way around this, in using opportunistic TLS. This feature looks to see if the peer uses TLS and if they don’t use TLS it will fall back to unencrypted email. Using this method, you will not fall into TLS conversations problems, although the option is obviously less secure.
Using Pretty Good Privacy (PGP)
Pretty Good Privacy (PGP) also provides cryptographic privacy and authentication. PGP avoids centralised authorities, and implements direct trust with other hosts. A term used in this scenario is “Web of Trust”. If Host A trusts the certificate of Host B and Host B trusts the certificate of Host C, then in turn Host A would trust Host C and vice versa. Using this method would result in tighter security, but more work to do in setting it up.
Further Reading
Wikipedia's guide to Email Encryption