Why should I encrypt and sign my emails?

Have you ever sent your banking details or a copy of your passport via email, or any information you wouldn’t want a cyber criminal to have? Files containing sensitive company information that a rival company could exploit?

The email protocol has been unchanged over the last 40 years, and as it was never designed for security, it can be easily intercepted. As we know from the Snowden relevations many organisations do mass trawling to find and exploit weak targets. Therefore it’s good practice to be using Email encryption. In this article, we’ll cover the two common ways you can encrypt e-mails: PGP and S/MIME.

 

PGP
This acronomy stands for Pretty Good Privacy (https://ja.wikipedia.org/wiki/Pretty_Good_Privacy). It works based on the concept of asymmetric cryptography. Think of it as a lock that requires a special pair of keys – one to lock, and a different one to unlock. The ‘locking’ key is called Public Key, which is a string of code that encrypts emails addressed specifically to the receiver. Therefore, if someone wants to send you an encrypted message he first needs your Public Key. The ‘unlocking’ key (in other words, the decrypting code) is called the Private Key. Only you as the intended recipient of the encrypted email should have the Private Key. Anyone and every one can have your Public Key, you can even post it on your website, because only your Private Key can unlock its encryption. This is why it’s very important that you keep your Private Key safe, and to make sure no-one else can access it. If you want to write an encrypted response back to the sender, then you will first need that person’s public key (which only they can unlock with their Private Key).
The latest e-mail software also offers PGP encryption, for example, Thunderbird with their Enigmail plugin automises the process once set up.
More information in Japanese can be found on this great website: E-Mail Self Defense

S/MIME
Secure/Multipurpose Internet Mail Extensions (S/MIME) is also based on assymetric crytography, but here the key management is handled not by the end user by so-called Certificate Authorities (CAs). Most companies prefer S/MIME because of its hierarchical structure and the fact it can be easily deployed to the employees. It is also the integrated e-mail encryption standard on iOS devices and therefore very easy to use. S/MIME is based on the same technology as SSL, which you might know from websites that start with https://.

Another aspect of asymmetric cryptography which is just as important encryption is that it lets you sign e-mails. The digital signature allows the receiver to verify that the sender is the person he/she claims to
be. Here, the sender’s private key is used to sign the message and the receiver can verify the signature with the sender’s public key. This is an important feature for e-mails, as there are web apps that lets you send e-mails with another person’s e-mail address.

Some final things to note:

  • Meta information like the addresses of sender and receiver as well as the Subject of the e-mail cannot be encrypted, so be careful what you write there.
  • Encrypt also the non-important mails. Otherwise it would be easy to know what information is important and what is not so important.
  • Encryption will hold only for a certain time. As computers get faster and crypto analysis algorithms (code breaking software) better it is only a question of time. If the information is really confidential and will be confidential evenafter a long time, it might be wise not to send it via e-mail at all.