How Secure is Your E-Mail?

  • Written By: P. Hayes
  • Published On: October 1 1999



What is Secure E-Mail?

Secure electronic mail is electronic communication which guarantees messages arrive intact and unhampered in the intended recipient's inbox. If a message can be intercepted, the contents can and most likely will be tampered with. The process of intercepting electronic communication on public networks, such as the Internet, has been simplified. A party interested in viewing point to point e-mail can visit one of numerous news groups and hacking web sites for a full instruction set and tools to read your mail. The process has been documented perfectly, to the point that the 12 year old round the corner can easily read your latest business plan, innovation, stock trades and on-line banking transactions from the comfort of his or her bedroom.

The number of Internet users with e-mail capabilities has surpassed 200,000,000 people. Given the explosion of Internet e-mail, it is shocking that security has only now become a major concern. The standard flavors of POP3 e-mail clients only offer a Data Encryption Standard (DES) of 40-Bits. A 40-Bit encryption level, for today's advanced hackers, offers virtually no protection. By contrast the military uses a 4096-Bit DES encryption level that is unshakeable. At this point the best an average e-mail user can do is register and download a 128 Bit Security patch from their mail client provider's web site, which offers a much greater level of security, but is not hacker proof.

How is E-mail Encrypted?

MIME (Multipurpose Internet Mail Extensions) is the most common method for transmitting non-text files via Internet e-mail, which was originally designed for ASCII text. MIME encodes the files by using one of two encoding methods and decodes it back to its original format at the receiving end. A MIME header is added to the file, which includes the type of data contained, and the encoding method used.

S/MIME (Secure MIME) is a version of MIME that adds RSA encryption (Rivest-Shamir-Adleman) a highly secure cryptography method by RSA Data Security, Inc., Redwood City, CA, (www.rsa.com) for secure transmission. S/MIME was introduced in 1996, and has emerged as the messaging industry's standard for secure e-mail. S/MIME utilizes Public Key Cryptography Standards (PKCS) to ensure cross-platform and multi-vendor compatibility. S/MIME has been, and continues to be widely adopted by the messaging industry.

S/MIME, like MIME, uses two cryptographic encoding methods that both utilize RSA (PKCS), a digital signature and a digital envelope. The digital signature provides some level of security but does not provide for privacy. To encrypt the message for privacy a digital envelope is used so that only the intended recipient can read the contents of the message. The message is not encrypted using RSA, but with encryption algorithms such as DES or RC5 (The latest in a family of secret key cryptographic methods developed by RSA Data Security, Inc).

United States Government Plans

The pending "Cyberspace and Electronic Security Act" sponsored by the Clinton Administration will allow the FBI unlimited access to private e-mail at their discretion. The FBI would not even require a search warrant. Circumventing Fourth Amendment Search and Seizure standards will viably allow the government access to all third party encryption algorithms and keys. If this Act passes successfully through Congress, a user's e-mail will never be safe from prying eyes.

How do you protect your E-mail?

  • Verify that your Internet Service Provider Supports S/MIME. If not, ask when they will. Chances are high that S/MIME is supported (probability 80%). If your ISP has no intention of implementing S/MIME, look for a new ISP.

  • If you are running your own e-mail server, implement S/MIME, even if you choose to go with a third party security product.

  • Take advantage of 128-Bit DES encryption levels for mail clients and Internet browsers. Be proactive in your own security, and either download the patches or contact your vendor immediately.

  • Limit or discontinue the amount of sensitive material being transmitted over the Internet. If the material you are transmitting is entirely confidential, you are best off utilizing a postal service.

 
comments powered by Disqus