There’s a growing awareness of the importance of keeping your information secure and many people are now looking at ways to protect their internet communications. With Google upping the standards on secure HTTP connections and the GDPR re-emphasising the importance of protecting information both in your care and during transport, attention has been turned to the insecure, ubiquitous, e-mail.


Brief History of Email


Created in the 1960s, electronic mail was originally a means of leaving messages for other users on time-sharing systems. As the US started to connect various institutions with the ARPANET, the use of electronic mail systems grew and it became a means of sending messages and files between users at different locations. Eventually, from the multitude of programs created to send messages, a standardised protocol for sending and receiving messages emerged, and the Simple Mail Transfer Protocol (SMTP) was born.

The nature of SMTP meant that messages (e-mail) were sent in plain text. In the 1990s, with the boom of the World Wide Web, people started to look at securing the SMTP protocol in order to protect their messages from eavesdroppers. A few alternatives were explored, but the use of SSL/TLS to secure the communications (STARTTLS) became the most prevalent.

This meant that the email was still being sent in plain text, but via an encrypted communication channel from the email client to the email server. Think of it like a hidden tunnel between your email client and the server: your emails still travel along the tunnel in plain text. This adds some protection from eavesdroppers, but doesn’t secure the email or its content. Once that email has been delivered to the first email server, it is accessible to anyone who has access to that server, and there is no guarantee that further hops and final delivery will be secured with TLS.

Read more on the History of Email

Problems with Encryption

Encryption, in most cases, works just fine. OK, there are various vulnerabilities in different encryption techniques and different attack vectors are found to get around the encryption, but on the whole, the encryption bit works. The problem is the decryption.

If I encrypt a file or message and then send it to a recipient over a public or open network such as the internet, I can rest assured that even if other people intercept that message or file they won’t be able to read it without first being able to decrypt it. But the exact same problem lies with the intended recipient of the email or file: they also need to know how to decrypt it before they can read it.

So the first problem is letting the recipient know what technique I have used to encrypt the file. As there is no built-in encryption on our devices (that can be used to send files or email), nor a single standardised form of encryption, both the sender and the receiver must agree on the technique beforehand.

The second problem is getting the key needed to decrypt the email or file to the recipient in a way they can understand, but which would be meaningless to anyone else who intercepted it.

Some of the encryption techniques here use Public Key Encryption (known as PKE, PKC (Public Key Cryptography) or asymmetric encryption), where you freely share the public part of your encryption certificate with everyone, but everyone you send information to will also need an encryption certificate. The others are password-based encryption (also known as symmetric encryption, as the same password is used to encrypt and decrypt the item), where you need to get a copy of the password to the recipient separately from the encrypted files. (See the note on passwords below.)

Encrypt entire email

If you want to encrypt the entire email, that’s the content of the email and the attachments, there are a few options available.

S/MIME

Developed in 1995, this is one of the standards for securing MIME data and, as such, your email client may already have some means of implementing S/MIME encryption.

MIME (Multipurpose Internet Mail Extensions) was developed to enhance the original ASCII-text-only email. It gave the ability to add audio, video, images and so on to emails, to have multi-part messages (such as plain text and HTML) and to extend the header information, which is hidden information used by email systems to offer additional functionality.

S/MIME uses certificates to authenticate the sender and the receiver; different classes of certificate offer different levels of verification of the owner.

[bg_collapse view=”button-orange” color=”#4a4949″ icon=”arrow” expand_text=”Read more about SMIME” collapse_text=”Close this” ]

S/MIME Certificate Classes

The basic certificate, Class 1, verifies that the ‘From’ address belongs to the sender. It does not verify anything else about the sender. This does mean that the recipient knows the email has not come from a spoofed address, nor from a sender trying to disguise their identity.

A Class 2 certificate offers more in-depth verification. Before a Class 2 certificate is issued, the identity of the individual and/or of the organisation is also confirmed.

How it works

The certificates (or keys) are issued by a globally trusted supplier and held on a network of publicly accessible Certificate Authority servers, which are secure directories of public keys. (A public key is one part of your certificate. It’s available to everyone, hence ‘public’, and is used in combination with the private part of the key to encrypt and decrypt messages.)

S/MIME can be used for email signing or for full email encryption.

Pros

  • It’s very likely your email client already has the ability to encrypt/decrypt S/MIME messages; all you need is a certificate (and for your recipients to have a certificate too).
  • You can have multiple certificates for multiple email accounts (such as private and business).
  • This is ideal for business-to-business email encryption.
  • The sender’s email address (and, for Class 2 certificates, the actual sender or the business) is verified before the certificate is issued.
  • S/MIME is very secure and uses trusted email encryption.

Cons

  • It’s not as straightforward to implement S/MIME on mobile apps.
  • While popular webmail clients such as Google, Microsoft and Yahoo can implement S/MIME, other webmail clients may not offer the option.
  • Emails are encrypted at the client level, so perimeter anti-virus checking is bypassed, and endpoint malware could be encrypted along with the message if sufficient anti-virus software is not used.
  • The email client may not be able to index the encrypted email for searching.
  • Many email clients may change the text in an email after digital signing, thus causing the email integrity to fail.
  • The EFAIL vulnerability has a significant impact on S/MIME encrypted messages and could expose the unencrypted plain text of the message in an attack.

[/bg_collapse]

OpenPGP (Pretty Good Privacy)

OpenPGP is an encryption standard developed to allow interoperability between software built to be OpenPGP compliant. It also uses Public Key encryption to encrypt and decrypt messages.

Many apps now make use of OpenPGP to provide encryption of much more than just emails, such as Instant Messaging, Entire Disk Encryption, File Sharing and Web services.

Looking at the email and file encryption apps only, there are plenty of apps for Mac, Linux, Windows, iOS and Android that are compliant.

[bg_collapse view=”button-orange” color=”#4a4949″ icon=”arrow” expand_text=”Read more about OpenPGP” collapse_text=”Close this” ]

How It Works

OpenPGP differs from S/MIME in the way certificates are made available. Instead of a Trusted Authority server holding the public key directory, PGP uses a Web Of Trust (WOT) to determine the authority of any certificate. As users mark certificates as trusted, that information is passed on to other recipients they communicate with, spreading trust in a certificate from user to user.

Newer versions of OpenPGP have added the ability to create Certificate Authorities similar to the S/MIME implementation, not only confirming that the key belongs to the owner, but also that the owner is trustworthy and can sign keys at a lower trust level than their own.

Pros

  • Lower cost to implement than S/MIME.
  • More cross-platform apps available.
  • Certificates can be used in multiple PGP applications.
  • Newer versions of PGP can include an expiration date on the certificate.
  • Supports both Web Of Trust and Certificate Authority servers.
  • Open source development.

Cons

  • Fewer clients offer built-in support meaning you need to install a plugin or additional app.
  • Early apps had a complicated setup that made it a barrier to being adopted.
  • Emails are encrypted at the client level, so perimeter anti-virus checking is bypassed, and endpoint malware could be encrypted along with the message if sufficient anti-virus software is not used.
  • The email client may not be able to index the encrypted email for searching.
  • There is exposure to the EFail vulnerability in incorrectly configured clients.

[/bg_collapse]

Email Signing

OpenPGP and S/MIME both offer email signing. This is not a form of encryption and the email is still sent in plain text.

The digital signature used in email signing is a way of verifying the sender’s email address, and that the email has arrived without being changed along the way.

The email is signed with the sender’s private key. When it is received, the recipient obtains a copy of the sender’s public key (either sent with the message, via the Web Of Trust, or accessible from one of the Certificate Authority directories) and can use that to verify the email’s integrity.

This gives assurance of both the sender’s email address (not the sender themselves) and the integrity of the email (it has not been tampered with between sender and recipient). It does not guarantee that the sender or company are who they claim to be. This means that you can be sure the sender had access to the email address the email came from (it was not spoofed), but not that the email address represents the sender. For example, the sender could set up an email account joe.bloggs@home.net and their ownership of that address is confirmed by the signed certificate; there is no check that it is actually Joe Bloggs who set up the address, though.

With S/MIME, depending on the class of certificate used, different levels of authority are available.

Encrypt Attachment (File Encryption)

If you only want to encrypt the files you are sending and not the actual email, file encryption is the way to go. Most tools still require both the sender and the recipient to have the program installed, and for either a password or a certificate to be shared.

A Note On Passwords

As we’ve mentioned before, if you’re using a password as the key to encrypt a file, the strength of the encryption ultimately comes down to how strong the password is and how difficult it is to guess.

Strong passwords consist of a mix of upper and lower case letters, numbers and punctuation marks. Combine words together to create longer passwords, and don’t use the same password twice, ever!

An example of a good password might be Micra/AB56DNW#650122@lw126bn, made up of your car model with a capital letter, your car registration in uppercase, the last part of your phone number and your work postcode in lowercase.

In the case of sharing files with your clients, you might want to agree on a system so you don’t have to communicate the password to your client each time. Perhaps suggesting that you use the client reference number, followed by a # and the date the email was sent in 8-digit notation, followed by a / and then the client’s office postcode in lowercase might work, giving something like ABC123456#01082018/bm453de, which is a reasonably complex password but easy to remember. Obviously, if the information being encrypted was particularly sensitive, you would want to use a much more robust method of encryption.

OpenPGP

The use of OpenPGP extends beyond full email encryption. Installing one of the many OpenPGP software suites or apps can give you features that include whole-disk encryption or single file/folder encryption. Typically the file, files or folders are encrypted into a container file, a bit like a .zip file.

The Gpg4win suite allows you to encrypt files and folders either with your OpenPGP certificate or with a password. While the password is less secure, it does mean you can send the encrypted file to people who don’t have a certificate.

The recipient will need the encrypted file and software installed that can read OpenPGP encrypted files in order to decrypt them; they will also need a copy of your public key or the password used to encrypt the files.

ZIP

Well known and well used, the humble zip file began life in 1989 as a way of compressing files to save expensive storage space. Windows and Mac both offer built-in support for zip files, meaning you don’t need to install any additional software, and you can be pretty sure your recipient has the ability to read your zip files.

But zip files alone are not encrypted or protected. Anyone who intercepts a standard zip file can open it and read the contents.

Various programs like WinZip, 7-Zip, PKWARE and so on add the ability to encrypt the contents of zip files with a password. These are mostly compatible with each other, using standards like AES; however, the built-in support on your computer will not be able to open them.

The recipient will need the encrypted .zip file, a copy of the password to decrypt it, and one of the additional programs, as Windows’ native support cannot decrypt an encrypted .zip file.

Microsoft Office

Microsoft Office has offered password protection since Word 95 and Office 97, with versions later than Office 2007 offering strong encryption on password protected files.

When you set a password in Office for the purpose of encrypting the file, you need to make sure you select the correct option: passwords used to restrict modification of files do not encrypt the files.

The built-in Microsoft Office password-based encryption is reasonably robust, though it has been shown that with sufficient resources it can be broken. If the value of the information being protected is worth the effort of breaking it, then you might want to consider additional, more secure encryption methods like OpenPGP.

Other office suites, like OpenOffice, also offer password encryption for their documents, but the files are typically not interchangeable; that is, an OpenOffice document saved with password encryption cannot be opened in Microsoft Office, and vice versa.

Encrypted PDF

PDF is another well known and well integrated document standard. The ability to create and read PDFs is built into most modern browsers, so they are a good way of sending information, especially if you don’t want the recipient to be able to edit the file very easily.

In order to encrypt a PDF, however, you will need some additional software.

The full-blown Adobe Acrobat software (not the free ‘Reader’ version) has the ability to encrypt a PDF with a password. Other programs that can encrypt PDF files are PDF-XChange, Foxit and Nitro (in each case, it’s only the full paid version that offers the encryption ability). Some free PDF reader programs like Foxit Reader, Adobe Reader and Nitro Reader can decrypt the files, so this makes PDF a good choice for securing your documents, as the recipient doesn’t need to spend money on additional software.

There are also web-based services that will encrypt and decrypt PDF files for you, though if the information is sensitive you may want to think twice before uploading it to an unknown server to encrypt/decrypt the file; check what their policy is for the caching of files and the scrubbing of memory.
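The ZIP, Microsoft Office and PDF sections above all carry the same practical risk: it is easy to believe an attachment is protected when the file was actually saved without encryption (a plain .zip, an Office file with only a modify-restriction password, a PDF with no security handler). The added example below is not code from the original article; it is a stdlib-only Python inspector that looks at the bytes of an attachment and reports whether the container is actually encrypted, and for ZIP archives whether the entries use legacy ZipCrypto or WinZip AES. The sample files are constructed in the script (the "encrypted" ZIP samples only have their encryption flag and method id set, so the checker has realistic metadata to find; no real encryption is performed), and the PDF and OLE checks are deliberately simple heuristics.

```python
import io
import struct
import zipfile

# Magic bytes that identify each container format.
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE compound file (CFB)
WINZIP_AES = 99       # compression-method id WinZip assigns to AES-encrypted entries
ZIP_ENCRYPTED = 0x1   # general-purpose flag bit 0: entry is encrypted


def inspect_zip_members(data):
    """Return (member name, encryption scheme) for every entry of a ZIP archive."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & ZIP_ENCRYPTED:
                scheme = "none"
            elif info.compress_type == WINZIP_AES:
                scheme = "AES (WinZip)"
            else:
                scheme = "ZipCrypto (legacy, weak)"
            members.append((info.filename, scheme))
    return members


def inspect_attachment(data):
    """Classify an attachment from its bytes as (kind, encrypted, detail)."""
    if data.startswith(PDF_MAGIC):
        # A password-protected PDF references a security handler via /Encrypt in its
        # trailer dictionary. Heuristic: the token is searched for in the whole file.
        enc = b"/Encrypt" in data
        return ("pdf", enc, "/Encrypt present" if enc else "no /Encrypt entry")
    if data.startswith(OLE_MAGIC):
        # A password-to-open OOXML file is no longer a ZIP: Office wraps the encrypted
        # package in an OLE container holding 'EncryptionInfo' and 'EncryptedPackage'
        # streams. OLE directory entry names are stored as UTF-16LE.
        enc = "EncryptionInfo".encode("utf-16-le") in data
        return ("ole", enc, "EncryptionInfo stream found" if enc
                else "OLE container without EncryptionInfo (legacy binary Office file?)")
    if data.startswith(ZIP_MAGIC):
        members = inspect_zip_members(data)
        names = [n for n, _ in members]
        kind = "office-ooxml" if "[Content_Types].xml" in names else "zip"
        enc = bool(members) and all(s != "none" for _, s in members)
        return (kind, enc, "; ".join(f"{n}: {s}" for n, s in members))
    return ("unknown", False, "unrecognised format")


# ---- constructed samples (not real documents) --------------------------------
def _plain_zip(name, payload):
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return out.getvalue()


def _mark_zip_encrypted(data, aes=False):
    """Test helper: set the encryption flag (and AES method id) on a single-entry
    archive so it carries the metadata a real encrypted archive has. The payload
    itself is left untouched; this is only to give the inspector something to find."""
    buf = bytearray(data)
    cd = buf.find(b"PK\x01\x02")            # start of the central directory
    for off in (6, cd + 8):                 # flag field: local header, central directory
        struct.pack_into("<H", buf, off, struct.unpack_from("<H", buf, off)[0] | ZIP_ENCRYPTED)
    if aes:
        for off in (8, cd + 10):            # compression method field in both headers
            struct.pack_into("<H", buf, off, WINZIP_AES)
    return bytes(buf)


SAMPLES = {
    "report.zip": _plain_zip("report.txt", b"quarterly figures"),
    "report-zipcrypto.zip": _mark_zip_encrypted(_plain_zip("report.txt", b"quarterly figures")),
    "report-aes.zip": _mark_zip_encrypted(_plain_zip("report.txt", b"quarterly figures"), aes=True),
    "report.docx": _plain_zip("[Content_Types].xml", b"<Types/>"),
    # Stub of an encrypted OOXML container: OLE magic plus an EncryptionInfo directory name.
    "report-encrypted.docx": OLE_MAGIC + b"\x00" * 504 + "EncryptionInfo".encode("utf-16-le"),
    "report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n",
    "report-encrypted.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        kind, enc, detail = inspect_attachment(blob)
        print(f"{name:22} {kind:13} {'ENCRYPTED' if enc else 'CLEARTEXT':9} {detail}")
```

Run before attaching a file to confirm it really is encrypted, or on a mail gateway to flag attachments that cannot be scanned. Note that "encrypted" here means only that the container says so; a ZipCrypto archive or a short password still gives weak protection, which is the point the password note above makes.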

Bitlocker

Windows’ built-in disk encryption (not available on Windows 10 Home) can encrypt individual files and folders or an entire partition or disk on the computer. But this encryption is not transportable. That is, the encryption is fine while the file is on your machine ‘at rest’, but once it’s used, the BitLocker engine silently decrypts the file.

This means that if your computer was stolen or the hard disk removed (or the file was on a removable BitLocker drive), the file cannot be accessed until the decryption key is entered, but if you copy or email a file from your computer while it’s running, BitLocker decrypts it first.

As such, while BitLocker is an excellent hard disk encryption tool, it cannot be used to send encrypted emails or attachments.

TrueCrypt & VeraCrypt

TrueCrypt was one of those open source, freely available programs that just worked, allowing you to create encrypted containers that could be mounted like additional disk drives, or to encrypt an entire partition or disk, even the boot system disk (much like BitLocker does now). Then there were some unusual press releases and suddenly development ceased, all very mysterious.

But from the ashes of TrueCrypt came VeraCrypt. Expanding upon the TrueCrypt base, it’s available on Windows, Mac OS X, Linux, BSD and Raspberry Pi.

While you can’t encrypt individual files and folders as such, you can put them inside an encrypted container file and send that by email. The recipient would need VeraCrypt installed, the encrypted container file, and the password and any keyfiles used to encrypt the files.

AxCrypt

This free encryption tool integrates into Windows and allows you to encrypt files or folders. The encrypted files/folders are saved individually as .axx files.

To email the file, the recipient will need a copy of AxCrypt installed, along with a copy of your password or key-file and the encrypted file(s).

There is a subscription version that offers more features, such as secure folders, sub-folder encryption and secure delete.

Portable Encryption Apps

There are a few applications for encrypting files and folders that are small and portable; the benefit there being that you can send a link along with an encrypted file so your recipient can download the software and run it without having to install anything.

The recipient will need to have the encrypted file and the password used to encrypt the files, and a link to download the app from.

dsCrypt, SureCrypt and WildCrypt (all available from http://members.ozemail.com.au/~nulifetv/freezip/freeware/index.html) are examples of portable encryption apps. When you run them, you typically choose whether you want to encrypt or decrypt the files, then just drag and drop your files onto the window.

They have options to use passwords or key files and are pretty straightforward.

Self-Decrypting EXEs

The use of self-decrypting EXEs initially sounds like a good idea: you use a program to encrypt the files or folders into a container file (a bit like a ZIP) and the program then packages that inside an .exe file which can run stand-alone, so you can send it to someone and all they have to do is double-click it, enter the password and the contents will unpack onto their computer (again, like self-extracting .ZIP files).

However, most antivirus programs, especially those on corporate firewalls, will see the attachment of an encrypted .exe file as a security threat and block or remove the attachment. Essentially, to get the file in, you are allowing a program file that can’t be scanned onto your network: an obvious and very large hole in the perimeter security, and one best avoided.

One way around this would be to use a hosted page: upload the .exe to a secure website, send a link to the recipient and let them download it from there. There may still be firewall issues, especially on a corporate network.

Advanced Encryption Package
http://www.aeppro.com/

This is a well-established file encryption tool, supporting a vast array of encryption algorithms. Simply enter your chosen password or keyfile, select the type of encryption you want and whether you want the original files securely deleted after encryption, then drag the files onto the application window.

Quick Crypto
http://quickcrypto.com/

This program offers self-decrypting exe files, file, folder and volume encryption, email encryption, a file shredder, internet privacy and on and on. We do wonder about such Swiss-army-knife applications, but on our test machine this did appear to do a pretty good job of encrypting the test files. The interface is a bit Windows XP, so development may have stalled on this.

Other Techniques and Technologies

Signed & Encrypted Email Over The Internet (SEEOTI)

The SEEOTI initiative sought to provide SMEs with the ability to communicate securely with each other, and with government and defence ministries. The SEEOTI approach is based on the Transglobal Secure Collaboration Program (TSCP) as a means of securely encrypting, signing and monitoring communication systems with existing hardware. This is explained in more detail on the Team Defence website.

STARTTLS

As we mentioned in the introduction, a lot of email sending is now done with TLS, which is actually a means to secure the transmission of the email between one ‘node’, such as the sending email program, and the next node in the path, such as the sender’s SMTP email server. There may be further TLS encryption between the sender’s SMTP email server and the recipient’s email server (or any intermediate email servers used), but this cannot be guaranteed.

The email is still sent in a plain text format and is not encrypted itself.
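The hop-by-hop nature of STARTTLS described here (and in the introduction) is something you can actually check on a received message: each mail server that handles the message prepends a Received: header, and the common MTAs (Postfix, Exim, Sendmail) record whether that hop arrived over TLS by writing "with ESMTPS" or "with ESMTPSA" rather than plain "with ESMTP". The added example below is not from the original article; it is a stdlib-only Python script that walks the Received: chain of a message in delivery order and lists the hops that were not protected by TLS. The sample message and its host names are constructed for the example, and the protocol-token convention is an assumption about how the receiving servers log (other MTAs may phrase it differently).

```python
import email
import re

# Protocol tokens whose trailing 'S' means the hop was received over TLS
# ('A' means the client authenticated, i.e. a submission hop).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS"}

HOP_RE = re.compile(
    r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.IGNORECASE,
)
TLS_VERSION_RE = re.compile(r"version=(TLS[\w.]+)")
VERIFY_RE = re.compile(r"verify=(\w+)")


def parse_hops(raw_message):
    """Return the delivery path as a list of hop dicts, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Received: headers are prepended, so the header order is newest first.
    for value in reversed(msg.get_all("Received", [])):
        folded = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(folded)
        if not m:
            continue                              # unparseable line: skip, don't guess
        proto = m.group("proto").upper()
        ver = TLS_VERSION_RE.search(folded)
        verify = VERIFY_RE.search(folded)
        hops.append({
            "from": m.group("frm"),
            "by": m.group("by"),
            "protocol": proto,
            "tls": proto in TLS_PROTOCOLS,
            "tls_version": ver.group(1) if ver else None,
            # Postfix logs verify=OK only when the peer certificate was verified;
            # verify=NO means opportunistic TLS with no identity check.
            "peer_verified": (verify.group(1).upper() == "OK") if verify else None,
        })
    return hops


def cleartext_hops(raw_message):
    """Hops that were received without TLS, i.e. where the mail crossed the wire in plain text."""
    return [h for h in parse_hops(raw_message) if not h["tls"]]


# Constructed sample: a three-hop delivery where the final hop into the
# recipient's server did not use TLS. Not a captured message.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.example.org (Postfix) with ESMTP id 7A1B2C3D
\tfor <bob@example.org>; Wed, 01 Aug 2018 09:15:02 +0100
Received: from relay.example.com (relay.example.com [198.51.100.5])
\tby mx.example.net (Postfix) with ESMTPS id 4E5F6A7B
\t(version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
\tfor <bob@example.org>; Wed, 01 Aug 2018 09:15:01 +0100
Received: from [192.0.2.20] (client.example.com [192.0.2.20])
\tby relay.example.com (Postfix) with ESMTPSA id 1C2D3E4F
\t(version=TLS1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO)
\tfor <bob@example.org>; Wed, 01 Aug 2018 09:15:00 +0100
From: alice@example.com
To: bob@example.org
Subject: Q3 figures

Figures attached.
"""

if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE_MESSAGE), 1):
        status = f"TLS {hop['tls_version']}" if hop["tls"] else "CLEARTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} ({hop['protocol']}, {status})")
    for hop in cleartext_hops(SAMPLE_MESSAGE):
        print(f"WARNING: hop into {hop['by']} was not protected by TLS")
```

Two caveats when reading the output. Received: lines are only as trustworthy as the server that wrote them; the entries added by your own mail server are verifiable, while anything below them was written by other parties and could have been altered before the message reached you. And even a TLS hop with verify=NO only defends against passive eavesdropping on that link, not against a server that presents a false certificate, which is exactly why the article says transport encryption is no substitute for encrypting the message itself.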

Secure Messaging

This is a technique that makes confidential information exchange very easy. The sender and the recipient sign into a web-based portal and all communications between them are done via the portal.

You might come across this with online banking services where they send emails and messages to you, via their secure messaging system. You will typically get an email to let you know there is a message waiting and then you need to log into the portal to access the messages.

While easy, in that no additional software or encryption keys are needed, it does mean there is an extra gateway between the sender and the receiver. This works fine for banks and the like, but is unlikely to work for business-to-customer communications.

Bitmessage

This decentralised, fully encrypted peer-to-peer messaging protocol uses public-key cryptography to encrypt messages sent to the network. When you send a message on Bitmessage, you choose the recipient and the message is encrypted with their public key, but no other details of the recipient are included, such as their name, account, email address and so on. The message is then sent to everyone on the service, so if 4 million users were on the service around the world, each would receive a copy of your message, and each would attempt to decrypt it (this is done silently in the background by the program).

Obviously only the intended recipient’s private key corresponds to the public key used, and thus only the intended recipient can decode the message; all the other users simply discard it.

This means tracking messages and performing analysis on senders and recipients is practically impossible. The ultimate secret email system.

Bitmessage Wiki

End-To-End Encryption

There are many end-to-end encrypted communications tools about. They typically ‘live’ entirely in the host domain; that is, messages are created and read entirely in the host app or website. Lots of instant messaging apps, such as WhatsApp and Facebook Messenger, use this, as do a few ‘webmail’ offerings. Companies like Sendinc offer encrypted email messages with the ability to set an expiry on them (self-destructing messages) and integration with popular email clients like Outlook.

Gmail can also be thought of as end-to-end encryption so long as both the sender and the recipient are Gmail users. Emails that don’t leave the Gmail domain are encrypted during transport.

TL;DR

Choosing the right encryption tool for you means working with your intended recipients and deciding which is best for all. The tricky part is getting the decryption key to the recipient safely. Using a PKI (Public Key Infrastructure) gets around that problem. OpenPGP is a good all-round tool for encrypting emails and files, can use PKE or (a much less secure) password, and is open source, meaning you’re not tied to a particular vendor or platform.

For help getting your files secure and keeping them that way, contact us.

We can design and implement file encryption, security, backup and antivirus systems to fit your needs.

Email: it@tinsleynet.co.uk
Phone: 07825 650122
