Secure Enterprise Email

How Safe Is Your Mail System?

Many of us make false assumptions about the security of our "personal"or "private" communications. For example, when we phone a friend, wedon't think about someone monitoring the call. When we send a letter, we don'tconsider that someone can intercept it. And when we send email, we don't expectanyone to alter its contents.

The truth is that all these communications methods are subject tointerception and intrusion. Analog phone lines can be tapped. Cellular phonecalls can be picked up on wireless scanners. Letters can be intercepted,compromised, and re-mailed. And email can be monitored, altered, or forged.

Some people don't worry because they don't send particularly valuableinformation. However, since worldwide email has emerged as an importantcomponent in today's business world, people have been transmitting increasinglyimportant--and extremely valuable--information through the Internet and otherpublic networks (see the sidebar, "Internet Email Architecture," ).Fortunately, new email standards and extensions are emerging to address the needfor secure email delivery.

Concepts and Techniques
The most important technique in computer security is encryption. Secure orscrambled voice telephone lines and satellite television signals, and the secretcodes that the military uses are examples of encryption. Encryption algorithms,such as the Data Encryption Standard (DES), the International Data EncryptionAlgorithm (IDEA), and RC2, transform data until no trace of it is left. IDEA isa symmetric-key block-cipher algorithm newer than, but similar to, DES. RC2 is avariable key-size, symmetric-key block-cipher algorithm also similar to DES andpopular for exportable cryptographic systems because of its variable-length key.

An encryption key is required to return encrypted data to its originalform. An encryption key is a binary value 40 or more bits long. With a goodalgorithm, you must have every bit of the key correct to retrieve any encryptedinformation. Even if you have 55 of 56 bits correct, decryption cannot occur.The longer the key is, the stronger the security is.

No encryption scheme can claim to be secure forever. Today, a home computercan crack World War II's best encryption algorithms in just a few minutes. In100 years, some new device may crack today's algorithms just as easily.Fortunately, most secrets don't need to be kept forever. A monetaryconsideration is that the value of encrypted information determines whetheraccessing it is worth the price: If you can ensure secrecy either until no onecares about the information or so that cracking the code costs more than theinformation is worth, it's "secure enough."

For example a 40-bit key takes about $10,000 worth of supercomputer timeand two weeks to crack. Although this key may be adequate to protect mychecking account, it's probably not large enough for the accounts of a majorcorporation.

A slightly longer key of 56 bits re-quires millions of dollars to crack andshould protect the information for years to come. A 56-bit encryption key has 2⁵⁶--or72 quadrillion--possible keys. With 1000 computers, each trying 1,000,000 keysper second, trying them all would take 833 days. On average, you find the keyhalfway through your search.

An even longer key of 168 bits requires more money and potentially extendsthe data's secrecy for hundreds of years. With 168-bit keys, there are 2¹⁶⁸possible keys. This number is so staggeringly large that nothing can give you afeel for it. Suffice it to say that 1000 computers wouldn't be even close totrying all the keys by the time the sun finally burns out. That's probablysecure enough for anything you want to protect.

The two basic kinds of encryption algorithms are symmetric key and publickey.

One public-key algorithm, the Diffie-Hellman key exchange, lets the senderand the receiver share a symmetric key securely. Thus, you can use asymmetric-key algorithm to encrypt the message. This combination achieves bothspeed and security.

Security Issues in Email
The most common threat to email is invasion of privacy. You don't wantanyone but the intended recipient to read the message. Another threat is tomessage integrity. You don't want anyone to tamper with, or change, the contentsof the message while it's in the mail system. The third major threat is to theauthenticity of the sender. You want to ensure that a message really came fromthe person it claims to be from, not someone else. Let's look at these threeissues.

Privacy: The privacy threat is simple to understand anddeal with. In most cases, you don't want people privy to the contents of youremail. This threat is analogous to tapping a phone conversation. Unlike withphone taps, however, no laws currently restrict the interception of email. Infact, email messages are often considered the property of the organization thatowns the email system, rather than of the message sender or receiver. Your bestbet is to assume that sending non-secure email is equivalent to posting a noticeon a public bulletin board.

Rumor has it that the US National Security Agency (NSA) can monitor allemail--at least all that crosses US borders--and scan for key phrases (e.g.,bomb, kill, assassinate). If you encrypt your mail, however, an NSA snoop--orany snoop, for that matter--needs to decrypt the message before reading it. Witha strong algorithm and carefully chosen and managed keys, you can make this taskoverwhelmingly difficult, expensive, and time-consuming.

You can address your privacy requirements in two ways. You can manuallyencrypt all messages and give your recipients the decryption keys.Unfortunately, this approach puts the responsibility for security on yourshoulders. Or, you can automate encryption by using secure email servers. Withthe eventual implementation of address book servers that also support public keymanagement, and client software that can obtain public keys with email addresses(e.g., X.500), similar automation will be possible.

Secure email servers encrypt messages as they are transmitted over anunsecured channel, such as the Internet. Secure clients encrypt messages intransit. They can also store email in encrypted form, decrypting it only whenthe recipient reads it. Because both approaches are automatic, the chance forhuman error is removed. They are not, however, free from drawbacks.

Many people are surprised that deleting an email message doesn't remove alloccurrences of it from the email system. Maintaining privacy through deletion isnot a valid option.

Integrity: The integrity threat is similar to the privacythreat. Unfortunately, email is an impersonal medium. Because it lacks manytraditional cues such as handwriting, stationery or letterhead, signature, andsealed envelope, detecting email tampering without authentication technology isalmost impossible.

Encryption can also handle the tampering threat. To change encrypted mail,you must decrypt the message, make your changes, and then re-encrypt it with theoriginal key. This process is more difficult than just trying to decrypt it.

Authentication: The authentication threat is a littledifferent. You can put mail on the Internet that is indistinguishable inevery way from mail really sent by someone else, but it's more difficult.Encryption--with certain key-management techniques--can also handle this threat.

For example, if Bob receives a message encrypted with a key that only heand Arnold have, Bob can be highly confident that the message came from Arnold.However, if the mail system automatically generates and exchanges keys, Bobknows only that it came from someone with a compatible mail system.

Digitally signing email without encrypting the contents is also possible sothat the recipient can detect any tampering and determine whether the messagereally came from the person who claims to have sent it. Both Privacy EnhancedMail (PEM) and Secure Multipurpose Internet Mail Extensions (S/MIME) routinelyauthenticate all messages, although encryption is optional. Digitally signing amessage requires only that you can access your own secret key; it doesn'tinterfere with anyone's ability to read the message with or without public keysor secure mail clients. The digital signature is just a special text stringadded to an otherwise normal-text email. Of course, you cannot verify thatdigital signature without the signer's public key and a secure email client thatsupports the digital signature algorithm.

Client-Based Solutions
A client-based solution adds extensions to the email system but requires nochanges to existing Internet mail servers. Messages that the extended clientssend must comply with the syntax defined in the Request for Comments (RFC) 822standard. (You can retrieve RFCs from the Internet athttp://www.internic.net/ds/dspg0intdoc.html.) The three primary standards arePretty Good Privacy (PGP), PEM, and S/MIME.

Client-based solutions have several advantages.

Client-based solutions also have some real disadvantages.

Server-Based Solutions
Instead of putting the security burden on the client software, you can placeit on the mail-server software. Specifically, with the Secure Simple MailTransfer Protocol (S/SMTP) instead of the usual unsecured SMTP protocol, you canautomatically secure mail-server-to-mail-server traffic. To use S/SMTP, twosending and receiving mail servers determine whether they both support S/SMTP.If so, they negotiate the strongest encryption algorithm they have in common.Then, they do a Diffie-Hellman key exchange to securely share common keyinformation. After the two servers conclude negotiations, all traffic over theconnection is encrypted--not just the message body, but all header information,including names, email addresses, and the message subject.

The primary application for this security approach is protecting email overthe Internet. This approach doesn't secure the client-to-server traffic,however. It is currently delivered over a private network link, sent over anon-TCP/IP network (e.g., an Internet Packet eXchange--IPX--network), orprotected by a firewall.

The advantages of server-based security are

The two major disadvantages to server-based security are that theclient-to-server link is not secure and the basic S/SMTP protocol does notaddress the authentication threat. One minor disadvantage is that you need fromfive to 25 se-
conds of CPU time--depending on key size and CPU type--toperform the Diffie-Hellman calculations on each connection.

Safe and Secure
A secure email system must protect mail-message privacy and integrity andsender authenticity. Encryption is the key to the first two. Symmetric-key andpublic-key algorithms each have a place in security systems. Neither isinherently superior or inferior; a combination of the two is more useful thaneither alone. If authentication is a concern, use S/MIME-compliant mail clientsto sign all messages digitally.

In addition, you can choose either a client-based or a server-basedsolution. Each has pluses and minuses. A client-based solution providesend-to-end (i.e., sender-to-receiver) security but requires interoperable clientsoftware at both ends. A server-based solution allows interoperability withnon-secure servers, but the client-to-server link is not secure.

A secure mail system consists of several components. Your enterprise willneed a firewall between its internal sites and the Internet (see the sidebar, "UpAgainst the Wall," Windows NT Magazine, September 1995) orat least use a non-TCP/IP protocol (e.g., IPX) internally. And use at least onesecure mail server at each site as a gateway to and from non-secure internalservers.