Secure Enterprise Email

Lawrence Hughes explains how to ensure that your email system is not open to anyone who wants to read it.

Lawrence E. Hughes

April 30, 1996

11 Min Read
ITPro Today logo in a gray background | ITPro Today

How Safe Is Your Mail System?

Many of us make false assumptions about the security of our "personal"or "private" communications. For example, when we phone a friend, wedon't think about someone monitoring the call. When we send a letter, we don'tconsider that someone can intercept it. And when we send email, we don't expectanyone to alter its contents.

The truth is that all these communications methods are subject tointerception and intrusion. Analog phone lines can be tapped. Cellular phonecalls can be picked up on wireless scanners. Letters can be intercepted,compromised, and re-mailed. And email can be monitored, altered, or forged.

Some people don't worry because they don't send particularly valuableinformation. However, since worldwide email has emerged as an importantcomponent in today's business world, people have been transmitting increasinglyimportant--and extremely valuable--information through the Internet and otherpublic networks (see the sidebar, "Internet Email Architecture," ).Fortunately, new email standards and extensions are emerging to address the needfor secure email delivery.

Concepts and Techniques
The most important technique in computer security is encryption. Secure orscrambled voice telephone lines and satellite television signals, and the secretcodes that the military uses are examples of encryption. Encryption algorithms,such as the Data Encryption Standard (DES), the International Data EncryptionAlgorithm (IDEA), and RC2, transform data until no trace of it is left. IDEA isa symmetric-key block-cipher algorithm newer than, but similar to, DES. RC2 is avariable key-size, symmetric-key block-cipher algorithm also similar to DES andpopular for exportable cryptographic systems because of its variable-length key.

An encryption key is required to return encrypted data to its originalform. An encryption key is a binary value 40 or more bits long. With a goodalgorithm, you must have every bit of the key correct to retrieve any encryptedinformation. Even if you have 55 of 56 bits correct, decryption cannot occur.The longer the key is, the stronger the security is.

No encryption scheme can claim to be secure forever. Today, a home computercan crack World War II's best encryption algorithms in just a few minutes. In100 years, some new device may crack today's algorithms just as easily.Fortunately, most secrets don't need to be kept forever. A monetaryconsideration is that the value of encrypted information determines whetheraccessing it is worth the price: If you can ensure secrecy either until no onecares about the information or so that cracking the code costs more than theinformation is worth, it's "secure enough."

For example a 40-bit key takes about $10,000 worth of supercomputer timeand two weeks to crack. Although this key may be adequate to protect mychecking account, it's probably not large enough for the accounts of a majorcorporation.

A slightly longer key of 56 bits re-quires millions of dollars to crack andshould protect the information for years to come. A 56-bit encryption key has 256--or72 quadrillion--possible keys. With 1000 computers, each trying 1,000,000 keysper second, trying them all would take 833 days. On average, you find the keyhalfway through your search.

An even longer key of 168 bits requires more money and potentially extendsthe data's secrecy for hundreds of years. With 168-bit keys, there are 2168possible keys. This number is so staggeringly large that nothing can give you afeel for it. Suffice it to say that 1000 computers wouldn't be even close totrying all the keys by the time the sun finally burns out. That's probablysecure enough for anything you want to protect.

The two basic kinds of encryption algorithms are symmetric key and publickey.

  • Symmetric-key algorithms require that both the person encryptingand the person decrypting have the same key. A real problem with how to securelyshare keys between two or more parties is that most security systems basedsolely on symmetric-key algorithms break down in the area of key management.Symmetric-key algorithms, however, are a lot faster than public-key algorithms.DES, IDEA, and RC2 are symmetric-key algorithms.

  • Public-key algorithms use two keys: a public key and a private key.The public key is available to everyone you want to have access to your system.Your private key is your secret. For example, you might use your private key todigitally sign your email; then anyone with the public key will know thatyou--and only you--signed it. Unfortunately, public-key algorithms are extremelyslow. To get around the speed issue, you can use a faster technique, such as amessage-digest algorithm, to reduce the amount of data and then use a public-keyalgorithm to encrypt that smaller amount.

One public-key algorithm, the Diffie-Hellman key exchange, lets the senderand the receiver share a symmetric key securely. Thus, you can use asymmetric-key algorithm to encrypt the message. This combination achieves bothspeed and security.

Security Issues in Email
The most common threat to email is invasion of privacy. You don't wantanyone but the intended recipient to read the message. Another threat is tomessage integrity. You don't want anyone to tamper with, or change, the contentsof the message while it's in the mail system. The third major threat is to theauthenticity of the sender. You want to ensure that a message really came fromthe person it claims to be from, not someone else. Let's look at these threeissues.

Privacy: The privacy threat is simple to understand anddeal with. In most cases, you don't want people privy to the contents of youremail. This threat is analogous to tapping a phone conversation. Unlike withphone taps, however, no laws currently restrict the interception of email. Infact, email messages are often considered the property of the organization thatowns the email system, rather than of the message sender or receiver. Your bestbet is to assume that sending non-secure email is equivalent to posting a noticeon a public bulletin board.

Rumor has it that the US National Security Agency (NSA) can monitor allemail--at least all that crosses US borders--and scan for key phrases (e.g.,bomb, kill, assassinate). If you encrypt your mail, however, an NSA snoop--orany snoop, for that matter--needs to decrypt the message before reading it. Witha strong algorithm and carefully chosen and managed keys, you can make this taskoverwhelmingly difficult, expensive, and time-consuming.

You can address your privacy requirements in two ways. You can manuallyencrypt all messages and give your recipients the decryption keys.Unfortunately, this approach puts the responsibility for security on yourshoulders. Or, you can automate encryption by using secure email servers. Withthe eventual implementation of address book servers that also support public keymanagement, and client software that can obtain public keys with email addresses(e.g., X.500), similar automation will be possible.

Secure email servers encrypt messages as they are transmitted over anunsecured channel, such as the Internet. Secure clients encrypt messages intransit. They can also store email in encrypted form, decrypting it only whenthe recipient reads it. Because both approaches are automatic, the chance forhuman error is removed. They are not, however, free from drawbacks.

Many people are surprised that deleting an email message doesn't remove alloccurrences of it from the email system. Maintaining privacy through deletion isnot a valid option.

Integrity: The integrity threat is similar to the privacythreat. Unfortunately, email is an impersonal medium. Because it lacks manytraditional cues such as handwriting, stationery or letterhead, signature, andsealed envelope, detecting email tampering without authentication technology isalmost impossible.

Encryption can also handle the tampering threat. To change encrypted mail,you must decrypt the message, make your changes, and then re-encrypt it with theoriginal key. This process is more difficult than just trying to decrypt it.

Authentication: The authentication threat is a littledifferent. You can put mail on the Internet that is indistinguishable inevery way from mail really sent by someone else, but it's more difficult.Encryption--with certain key-management techniques--can also handle this threat.

For example, if Bob receives a message encrypted with a key that only heand Arnold have, Bob can be highly confident that the message came from Arnold.However, if the mail system automatically generates and exchanges keys, Bobknows only that it came from someone with a compatible mail system.

Digitally signing email without encrypting the contents is also possible sothat the recipient can detect any tampering and determine whether the messagereally came from the person who claims to have sent it. Both Privacy EnhancedMail (PEM) and Secure Multipurpose Internet Mail Extensions (S/MIME) routinelyauthenticate all messages, although encryption is optional. Digitally signing amessage requires only that you can access your own secret key; it doesn'tinterfere with anyone's ability to read the message with or without public keysor secure mail clients. The digital signature is just a special text stringadded to an otherwise normal-text email. Of course, you cannot verify thatdigital signature without the signer's public key and a secure email client thatsupports the digital signature algorithm.

Client-Based Solutions
A client-based solution adds extensions to the email system but requires nochanges to existing Internet mail servers. Messages that the extended clientssend must comply with the syntax defined in the Request for Comments (RFC) 822standard. (You can retrieve RFCs from the Internet athttp://www.internic.net/ds/dspg0intdoc.html.) The three primary standards arePretty Good Privacy (PGP), PEM, and S/MIME.

  • PGP is an informal standard that relies on an unconventional decentralizedscheme for establishing trust. PGP doesn't fit into hierarchical--corporate orgovernment--organizations very well.

  • PEM is an Internet Engineering Task Force (IETF) standard (RFCs 1421through 1424). It supports digital signatures using Rivest-Shamir-Adelman (RSA)algorithms and various encryption algorithms. One implementation of PEM is MarkRiordan's Internet Privacy Enhanced Mail (RIPEM). Unfortunately, PEM was neverwidely adopted, mostly because of the difficulty vendors had creatinginteroperable systems.

  • S/MIME has emerged recently as the primary standard for interoperablesecure email. Essentially, RSA refined the PEM specification using the PublicKey Cryptography Standards (PKCS) so that any mail package meeting that standardis more or less guaranteed to interoperate with other PKCS-compliant products.In the next few months, you'll see release of several S/MIME-compliant Internetmail clients.

Client-based solutions have several advantages.

  • Existing Internet mail servers need no changes.

  • The solutions provide end-to-end security; the entire path from the senderto the receiver is secure.

  • You can implement client-based solutions either to automatically decryptincoming mail and store it in plain text form or to store it in the receivedencrypted form, requiring decryption each time it's read. This approach secureseven your local message store against unauthorized access.

  • Digital signatures can provide good authentication.

Client-based solutions also have some real disadvantages.

  • The client software that the sender and the receiver use must be totallyinteroperable.

  • If the sender selects encryption and the receiver doesn't support theencryption scheme, the system doesn't automatically drop back to plain textbecause that would breach security. Instead, the receiver ends up with anunreadable message.

  • The sender, receiver, subject, and other fields in the mail header are notencrypted. They are in plain text, which could be a serious security breach.

  • The user must understand a fair amount about security to use the client andmust manage public keys. For example, to send me an encrypted message, you mustobtain my public key. In the future, Internet Directory Systems will be able tolook up any email address and public key and supply them to your client; X.500is such a scheme. At present, though, obtaining and managing public keys can bea hassle.

Server-Based Solutions
Instead of putting the security burden on the client software, you can placeit on the mail-server software. Specifically, with the Secure Simple MailTransfer Protocol (S/SMTP) instead of the usual unsecured SMTP protocol, you canautomatically secure mail-server-to-mail-server traffic. To use S/SMTP, twosending and receiving mail servers determine whether they both support S/SMTP.If so, they negotiate the strongest encryption algorithm they have in common.Then, they do a Diffie-Hellman key exchange to securely share common keyinformation. After the two servers conclude negotiations, all traffic over theconnection is encrypted--not just the message body, but all header information,including names, email addresses, and the message subject.

The primary application for this security approach is protecting email overthe Internet. This approach doesn't secure the client-to-server traffic,however. It is currently delivered over a private network link, sent over anon-TCP/IP network (e.g., an Internet Packet eXchange--IPX--network), orprotected by a firewall.

The advantages of server-based security are

  • It works with all existing SMTP/Post Office Protocol version 3 (POP3)clients User Agents.

  • You don't need to worry about key management; key generation and exchangeoccur automatically when the server-
    to-server connection is established.

  • All message headers and the message body are encrypted.

  • The negotiation phase lets secure servers interoperate with non-secureservers, and domestic-version secure servers can communicate with export-versionsecure servers.

  • No users need to know that a secure server is in use; no disruption ofexisting Internet mail occurs when you introduce secure servers.

The two major disadvantages to server-based security are that theclient-to-server link is not secure and the basic S/SMTP protocol does notaddress the authentication threat. One minor disadvantage is that you need fromfive to 25 se-
conds of CPU time--depending on key size and CPU type--toperform the Diffie-Hellman calculations on each connection.

Safe and Secure
A secure email system must protect mail-message privacy and integrity andsender authenticity. Encryption is the key to the first two. Symmetric-key andpublic-key algorithms each have a place in security systems. Neither isinherently superior or inferior; a combination of the two is more useful thaneither alone. If authentication is a concern, use S/MIME-compliant mail clientsto sign all messages digitally.

In addition, you can choose either a client-based or a server-basedsolution. Each has pluses and minuses. A client-based solution providesend-to-end (i.e., sender-to-receiver) security but requires interoperable clientsoftware at both ends. A server-based solution allows interoperability withnon-secure servers, but the client-to-server link is not secure.

A secure mail system consists of several components. Your enterprise willneed a firewall between its internal sites and the Internet (see the sidebar, "UpAgainst the Wall," Windows NT Magazine, September 1995) orat least use a non-TCP/IP protocol (e.g., IPX) internally. And use at least onesecure mail server at each site as a gateway to and from non-secure internalservers.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like