How Secure is Email Encryption?
The #Efail debate has caused great uncertainty among users and IT departments regarding the effectiveness of email encryption. Headlines such as "S/MIME and PGP hacked" were not only factually incorrect, but also led some self-proclaimed experts to advise against the use of email encryption in general. The fact that the problem is not S/MIME or PGP itself was completely ignored. In reality, the encryption is bypassed by getting the email client to send the plain text of the email to the attacker.
How can I send emails securely?
Contracts, invoices, applications: emails containing such and other sensitive content are exchanged daily between companies and private individuals. Every email can be intercepted, read and even altered. The consequences can be catastrophic, ranging from data loss and misuse to financial losses and legal consequences. To prevent this, there are various options for email encryption. Encryption solutions greatly simplify the introduction and use of email encryption in companies. Other file types such as PDF can also be encrypted in this way.
Regardless of whether you use OpenPGP or S/MIME for encryption, the security of email encryption depends on two factors: the generation of the keys used for data encryption, and connection security.
Emails and Email Files: Generate Keys Only Locally
The prerequisite for obtaining a certificate as required, for example, for S/MIME-based encryption, is a key pair consisting of a private and a public key. These keys must be generated on the computer on which they are to be used.
Some Certification Authorities (CAs) offer to generate the key pair for their customers. If the customer makes use of this "service", the private key, and with it the acquired certificate, has become practically worthless: no one can guarantee that a key generated on an external computer has not been intercepted, cached and thus compromised. This is because the key is not only generated on another computer but must also be transmitted to the user, at the very worst by email. Such a procedure makes it possible to read the emails, making email security non-existent.
Connection Security: Choose and Apply Algorithms Correctly
With the algorithms as a central component of the encryption used, there are two areas that have a decisive influence on the security of email encryption.
The Importance of Cryptographic Methods
The correct implementation of encryption algorithms requires skill and experience on the programmers’ part. Software libraries such as OpenSSL provide support in the form of settings and options. However, incorrect use of such a library can significantly affect the quality of the encryption. The quality of the library (or its interface) also determines the effectiveness of the encryption. The famous Heartbleed Bug is an example of a faulty library. In this case, the error was so serious that the private key material was at risk.
“Good” Random Numbers
Random numbers are the basis of keys, because keys are generated from the output of so-called PRNGs (Pseudo Random Number Generators). The more random the generated key, the better. This is also referred to as entropy: the higher the degree of entropy, the better the quality of the random number. If the range of values the generator can actually produce is too small, the key can be calculated more easily. This is the case, for example, if the PRNG generates correlating random numbers.
The seed is also important. This value initializes the generation of random numbers. If the same seed value is used for each generation, the result is the same sequence of pseudo random numbers. The probability of success of a brute force attack increases, because attackers can concentrate on a certain range of values.
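To make the two points above tangible, here is an added example (not code from the original article or from NoSpamProxy) that models key generation with a non-cryptographic PRNG seeded from a value with only a handful of possibilities, alongside key generation from the operating system's CSPRNG. It also includes a simple defender-side check: given a batch of freshly generated keys, measure how many of them collide, which is the symptom a weak seed or a correlating generator produces. The seed space size, batch size and key length are constructed values for the demonstration.

```python
"""Added example: how seed quality and generator choice affect key quality.

Uses only the Python standard library. All numbers below are constructed
for the demonstration; they are not measurements of any real product.
"""
import random
import secrets
from collections import Counter

KEY_BYTES = 16  # constructed: a 128-bit symmetric key


def key_from_seeded_prng(seed: int) -> bytes:
    """Derive key material from a non-cryptographic PRNG initialised with `seed`.

    random.Random is a Mersenne Twister: the same seed always yields the same
    byte sequence, so a key is only as unpredictable as the seed that fed it.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def key_from_os_csprng() -> bytes:
    """Derive key material from the operating system CSPRNG (secrets module)."""
    return secrets.token_bytes(KEY_BYTES)


def duplicate_fraction(keys: list[bytes]) -> float:
    """Fraction of keys in a batch that occur more than once.

    Any value above 0.0 for keys of this length means the generator did not
    draw from the full key space, e.g. because its seed space was tiny.
    """
    counts = Counter(keys)
    repeated = sum(c for c in counts.values() if c > 1)
    return repeated / len(keys)


def generate_batch_with_small_seed_space(seed_space: int, n_keys: int) -> list[bytes]:
    """Model a flawed generator whose seed is something like a coarse timestamp
    with only `seed_space` distinct values. Which of those values applies to a
    given key is outside the generator's control, so it is picked at random here.
    """
    return [key_from_seeded_prng(secrets.randbelow(seed_space)) for _ in range(n_keys)]


def generate_batch_from_os_csprng(n_keys: int) -> list[bytes]:
    """The sound alternative: every key comes straight from the OS CSPRNG."""
    return [key_from_os_csprng() for _ in range(n_keys)]


def weak_seed_collision_rate(seed_space: int = 16, n_keys: int = 200) -> float:
    """With more keys than possible seeds, collisions are guaranteed (pigeonhole)."""
    return duplicate_fraction(generate_batch_with_small_seed_space(seed_space, n_keys))


def csprng_collision_rate(n_keys: int = 200) -> float:
    """128-bit keys from a CSPRNG: a collision in a batch this size is negligible."""
    return duplicate_fraction(generate_batch_from_os_csprng(n_keys))


if __name__ == "__main__":
    # Same seed, same "key": the generator adds no unpredictability of its own.
    print("seeded PRNG reproducible:", key_from_seeded_prng(42) == key_from_seeded_prng(42))
    print("weak seed space collision fraction:", weak_seed_collision_rate())
    print("OS CSPRNG collision fraction:      ", csprng_collision_rate())
```

The collision check is the kind of test worth running once over a batch of keys produced by any tool before trusting it: it cannot prove a generator is good, but a non-zero duplicate fraction on 128-bit keys is conclusive evidence that something in the seeding or the generator is broken.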
Technologies are evolving
If the above warnings on key generation and algorithm usage are observed and the weak points are avoided, email encryption can be described as secure. However, Efail has shown that the surrounding conditions are of utmost importance: an insecure email client can allow attackers to access the encrypted content. These risks are eliminated by the gateway solution NoSpamProxy.
But technologies are evolving, including those being developed by attackers. Some people cynically say that encryption does not create security, only time. This makes it even more important to always keep up with the state of the art when it comes to email encryption.
Email encryption uses the latest technical possibilities such as modern and secure encryption algorithms and central key and certificate management. Ease of use then ensures that company-wide and error-free application by the users is guaranteed, facilitating email encryption and email security at the click of a button.