E-mail security solutions key to Internet commerce

October 26, 2001

For electronic commerce to truly flourish, it must offer advantages over existing types of transactions. Among these advantages are a lower cost, more convenience, speed and better security. Thus, problems that have been associated with e-mail security must be examined and solved.

The basis of any electronic security is cryptography -- the system of encrypting and decrypting data.

The most popular encryption algorithms are those that use symmetric or shared keys. The key you use to encrypt a message must also be used to decrypt the message. The most popular secret key algorithm is the Data Encryption Standard (DES and Triple DES) algorithm, which the cryptographic community recently replaced with the Advanced Encryption Standard (AES).

Another form of encryption uses asymmetric keys. Everyone must possess two related keys: a private key and a public key. The private key is secret, known only to the key's owner. The public key is open and should be made available to everyone.

The two keys are related in such a way that a message encrypted with one key can be decrypted only with the other key. If you want to send a secret message to me, you can encrypt it with my public key -- which you should have before sending the message. When I receive the message, I use my private key -- only known to me -- and decrypt the message.

But there can be a problem with using asymmetric keys. Specifically, if I sent you my public key, how do you know the key actually belongs to me? In the digital world, a trusted authority, known as a certification authority, certifies the public key of every individual and issues digital certificates.

Just a click of a button

Every year organizations spend significant amounts of money to protect their data from unauthorized access. Yet by a click of a button a user can e-mail valuable corporate information.

Today, e-mail is the basis for electronic transactions such as presenting invoices and purchase orders, exchanging legal documents and communicating health care data.

Organizations should immediately protect their e-mail from unauthorized access. The four basic requirements for e-mail security are:

Ease of use. An e-mail security solution that is difficult to use complicates electronic communication and inhibits implementation of business relationships. Even the most secure solution is ineffective if it is not very easy to deploy and use.

Broadest community of users. Because e-mail is the most ubiquitous form of business communication, the security solution must permit communication with the broadest community of e-mail users.

End-to-end security. A secure e-mail solution must fit into an organization's overall security infrastructure. While end-to-end privacy protection is essential, a secure e-mail solution must provide authentication of senders and recipients.

Sender control

The sender of the e-mail remains the owner of the content until the recipient takes possession. Therefore, the sender must be able to exercise additional control on the e-mail even after it is sent.

Currently there are four categories of solutions for secure e-mail:

Public key solutions. The two most popular solutions in this category are "pretty good privacy" and "secure multipurpose Internet mail extensions (S/MIME)."

These solutions require that each user have a key pair and that the public key of each user be known to every other user. These solutions are very secure but are difficult to use, have limited reach and do not provide additional control to the sender.

Key-server-based solutions. This solution employs a trusted set of servers to keep the e-mail encryption keys. Key servers do not require users (senders or recipients) to own a public key. A key server stores e-mail keys and their attributes.

The sender's e-mail software first contacts the key server and receives an encryption key. The sender then encrypts the e-mail and sends it through the normal e-mail infrastructure.

The recipient's e-mail software contacts the key server, retrieves the key and decrypts the e-mail. The key server authenticates its clients (senders and recipients). Additionally, the key server protects the privacy and integrity of all communications.

Key server solutions are easy to use, permit communication with any user, are highly secure and permit the sender to exercise control over the e-mail even after it is sent.

Password-based solutions. In this solution, the sender uses software that encrypts the e-mail message with a password and the recipient uses compatible software that decrypts the e-mail message with the same password.

While conceptually simple, this method carries a significant burden on the sender: providing all recipients with the password. Traditionally, the password is provided through an out-of-band method such as a phone call.

But these methods are often unsecure, time-consuming and geared toward very few recipients. Moreover, password-based solutions do not provide the sender any control after the e-mail is sent.

Web-based solutions. Web-based solutions do not send the e-mail itself. Instead, a sender-owned and managed server holds every e-mail. The recipients receive a uniform resource locator (URL), the Internet address that connects themto a Web server. Once connected, a recipient takes delivery of e-mail via a secure link.

While fairly easy to use, this solution is somewhat of an antithesis to the original purpose of e-mail, which is based on pushing content to the recipient as opposed to the recipient pulling content from the sender.

Gaining leverage

The Internet is inherently unsecure. Organizations that want to leverage the Internet must pay close attention to the security of applications that use the Internet.

They should seek e-mail solutions that are easy to use, permit communication with the broadest community of users, exhibit a high degree of security and provide additional control to the sender of e-mail even after the message is sent.

Jahan Moreh is the chief security architect at Sigaba, a San Mateo, Calif.-based company that provides e-mail security products, and is on faculty at the University of California, Los Angeles, where he teaches classes on information security.