Secure mail platforms must master the delivery of both messages and keys
Whether a secure message is delivered to a client inbox, a Web mail service, or an SSL-secured Web portal, the important thing is that the recipient can open and read the message without any hassle. Striving to meet both security requirements and the needs of end users, vendors of secure mail solutions offer a few different ways to deliver not only messages, but also the keys to decrypting them.
There are three basic message delivery models: online push, offline push, and online pull. Online push means an encrypted e-mail is sent to the recipient's mail client. Think of it as the message being pushed from the sender’s mail server. Online pull means that the recipient retrieves the secure mail from a Web-based mail system.
In both online push and online pull, the end user is connected to the Internet or an enterprise network while retrieving the encrypted message. For online push and pull, all of the vendors in our review use symmetric key cryptography -- i.e., the same key is used for encryption and decryption -- for a couple of reasons. First, symmetric encryption is much faster and requires less CPU time than asymmetric encryption.
Second, symmetric keys are associated with a single message, providing for very reliable "read receipting." These keys are created using highly random number generators, then stored in a database for later retrieval. When a user authenticates and opens an e-mail while online, the same key the sender used to encrypt the message is retrieved from the database and an access log entry is created showing the date and time the key was used.
Offline push is a little more interesting than online push. With offline push, the recipient doesn’t have to retrieve a decryption key to open the message. Everything necessary to decrypt the message is included in the e-mail package. The key used to encrypt the original e-mail is itself encrypted using a key based on the user's name and password. When the recipient opens the message, the user name and password decrypt the original key, which in turn decrypts the message.
All three methods of delivering mail are considered secure, as long as the user's password is sufficiently strong. Because an offline push message is potentially vulnerable to a brute force or dictionary attack, strong passwords are essential. The passwords should be at least eight characters long, and use mixed case and at least one nonalphanumeric character. If you do that, there is little chance that someone will be able to break into your users' mail.
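The offline push package described above can be sketched as follows. This is an added example, not code from any reviewed vendor. PBKDF2, the iteration count, the package field names and the HMAC-based stand-in cipher (used only to stay within the Python standard library; a product would use a vetted cipher such as AES-GCM) are all assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed PBKDF2 work factor; the article names no KDF

def _subkeys(key):
    # Separate encryption and MAC keys derived from one key
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _seal(key, plaintext):
    # Encrypt-then-MAC; output is nonce || ciphertext || tag
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong credentials or tampered package")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def _kek(user, password, salt):
    # Key-encrypting key "based on the user's name and password"
    secret = user.encode() + b"\x00" + password.encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)

def build_package(user, password, message):
    msg_key = os.urandom(32)  # per-message symmetric key
    salt = os.urandom(16)     # travels with the package, not secret
    return {"salt": salt,
            "wrapped_key": _seal(_kek(user, password, salt), msg_key),
            "body": _seal(msg_key, message)}

def open_package(user, password, pkg):
    # Credentials unwrap the message key, which then decrypts the body
    msg_key = _open(_kek(user, password, pkg["salt"]), pkg["wrapped_key"])
    return _open(msg_key, pkg["body"])
```

Because the salt and wrapped key ship inside the package, nothing but the password and the KDF cost stands between a holder of the package and the message key, which is why the password guidance above matters most for offline push.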