Protecting e-mail confidentiality
Critical data is only so secure if all your e-mail is sent "in the clear." Roger looks at the benefits and limitations of several options for encrypting e-mail and keeping information safe from prying eyes.
Encrypting e-mail and other digital communication methods (e.g. IM, P2P, BlackBerrys, etc.) is taking on new importance these days as businesses open new channels for employees, customers, and partners to pass messages to one another. Today’s column will discuss the most common methods for encrypting e-mails and point out some of the advantages and disadvantages of each solution.
Proprietary built-in mechanism
Some e-mail systems, especially older e-mail products, allow e-mail to be encrypted with a single click of the mouse. Normally, you simply enable the encrypt button, input a protective password, and then send the e-mail. The inputted password either encrypts the e-mail directly (i.e. it is used as the random input value to start the encryption cipher process) or protects the stronger secret encryption key that is used to do the real encryption.
These products normally only work with other users on the same e-mail system and/or require that the encryption password be shared with the intended recipient using an out-of-band method (e.g. calling them with the password or sending it in a separate email). Also, because these e-mail systems are older and proprietary, they often use flawed cryptography (if it can even be considered cryptography) or weak, no longer accepted ciphers (e.g. DES, 56-bit SSL, etc.). Proprietary e-mail encryption schemes are becoming a thing of the past.
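The two password-based designs described above (the password keys the cipher directly, or the password only protects a stronger random key), as an added Python example that is not code from this column or from any e-mail product. The HMAC-SHA256 keystream stands in for a real cipher such as AES so the block runs on the standard library alone; all function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor, chosen for this example

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher such as AES.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _subkeys(key):
    return hmac.new(key, b"enc", "sha256").digest(), hmac.new(key, b"mac", "sha256").digest()

def seal(key, data):
    """Encrypt-then-MAC under a 32-byte key: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or password, or message was altered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Design 1: the key derived from the password encrypts the data directly.
def password_seal(password, data):
    salt = secrets.token_bytes(16)
    return salt + seal(_kdf(password, salt), data)
def password_unseal(password, blob):
    return unseal(_kdf(password, blob[:16]), blob[16:])

# Design 2: a random content key encrypts the message; the password only wraps
# that key, so a password change re-wraps 32 bytes and leaves the body untouched.
def encrypt_wrapped(password, message):
    content_key = secrets.token_bytes(32)
    return password_seal(password, content_key), seal(content_key, message)
def decrypt_wrapped(password, wrapped_key, body):
    return unseal(password_unseal(password, wrapped_key), body)

def change_password(old, new, wrapped_key):
    return password_seal(new, password_unseal(old, wrapped_key))
```

In both designs the password remains the only secret the recipient needs, which is why it still has to reach them out of band.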
WinZip and PKZip
Many users are familiar with the abilities of WinZip or PKZip to encrypt e-mail or file attachments. Years ago, these products were flagged as having poorly implemented encryption. This is no longer the case as long as you are using a version from the last few years. Depending on the product, these may encrypt the entire e-mail, not just the file attachment, and work across a wide range of platforms.
Usually the encryption is protected by a user-supplied password, which means the protection is only as strong as the password (as is the case with many other products). Today's versions use reliable ciphers and strong cipher keys. The biggest drawback is that the regular versions that most users own require manual encryption (sometimes external to the regular e-mail process), along with the related problem of how to securely transmit the secret password to the intended recipient, and only the intended recipient. Still, if you only remember the bad encryption traits of WinZip or PKZip, you haven't tried them lately.










