Email encryption

E-mail encryption is used to send confidential information by e-mail from the sender to the recipient in such a way that no one other than the sender and the recipient can read it (end-to-end encryption).

E-mail encryption is often mentioned together with e-mail signing, and in practice the two are usually combined. The aim of an e-mail signature is to send information by e-mail from the sender to the recipient in such a way that no one can tamper with it unnoticed on the way. The e-mail signature thus satisfies the needs for authenticity and integrity.

E-mail encryption is often confused with TLS encryption. TLS, however, is only transport encryption between e-mail servers: the message sits unencrypted on every server along the way, and the delivery of the e-mail to the e-mail server and its retrieval from the mailbox server are likewise unencrypted unless those connections use TLS as well. In addition, the integrity of the e-mail cannot be guaranteed, because the e-mail is not signed.

Application forms compared

For e-mail encryption and e-mail signing there are different forms of application.

Client-based e-mail encryption and signing

Classic e-mail encryption and signing is done from client to client (end-to-end encryption).

Example: Alice sends an encrypted and signed message by e-mail to Bob.

Server-based e-mail encryption and signing

Client-based solutions have the disadvantage of being too complex for many organizations (businesses, clubs, ...). Where a suitable IT infrastructure is not available, the temptation is great to do without e-mail encryption and signing in the organization altogether.

In such situations server-based solutions are the method of choice. The work of encrypting and signing is done not by the clients but by servers.

Example 1: Alice works in company A and sends an encrypted and signed message by e-mail to Bob.

Example 2: Alice works in company A and sends an encrypted and signed message by e-mail to Bob. Bob works in company B.

The advantages of a server-based solution are therefore:

  • The members of the organization (for example the employees of a company) do not have to concern themselves with encryption and signing. The work is done by the administrator who maintains the centrally installed server.
  • Nevertheless all e-mail traffic can run encrypted and signed, provided that the internal users want it and the external communication partners take part.

The disadvantage of this solution is that the administrator, or a third party with access to the path between the sending e-mail client and the internal mail server (the encryption gateway), can read e-mails and alter them, because encryption and signing only happen at the gateway.

Server-based solutions can offer the administrator the following services:

  • Automatically generating and managing the private and public keys of internal users and, if required, publishing the public keys (e.g. in public LDAP directories)
  • Automatically retrieving the certificates of external communication partners, validating them and, where appropriate, storing them for future use
  • Issuing certificates fully automatically

PKI-based e-mail encryption and signing

The most frequently encountered method of achieving confidentiality and authenticity in e-mail is PKI-based e-mail encryption and digital signatures. PKI stands for Public Key Infrastructure. PKI-based e-mail encryption and digital signatures almost always use one of two standard formats; S/MIME, described in detail below, is one of them.

PKI-based e-mail encryption and digital signatures are used in both client-based and server-based solutions.

Password-based e-mail encryption

Password-based e-mail encryption is an option that server-based solutions can offer. It addresses the following problem:

  • If server-based solutions work PKI-based, they relieve the internal communication partners of the initiating organization of the complexity of a PKI, but not the external communication partners. The external partners must either operate a server-based solution in their own organization or, if that is not possible, run their PKI client-based. If they can do neither, PKI-based e-mail encryption is not possible.

To avoid sending unencrypted in that case, server-based solutions can offer password-based e-mail encryption in addition to PKI-based e-mail encryption. With external partners who have a PKI, messages are encrypted PKI-based; with partners who have no PKI, they can be encrypted password-based.

Principle of operation

There are several ways to implement password-based e-mail encryption.

One of many possible flows, as an example:

  • Alice works in a company with a server-based solution. Bob has no PKI.
  • Alice sends a message by e-mail to Bob.
  • The server-based solution finds no certificate for Bob and automatically chooses password-based delivery of the message to Bob.
  • Alice's message is held in a queue.
  • Bob receives a notification by e-mail that a message is waiting for him.
  • Bob creates an account on a web server and chooses a password.
  • The held message is then automatically converted into a PDF file, the contents of the PDF are encrypted with the password Bob chose, and the protected PDF is delivered to Bob by e-mail (as an attachment).
  • Bob opens the PDF, enters his password in the PDF reader and can then read Alice's message.
  • Every further message from the company Alice works for is now automatically sent to Bob as a password-encrypted PDF.
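The flow above, as an added shell example that is not part of the original article: a toy encryption gateway built around the openssl command-line tool. It looks up a certificate for the recipient, falls back to password-based delivery when none is found, holds the message until the recipient has registered, and then encrypts every queued and every later message with a key derived from the recipient's password. The directory layout, the addresses, the password, and the use of an openssl-encrypted attachment in place of the password-protected PDF the text describes are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal encryption
# gateway that picks PKI-based or password-based delivery per recipient.
# All paths, names and the password below are assumptions; an encrypted
# file stands in for the password-protected PDF described in the text.
set -eu
umask 077                       # key material and queued mail stay private
GW=$(mktemp -d)
mkdir -p "$GW/certs" "$GW/queue" "$GW/accounts" "$GW/outbox"

# The gateway looks for a stored certificate for the recipient and
# reports "pki" if it has one, "password" otherwise.
choose_delivery() {             # $1 = recipient address
  if [ -f "$GW/certs/$1.crt" ]; then echo pki; else echo password; fi
}

queue_message() {               # $1 = recipient, $2 = message file
  mkdir -p "$GW/queue/$1"
  cp "$2" "$GW/queue/$1/"
}

# The notification itself is ordinary, unencrypted mail.
notify() {                      # $1 = recipient
  echo "notify $1: a message is waiting for you; register at the portal to read it"
}

# The recipient creates an account and chooses a password. The gateway
# keeps the password itself, because it is the gateway, not the
# recipient, that encrypts every future message with it.
register_account() {            # $1 = recipient, $2 = chosen password
  printf '%s' "$2" > "$GW/accounts/$1.pass"
}

# Every held message is encrypted with a key derived from the password
# (PBKDF2, 200000 iterations, random salt) and dropped in the outbox,
# from where it would be mailed to the recipient as an attachment.
deliver_queued() {              # $1 = recipient
  for msg in "$GW/queue/$1"/*; do
    [ -f "$msg" ] || continue
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
      -in "$msg" -out "$GW/outbox/$(basename "$msg").enc" \
      -pass "file:$GW/accounts/$1.pass"   # not pass:..., which leaks via ps
    rm "$msg"
  done
}

# Entry point for outgoing mail: certificate -> S/MIME envelope;
# no certificate -> queue, and deliver at once if an account exists.
send_message() {                # $1 = recipient, $2 = message file
  case $(choose_delivery "$1") in
    pki)      openssl smime -encrypt -aes256 -in "$2" \
                -out "$GW/outbox/$(basename "$2").p7m" "$GW/certs/$1.crt" ;;
    password) queue_message "$1" "$2"
              if [ -f "$GW/accounts/$1.pass" ]; then deliver_queued "$1"
              else notify "$1"; fi ;;
  esac
}

# Recipient side: open the attachment with the password. Prints the
# plaintext, or a short error text if the password is wrong.
open_attachment() {             # $1 = encrypted file, $2 = password
  PW="$2" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -pass env:PW 2>/dev/null || echo "wrong password or damaged attachment"
}

# Constructed sample run: Bob has no certificate on file.
printf 'Confidential: the offer is 48,000 EUR.\n' > "$GW/offer.txt"
send_message bob@example.org "$GW/offer.txt"        # held, Bob is notified
register_account bob@example.org 'correct horse battery staple'
deliver_queued bob@example.org                       # offer.txt.enc -> outbox
printf 'Follow-up: contract attached.\n' > "$GW/followup.txt"
send_message bob@example.org "$GW/followup.txt"     # encrypted immediately
ls "$GW/outbox"
open_attachment "$GW/outbox/offer.txt.enc" 'correct horse battery staple'
open_attachment "$GW/outbox/offer.txt.enc" 'not the password'
```

Note what this buys and what it does not: the outbox files are opaque without the password, but the gateway holds both the plaintext and the password, so the scheme protects the leg from the gateway to the recipient, not the path from Alice's client to the gateway; it is gateway-to-recipient rather than end-to-end encryption, in line with the disadvantage noted for server-based solutions above.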

Benefits for the external communication partner

  • No certificates are required on the recipient side.
  • Automated password management replaces, for the external communication partner, the complex certificate issuance process of a trust centre. The only requirement is that the user has standard software (e.g. a web browser or PDF reader).

S/MIME-based e-mail encryption and digital signatures in detail

As with pure hybrid encryption, each communication partner must generate a key pair before being able to sign e-mails or receive encrypted e-mails. Without a key pair of one's own, only verifying other people's signatures and encrypting messages to them is possible.

In the S/MIME world it is customary for a new communication partner to have their public key signed by a certificate authority (CA). To this end the public key is sent to the CA. Depending on the security class, the CA checks more or less strictly whether the public key really belongs to the person who claims it. Once the check is passed, the CA issues a certificate for the key by signing it with its secret signing key. The certificate consists of the public key itself, the signature and administrative data. For the signing key used there is a public verification key with which the signature can be checked. For this verification key of the CA there is in turn a certificate, the CA certificate, which is itself signed by a certificate authority. In this way a chain of CA certificates arises. The last link of such a chain is called the root CA certificate. The root CA certificate is signed with itself, so in practice other means must be used to make sure that the root CA certificate is genuine.

Messages can be both signed and encrypted. A signature ensures that a message has not been altered and provides information about the identity of the author. Encryption ensures the confidentiality of the message; usually it is arranged so that the sender and all recipients of a message can decrypt it.
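The chain and the sign-then-encrypt flow described in this section, as an added shell example that is not part of the original article, using the openssl command-line tool: a self-signed root CA (the last link of the chain) issues certificates to Alice and Bob; Alice signs a message with her private key and encrypts it to Bob's certificate; Bob decrypts it with his private key and verifies the signature by chaining Alice's certificate back to the root CA he trusts. The CA name, the user identities and addresses, and the file locations are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal S/MIME
# walk-through with the openssl CLI. Names, addresses and paths are
# assumptions chosen for illustration.
set -eu
WORK=$(mktemp -d)

# Root CA: signed with its own key, so its genuineness must be assured
# by other means (here: Bob simply has a copy of ca.crt).
make_root_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# User certificate: the key pair is generated locally; only the request
# (public key + identity) goes to the CA, which returns the public key
# signed with its private signing key, restricted to e-mail use.
issue_user_cert() {             # $1 = name, $2 = e-mail address
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$1/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  cat > "$WORK/$1.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$2
EOF
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Alice: sign (authenticity, integrity), then encrypt to Bob's
# certificate (confidentiality). Her own certificate travels inside the
# signature so that Bob can build the chain alice.crt -> ca.crt.
alice_sends() {                 # $1 = plaintext file, $2 = output file
  openssl smime -sign -in "$1" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/signed.eml"
  openssl smime -encrypt -aes256 -in "$WORK/signed.eml" -out "$2" "$WORK/bob.crt"
}

# Bob: decrypt with his private key, then verify against the root CA.
bob_receives() {                # $1 = encrypted file, $2 = recovered content
  openssl smime -decrypt -in "$1" -inkey "$WORK/bob.key" \
    -recip "$WORK/bob.crt" -out "$WORK/decrypted.eml"
  openssl smime -verify -in "$WORK/decrypted.eml" -CAfile "$WORK/ca.crt" \
    -out "$2" 2>/dev/null
}

# Prints "ok" if the signed message verifies, "tampered" otherwise.
check_integrity() {             # $1 = signed message file
  if openssl smime -verify -in "$1" -CAfile "$WORK/ca.crt" -out /dev/null 2>/dev/null
  then echo ok; else echo tampered; fi
}

make_root_ca
issue_user_cert alice alice@example.com
issue_user_cert bob bob@example.com

# Constructed sample message.
printf 'Confidential: revenue up 12%%.\n' > "$WORK/plain.txt"
alice_sends "$WORK/plain.txt" "$WORK/to_bob.eml"
bob_receives "$WORK/to_bob.eml" "$WORK/recovered.txt"
cat "$WORK/recovered.txt"

# On the wire only an enveloped-data blob is visible, not the text.
grep -q 'enveloped-data' "$WORK/to_bob.eml" && echo 'body opaque in transit'
check_integrity "$WORK/decrypted.eml"

# Changing one figure inside the signed content breaks verification.
sed 's/12%/92%/' "$WORK/decrypted.eml" > "$WORK/forged.eml"
check_integrity "$WORK/forged.eml"
```

The `openssl cms` subcommand accepts the same `-sign`, `-encrypt`, `-decrypt` and `-verify` options and produces the newer CMS variant of the same structures. The important check is the last one: without the signature, Bob could not tell the altered figure from the original, which is exactly the integrity gap that transport-only TLS leaves open.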

Areas of application

E-mail encryption and signing are used in, among others, the following situations:

  • Protection of privacy
  • Ensuring the integrity of e-mail content
  • Compliance with statutory data-protection regulations in public authorities and institutions