Wednesday, April 29, 2015

Tabula Rosa Systems Blog Of 4/29/2015 - Email Threats And How To Protect It With Encryption

LuxSci FYI Blog from
by Erik Kangas, PhD, CEO

Email Security Threats
The Internet is a big place with a lot of people on it. It is very easy for someone who has access to the computers or networks through which your information is traveling to capture this information and read it. Just like someone in the next room listening in on your phone conversation, people using computers “near” the path your email takes through the Internet can potentially read and copy your messages.
Identity Theft
If someone can obtain the username and password that you use to access your email servers, they can read your email and send false email messages as you. Very often, these credentials can be obtained by eavesdropping on SMTP, POP, IMAP, or Webmail connections, by reading email messages in which you include this information, or through other means.
Invasion of Privacy
If you are very concerned about your privacy, then you should consider the possibility of “unprotected backups”, listed below. You may also be concerned about letting your recipients know the IP address of your computer. This information may be used to tell in what city you are located or even to find out what your address is in some cases! This is not usually an issue with WebMail, POP, or IMAP, but is an issue with the transport of email, securely or insecurely, from any email client over SMTP.
Message Modification
Anyone who has system administrator permission on any of the SMTP servers that your message visits can not only read your message, but can also delete or change it before it continues on to its destination. Your recipient has no way to tell if the email message that you sent has been altered! If the message was merely deleted, they wouldn’t even know it had been sent.
False Messages
It is very easy to construct messages that appear to be sent by someone else. Many viruses take advantage of this situation to propagate themselves. In general, it is very hard to be sure that the apparent sender of a message is the true sender – the sender’s name could easily have been fabricated. See “Who stole my email address?”
Message Replay
Just as a message can be modified, messages can be saved, modified, and re-sent later! You could receive a valid original message, but then receive subsequent faked messages that appear to be valid.
Unprotected Backups
Messages are usually stored in plain text on SMTP servers. Thus, backups of these servers’ disks usually contain plain text copies of your messages. As backups may be kept for years and can be read by anyone with access to them, your messages could still be exposed in insecure places even after you think that all copies have been “deleted”.
Repudiation
Because normal email messages can be forged, there is no way for you to prove that someone sent you a particular message. This means that even if someone DID send you a message, they can successfully deny it. This has implications with regards to using email for contracts, business communications, electronic commerce, etc. See: DKIM: Fight Spam and Forged Email by Signing your Messages.
Email Encryption
Symmetric Encryption
In symmetric encryption, you and your friend share a “secret” key. Using this key, you can encrypt a message into “cyphertext”. Cyphertext looks like a random sequence of characters and is completely meaningless to anyone unless they also have the secret key, in which case they can decrypt the cyphertext back into the original message and read it.
Using symmetric key encryption, eavesdropping and unwanted backups of your messages are no longer a problem (unless the eavesdropper knows what your secret key is). It also becomes harder for someone to modify your messages in transit in any kind of a meaningful way.
An example of a popular, excellent method used for symmetric encryption is AES-256.
The problem with symmetric key encryption is precisely the fact that you and your friend must share the same secret key. Unless you meet in person, how do you communicate this key in a way that is secure? What if you want to send a secure message to someone on the other side of the world? How do you get them the secret key quickly in a way that eavesdroppers can’t detect?
Message Digests / Authentication Codes
A “Message Digest” or “Message Authentication Code” is really a very simple concept. You take your message and pass it through an algorithm that spits out a relatively short sequence of characters (maybe 128 or 256 or so of them). This sequence of characters is a “fingerprint” of the message. Any minute change in the message would produce a significantly different “fingerprint”. There is no way to “reverse engineer” the original message from its fingerprint and it is almost “impossible” (assuming that your method of making these fingerprints is sufficiently “good”) to find two messages that yield the same fingerprint (just like trying to find two complete strangers who have the same fingerprint).
An example of a good modern function for this process is “SHA2”.
Message Digests are quick ways to check to see if a message has been altered. If you have a digest of the original message and compare it with a digest of the message you just received and they match, then you know that the message is unaltered.
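The digest check described above, as an added Go example that is not part of the original post: it fingerprints a message with SHA-256 (one member of the SHA-2 family named above), shows that a one-character change yields an entirely different fingerprint, and then adds the caveat the heading’s two terms hint at. A bare digest can be recomputed by whoever altered the message, so on its own it only detects accidental corruption; a keyed message authentication code (HMAC-SHA256 here) cannot be reproduced without the key. The message texts and the key are constructed sample values, and the function names are my own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint returns the SHA-256 digest of a message as hex: 256 bits, shown
// as 64 hex characters.
func Fingerprint(message []byte) string {
	sum := sha256.Sum256(message)
	return hex.EncodeToString(sum[:])
}

// Unaltered reports whether a received copy still matches the original's fingerprint.
func Unaltered(received []byte, originalFingerprint string) bool {
	return Fingerprint(received) == originalFingerprint
}

// Tag computes an HMAC-SHA256 message authentication code. Unlike a bare digest,
// producing or checking it requires the shared key.
func Tag(key, message []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(message)
	return mac.Sum(nil)
}

// VerifyTag compares in constant time, so the check itself leaks nothing about
// how many bytes of the tag matched.
func VerifyTag(key, message, tag []byte) bool {
	return hmac.Equal(Tag(key, message), tag)
}

func main() {
	original := []byte("Pay Alice $100") // constructed sample message
	altered := []byte("Pay Alice $900")  // one character changed
	fp := Fingerprint(original)
	fmt.Println("original:", fp)
	fmt.Println("altered: ", Fingerprint(altered))
	fmt.Println("altered copy matches original fingerprint?", Unaltered(altered, fp))

	// Caveat: a digest only proves integrity if the attacker cannot replace the
	// digest as well. Anyone who rewrites the message can rewrite its SHA-256 too.
	fmt.Println("altered copy matches a recomputed fingerprint?",
		Unaltered(altered, Fingerprint(altered)))

	// A keyed MAC closes that gap: without the key, no valid tag can be made.
	key := []byte("constructed demo key, not for real use")
	tag := Tag(key, original)
	fmt.Println("original with tag:", VerifyTag(key, original, tag))
	fmt.Println("altered with tag: ", VerifyTag(key, altered, tag))
	fmt.Println("other key:        ", VerifyTag([]byte("other key"), original, tag))
}
```

The MAC still needs a shared key, so it inherits the key-distribution problem of symmetric encryption; the asymmetric signature discussed further down is what removes that requirement.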
Asymmetric Encryption
In asymmetric encryption, also known as “public key” encryption, each person has TWO keys. Any cyphertext created using one of the keys can ONLY be decrypted using the other key. For example, say you have keys “K1” and “K2”. If you encrypt your message with K1, then ONLY K2 can be used to decrypt it. Similarly, if you encrypt using K2, ONLY K1 can be used to decrypt it. This is distinctly different from symmetric key encryption where you only have one key that performs both functions on the same message.
For a detailed explanation and example of asymmetric encryption, see: How does Secure Socket Layer (SSL or TLS) Work?
In asymmetric key encryption, the two keys that each person possesses are commonly named the “private” and “public” keys because the “public” one is published or given out freely to anyone who wants a copy and the “private” one is kept secret. The security of asymmetric key encryption depends only on whether you can keep your private key secret.
Asymmetric key encryption allows you to do many clever things:
· Send an Encrypted Message: To send a secure message to someone, all you have to do is encrypt it with their public key! Only the intended recipient who has the matching private key will be able to decrypt and read the message. This solves the problem of eavesdropping and the problem of sending secret keys that is inherent in symmetric key encryption.
· Prove You Sent a Message: To prove to someone that you sent a message, you can encrypt the message (or just a piece of it) with your private key. Then, anyone can decrypt it with your public key and read the contents. The fact that your public key decrypts the message proves that only you could have sent it (or someone who has your private key).
· Sign a Message: A message signature proves that you sent the message AND allows the recipient to determine if the message was altered in transit. This is done by using your private key to encrypt a digest of the message at the time of sending. The recipient can decrypt this digest and compare it to a digest of the received message. If they match, then the message is unaltered and was sent by you.
· Encrypted, Signed Messages: The most secure form of communication is to first add a signature to the message and then to encrypt the message plus signature with the recipient’s public key. This combines all of the benefits of all of the techniques: security against eavesdropping and unexpected storage, proof of sender, and proof of message integrity.
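Both the symmetric section (AES-256 under a shared key) and the asymmetric steps just listed, as one added Go example built only on the standard library; it is not code from the post or from LuxSci. It follows the “Encrypted, Signed Messages” recipe: sign the SHA-256 digest with the sender’s private key (RSA-PSS, the form modern libraries use rather than literally encrypting the digest with the private key), then encrypt message plus signature for the recipient. One detail the post leaves out: RSA can encrypt only a short payload, so the code wraps a one-time AES-256 key with the recipient’s public key (RSA-OAEP) and lets AES-GCM carry the body, which is how S/MIME and PGP actually do it. The names SealAES, OpenAES, NewKeyPair, Send and Receive and the sample message are my own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealAES encrypts under a shared 32-byte (AES-256) key; output nonce||ciphertext||tag.
func SealAES(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenAES reverses SealAES; it errors if the key is wrong or any byte was changed.
func OpenAES(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// NewKeyPair makes a 2048-bit RSA pair: the public half is given out, the private kept.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Send signs the message with the sender's private key (RSA-PSS over its SHA-256
// digest) and encrypts message plus signature for the recipient: a one-time AES key
// is wrapped with RSA-OAEP and AES-GCM carries the body. Both parts travel together.
func Send(sender *rsa.PrivateKey, recipient *rsa.PublicKey, message []byte) (wrappedKey, body []byte, err error) {
	digest := sha256.Sum256(message)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, nil, err
	}
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, nil, err
	}
	if body, err = SealAES(aesKey, append(sig, message...)); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, aesKey, nil)
	return wrappedKey, body, err
}

// Receive unwraps the AES key with the recipient's private key, decrypts the body,
// and checks the signature with the claimed sender's public key.
func Receive(recipient *rsa.PrivateKey, sender *rsa.PublicKey, wrappedKey, body []byte) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, wrappedKey, nil)
	if err != nil {
		return nil, errors.New("not encrypted for this recipient")
	}
	plain, err := OpenAES(aesKey, body)
	if err != nil {
		return nil, errors.New("body altered in transit")
	}
	if n := sender.Size(); len(plain) >= n { // an RSA signature is as long as the modulus
		digest := sha256.Sum256(plain[n:])
		if rsa.VerifyPSS(sender, crypto.SHA256, digest[:], plain[:n], nil) == nil {
			return plain[n:], nil
		}
	}
	return nil, errors.New("signature invalid: not sent by the claimed sender")
}

func main() {
	alice, _ := NewKeyPair()
	bob, _ := NewKeyPair()
	wrapped, body, _ := Send(alice, &bob.PublicKey, []byte("Pay Bob $100.")) // constructed sample
	msg, err := Receive(bob, &alice.PublicKey, wrapped, body)
	fmt.Printf("Bob reads %q (err=%v)\n", msg, err)
}
```

The checks worth running against it are the three failure modes the post describes: a third party’s private key cannot unwrap the AES key (eavesdropping), a message presented as coming from someone other than its real signer fails verification (false messages), and a single flipped ciphertext bit is rejected by AES-GCM before the signature is even examined (message modification). Note that the symmetric helpers alone still leave the key-distribution problem from the symmetric section; Send solves it by letting the recipient’s public key carry the one-time AES key.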
Have you ever wondered how it would be if your email suddenly came to life? You are about to find out.
**Important note** - contact our company for very powerful solutions for IP management (IPv4 and IPv6), security, firewall and APT solutions:

In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email”. My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” will be published soon, followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:

If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio. Additionally, I provide content for an online newsletter via I have also established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. Further, I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and have been a contributor to numerous blogs and publications.

Lastly, I am the founder and president of Tabula Rosa Systems, a company that provides “best of breed” products for network, security and system management and services. Tabula Rosa has a new blog and Twitter site which offers great IT product information for virtually anyone.
