Email communication has become so common, users often forget that there is no inherent security in the common implementation. For general correspondence it might be acceptable to forsake security in the interest of ease of use. After all, the sharing of recipes between old friends is not always a matter of urgent security. When business users share information, whether internally or externally, that information must be kept secure. Would-be attackers can use information shared in email to devise an attack vector that forgoes the company's security plan. Email security is usually takes one of three forms: symmetric key encryption of the message, asymmetric key encryption of the message, or encryption of the message path.
<!--more-->
Symmetric key encryption, also known as private key encryption, relies on the communicating parties to use the same private key to both encrypt and decrypt the message. This encryption methodology includes popular systems such as Data Encryption Standard (DES), Tripe DES (3DES), and Advanced Encryption Standard (AES). Over time, this encryption methodology has been foiled by the increasing power of computers. The 56-bit key used by the original DES standard was eventually proven to be too weak to withstand modern computing power. 3DES and then AES were developed to replace standards that were no longer strong enough. Symmetric key encryption also requires participating parties to be in possession of the same private key. The sharing of this key requires communication outside normal channels and can be quite challenging (Whitman & Mattord, 2009).
Asymmetric key encryption uses one key for encryption and another for decryption. The decrypting key is help privately by the reader, and the writer uses the publicly available key to perform the encryption. This system allows messages to be sent easily, and requires the receiver to maintain possession of the decrypting key. This system tends to be unwieldy as the list of communicators grows. The Public-key Infrastructure (PKI) was designed to ease this burden by creating a system to maintain and verify public-key information. This system is commonly used in e-commerce applications (Whitman & Mattord, 2009).
The aforementioned encryption methods ensure the message itself is encrypted. Another method is to encrypt the communication paths the message traverses. This is most commonly accomplished with Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Both protocols create a secure channel between two endpoints before any data is transmitted (Bhaiji, 2008). The major drawback of this security methodology is that the content of the email message is still readable when not in transition. This creates several possible security flaws as any compromised system in the email communication chain can create a potential for information theft or corruption.
The preferred method for email communication depends on the parties in question. Although securing the message path is the easiest to implement, it relies on the security of the systems in which the message finally resides. Since many users download local copies of their email messages, it is difficult for system administrators to guarantee the security of user systems. Asymmetric key encryption has the benefit of relatively easy key exchange. This is the method most commonly used in secure email deployments via such protocols as Secure / Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP).
References
Bhaiji, Y. (2008). Network security technologies and solutions. Indianapolis, IN: Cisco Press.
Whitman, M. E. & Mattord, H. J. (2009). Principles of information security (3rd ed.). Boston: Thomson Course Technology.