WEB SECURITY ADVISOR

Implementing e-mail encryption


Mike Chapple, CISSP
03.31.2005


Regulatory requirements and other security issues are forcing many users to demand technical measures that ensure the confidentiality and integrity of their electronic mail messages. Current e-mail encryption mechanisms are still somewhat awkward, but the movement toward pervasive e-mail encryption is gaining steam. In this tip, we'll review a few options for adding security to your e-mail communications.

First, recognize that e-mail is inherently insecure. The three protocols that carry the vast majority of electronic mail (POP, IMAP and SMTP) are cleartext protocols designed with little thought to security. If you use them in their basic form, you should have no expectation of privacy: anyone on the network path between sender and recipient, or on any relay along the way, can read your organization's mail, alter it, or forge messages that appear to come from you, and the password you log in with travels in the clear as well.

What's a security-conscious e-mailer to do?
Look at the e-mail security problem from two angles: protecting account data (especially usernames and passwords) from disclosure, and protecting the confidentiality and integrity of the messages themselves.

Data defense
Protecting account data isn't that hard. If you use a desktop e-mail client like Outlook, Eudora or Thunderbird with the standard POP/SMTP or IMAP/SMTP protocol pairings, configure it to use a Secure Sockets Layer (SSL) connection to encrypt its exchanges with the server. This requires some reconfiguration and only works if your ISP or mail provider supports SSL connections. You'll usually need to change the ports you use for each protocol to their SSL counterparts: SMTPS typically runs on port 465 instead of the standard SMTP port 25, IMAPS uses 993 instead of 143, and POP3S uses 995 instead of 110. Many servers instead (or also) offer STARTTLS, which upgrades a session that begins on the standard port (or, for sending, the message-submission port 587) to an encrypted one. Whichever form you use, make sure the client is set to verify the server's certificate; an encrypted session with an unverified server is still open to a man-in-the-middle who presents his own certificate.

Encrypting the session with your own server is usually easier for Web-based e-mail. Most Web-based e-mail services support SSL at least for the authentication process: use the same address you normally use for Web mail but change the "http://" to "https://". Some services, including Google's Gmail, keep the SSL connection for your entire session, while others revert to standard HTTP once you've authenticated. In the latter case your password is protected, but the session cookie that identifies you afterwards, and every message you read, cross the network in the clear, so prefer a service that stays on HTTPS throughout.

It's critical to note that both of the SSL mechanisms described above protect only the hop between you and your own mail server. SSL stops someone from sniffing that connection with a tool like tcpdump or Ethereal (now Wireshark), but it provides no protection beyond the local server: the message is stored there in the clear and is typically relayed to the recipient's server over ordinary, unencrypted SMTP, where the same eavesdropping, alteration and forgery risks apply, and the administrators of every system on the path can read it as well.
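To make the interception risk concrete, here is an added example (not code from the original article) that does what an on-path observer running tcpdump or Ethereal does: it recovers the login credentials from reassembled cleartext POP3, IMAP and SMTP sessions. The three transcripts are constructed rather than captured, and the hosts, accounts and passwords are made up. It is a POSIX shell script and assumes awk, base64 and tr are available. Note that SMTP's AUTH PLAIN is base64 encoding, not encryption; it hides nothing from anyone who can see the bytes.

```shell
#!/bin/sh
# Added example (not from the original article): pull credentials out of
# cleartext POP3, IMAP and SMTP sessions. The three transcripts below are
# constructed to look like what tcpdump -A or Ethereal's "Follow TCP Stream"
# would show for an unencrypted login; hosts, users and passwords are made up.

POP3_STREAM='+OK POP3 server ready
USER alice@example.com
+OK
PASS Hunt3r2
+OK Logged in.
STAT
+OK 3 6402'

IMAP_STREAM='* OK IMAP4rev1 server ready
a001 LOGIN "carol@example.com" "Pa55word"
a001 OK LOGIN completed'

SMTP_STREAM='220 mail.example.com ESMTP
EHLO laptop
250-mail.example.com
250 AUTH PLAIN LOGIN
AUTH PLAIN AGJvYgBzM2NyM3Q=
235 2.7.0 Authentication successful'

# POP3 sends the password as a literal PASS command: print "user password".
# Everything after the command word is taken, so passwords with spaces survive.
pop3_creds() {
    printf '%s\n' "$1" | awk '
        { sub(/\r$/, "") }
        toupper($1) == "USER" { u = substr($0, 6) }
        toupper($1) == "PASS" { p = substr($0, 6) }
        END { if (u != "" && p != "") print u, p }'
}

# IMAP LOGIN carries both values on one tagged line, usually quoted.
imap_creds() {
    printf '%s\n' "$1" | awk '
        { sub(/\r$/, "") }
        toupper($2) == "LOGIN" { gsub(/"/, ""); print $3, $4 }'
}

# SMTP AUTH PLAIN is only base64 of "\0user\0password" (AUTH LOGIN is the
# same idea, one base64 value per line): decode it and swap the NUL
# separators for a space.
smtp_plain_creds() {
    printf '%s\n' "$1" | awk '
        { sub(/\r$/, "") }
        toupper($1) == "AUTH" && toupper($2) == "PLAIN" { print $3 }' \
        | base64 -d | tr '\0' ' ' | sed 's/^ //'
}

# Report what an on-path observer would have harvested from each session.
echo "POP3: $(pop3_creds "$POP3_STREAM")"
echo "IMAP: $(imap_creds "$IMAP_STREAM")"
echo "SMTP: $(smtp_plain_creds "$SMTP_STREAM")"
```

Run against a real capture, the same three functions work on the output of `tcpdump -A` once the stream has been reassembled; with SSL on the connection the observer sees only the TLS handshake and ciphertext, which is precisely the point of the reconfiguration above.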

Confidentiality complexity
If you'd like to protect the confidentiality and integrity of your organization's e-mail messages from source to destination, you have a somewhat more complex problem on your hands. There is no single method that every mail system supports for exchanging keys and encrypted messages, so you must collaborate with each recipient and agree on the technology you will both use. Programs like Microsoft Outlook and Mozilla Thunderbird support S/MIME, an IETF standard and the closest thing we have to a common baseline. To take advantage of it, you'll need an X.509 digital certificate that binds your e-mail address to your public key and is signed by a certificate authority your correspondents trust. You can obtain such a certificate from firms like Verisign and Thawte; Thawte even offers a limited-functionality personal certificate for free. In practice a signed message carries the sender's certificate, so exchanging signed mail first is how two S/MIME users obtain each other's public keys before either can encrypt to the other.
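As an added example (not code from the original article, and not how Outlook or Thunderbird are driven), here are the S/MIME operations a mail client performs, run from the openssl command line on a Unix-like system so each step is visible: sign, verify, detect tampering, encrypt to a recipient's certificate, and decrypt with the matching private key. It assumes openssl is installed; the self-signed certificate stands in for one issued by a CA such as Verisign or Thawte, and the name, address and message text are made up.

```shell
#!/bin/sh
# Added example (not from the original article): S/MIME with the openssl CLI.
# The self-signed certificate stands in for a CA-issued one; everything
# else (names, address, message) is made up for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Make a private key plus a certificate binding alice@example.com to the
# public key. A real certificate would be signed by a CA the recipient trusts.
smime_setup() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Alice Example/emailAddress=alice@example.com" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.crt" 2>/dev/null
    printf 'Wire 100 EUR to account 12345 today.\n' > "$WORK/msg.txt"
}

# Sign: produces a multipart/signed message. The text stays readable and the
# signature, with Alice's certificate, rides along as a second MIME part.
smime_sign() {    # $1 = plaintext file, $2 = signed message to write
    openssl smime -sign -text -in "$1" -out "$2" \
        -signer "$WORK/alice.crt" -inkey "$WORK/alice.key"
}

# Verify: exit status 0 only if the signature matches the text AND the
# signer's certificate chains to something in the trust file.
smime_verify() {  # $1 = signed message, $2 = file for the verified text
    openssl smime -verify -text -in "$1" -out "$2" \
        -CAfile "$WORK/alice.crt" 2>/dev/null
}

# Encrypt to a recipient: needs only the recipient's certificate, never a key.
smime_encrypt() { # $1 = plaintext file, $2 = encrypted message to write
    openssl smime -encrypt -aes256 -in "$1" -out "$2" "$WORK/alice.crt"
}

# Decrypt: needs the recipient's private key.
smime_decrypt() { # $1 = encrypted message, $2 = file for the plaintext
    openssl smime -decrypt -in "$1" -out "$2" \
        -recip "$WORK/alice.crt" -inkey "$WORK/alice.key"
}

# Compare two text files while ignoring the CRLF line endings and trailing
# newlines that MIME canonicalisation adds on the way through.
same_text() { [ "$(tr -d '\r' < "$1")" = "$(cat "$2")" ]; }

smime_setup
smime_sign "$WORK/msg.txt" "$WORK/signed.eml"
if smime_verify "$WORK/signed.eml" "$WORK/verified.txt"; then
    echo "signed message: signature verified"
fi

# An attacker on the path changes the amount; the signature no longer matches.
sed 's/Wire 100 EUR/Wire 900 EUR/' "$WORK/signed.eml" > "$WORK/tampered.eml"
if smime_verify "$WORK/tampered.eml" "$WORK/tampered.txt"; then
    echo "tampered message: accepted (should not happen)"
else
    echo "tampered message: rejected"
fi

smime_encrypt "$WORK/msg.txt" "$WORK/enc.eml"
smime_decrypt "$WORK/enc.eml" "$WORK/dec.txt"
if same_text "$WORK/dec.txt" "$WORK/msg.txt"; then
    echo "encrypted message: decrypted text matches the original"
fi
```

Two things worth noticing in the output files: the signed message still shows the text in the clear (signing gives integrity and origin, not confidentiality), and the encrypted message contains no trace of it. Verification fails both when the text is altered and when the signer's certificate is not in the trust file, which is why a certificate from a CA your correspondents already trust matters more than the key itself.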

The alternative to S/MIME is Phil Zimmermann's Pretty Good Privacy (PGP), now standardized as OpenPGP and implemented both by the commercial PGP products and by the free GnuPG. Instead of certificate authorities it relies on a "Web of trust" in which users sign one another's keys. PGP is available as a plug-in for Microsoft Outlook; Thunderbird has no built-in support, but the third-party Enigmail extension adds OpenPGP support on top of GnuPG. Note that S/MIME and PGP do not interoperate, so a PGP-encrypted message is unreadable to a correspondent who has only S/MIME. You can try PGP for free by signing up for a Web-based e-mail account with Hushmail.

Once it's up and running, e-mail encryption adds a great deal of security to your electronic communications. Stay attuned to the industry as S/MIME and PGP continue to develop, and watch for convergence toward a single standard.

About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

