Note: The answer to this question is FREE and it’s at the end of this post.
Digitally signing an email is a way of assuring the recipient that the content, while not encrypted, has not been modified in transit, it’s effectively a personal cryptographic certification of the content and attributes of the mail. If the “From:” address is re-written, for example a signed mail is sent to a distribution list and then forwarded on to each of the members of the list with a new “From:” address (usually the address of the list) then the contents will have been modified and the signature will no longer match. The same is true of any content within the mail, if it is intercepted and modified in transit, then the end-user should receive a warning that the signature no longer matches. In a post-PRISM world though, more people are beginning to pay attention to how they can secure their email communication completely from prying eyes. Simply signing will not achieve this, as mails not encrypted – merely “certified” – are still sent in the clear. Full-blown mail encryption is the answer, as Edward Snowden asserted in his recent Q&A, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on“.
If you are using a webmail interface, unfortunately encryption is rarely directly integrated, in the case of Gmail, it would severely impact their business model of targeted advertising based on content (the content would be unreadable). There are options that allow you to encrypt mail content before it is pasted into the webmail interface; tools such as the Firefox add-on Encrypted Communication or Encipher.it.
Of course you still have to find a way to transmit the decryption key to your recipient, and that should be done through an alternative channel than the email itself, otherwise you simply give anyone else listening to your mail the key as well.
If you are using a mail client, an alternative is to use one of the many Public Key Cryptography solutions, such as GnuPG, the only problem with Public Key systems is complexity and key management. In order to send someone an encrypted mail, the prospective recipient needs first to have signed up for a compatible service and created their public/private key pair and you, the sender, need to have a copy of their public key in order to send them an encrypted mail that only they can read. In the “many-to-many” world of email, this management overhead can quickly become a real headache and has been the one thing that has always hindered widespread adoption of public-key cryptography.
This is one of the things that drove the inception of Identity-Based Encryption (IBE).
Wouldn’t it be nice if everyone online had a single, unique global identifier that was not secret and was publicly available?
Well, guess what? They do! That identifier is your email address, it’s public and it’s unique to you. So with an IBE solution, you can generate an encrypted email to any recipient, regardless of whether they have signed up with any service, simply by knowing their email address. Of course on receipt of your first encrypted email, they will need to sign up to generate the rest of the key pair and be able to decrypt that and subsequent messages, but matters are vastly simplified.
A PGP public key looks something like this:
mQCNAi+UeBsAAAEEAMP0kXU75GQdzwwlMiwZBUKFUDRgR4wH9y5NP9JaZfVX8shT ESbCTbGSEExB2ktEPh5//dkfftsKNlzlAugKFKTgBv20tQ9lDKfdbPVR0HmTLz0e tB5NYXJ0eSBNY0ZseSA8bWFydHlAZnV0dXJlLmNvbT6JAJUCBRAvlHhGrWQf9RQ+ wVIeqEue4+Mt/Kq7kMcQy+5sX2RBAiZTYl0n/JdY/WxflU0taq1kH/UUPkklAAUR SSUBAQX+BACnhx7OTb1SfAcJVF/1kuRPUWuGcl57eZgv4syc1O9T3YNr0terWQBT K0vFR00FdaBv9X9XwlxaBJHGeiBcmhaiOTwB912ysoteUzZHne3sHPw3MkYboAFx xHg43Cnj60OeZG2PKp/kU91ipOJP1cs8/xYOGkeoAMqDfwPeFlkBiA== =ddBN
An IBE public key looks like this “firstname.lastname@example.org”.
As far as I know, Trend Micro is the only company that offers a completely FREE single-use client, for individuals to begin sending IBE encrypted mails. Simply click the “Send Private” button from Outlook to encrypt your email message and any attachments with 256-bit AES double-wrapped in Identity-based key pair encryption. The recipient can also use the client or, if they are not using PC, they can use a simple web-based reader to decrypt those mails.
I don’t normally post blogs that advertise Trend Micro products, but I really feel that we don’t shout loud enough about this one. If you want to try it for yourself, the client is available here.