Email encryption is often touted as a means of combating spam. However, encryption alone is of little help in the fight against spam because of the way modern cryptographic protocols use public key encryption. In fact, encryption could conceivably increase the amount of dangerous spam that gets past a spam filter, because a filter that cannot decrypt a message cannot examine its contents. To be useful, encryption must be used in combination with a closely related technology – authentication.

Fortunately, all major public key encryption solutions support both encryption and authentication. In a nutshell, the basic idea behind public key encryption is that every user has a public key and a private key, which are created together. The public key is shared with anyone with whom one wishes to exchange secure emails. The point is that the sender uses the recipient’s public key to encrypt data, which can then only be decrypted with that recipient’s private key. Since the public key is, by definition, public, a spammer could theoretically use it to encrypt spam and send it to the key’s owner. Because few (if any) spam blockers can decrypt such a message, they cannot scan it for malicious attachments.

Authentication involves using one’s private key to create a digital signature over an outgoing email and attaching that signature to the message. Any such signature is unique to the message for which it was created, and therefore cannot be reused. The recipient can (using the appropriate tools) verify that the message was indeed sent by a known, trusted correspondent.

Most major email client programs and server solutions support encryption and authentication, but there are two main competing protocols. S/MIME is supported by Outlook (and Outlook Express) out of the box. PGP (originally known as Pretty Good Privacy) and its derivative GPG (GNU Privacy Guard) are used by most of the “Open” world, and are supported by most other email clients. Once configured to use encryption and authentication, the email clients hide most of the complexity of exchanging secure emails. The major differences between the two protocols are the sources of the keys and the level of trust implied by each. S/MIME keys must be issued by a certificate authority, such as Verisign or Thawte. PGP and GPG keys can be generated by the end user. In the latter case, the onus is on the users to exercise caution and only install the public keys of people with whom they have a known, trusted relationship.

Encryption and authentication add significantly to the processing requirements of email interchange. Few organizations deal with so much confidential information that every email should be encrypted. Also, configuring email software to refuse emails from senders that cannot be authenticated may protect against some spam, but it will also block any legitimate email from a sender that is not yet known to the recipient.

Recommendations:

Only encrypt messages containing confidential information, and always digitally sign them when you do. Never open encrypted email from an unauthenticated sender. Maintain a spam blocker or email scanning solution that combines sender reputation analysis with content scanning.


Source by Christopher Spence