The Critical Need for Email Security

1. Abstract

Email security has become a hot topic in Information Technology circles as new exploits and vulnerabilities affecting the most popular email clients and operating systems continue to make headline news on a regular basis. Many individuals and organisations consider email to be more valuable than the phone for private and business communications. It is no wonder that email security is a priority concern for many. In this paper I will outline the various threats to email security, focusing on those that are of particular concern. I will then review some of the advanced technologies in the industry that are aimed at solving some of these issues.

2. Introduction

In today’s electronic world, email is critical to any business being competitive. In most cases it now forms the backbone of organisations’ day-to-day activities, and its use will continue to grow. I have designed this paper to explain how email really works, what the real security issues are, what solutions are available, and how security risks can be avoided. I will investigate and analyse security technologies that can be implemented to make email secure. Email, in general, is not secure at all, and it is surprising to learn just how insecure it really is. Information security and integrity are becoming more important as we use email for personal and, most importantly, business communication. As email becomes more prevalent in the market, the importance of email security becomes more significant.

3. How Email Works

There are generally two ways of sending email from sender to receiver. Webmail uses a web-based interface like Yahoo or Hotmail. This uses an internet connection to communicate with a web server; the connection uses the HyperText Transfer Protocol (HTTP). When a message is sent with Webmail, the web server contacts its Simple Mail Transfer Protocol (SMTP) server and sends the message to it.
The other way of sending and receiving email is by using Mail Transfer Agents like Microsoft Outlook or Mozilla Thunderbird.

3.1 Sending an Email Message

Sending email messages is analogous to sending letters through real post offices, and SMTP is the procedure an email post office uses to work out where to send the letter next. When sending a message with an email program, the sender has to specify a server so that the email program knows where to send the message. Any program that sends an email message uses SMTP to deliver that message to the next post office for relaying to the final destination. The diagram below shows how email is transferred from the sender to the sender’s SMTP server.

A Research & Investigation into Email Security Farai B. Matambanadzo Page 1

3.2 Delivery of an Email Message from the Sender’s SMTP Server to the Recipient’s SMTP Server

When an SMTP server receives an email message from the sender, it first checks whether it has an inbox for the message recipient. If it has an inbox for the message recipient, it sends the message directly to the recipient’s SMTP server. If it does not have an inbox, it forwards (relays) that email message to another SMTP server closer to the recipient. This is analogous to how a local post office forwards a letter to a regional post office. This process is known as “SMTP relaying”. There is usually an ordered list of SMTP servers that expect to receive email for a particular recipient. The highest-priority SMTP server listed is the recipient’s actual SMTP server; the others are backup SMTP servers. These backup servers merely queue email for later delivery to the recipient’s actual SMTP server.

There are a few scenarios that determine the path an email message may take from the sender’s SMTP server to the recipient’s SMTP server. Some of these are as follows:
1. The sender’s server successfully contacts the recipient’s server and sends the email message directly.
2. The sender’s server cannot contact the recipient’s actual SMTP server (perhaps the recipient’s server is busy, down, or has some other connection problem). In this case the sender’s server tries to contact and deliver the message to the recipient’s first backup server.
3. The sender’s server cannot contact the recipient’s actual SMTP server or its first backup server. In this case the sender’s server tries to contact and deliver the message to the recipient’s second backup server.
4. The sender’s server cannot contact any of the recipient’s servers. In this case it queues the message and tries to send it later. It keeps retrying periodically for several days until it either succeeds in sending or gives up.

Any message delivered to a backup server goes through the same process of trying to contact the recipient’s actual SMTP server, or a higher-priority backup server. Backup servers may also queue email for later sending. (Note that a recipient may have zero or more backup servers, not necessarily two as in this example.)

Once an email message arrives at the recipient’s SMTP server and is delivered to the recipient’s mailbox, the recipient may pick up the message and read it whenever they wish. Each server that receives the message adds its “Received” stamp to the message. This stamp identifies which server received the message, at what time, and from which other server. This information allows the recipient to see a message’s entire journey.

Points to note:

Most email servers communicate with each other using SMTP.

No one knows how long it will take for an email message to get from sender to recipient. This depends on how busy the servers are, how much traffic there is on the Internet, which machines are down, and other factors. Messages may sit in queues on any number of servers for any amount of time.
Some of these servers may belong to third parties (i.e. they may not be under the purview of either the sender or the recipient).

Recipients can determine the Internet address and name of the computer from which the messages were sent.

3.3 Retrieving Email from an SMTP Server

When the recipient receives an email message, it sits in a file on the recipient’s SMTP server. For the email message to be viewed, this file must be accessed. There are generally two protocols (with some exceptions) used to retrieve email. One is called the “Internet Message Access Protocol” (IMAP) and the other is called the “Post Office Protocol” (POP). In large corporate environments, a specific proprietary protocol may be used. The diagram below shows how email is transferred from the SMTP server to the recipient.

4. The Lack of Security in Email

As I mentioned before, email is inherently insecure. In the following sections of this paper I will explain how insecure email is, pointing out the weaknesses in the email delivery pathway discussed above. The following are a few of the security problems inherent in email.

Webmail: If the connection to the Webmail server is “insecure” (i.e. the address is http:// and NOT https://), then all information, including username and password, is unencrypted as it passes between the Webmail server and the sender’s or recipient’s computer.

SMTP: SMTP on its own does not encrypt messages. Communications between SMTP servers may carry your messages in plain text for anyone to see. Additionally, if an email server requires a username and password to log in to the SMTP server in order to relay messages to other servers, then these are also sent in plain text. Messages sent via SMTP include details about which computer they were sent from and what email program was used. These details are available to all recipients and may be a privacy concern.
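As an added example (not part of the paper), the following Python reconstructs the journey described in 3.2 and 3.3 from a message’s “Received” stamps, flags relays that belong to neither party, and lists what the message reveals about the sending computer and mail program, as noted above. The message is constructed for the demonstration; its hosts and addresses are placeholders.

```python
"""Trace an email's journey from its "Received" stamps (sections 3.2 and 3.3)
and report what it reveals about the sending machine (section 4).
Added example, not the paper's code; the message is constructed with
placeholder hosts (.example names, RFC 5737 documentation addresses)."""
import re
from email import message_from_string

# Constructed sample. Every relay prepends its own Received stamp, so the
# topmost header is the most recent hop. The middle hop is a backup server
# run by a third party (see the "third parties" note in section 3.3).
SAMPLE_MESSAGE = """\
Received: from mx-backup.isp.example (mx-backup.isp.example [198.51.100.7])
\tby mail.example.net with ESMTP id 7F2A1; Tue, 2 Feb 2010 10:01:02 +0000
Received: from smtp.example.org (smtp.example.org [203.0.113.25])
\tby mx-backup.isp.example with ESMTP id 3C9D; Tue, 2 Feb 2010 10:00:58 +0000
Received: from workstation-12 (host-12.lan.example.org [192.0.2.12])
\tby smtp.example.org with ESMTPA id 91B0; Tue, 2 Feb 2010 10:00:40 +0000
From: alice@example.org
To: bob@example.net
Subject: Quarterly figures
X-Mailer: Mozilla Thunderbird 3.0

Bob, the figures are attached.
"""

# "from <name> (<reverse lookup> [<ip>]) by <server> with <protocol> ...; <date>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_name>\S+)\s+\((?P<from_info>[^)]*)\)\s+"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+).*?;\s*(?P<date>.+)$"
)


def parse_hops(raw_message):
    """Return the Received stamps as dicts, oldest hop first (origin to destination)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if match:
            hops.append(match.groupdict())
    hops.reverse()
    return hops


def third_party_relays(hops, sender_domain, recipient_domain):
    """Servers on the path that belong to neither the sender's nor the recipient's domain."""
    return [h["by"] for h in hops
            if not h["by"].endswith("." + sender_domain)
            and not h["by"].endswith("." + recipient_domain)]


def origin_details(raw_message):
    """What any recipient can learn about the sender's computer and mail program."""
    msg = message_from_string(raw_message)
    hops = parse_hops(raw_message)
    first = hops[0] if hops else {}
    ip_match = re.search(r"\[([0-9.]+)\]", first.get("from_info", ""))
    return {
        "client_host": first.get("from_name"),
        "client_ip": ip_match.group(1) if ip_match else None,
        "mail_program": msg.get("X-Mailer") or msg.get("User-Agent"),
        "submitting_server": first.get("by"),
        "authenticated": first.get("proto", "").upper() in ("ESMTPA", "ESMTPSA"),
    }


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        print(f"{hop['from_name']} -> {hop['by']} ({hop['proto']}) at {hop['date']}")
    print(origin_details(SAMPLE_MESSAGE))
```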
POP and IMAP: The POP and IMAP protocols require a username and password to be sent in order to log in. These credentials are not encrypted and can be read by anyone listening to the flow of information between a personal computer and the email service provider’s computer.

Backups: Email messages are stored on SMTP servers in plain text. Backups of the data on these servers may be made at any time, and administrators can read any of the data on these machines. Email messages that are sent may therefore be saved unexpectedly and indefinitely, and can be read by unknown persons as a result.

I will now talk about the security threats to email communications. Later on, I will discuss how these threats can be addressed.

5. Security Threats to Email Communications

There are many common security issues involved in communications, and in email in particular. The diagram below summarises what happens as a message makes its way from sender to recipient. Some of the security threats are described below:

Message Modification: Anyone who has system administrator permission on any of the SMTP servers that a message visits can read, delete or change the message before it continues on to its destination. The recipient has no way to tell whether the email message they receive has been altered. If the message was simply deleted, the recipient would not even know that it had been sent.

Eavesdropping: It is very easy for someone who has access to the computers or networks through which the information is travelling to capture this information and read it. Other users of computers near the path taken by email through the Internet can potentially read and copy messages not intended for them.

Repudiation: Normal email messages can be forged, and there is no way a recipient can prove that someone sent them a particular message. It is also possible for a sender to successfully deny sending a message.
Identity Theft: If someone can obtain the username and password used to access email servers, they can read other people’s email and send false email messages disguised as legitimate senders. These credentials can be obtained by eavesdropping on SMTP, IMAP, POP or Webmail connections, by reading email messages in which this information is included, or through other means.

False Messages: It is very easy to construct messages that appear to be sent by someone else. Many viruses take advantage of this to spread themselves. There is no way to be sure that the apparent sender of a message is the true sender, as the sender’s name could easily have been fabricated.

Message Replay: Email messages can be saved, modified, and re-sent later. A recipient can receive a valid original message, but then receive subsequent faked messages that appear to be valid.

Invasion of Privacy: When normal email is sent, the recipients may be able to learn the IP address of the sender’s computer. This information may be used to tell in what city you are located, or in some cases even to find out your address.

Unprotected Backups: Messages are stored in plain text on all SMTP servers. This means that backups of these servers’ disks will contain plain-text copies of messages. As backups can be kept for years and can be read by anyone with access to them, the messages could still be exposed in insecure places long after email users think that all copies have been deleted.

Viruses and Spam: Viruses are so dangerous because they often deliver extremely destructive payloads, destroying data and bringing down entire mail systems. As a result they are a major drain on corporate IT departments and users. The volume of spam can affect system availability, and spam may carry malicious code.
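The cleartext logins described for Webmail, SMTP, POP and IMAP in section 4 are exactly what the eavesdropping and identity-theft threats above exploit, and they are also what a network sensor rule can catch. This added Python (not the paper’s code) scans a constructed capture of client commands, reports which accounts authenticated over cleartext and which protocol exposed them, and never records the secret itself; the ports, hosts and account names are assumptions for the demo.

```python
"""Detect credentials exposed in cleartext by POP, IMAP, SMTP and http:// Webmail
logins (section 4; the eavesdropping and identity-theft threats of section 5).
Added example, not the paper's code: the capture is a constructed list of
client commands as a network sensor would record them, one flow per port.
Findings name the account and the protocol but never the secret itself."""
import base64
import re

TLS_PORTS = {"995": "POP3S", "993": "IMAPS", "465": "SMTPS", "443": "HTTPS"}
CLEARTEXT_PORTS = {"110": "POP3", "143": "IMAP", "25": "SMTP",
                   "587": "SMTP submission", "80": "HTTP"}


def auth_plain_account(b64):
    """AUTH PLAIN carries base64("authzid\\0authcid\\0password"); return only the account name."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\x00")
        return (parts[1] or parts[0]).decode("utf-8", "replace")
    except (ValueError, IndexError):
        return "?"


# (pattern, description, account extractor) for client commands that carry a password
RULES = [
    (re.compile(r"^USER\s+(\S+)$", re.I), "POP3 USER/PASS login", lambda m: m.group(1)),
    (re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+\S+', re.I), "IMAP LOGIN", lambda m: m.group(1)),
    (re.compile(r"^AUTH\s+PLAIN\s+([A-Za-z0-9+/=]+)$", re.I), "SMTP AUTH PLAIN",
     lambda m: auth_plain_account(m.group(1))),
    (re.compile(r"(?:^|&)(?:user|username|login)=([^&]+)(?=.*pass)", re.I), "Webmail form POST",
     lambda m: m.group(1)),
]


def scan_flow(port, client_lines):
    """Findings for one client-to-server flow; empty if the payload travelled inside TLS."""
    if port in TLS_PORTS:
        return []                       # encrypted from the first byte: nothing readable
    protocol = CLEARTEXT_PORTS.get(port, "unknown")
    findings = []
    for line in client_lines:
        if line.strip().upper() == "STARTTLS":
            break                       # everything after the upgrade is inside TLS
        for pattern, description, account_of in RULES:
            match = pattern.search(line)
            if match:
                findings.append({"port": port, "protocol": protocol,
                                 "exposure": description, "account": account_of(match)})
                break
    return findings


def scan_capture(flows):
    """flows: list of (port, [client lines]) tuples, as recorded by a sensor."""
    return [f for port, lines in flows for f in scan_flow(port, lines)]


# Constructed capture: four cleartext logins, one STARTTLS upgrade, one IMAPS session.
SAMPLE_FLOWS = [
    ("110", ["USER alice", "PASS hunter2", "STAT"]),
    ("143", ["a001 LOGIN bob s3cret", "a002 SELECT INBOX"]),
    ("25", ["EHLO laptop", "AUTH PLAIN AGNhcm9sAHBhc3N3b3Jk", "MAIL FROM:<carol@example.org>"]),
    ("587", ["EHLO laptop", "STARTTLS", "<TLS application data>"]),
    ("993", ["<TLS application data>"]),
    ("80", ["POST /webmail/login.php HTTP/1.1", "user=dave&password=letmein"]),
]

if __name__ == "__main__":
    for finding in scan_capture(SAMPLE_FLOWS):
        print(finding)
```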
In a nutshell, the security attacks that prevent the normal flow of messages are interruption, interception, modification and fabrication.

6. Cryptography

Email is like a message on a postcard that anyone can read along the way, as it is transmitted in clear text. When an email is sent, it is copied to at least two servers, and often many more than that. The copies are at times included in backups between sender and recipient. Content is inspected by the various firewalls through which the email passes, exposing it to some of the security threats mentioned above. The bottom line is that emails can be intercepted by unauthorised parties, whether with malicious intent or accidentally.

Encryption is one of the methods of defence that can be implemented to mitigate these security problems. There are many ways in which emails can be encrypted. Systems that automatically encrypt messages based on company procedures or personal requirements, or manual options, can be deployed. Although the mathematics that make cryptography work are complicated, the principles behind it are quite simple. Every email encryption system consists of four fundamental parts. The following is a diagram and explanation of these parts:

The message to be encrypted (called plaintext or cleartext)
The message after it is encrypted (called ciphertext)
The encryption algorithm, which is the mathematical function used to encrypt the message
The key(s), which can be a number, a word, or a phrase that is used by the encryption algorithm

6.1 Symmetric Cryptography

In symmetric cryptography, also known as “private key” encryption, sender and receiver share a “private” or “secret” key. This key is used to encrypt a message into “ciphertext”. The ciphertext looks like a sequence of random characters and is completely meaningless to anyone unless they also have the private key.
The private key is used to decrypt the ciphertext back into the original, readable clear-text message. Using symmetric key encryption, eavesdropping and unwanted backups of messages are no longer a problem (unless the eavesdropper knows the private key). It will also be difficult for an unauthorised person to modify messages in transit in any meaningful way. The main problem with symmetric key encryption is that the sender and receiver must share the same private key. Unless they meet in person, they will have to communicate the secret key using channels that are not really secure, and eavesdroppers may capture the private key.

6.2 Message Digests / Authentication Codes

A Message Digest or Message Authentication Code is produced by passing a message through an algorithm. The algorithm outputs a relatively short sequence of characters (perhaps 64, 128, 256 or so). This sequence of characters is a “fingerprint” for the message: any change in the message would produce a different fingerprint. The original message cannot be obtained from its fingerprint, and it is almost impossible to find two messages yielding the same fingerprint. Message digests are a way to check whether a message has been changed. If the digest of the original message is compared with a digest of the message received and the two match, this shows that the message has not been altered.

6.3 Asymmetric Cryptography

In asymmetric cryptography, also known as “public key” encryption, each person has two keys that are generated by a mathematical process. A message encrypted with one of the keys can only be decrypted using the other key. A sender uses a recipient’s public key to encrypt a message for the recipient. The recipient then uses his private key to decrypt the message. For example, say you have keys “Key1” and “Key2”. If you encrypt your message with Key1, then only Key2 can be used to decrypt it.
Similarly, if you encrypt using Key2, only Key1 can be used to decrypt it. The two keys that each person possesses are known as the “private” and “public” keys because the “public” one is published or given out freely to anyone who wants a copy, and the “private” one is kept secret. The security of asymmetric key encryption depends only on whether a person can keep his private key secret. PGP keeps all of the public keys for the people you communicate with in a single file called the “key ring”. Each user has a pair of keyrings to store public and private keys.

Asymmetric cryptography should be used in combination with SSL/TLS so that the username and password are also protected. The reason is that these credentials are not part of the message and thus would not be encrypted along with it.

7. Securing Email with SSL or TLS

The simplest way to make email more secure is to use an email provider that supports “Secure Socket Layer” (SSL) for their Webmail, POP, IMAP, and SMTP servers. “Transport Layer Security” (TLS) is a type of SSL that can be initiated during a mail session. SSL must be initiated before sending the message. SSL is a combination of asymmetric and symmetric key encryption mechanisms. If SSL is used to connect to a server, the following things happen:

1. The server uses its private key to prove to you that it is in fact the server you are trying to connect to. This lets you know that you are not connecting to a “middleman” that is trying to intercept your communications.
2. You send the server your public key.
3. The server generates a “private key” and sends it to you encrypted using your public key.
4. You and the server then communicate using symmetric key encryption with this shared private key. (Symmetric key encryption is faster than asymmetric key encryption.)

SSL certificates are (generally) issued by third-party agencies like VeriSign.
These agencies do a background check on companies that request certificates, and only issue certificates if the companies have a right to them. The certificate includes the name of the company, the name of the issuing company, and the name of the server to which it is issued. When you connect to an SSL server you can verify this embedded information and the fact that it was issued by a third-party company that you trust. If the certificate is valid, then you can have a high degree of confidence that the server you are connecting to is the server you want to reach.

By using SSL for Webmail, POP, IMAP, and SMTP you ensure that communications between your personal computer and your email service provider’s computers will be encrypted. Your message contents, username, and password will be hidden from eavesdroppers. They are hidden only between you and your service provider, as SSL/TLS operates between client and server, unlike PGP and S/MIME, which provide end-to-end encryption. SSL services do not protect your messages once they leave your SMTP server and head to their destinations. So it doesn’t really protect your message contents, but it does completely protect your username and password from detection. This is very important because it prevents identity theft, forged messages, etc.

SSL is very easy to use. It usually only involves ticking a few checkboxes in the configuration of your email client. It is transparent to your recipients: you can use SSL for these services even if your recipients do not. These measures protect you and your password. The benefits of SSL are that you can determine whether you are connecting to the right server, and that you and the server can communicate securely. SSL/TLS protects password and message contents to some extent, but does not solve any of the other security problems I have discussed, like message modification, repudiation, encryption, unwanted backups, etc.
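What “using SSL” in the mail client amounts to on the client side, as an added Python example that is not the paper’s code: a context that insists on a verified certificate and matching server name, a rule that TLS is established (implicit or via STARTTLS) before any password is sent, the unverified setting to avoid, and a report of the three certificate facts the paper says to check. Python’s ssl library performs the key exchange itself; the host names and the certificate dictionary are constructed placeholders.

```python
"""Client-side TLS checks for mail connections (section 7): verify the server
certificate and hostname, start TLS before any credential is sent, and inspect
what the certificate says about the server and its issuer.
Added example, not the paper's code. Host names are placeholders and the
certificate dict is constructed in the shape ssl.SSLSocket.getpeercert() returns."""
import smtplib
import ssl
import time

# Ports where TLS wraps the whole session ("implicit") or is negotiated in-band via STARTTLS.
TLS_MODE = {993: "implicit", 995: "implicit", 465: "implicit",
            143: "starttls", 110: "starttls", 587: "starttls"}


def strict_mail_tls_context():
    """Context that refuses unverified servers, hostname mismatches and legacy protocol versions."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname + system CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 2/3 and TLS 1.0/1.1 are no longer acceptable
    return ctx


def unverified_context():
    """The setting to avoid: accepts any certificate, so a 'middleman' passes step 1 unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def tls_mode_for_port(port):
    """'implicit', 'starttls', or None for a port (e.g. 25) where credentials must never be sent."""
    return TLS_MODE.get(port)


def open_smtp(host, port, ctx):
    """Connect for message submission with TLS established before AUTH or DATA (network call)."""
    mode = tls_mode_for_port(port)
    if mode == "implicit":
        return smtplib.SMTP_SSL(host, port, context=ctx)
    if mode == "starttls":
        conn = smtplib.SMTP(host, port)
        conn.starttls(context=ctx)                # raises SSLError if certificate/hostname checks fail
        return conn
    raise ValueError(f"refusing to send credentials over cleartext port {port}")


def rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested subject/issuer tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def dns_name_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label (*.example.net matches mail.example.net only)."""
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.lower().endswith(pattern[1:].lower())
    return pattern.lower() == hostname.lower()


def describe_peer_cert(cert, hostname, now=None):
    """The three things the paper says to verify: server name, issuing company, and validity.
    The ssl module already enforces these on connect; this reports them for logging or review."""
    now = time.time() if now is None else now
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "server_name": rdn_value(cert["subject"], "commonName"),
        "issuer": rdn_value(cert["issuer"], "organizationName"),
        "hostname_matches": any(dns_name_matches(p, hostname) for p in sans),
        "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < now,
    }


# Constructed certificate, same shape as getpeercert(); names are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.net"),),),
    "issuer": ((("organizationName", "Example Trust CA"),), (("commonName", "Example Trust Root"),)),
    "subjectAltName": (("DNS", "mail.example.net"), ("DNS", "*.example.net")),
    "notAfter": "Feb  1 12:00:00 2011 GMT",
}
```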
This is because SSL/TLS only protects the message path between you and your SMTP server and stops there. Even with SSL/TLS, the messages are stored on the SMTP server in plain text.

8. Securing Email with PGP

PGP (Pretty Good Privacy) is a program that uses encryption to protect the privacy of email and of files stored on a computer. It can also be used as a digital signature system to allow people to prove that emails or files have not been modified. PGP is the widely used de facto standard secure email software, and it employs the best available cryptographic algorithms. PGP uses asymmetric cryptography (public and private key encryption).

8.1 Digital Signatures

Sometimes people do not particularly need to encrypt documents, but rather want to keep them from being changed. PGP has a powerful way of signing email to prevent other people from distributing fraudulent messages in someone’s name or in the name of an organisation. This method is called digital signatures, and it prevents people from changing the words in an email without permission. A digital signature proves that an authorised person sent the message and allows the recipient to determine whether the message was altered in transit.

With PGP, a message signed with a digital signature can also be encrypted. This is the most secure form of sending email: a signature is first added to the message, and the message plus the signature is then encrypted with the recipient’s public key. This combines all the benefits of the security techniques, i.e. security against eavesdropping and unexpected storage, proof of sender, and proof of message integrity. When someone uses PGP to encrypt an email and send it to a friend, the following occurs:

1. PGP creates a random session key for the message.
2. PGP uses the IDEA algorithm to encrypt the email with the session key.
3. PGP uses the RSA or DSA algorithm to encrypt the session key with the recipient’s public key.
4. PGP bundles the encrypted message and the encrypted session key together and prepares the message for mailing.

PGP handles the session key automatically without any user intervention.

9. Securing Email with S/MIME

S/MIME (Secure Multipurpose Internet Mail Extensions) is an established standard for asymmetric (public key) encryption and signing of email encapsulated in MIME. People can send and receive S/MIME-protected emails once they have acquired a private and public key from a Certification Authority (CA) and have exchanged their public key with their contact. Public keys can be exchanged by sending digitally signed messages, and individuals store a contact’s key in the contact’s entry in an address book. To send an encrypted email, the sender composes the message, and his S/MIME-enabled email software then locates the recipient’s public key and uses it to encrypt the message. The recipient’s email system in turn decrypts the message using the recipient’s private key. As the sender and recipient need to have exchanged keys before exchanging encrypted messages, S/MIME is best suited to situations that call for a higher level of security. S/MIME can also be used to confirm the identity of the sender and to ensure that message data cannot be modified after sending.

S/MIME is built into major mail agents like Microsoft Outlook, Outlook Express, Mozilla Thunderbird, etc. Users will have to set the security settings so that the following can be done automatically by the mail agent:

Get a digital ID for sending secure messages.
Back up or copy a digital ID.
Move a digital ID to another computer.
Send a signed message.
Add a digital ID to the Contacts list.
Send an encrypted message.
Sign or encrypt all messages that you send.

10. Analysis of PGP Technology

I did an in-depth analysis of the operation of PGP.
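Before the hands-on analysis, the sign-then-encrypt workflow of section 8 (steps 1 to 4, with the digital signature of 8.1 added first) in working code, which is also the shape of the S/MIME flow in section 9. This is an added example, not code from the paper or from PGP: it assumes fixed, publicly known Mersenne primes for textbook RSA and a SHA-256 keystream in place of IDEA, so it runs offline but is a model of the structure, not usable cryptography.

```python
"""End-to-end model of the PGP flow in section 8 (sign, then encrypt with a
session key that is itself encrypted to the recipient's public key); S/MIME in
section 9 has the same shape. Added example, not the paper's or PGP's code.
Simplifications, so that it runs offline: textbook RSA on fixed, public
Mersenne primes with no padding, and a SHA-256 keystream standing in for
IDEA. It demonstrates the structure only, not usable cryptography."""
import hashlib
import os

# Fixed, publicly known primes for the demo. Real keys come from secret random primes.
DEMO_PRIMES = {"alice": (2**127 - 1, 2**521 - 1), "bob": (2**107 - 1, 2**607 - 1)}
E = 65537


def make_keypair(p, q, e=E):
    """Key1/Key2 pair of section 6.3: whatever one key transforms, only the other undoes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)                        # (public key, private key)


def rsa_apply(key, value):
    """Textbook RSA without padding (real systems use OAEP/PSS or the OpenPGP packet formats)."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def keystream_cipher(session_key, data):
    """Symmetric part (section 6.1), standing in for IDEA: XOR with SHA-256(key || counter).
    Applying it a second time with the same key restores the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(session_key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def digest(message):
    """Message digest of section 6.2: fixed-size fingerprint; any change yields a different one."""
    return hashlib.sha256(message).digest()


def sign(sender_private, message):
    """Digital signature of section 8.1: the digest transformed with the sender's private key."""
    return rsa_apply(sender_private, int.from_bytes(digest(message), "big"))


def verify(sender_public, message, signature):
    try:
        return rsa_apply(sender_public, signature) == int.from_bytes(digest(message), "big")
    except ValueError:                           # garbage signature larger than the modulus
        return False


def pgp_encrypt(recipient_public, sender_private, message):
    """Steps 1-4 of section 8, with the signature added first and encrypted along with the message."""
    sig = sign(sender_private, message)
    sig_bytes = sig.to_bytes((sig.bit_length() + 7) // 8 or 1, "big")
    payload = len(sig_bytes).to_bytes(2, "big") + sig_bytes + message
    session_key = os.urandom(16)                                       # 1. random session key
    ciphertext = keystream_cipher(session_key, payload)                # 2. encrypt message with it
    wrapped_key = rsa_apply(recipient_public, int.from_bytes(session_key, "big"))  # 3. to recipient
    return {"wrapped_key": wrapped_key, "ciphertext": ciphertext}      # 4. bundle for mailing


def pgp_decrypt(recipient_private, sender_public, envelope):
    """Return (message, signature_valid). A tampered ciphertext decrypts to bytes that fail verification."""
    session_key = rsa_apply(recipient_private, envelope["wrapped_key"]).to_bytes(16, "big")
    payload = keystream_cipher(session_key, envelope["ciphertext"])
    sig_len = int.from_bytes(payload[:2], "big")
    if len(payload) < 2 + sig_len:
        return b"", False
    sig = int.from_bytes(payload[2:2 + sig_len], "big")
    message = payload[2 + sig_len:]
    return message, verify(sender_public, message, sig)


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(*DEMO_PRIMES["alice"])
    bob_pub, bob_priv = make_keypair(*DEMO_PRIMES["bob"])
    envelope = pgp_encrypt(bob_pub, alice_priv, b"Bob, the quarterly figures are attached.")
    print(pgp_decrypt(bob_priv, alice_pub, envelope))
```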
PGP is a commercial application, but there is also a 30-day trial version that can be downloaded for free from www.pgpi.org. I downloaded the latest freeware version (PGP Desktop 10.0) and installed it on two computers. One computer runs Windows XP Pro with MS Outlook 2007 installed; the other runs Windows 7 with Mozilla Thunderbird installed. Both Outlook and Thunderbird are mail agents that connect to SMTP, POP and IMAP servers.

The first thing to do after installing PGP is to configure the email client to use PGP. When this was done, PGP automatically created keys for me (a private and a public key). PGP connected me to the Global Directory, which verifies, stores and distributes public keys. The Global Directory gives assurance that a key is owned by the email address on the key. This allows others to verify signatures from that key and encrypt messages to it. I then published my public key to the PGP Global Directory. After submitting my public key, I received a message asking me to verify my key. The screenshot of the message is below:

I completed the verification process and the server “keyserver.pgp.com” presented me with an X.509 certificate. The X.509 certificate is the recommended standard certificate that defines the authentication services and certificate structure. The certificate looks like this:

PGP asked me to create a passphrase of a minimum of 8 non-alphabetic characters. I will have to use this passphrase each time I want to access my keys. I connected to the Global Directory and imported the public keys of people I would like to send messages to. These keys are imported into my keyring.
A screenshot of the select key(s) dialog looks like this:

Settings can be changed in the Advanced key settings tab, which looks like this:

To send a message, I select a public key from my keyring and use it to send. PGP messaging automatically encrypts, decrypts, signs and verifies messages according to the policies I set. To receive a message, I have to confirm, by typing my passphrase, that I am the owner of the private key which I will use to decrypt encrypted messages.

11. Conclusion

Email is not secure. Email encryption is absolutely critical for a variety of reasons, including compliance with regulatory obligations to protect the integrity of sensitive data, and best practices focused on maintaining the confidentiality of corporate data. Simply using encryption is not enough: you need to know how to use the encryption system properly, because improperly used encryption offers little protection, or sometimes none at all. Organisations should put policies in place and make sure they are kept up to date to ensure compliance. Individuals should have anti-virus software on their computers and should also archive their emails so that they sit on their personal computers. Organisations and individuals should focus on encryption across applications, i.e. use systems that are interoperable. If you use one system and the person you want to exchange messages with is on another, and the two are not compatible, then you will not be able to send each other encrypted messages. PGP and S/MIME solve many problems, but they also create another. One interoperability issue is that PGP and S/MIME are completely incompatible. If you are using PGP and your friend is using S/MIME, you will not be able to send each other secure messages. Some email clients, such as Microsoft Outlook and Mozilla Thunderbird, can be configured to use both PGP and S/MIME.
This will enable people to correspond securely using whatever method is necessary at the moment. Additionally, most major email programs have support for S/MIME built in (and not PGP), so it is much easier and cheaper to get started with S/MIME. PGP and S/MIME use asymmetric key encryption to protect the contents of your messages throughout their complete journey. They provide:

Protection against eavesdropping and unwanted backups
Message digests to detect whether messages have been altered in transit
Signatures to prove sender authenticity

Public key cryptography systems have one problem: such systems are computationally intensive and thus are extremely slow to use. From my research and experience, more and more companies are using SSL to encrypt communications with their email servers. I highly recommend the use of SSL for email communications. When I installed PGP to do an in-depth analysis, the effort needed to set it up and to train myself in using it was much larger. I think organisations will see it as costing more than the benefit of use, considering that they have to purchase licences. The cost saving gained by using secure messaging lies in having less information leakage or modification, which is very difficult to quantify, especially as most companies assume that they do not have significant problems in this arena anyway.