Keeping Your Communications Private

By Derek Zeanah

Wednesday, October 12, 2005

Lots of people need to be able to communicate securely, for personal, business, or legal reasons.  In the age of the Internet, this isn't easy.

The problem is that the standards the Internet is built around are fairly open -- they were designed to interoperate, not to keep information hidden.  Ordinary e-mail travels as plain text, readable by every mail server and network it passes through.  There are a number of solutions we'll look at in this article, but none of them are as easy and simple as they could be.

The Simplest Solution: In-house E-mail

If your goal is to communicate with your associates at work, this can solve most of your problems.  As long as e-mail is sent and received from within your office (or over an encrypted connection back to the office) you don't need to worry about someone copying it in transit.  This has a number of drawbacks, however: it protects the message only while it moves between your own machines, anyone who administers the mail server can still read what is stored there, and the moment a message is addressed to someone outside the office it leaves the protected network in the clear.

A Better Solution: Using a Secure Mail Provider

There are some e-mail providers out there that strive to create a secure webmail environment.  Some of them use impressive technology, like implementing PGP (discussed below) in a way that a browser applet handles all of the hard work, removing some of the hurdles that encryption can present.

The good news is that these systems are simple to use and difficult to hack, and if they're well designed a hacker can't get anything from stored data anyway, as it's kept encrypted on the mail host's end.  "Well designed" here means the decryption happens in your browser and the provider never sees your passphrase or secret key; if the provider can decrypt mail on your behalf, the stored data is only as safe as the provider.  The bad news is that some employees might not get it, and will assume that anyone they communicate with via the system is receiving encrypted mail.  In fact the encryption only covers other users of the same system (or PGP users, see below); a message to anyone else leaves the provider as ordinary plain-text e-mail.

The Most Popular Solution: PGP

PGP is short for Pretty Good Privacy, and is a set of protocols and programs that have been around since 1991.  There are free and commercial versions of the product, and most people who encrypt their e-mail use one or the other.  Because they all implement the same OpenPGP message format, they interoperate with each other and with the secure webmail systems mentioned above, so this might give you a bit more flexibility.

The problem with PGP is that you need to understand a little bit of theory before you can make it work.  This article should get you over the biggest hurdle so you can get up and running on your own.

There are two conceptual stumbling blocks: understanding how keys work, and understanding "trust."

In PGP, everyone has their own keypair.  The interesting thing is that each keypair is made of two halves, one (called your "public key") that you hand out to the rest of the world, and another (called your "secret key") that you keep as secure as you can.  The trick behind this arrangement is this: anything encrypted with one half of your keypair can be decrypted only with the other.  In practice PGP doesn't encrypt the whole message with your key: it picks a fresh random session key for a conventional cipher, encrypts the message with that, and uses the recipient's public key only to encrypt the session key.  Anyone who gets hold of your secret key can read your mail and sign as you, which is why PGP stores it encrypted under a passphrase.

This allows for two features that only public key cryptography provides: anyone holding your public key can encrypt a message that only your secret key can open, without the two of you ever having shared a secret, and you can sign a message with your secret key so that anyone holding your public key can verify it came from you and wasn't altered.
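As an added illustration, not part of the original article, here is a small Python simulation of the scheme just described: a keypair whose two halves undo each other, hybrid encryption in the PGP style (the public key protects only a random session key), and a signature made with the secret half and checked with the public half.  It uses textbook RSA with no padding and an HMAC-based keystream standing in for PGP's real symmetric cipher, so it is for understanding the mechanics only; real mail goes through PGP or GnuPG.  The key size, the names and the sample message are constructed for the example.

```python
"""Toy model of a PGP-style keypair: encrypt to a public key, decrypt with the
matching secret key, sign and verify.  Textbook RSA without padding plus a
hash-based stream cipher; constructed to show the ideas, not to protect mail."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with a quick small-prime filter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd number with the top bit set, retried until probably prime."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public_key, secret_key) as (n, e) and (n, d).  512 bits is a
    demo size; it keeps the example fast and is far too small for real use."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # secret exponent: the other half of the pair
    return (n, e), (n, d)


def _keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def encrypt_to(public_key, plaintext):
    """PGP-style hybrid encryption: a fresh 256-bit session key encrypts the
    message; only that session key is encrypted with the recipient's public key."""
    n, e = public_key
    if n.bit_length() < 264:
        raise ValueError("modulus too small to wrap a 256-bit session key")
    session_key = secrets.token_bytes(32)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, _keystream_xor(session_key, plaintext)


def decrypt_with(secret_key, wrapped_key, ciphertext):
    """Unwrap the session key with the secret half, then decrypt the message.
    With the wrong secret key this yields garbage rather than an error."""
    n, d = secret_key
    raw = pow(wrapped_key, d, n)
    session_key = raw.to_bytes((n.bit_length() + 7) // 8, "big")[-32:]
    return _keystream_xor(session_key, ciphertext)


def sign(secret_key, message):
    """Sign by applying the secret half to the message digest."""
    n, d = secret_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)


def verify(public_key, message, signature):
    """Anyone with the public half can check the signature matches the digest."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


def demo():
    """Alice sends Bob a signed, encrypted note (constructed sample message)."""
    alice_pub, alice_sec = generate_keypair()
    bob_pub, bob_sec = generate_keypair()
    msg = b"Meet at 10, bring the contract."
    wrapped, ct = encrypt_to(bob_pub, msg)
    sig = sign(alice_sec, msg)
    return {
        "bob_can_read": decrypt_with(bob_sec, wrapped, ct) == msg,
        "alice_cannot_read": decrypt_with(alice_sec, wrapped, ct) != msg,
        "signature_ok": verify(alice_pub, msg, sig),
        "tampered_message_fails": not verify(alice_pub, msg + b"!", sig),
    }


if __name__ == "__main__":
    print(demo())
```

Notice that the sender encrypts to Bob's public key but cannot read the result with her own secret key: the halves only pair with each other.  The same asymmetry is what makes the signature work in the other direction.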

PGP itself is pretty secure; the practical attack is on the key exchange and is called the "man in the middle."  Someone sitting between you and your intended recipient hands you his own public key in place of your friend's, and hands your friend his key in place of yours.  Now, messages you think are encrypted to your friend are actually encrypted to your competitor (or a private investigator, or opposing counsel), who decrypts them, copies them, and re-encrypts them to the real recipient so that neither of you notices.  Encryption can't prevent this by itself, because the math works perfectly well with the wrong key; what you need is a way to know that a public key really belongs to the person it claims to.  To provide that, PGP implements a system of trust.

By default you only trust keys that you have signed -- signing a key is the explicit act of telling PGP you have checked that it belongs to its owner, for example by reading its fingerprint to him over the phone.  Now, someone who knows you can use your signature on that key to help them decide whether to trust the key or not.  This is PGP's "web of trust," and it can work in a few ways: you can sign keys yourself after checking the fingerprint directly, you can mark people whose judgment you rely on as trusted introducers so that their signatures count toward a key's validity, and you can require several such signatures before a key counts as valid.  Note that a key being valid (you believe it belongs to its owner) is separate from trusting its owner as an introducer; PGP asks you to set the second explicitly.
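The two defenses described above, simulated in Python as an added example that is not part of the original article: first, catching a substituted key by comparing its fingerprint with one obtained out of band; second, the web-of-trust validity calculation.  The "public keys" here are constructed byte strings and the fingerprint is a SHA-256 digest of them (real OpenPGP fingerprints are a hash of the key packet).  The validity rules follow GnuPG's defaults, which I assume for the example: one signature from a fully trusted introducer or three from marginally trusted ones makes a key valid, and chains are followed at most five keys deep.  All the names are constructed.

```python
"""Simulation of a key-substitution attack caught by fingerprint checking,
and of PGP web-of-trust validity.  Keys and names are constructed stand-ins."""
import hashlib

# --- Part 1: man in the middle on the key exchange -------------------------

# Constructed stand-ins for the public halves of two keypairs.
BOB_PUBLIC = b"-----BOB PUBLIC KEY (constructed)-----"
MALLORY_PUBLIC = b"-----MALLORY PUBLIC KEY (constructed)-----"


def fingerprint(public_key_bytes):
    """Short, hard-to-forge identifier for a public key."""
    return hashlib.sha256(public_key_bytes).hexdigest()


def keyserver_lookup(name, substitute=None):
    """Untrusted lookup: whoever sits in the middle may swap the key."""
    directory = {"bob": BOB_PUBLIC}
    key = directory[name]
    return substitute if substitute is not None else key


def verify_fingerprint(fetched_key, fingerprint_read_over_phone):
    """Compare the fetched key with a fingerprint obtained over a channel the
    attacker does not control (a phone call, a business card, in person)."""
    return fingerprint(fetched_key) == fingerprint_read_over_phone


def mitm_detected():
    """Mallory replaces Bob's key; the phone-verified fingerprint exposes it."""
    fetched = keyserver_lookup("bob", substitute=MALLORY_PUBLIC)
    return not verify_fingerprint(fetched, fingerprint(BOB_PUBLIC))


# --- Part 2: web of trust ------------------------------------------------------

FULL, MARGINAL = "full", "marginal"


class Keyring:
    """Minimal model: who signed which key, and how much the owner trusts
    each key's holder as an introducer for other people's keys."""

    def __init__(self, owner):
        self.owner = owner
        self.signatures = {}   # key name -> set of signer names
        self.owner_trust = {}  # key name -> FULL or MARGINAL

    def sign(self, signer, key):
        self.signatures.setdefault(key, set()).add(signer)

    def set_owner_trust(self, key, level):
        self.owner_trust[key] = level

    def is_valid(self, key, _chain=frozenset()):
        """A key is valid if it is our own, if we signed it ourselves, or if
        enough introducers we trust (and whose keys are themselves valid)
        signed it: one fully trusted, or three marginally trusted (GnuPG
        defaults).  _chain stops cycles and caps depth at five, as GnuPG does."""
        if key == self.owner:
            return True
        if key in _chain or len(_chain) >= 5:
            return False
        signers = self.signatures.get(key, set())
        if self.owner in signers:
            return True
        chain = _chain | {key}
        trusted = [s for s in signers
                   if s in self.owner_trust and self.is_valid(s, chain)]
        full = sum(1 for s in trusted if self.owner_trust[s] == FULL)
        marginal = sum(1 for s in trusted if self.owner_trust[s] == MARGINAL)
        return full >= 1 or marginal >= 3


def web_of_trust_demo():
    """Alice's keyring, with constructed signatures and trust settings."""
    ring = Keyring(owner="alice")
    # Alice checked these fingerprints in person and signed the keys herself.
    for name in ("carol", "dave", "erin", "frank"):
        ring.sign("alice", name)
    ring.set_owner_trust("carol", FULL)          # Carol vets keys carefully
    for name in ("dave", "erin", "frank"):
        ring.set_owner_trust(name, MARGINAL)     # decent judgment, not perfect
    ring.sign("carol", "bob")                    # one full introducer
    ring.sign("dave", "grace")
    ring.sign("erin", "grace")                   # only two marginals
    ring.sign("dave", "heidi")
    ring.sign("erin", "heidi")
    ring.sign("frank", "heidi")                  # three marginals
    ring.sign("bob", "mallory")                  # Bob is valid, but Alice
    #                                              gave him no introducer trust
    return {name: ring.is_valid(name) for name in ("bob", "grace", "heidi", "mallory")}


if __name__ == "__main__":
    print("substituted key detected:", mitm_detected())
    print(web_of_trust_demo())
```

The last line of the scenario is the point people most often miss: Bob's key being valid does not make Bob's signatures count for anything until Alice explicitly decides he is a careful enough introducer.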

That's it.  Several e-mail programs support PGP (or GnuPG, the free implementation of the same OpenPGP standard) out of the box, and plug-ins exist for the other popular clients (Outlook, Outlook Express, and Eudora almost always), so you can encrypt, decrypt, sign, and verify without leaving your mail program.