How to Protect Sensitive Email Content & Attachments for Both Senders and Recipients

How to Protect Sensitive Email Content & Attachments for Both Senders and Recipients

May 13, 2019 / in Encryption/Security / by Zafar Khan, RPost CEO

Pig Latin, Russian Spies and Email Encryption

With the recent media focus on cybersecurity, whether it is talk of Russian hackers scheming to influence US presidential elections, or the pervasive pressure to comply with GDPR or HIPAA (healthcare privacy regulations) or other consumer data privacy requirements, “encryption” is one of the solutions that is often introduced.

When sending email, email encryption can indeed protect your strategic dialog from potential exposure, and its mere use can demonstrate your best efforts to protect consumer data against data breaches. As reported by The Guardian, NSA whistleblower Edward Snowden has said, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

Not all email encryption and methods of use are equally effective, though. And, one might prefer different types of encryption depending on the situation.

“Caesar Cipher” and “Pig Latin” are Forms of Encryption

Suppose Donald wants to send a secret message to his friend William but worries that snoopy Vlad may intercept it. Donald needs a way to scramble his message so that only William can read it. A simple way to do this would be for Donald to replace each letter in his message with the next highest letter; shifting it by one (think “Caesar Cipher” or “Pig Latin“).

But, of course, that is too simple. If Vlad intercepts the message, he’ll be able to easily decipher it by looking for hidden patterns in the letters it contains. All it will take to crack the code is a little mathematics and a little trial and error.

And, of course, if Vlad uses a computer, he’ll be able to crack the code even faster. So, just shifting (as is the case with Pig Latin) the first letter to the end and adding “ay” as a suffix (turning “HELLO” into “ELLOHAY” for example) isn’t a very strong cipher. Certainly, Russian spies would crack this encryption. So, what can Donald do?

Well, he can try to think up a more complicated mathematical formula to scramble the letters and numbers. And maybe he can use a computer to apply the formula. This will help, but the problem is that if Vlad hires clever mathematicians, or if he has a powerful enough computer, he will be able to crack the code eventually. So, it looks like it’s going to be an arms race with Vlad to see who can come up with the biggest computers and the most complicated formula. But because Vlad has nearly unlimited resources to pay mathematicians and to spend on computing power, it is a race Donald and William are perhaps bound to lose.

What is Considered “Strong Crypto”?

We have established that more complex encryption patterns are more difficult for Vlad to decipher, unless Vlad can use a powerful computer to help figure out the pattern; yet they remain easy for Donald to read, because Donald has knowledge of the pattern (the decryption key). Most technicians understand that more complex algorithms are harder to “crack”, that is, they require more computing power to crack.

How does Computing Power Impact the Time to Crack the Encryption?

Let’s consider the example of using computing power to try to guess a 10 digit seemingly random alpha numeric password, such as: tjo9i0982d using a “Brute Force” attack (i.e. trial and error). This would be similar to trying to find a pattern in a universe of combinations of 36 digits (26 possible letters and 10 possible numbers). According to Gibson Research Corporation, in this example, there are 3700 trillion combinations, and the time to guess and test the right combination using trial and error in an online environment is one thousand centuries (assuming one thousand guesses per second). However, in what Gibson Research calls a “Massive Cracking Array Scenario” with one hundred trillion guesses per second offline, this password can be guessed in just 38 seconds.

Computing power does matter. But, not many, if any (today), can implement a “Massive Cracking Array Scenario”. One institution that could potentially implement such a system is the National Security Agency (NSA). In recent years, the NSA completed a $1.5 billion data center in Utah that reportedly has more than 100,000 square feet of computer and data storage equipment in a facility that spans a total of 1-1.5 million square feet.

Is Today’s Commercial Encryption Readable by the Russian Spies with their Computing Power?

This is a question that some people know the answer to. We do not. Most commercial encryption uses algorithms that the NSA has “approved” for “civilian, unclassified, non-national security systems”. These algorithms are what encrypt your email or financial transactions when using email encryption or secure HTTP web based connections with commercially available systems. Some of these NSA approved (unclassified) algorithms include DES, Triple DESAES, DSA and SHA.

Know More: Secure Email Services

So, when it comes to using email encryption to protect “civilian, unclassified, non-national security systems” and information, what are the most important considerations?

The Tech Essentials recommended way is to use RMail email encryption, as it makes it easy for both senders and recipients to protect sensitive message content and file attachments.

With RMail, you may set the “primary” method, and there is an automated secondary method. This primary method can be selected to first send using an encrypted transmission method that auto-decrypts at the intended recipient so they need to do nothing additional; and if the encrypted transmission cannot be accomplished due to the recipient system, the message automatically reverts to a secondary method.

The secondary method converts the message to an encrypted PDF, embeds the attachments in their native format into the PDF, password protects it (AES 256-bit encryption), and transmits to the recipient as a PDF attachment, along with a second email with the password. This is all automatic, determining the simplest user experience for the recipient at all times, based on the recipient system. 

Join an RMail training session live or view a recorded video.

If you would like your IT consultant to purchase RMail through Ingram Micro, pass along this link.