Email Security: Signed, Sealed and Delivered

Coping with insecure e-mail

By Simson Garfinkel

April 01, 2004 — CSO — Few organizations send confidential information on postcards. Credit card statements, medical records, job offers and personal correspondence are invariably sealed in envelopes before they are sent. Likewise, most important correspondence is put on letterhead—a practice that, prior to the wide deployment of color ink-jet printers, was actually pretty good at deterring casual attempts of fraud or forgery.

But few organizations have adopted similar measures for protecting mail sent over the Internet. Techniques for digitally signing and sealing electronic communications have existed for nearly two decades, yet their adoption has been wretchedly inadequate.

Security professionals frequently compare the sending of Internet mail to a postcard sent through the postal service; just as others can see the contents of the postcard you got from Aunt Carol, so too can network administrators read or even change the contents of your e-mail messages.

Privacy Enhanced Mail (PEM) was the first attempt by the Internet Engineering Task Force at standardizing how encrypted mail is sent and received. But while hundreds of engineers created standards and demonstration software, the system was never widely deployed.

That's when Phil Zimmermann, a computer programmer in Boulder, Colo., decided to take matters into his own hands and create his own e-mail encryption system. Called Pretty Good Privacy (PGP), it was released on the Internet in 1991, just as the U.S. Senate was considering legislation that would have made it illegal for citizens to use strong cryptography to shield their personal communications from the prying eyes of employers, police and even oppressive governments. Zimmermann hoped his program would make cryptography so widely available that it could never be eliminatedeven if it were temporarily outlawed.

PGP quickly gained traction among academics, Civil Libertarians and even computer security professionals. The program was fairly hard to use, but it was the best thing goinga single system that provided for signing and sealing messages, as well as for managing encryption keys. Minutes after downloading a copy of PGP, for example, a human rights worker in Honduras could send an encrypted report of political repression to Amnesty International's office in New York with a code that was effectively unbreakable.

But the problem with PGP went far beyond the program's clunky user interface. Exporting the program from behind U.S. borders was a felony violation of U.S. export controls, punishable by a $10,000 fine and 10 years in jail. Inside the United States, use or distribution of the program violated civil law, since the public-key encryption technology on which PGP relied was patented by RSA Data Security (now just RSA Security). As the 1990s proceeded, RSA crossed both legal and political swords with Zimmermann and his PGP program. Most companies were afraid to touch it.

• Print