Email Encryption Techniques

Why is cryptography needed in email?

Encrypted email communications are not only an essential requirement for the security of data, but also mandatory as part of regulatory compliance for many organisations in verticals such as banking, financial services, payments, and healthcare where customer data cannot be allowed to fall into wrong hands. 

What are the different stages during which an email is vulnerable?

• On the sender’s client or device before or after it is sent
• In the connection between the sender’s device and their email provider
• On the servers of the sender's email provider
• In the connection between the sender’s and the receiver’s email provider
• On the servers of the receiver’s email provider
• Finally, on the client or device of the receiver

These points can be grouped into 2 sections: When the email is on a server or client device (data at rest) ; sent between clients and servers (data in flight)

What is the importance of encryption key size in security?

An encryption key is one most fundamental part of the encryption process. The longer a key is, the better security it provides. Encryption key length is specified as a logarithm in the form of bits. Symmetric key systems typically use a key length of between 128 bits and 256 bits. Asymmetric key systems use much larger key bit sizes (1,024, 2048 or 4096 bits) so not only do they reduce risk of sharing keys but also offer improved encryption security. 

Why is symmetric key still used despite better security in asymmetric key cryptography?

Main issues regarding the asymmetric method is encryption feasibility which depends on the key length and the computing power needed to encrypt and decrypt the information. There needs to be a trade off between computation power and key length. Symmetric is normally used for internal communications and asymmetric encryption for external. 

What is the modern email encryption process?

Emails require end to end email encryption (covering both data at rest and data in flight). 2 types of models are commonly used:

• Gateway based model - A specific software operates on the company's network and is directly responsible for encrypting all emails. All mails undergo same screening process regardless of the type, content or length. This method encrypts the data at rest on the company’s servers and the data in flight between the servers and clients. However, this does not cover the data at rest on the sender’s or receiver’s devices.
  
  
• Client-based model - The encryption software runs directly in the email client on the sender’s and receiver's devices. Sender is responsible for encrypting emails and provides flexibility of being able selectively encrypt important mails. While providing true end - end encryption, it involves a human element, creating the potential for error. 

What are the three main encryption standards irrespective of type of model?

• SSL and SMTP over TLS or STARTTLS - Server-to-server method of encryption that rely on SSL certificates. This is the standard method for email providers to secure messages passing between servers or data in flight so this method on its own does not offer end-end encryption.
  
  
• S/MIME or Secure/Multipurpose Internet Mail Extensions - Uses email certificates on the sender’s and receiver’s email clients. A security certificate from a Certificate Authority (CA) or a public CA is needed to use this method. It combines a digital signature with encryption to secure an organisation’s email traffic. This llows for true end to end email encryption.
  
  
• PGP or Pretty Good Privacy - This uses public keys like public-key encryption rather than certificates. It authenticates the sender of an email and encrypts the text inside the message body, allowing for end-to-end email encryption. However, both the sender and receiver require a software client or a plug-in to process PGP keys.