December 26, 2019
Email is the earliest form of communication on the Internet. For some businesses, it is part and parcel of their corporate life. But as much as it is the most popular and convenient way to communicate, in equal measure it is the most unsafe one for sharing sensitive data.
One of the key problems with electronic mailing is privacy.
Emails are sent in plain unencrypted text by SMTP, a protocol developed in 1982. It was designed only to transfer text, not for protecting confidential information and providing security.
The majority of email providers do not provide proper ways of encrypting emails or their attachments. This could damage emails containing sensitive data, as well as affect the privacy of the users who send them. There are many internet threats: starting with man-in-the-middle attacks, phishing, social engineering techniques, and the human factor, and finishing with data spoofing, packet injection, email credentials hijacking, cyber infections, and many others.
In order to secure privacy and provide integrity of data, encryption comes into play. Different types of encryption can be used to verify that private information stays untouched.
Encryption is about scrambling up the contents of a message. It is done so that only the individual who has a key can decrypt it. To decrypt it, you need to use two keys: public and private. Both the sender and the recipient have this pair. The encryption keys are the digital codes that allow encryption/decryption processes to happen.
When an email is being encrypted on the recipient’s side, it uses the sender’s public key to read the email. But the recipient’s private key is the one that decrypts the email.
Keys are the core element in encryption. Without them, encryption is impossible. And it is essential for both sides (the sender and the recipient) to have full control over them.
Though encryption algorithms are pretty standard, some of the solutions they are applied to have nuances.
PGP (Pretty Good Privacy) is an encryption software used to encrypt emails, preventing access to digital data.
PGP is “an encryption program that provides cryptographic privacy and authentication.” A PGP encryption is based on symmetric encryption algorithms. In a nutshell, the matter of this method of encryption boils down to this: you have a public key, the one that you share with recipients of your email; and you also possess a private key, the one that you keep to yourself. Now, when you get an email, you can decrypt it only with your private key.
PGP also supports digital signatures. PGP signs encrypted emails with your private key. In this manner, recipients of the email can see whether the content of the email has been modified or not. If even one letter in the message was changed, the signature would be considered invalid.
Differences in versions. Being originally open-source software, PGP comes as part of several commercial programs. One of them is GPG, or GNU Privacy Guard.
This free software lacks features in comparison with the paid product, for example, support for RSA encryption algorithms. Such version discrepancies in PGP complicate its administration and lead to unreliable security.
Problems with incompatibility. To perform the proper encryption, both the sender and the recipient must have compatible versions of PGP software installed. Due to the different supported versions, text information in messages cannot be fully decrypted, or can be decrypted only partially.
Each version of PGP differs from the previous ones. This means that in the updated version methods of encryption can vary. For instance, if you encrypt a message using PGP with one method of encryption, be prepared that an addressee using a different version of PGP won’t be able to read your message.
Chosen-Ciphertext. A man-in-the-middle can intercept an encrypted message and corrupt it using a mathematical manipulation. This attack does not require the attacker to decrypt the message. That is, the attacker injects “garbage” into the encrypted message, after which the message can no longer be decrypted. The attacker can expose the single-session key in the inserted “garbage” and can then apply that key to decrypt the message without having credentials.
Private Key. In PGP, your credentials (private key and password) can be accessed. This requires the attacker to physically access your device and change your key (i.e., write to your disk) twice.
Unsigned Data-Injection. PGP displays emails or files with unsigned data as signed. This vulnerability compromises the ability to use digital signatures to verify the integrity of files and email.
Key Validity. A PGP key may have more than one user certificate and can be used for more than one email address. An “attacker” can add a false certificate to a legitimate public key. If that certificate is not signed by the key’s owner, the key itself will appear valid. As a result, the recipient can encrypt an email and send it back to the attacker, so the email does not reach the intended recipient. In this case, the attacker uses this vulnerability to disrupt secure communication between two PGP users.
EFAIL. Probably the main vulnerability of certain implementations of PGP, named EFAIL, was discovered in May 2018. It is said that EFAIL could reveal the plaintext contents of emails encrypted with it.
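A defender-side check for the Unsigned Data-Injection issue above, added here as an example and not taken from the original article or from any PGP product: it splits a cleartext-signed message (the OpenPGP clearsign armor defined in RFC 4880) into the text the signature covers and any text outside it. The function name `split_clearsigned` and the sample message are constructed for illustration, and the code does not verify the signature itself, which remains the job of the PGP implementation.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: one clearsigned block with extra text around it.
SAMPLE = """\
This line was added before the signed block.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Invoice 17 is approved.
- -- Alice
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
This line was added after the signature.
"""

def split_clearsigned(text):
    """Return (signed_text, unsigned_lines) for one clearsigned message.

    signed_text is the only part a valid signature can vouch for;
    unsigned_lines is non-blank text outside the armor that a client
    must not present as signed.
    """
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start)
        end = lines.index(END_SIG, sig)
    except ValueError:
        raise ValueError("not a complete clearsigned message")
    # Armor headers (e.g. "Hash: SHA256") run until the first empty line;
    # anything else in that position is not covered by the signature.
    body = start + 1
    while body < sig and lines[body].strip():
        if not re.match(r"^[A-Za-z]+: ", lines[body]):
            raise ValueError("non-header text before the blank line")
        body += 1
    if body >= sig:
        raise ValueError("missing blank line after armor headers")
    # Undo dash-escaping: a signed line starting with "-" is sent as "- -...".
    signed = [l[2:] if l.startswith("- ") else l for l in lines[body + 1:sig]]
    outside = [l for l in lines[:start] + lines[end + 1:] if l.strip()]
    return "\n".join(signed), outside
```

A mail client or gateway can show only `signed_text` under a "signed" indicator and render anything returned in `unsigned_lines` separately, or reject the message.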
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides encryption and signs emails with digital signatures.
Imagine you want to send someone an encrypted message in Outlook. For this, you have to digitally sign your email. Digital signatures are provided by a so-called certificate authority (CA). CAs use individual private keys: one for signature and one for encryption.
When you sign an email, you then send this unencrypted email to the recipient. Once the recipient gets your email, Outlook checks for the digital signature, thus verifying the sender.
Encryption may be performed with a public/private key pair only, without the need to use the certificate implementation. Such encryption processes for some users can be a reason to avoid S/MIME encryption.
But setting up S/MIME with Outlook in order to encrypt messages involves some preparations and a considerable amount of time. Also, due to the compulsory certification, not all users can take comprehensive advantage of S/MIME in their day-to-day email communication.
Keeping that in mind and taking all the deficiencies into consideration, StealthMail uses a completely different approach for encrypting and transferring sensitive data.
StealthMail does not send confidential data over untrusted email servers. This is because when data is in transit, it can be compromised. Instead, StealthMail sends only a Stealth Link. In such a way your content remains intact and preserves its integrity. At the same time, data stays encrypted within the company’s secure perimeter.
With StealthMail, email communication goes through dedicated secure channels: the contents of the message come to the users’ inbox in an encrypted state and get decrypted after user authorization (and get encrypted again right after the user has finished working with an email).
StealthMail is a solution that ensures the confidentiality of your email correspondence and protects your data from the known internet threats.
StealthMail Add-In is an enterprise-grade software solution. The solution is transparent to its users. This means that employees can continue using Microsoft Outlook as their primary mail client: the service is installed as an add-in.
StealthMail eliminates restrictions through secure email communication by:
With all the outside threats to privacy, email encryption is not something unreachable nowadays, but is an absolute must for business email communication.
The StealthMail solution not only gives you comprehensive privacy while emailing, but guarantees the full confidentiality of your business email correspondence by preserving sensitive information on your side.
Alongside true email privacy, the solution’s seamless integration with Outlook gives your emails an all-new level of secrecy and security.
To get a broader understanding of how StealthMail works, please download the datasheet at https://StealthMail.com/en/info.