E - Mail Security

Anybody can read your e-mail, if this has not happened to you; that is only because nobody wants to read your e-mail. As e-mail travels from one location to another, enroute to its final destination, it is stored temporarily at various stations. At each halt, there is a chance of someone reading the message. Someone can even intercept and cannibalise your message. There is no guarantee that the message you receive is what was written by the real sender.

However, such intervention can be prevented to a large extent by e-mail encryption and digital signatures.

Encryption is a way of effecting changes in the plain text to hide its substance. Excrypted plain text results in the generation of unreadable junk - like data, ciphertext. It ensures that only the person who knows the rule by which the data has been encrypted can understand the text. The process of reverting ciphertext to original plain text is decryption.

Cryptography is the science of using mathematics to encrypt data and cryptanalysis is the science of analysing and breaking the encrypted text.

There are two major types of cryptography: Single key and Public key cryptography. In single key cryptography - also known as conventional cryptography - the same key is used to encrypt aria decrypt the information. This means the sender and receiver must both know the key. But to make encryption effective you need a different key for every person you communicate with and you must trust each person holding your secret key. And this is possible only between those having some kind of relationship. Moreover, a secure exchange of secret keys become rather expensive.

A new cryptography has been developed to put an end to this dilemma. It uses a pair of keys for encryption: a public key to encrypt the data and a corresponding private key for decryption. You advertise your public key to world and keep the private key secret. Anybody who knows your public key can send encrypted data to you that only you can read (not even the sender can read the data once it is encrypted).

Conventional encryption is faster than public key encryption. However, there is a hybrid variety system that combines the advantages of both conventional and public key system - PGP (Pretty Good Privacy) is an example.

E-mail encryption is enough to ensure, the privacy of messages. But how does one make sure that the e-mail you receive from your friend has been really sent by him. Moreover, you need to send the public key to the recipient if you want to use the, encryption technology. How can the recipient be sure that this public key is yours? Postal mail can be verified by the signature. The internet has introduced the concept of a Digital ID - a kind of digital passport to validate your identity in electronic transactions. It functions like a physical cerificate and uses public key encryption techniques. A digital ID consists of a public key, a private key and a digital signature. This should be added to your mail account.

You send the mail digitally signed to transmit your public key to the recipient. Your addresse should be using mail clients with the necessary security features (like Outlook Express). The receiver can use the signature to verify your identity and use your public key to encrypt the messages he / she sends you if you want to send an encrypted e-mail, you should possess the public key of the recipient.

E-mail Software The mail clients bundled with IE and Netscape have built-in encryption support. There are also a number of standalone e-mail encryption packages (like invisiMial - http://www.invisiMial.com, PGP - http://www.pgpt.com).

One of the major handicaps of the encryption process is lack of standards in the protocols. If you encrypt a message with one protocol your recipient must use a package that supports the same protocol. The two most widely used protocols are S/MIME - Secure Multipurpose Internet Mail Extensions and Open PGP.

If you have an independent encryption programme, you can use the software to create a digital signature. Otherwise, you can obtain a digital ID from certificate authorities (CA). You can visit their web site and follow the download instructions. VeriSign (http://www.verisign.com), Thawte (http://www.thawte.com) are two CAs. Since VeriSign uses the S/MIME protocol, you can send a message with a VeriSign signature to Outlook Express users.

Here is an illustration with Outlook Express:

1. Install a digital ID.
2. Attach the ID to your e-mail account. Go to Accounts, then Tools, then Mail, select Account.
   Click the Properties button, select Security tab.
   Check the box " Use a digital ID when sending secure messages from".
   Click the Digital ID button and Select the certificate.
   
3. To digitally sign a message, compose the message and click at the Sign option. At this point you will get the Sign icon at the right end of the address box indicating that the message is signed.
   In Outlook Express, when you receive a signed message the signed icon is displayed. By sending a signed message you are sending you public key to the recipient so that he / she can send encrypted messages. Even if your recipient is using an e-mail package, which lacks security features he / she can still read the mail - the signature will simply show up as an attachment.
4. The next step in making e-mail communication secure is to encrypt the message. This can be done only if you have the recipient's digital ID. When you receive a digitally signed message, lane sender's digital ID can be stored in you address book. Once the ID is stored the system will automatically recognise it when you try to encrypt. So, if you have the digital ID to encrypt the message, simply click at Encrypt button at the message window. The Encryption icon will be displayed at the right end of the address panel.

When you receive an encrypted or signed message, the client automatically decrypts the message and displays the encrypted and / or signed icons as the message is viewed.

Apart fromthe e-mail security there are other risks out there in cyberspace, site collecting details about you, mailcious programme codes entering you system, etc. These will be discussed later.