
Focus: E-mail Encryption and Digital Signatures
What is the purpose of e-mail encryption?
E-mail encryption ensures that a message can be read only by its intended recipients, so that its content remains confidential. This protection matters most for sensitive data. Encryption alone, however, proves neither who sent a message nor that it arrived unaltered; those properties come from a digital signature, described in the next section.
Cryptographic algorithms, both symmetrical and asymmetrical, are used to encrypt and decrypt e-mail. An algorithm is considered secure when a message cannot be recovered without the key even by an attacker who knows the algorithm in full (Kerckhoffs's principle). In practice, "cannot" means that the computation required would take far longer than the data needs to stay secret.
What does a digital signature do?
A digital signature ensures that an e-mail's content has not been modified after signing (message integrity) and that it actually originates from the holder of the signing key (authenticity). Because only the signer holds that private key, the signer also cannot plausibly deny having signed the message later on (non-repudiation).
In the European Union, the legal framework for electronic signatures was defined by Directive 1999/93/EC; it has since been replaced by the eIDAS Regulation (EU) No 910/2014.
What are certificates and keys?
A public key is used to verify digital signatures and to encrypt data that only the holder of the corresponding private key can decrypt. Unlike private keys, public keys need no protection against disclosure and should in fact be available to everyone. What must be protected is the binding between a public key and its owner's identity, so that an attacker cannot substitute a key of their own.
That binding is provided by a certificate: the owner's public key, together with the owner's identity, signed by a trusted third party (a certification authority, CA). A public key and its corresponding private key together form a "key pair."
The private key is used to create digital signatures and to decrypt data that was encrypted with the public key. Private keys must therefore be carefully safeguarded by their owners.
A certificate contains:
- A serial number that is unique within the issuing CA
- The name of the owner (the subject)
- The public key of the owner
- Key usage restrictions (for example signing or encryption) and the validity period
- The digital signature of the issuing CA
The common standard for such certificates is X.509.
Encryption and digital signatures can be implemented together or independently within the enterprise.
What is the difference between symmetrical and asymmetrical encryption?
Symmetrical encryption uses a single secret key per communication relationship, and that key serves for both encryption and decryption. The key must be agreed over a secure channel before the first message can be sent, and every pair of partners needs its own key: n participants require n(n-1)/2 keys.
Asymmetrical encryption uses key pairs (a public and a private key). A message is encrypted with the receiver's public key, and only the receiver's corresponding private key can decrypt it. The major benefit is that each participant publishes one public key once, for everyone to use, and no secret has to be exchanged in advance. Because asymmetrical operations are slow, e-mail standards such as S/MIME and OpenPGP combine the two approaches: the message body is encrypted with a fresh symmetric session key, and only that session key is encrypted with the recipient's public key (hybrid encryption).
What is the best way to encrypt, decrypt and digitally sign incoming and outgoing e-mail?
Encryption, decryption and digital signing should take place centrally on the mail server, in line with corporate guidelines; iQ.Suite makes this possible. The server can then check e-mails for viruses, spam and policy violations before encryption (outgoing) or after decryption (incoming). With client-based encryption such central checks are not possible, because an incoming or outgoing e-mail is already encrypted by the time it reaches the server and its content is opaque to the scanner.
With iQ.Suite, each outgoing e-mail is first scanned for viruses and content, then archived, and only then encrypted and delivered. Incoming e-mail is processed in the reverse order: decryption first, then virus and content checks, then archiving and delivery. All security checks thus run on plaintext, with minimal administrator effort, before an outgoing e-mail leaves the organization or an incoming e-mail reaches its recipient.
What are the benefits of server-sided encryption?
Implementing server-based encryption with iQ.Suite requires significantly less effort and is considerably more cost-effective than traditional client-based encryption. Client-based solutions require a key pair to be generated, distributed and maintained for each user on each client machine. iQ.Suite’s server-based approach removes this administration effort, along with the need to train users to use encryption functions correctly.
Another important benefit: client-based encryption can cause serious compliance problems. When an employee leaves the organization, that employee's private key is revoked or is simply no longer available, with the consequence that the employee's entire encrypted correspondence can no longer be read to resolve legal issues or meet the requirements of an audit. Server-based encryption needs only one key per cryptographic standard in use in the company rather than one per user, so this problem cannot arise. The central key is, however, the one place at which all of the organization's mail can be decrypted, and it must be protected and backed up accordingly.
How can encrypted communication with external personnel be accomplished?
Even when server-based encryption is in use, communication partners remain free to use server-based or client-based encryption on their side. Client-to-server or client-to-client encryption is necessary, for example, when communicating with freelancers or other external personnel. The only requirements are that both partners support the same standard (S/MIME or OpenPGP) and have exchanged their public keys or certificates beforehand.
What role does encryption play within the context of E-mail Lifecycle Management?
From the time they enter the business to the time they are archived or deleted, e-mails go through numerous processing steps. One such step is the security check, which in addition to spam and virus checking includes encryption, decryption, signing and signature verification. Further steps in the e-mail lifecycle (ELM) include e-mail classification, compliance and archiving.
What are the most important considerations when implementing e-mail encryption?
- Security requirements of the organization (corporate guidelines)
- Selection of encryption software. Detailed knowledge of the principles, mechanisms and functionality of the available encryption standards and of the encryption software currently on the market is absolutely essential.
- User-friendliness and user acceptance
- Ease of administration
How does iQ.Suite help when implementing e-mail encryption?
iQ.Suite’s server-based, automated encryption and decryption processes provide a reliable and robust implementation of encryption that complies with corporate guidelines. The choice of encryption standard plays a less important role with iQ.Suite because all of today's common e-mail encryption standards are supported: S/MIME and OpenPGP, the latter as implemented by PGP and GnuPG.
Because encryption takes place on the server, users do not have to interact with the encryption process at all, which eliminates user error. Administration effort is also minimal: key and certificate management is centralized on the server and largely automated. Clients need neither installation nor administration of encryption software.
How are iQ.Suite Crypt and Trust used for encryption and digital signatures?
iQ.Suite’s server-side encryption is provided by iQ.Suite Crypt. This module allows any common e-mail encryption standard (S/MIME, or OpenPGP as implemented by PGP or GnuPG) to be used on its own or in parallel with the others, and which standard applies to which user is configured in iQ.Suite's rule-based framework. iQ.Suite Crypt removes the need to create a private key for each user and to build and maintain an administration-intensive public key infrastructure. Existing PKIs can nevertheless be connected to iQ.Suite easily, and where special high-security requirements exist, for example between specific departments, individual encryption keys can still be used.
Certificates can be created and administered with iQ.Suite Trust's own certification function. Registration and certification thus become independent of external certification authorities and can be carried out according to corporate guidelines, which makes them easier to administer and, in the long term, less expensive. iQ.Suite Trust can be used in combination with iQ.Suite Crypt or on its own.
iQ.Suite Crypt and iQ.Suite Trust both provide centralized, server-based e-mail security that requires no end-user interaction. The large investment needed to create and maintain a key infrastructure is avoided, as is the need to distribute software and train users. A combined solution of integrated encryption, spam and virus protection ensures secure, integrated e-mail business processes and increases productivity.