Continued from page 1
We are familiar with the paper world and it has some benefits. You can usually see if someone has already opened your mail. The Post Office can often cope with wrong addressing and still get it to the right place. You believe that the delivery service is going to behave in the way that you expect, and you know that a proof of delivery from them is accepted by the authorities.
E-mail is rather different. There is no way of telling who reads the mail unless you take actual steps to make it impossible. The e-mail Post Office can’t cope with any address errors whatsoever. It has no idea if any of the addresses on the mail are correct and can’t tell if they have been altered. There is no plain envelope to stop people reading the contents, and it is possible for hackers, government agencies and almost anyone else to read the mail. Proof of delivery is worth the paper it is printed on.
An impossible dream?
No. E-mail can be made secure, but you have to take a few things into account.
The first thing to understand is that you can’t do much about the addresses, or the subject line. Nothing about these can be made secure. Don’t ever believe them when you read them.
Different systems may allow you to secure the message text of an e-mail, but you have to be very certain what that security is, when it is added, when it is removed, and how you would prove afterwards that it had been secured. These points are fundamental if you are going to rely on the security mechanisms later as proof that something happened.
The second thing to understand is that you can never (with current systems) send anything secret to someone you don’t know. It’s not possible. You have to have a ‘public key’ of theirs before it can be done. You can’t, with conventional systems, send information to ‘anyone’ in a particular group, function or business. You have to send it to specific individuals.
The third thing to understand is that the protection that you apply to an e-mail has to be something that the recipient can deal with. E-mail systems don’t currently relate the keys used for information protection to the recipients of the e-mail, and don’t know what algorithms the recipient is likely to have. This is because far too many unnecessary choices are forced onto the users of these systems and services (or set by administrators who make choices based upon their own prejudices rather than looking at usability). If you use something the recipient can’t process you are wasting your time. But you can’t afford the time needed to sort this kind of problem out.
Problem solving strategies
Most of the difficulties identified can be avoided by ignoring the e-mail systems completely and concentrating instead on the information to be sent. This could be anything – a Word document, a text file, some HTML, a graphic or even a video. Whatever you do should not alter its content, and it should not be possible to remove your security before the information is securely in the recipient’s computer.
This means that your protection software is going to have to protect the file in such a way that an attacker cannot remove the protection without you being able to detect it. (That’s not the same as pretending a fake document is real. Since much of the information you get is not protected, today you make value judgements on what is ‘right’ based upon your own feelings, or you ’phone the sender and ask them to confirm what they actually sent. So removing the protection and making subtle changes to documents that you might then believe is perfectly feasible.)
The recipient is then in a position where their first step is to check the authenticity of the file they have received. That avoids any possibility of misunderstanding what is protected and what is not. The file is the thing that is protected, and not the other parts of the e-mail that may, or may not, be correct.
Once the recipient has checked that the file is authentic they can go ahead and use a copy of it that has had the protection removed. This is an essential step, because they must not be able to alter, or add to, the file that they received and still have it claim that it was ever authentic (unless, of course, you have some system that maintains a copy of each different thing in the file, protected by each person that has altered or added to it).
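The procedure just described (protect the file itself rather than the e-mail, make any removal of the protection detectable, have the recipient verify before use, then hand over an unprotected copy) as an added example in Go, using only the standard library. This is not code from the original article or from ArticSoft. The sender signs the document with an Ed25519 key and encrypts signature and document to the recipient’s X25519 public key under AES-GCM; the recipient decrypts, verifies the signature against the sender’s known public key, and only then receives the plaintext. The container layout, the SHA-256 key derivation, the sample document and the function names Protect, Unprotect and Demo are all assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assumed container layout (constructed for this example, not any standard):
// ephemeral X25519 public key (32) || GCM nonce (12) || AES-GCM(signature (64) || document)
const ephLen, nonceLen, headerLen = 32, 12, 44

// sessionAEAD agrees an X25519 shared secret, hashes it into an AES-256 key
// (a bare hash stands in for a real KDF such as HKDF) and returns AES-GCM.
func sessionAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect signs the document with the sender's key, then encrypts signature||document
// to the recipient. The header is bound into the GCM tag as additional data.
func Protect(doc []byte, senderKey ed25519.PrivateKey, recipientPub *ecdh.PublicKey) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(eph, recipientPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(eph.PublicKey().Bytes(), nonce...)
	plain := append(ed25519.Sign(senderKey, doc), doc...)
	return append(header, aead.Seal(nil, nonce, plain, header)...), nil
}

// Unprotect fails closed: a changed byte anywhere, or a signature from a key
// other than the expected sender's, yields an error and no document.
func Unprotect(msg []byte, recipientKey *ecdh.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	if len(msg) < headerLen {
		return nil, fmt.Errorf("protected file too short")
	}
	header := msg[:headerLen]
	ephPub, err := ecdh.X25519().NewPublicKey(header[:ephLen])
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(recipientKey, ephPub)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, header[ephLen:], msg[headerLen:], header)
	if err != nil {
		return nil, fmt.Errorf("altered in transit or wrong recipient key: %w", err)
	}
	if len(plain) < ed25519.SignatureSize ||
		!ed25519.Verify(senderPub, plain[ed25519.SignatureSize:], plain[:ed25519.SignatureSize]) {
		return nil, fmt.Errorf("signature does not verify against the expected sender's key")
	}
	return plain[ed25519.SignatureSize:], nil // only now is the unprotected copy handed over
}

// Demo runs the procedure on a constructed sample document and reports whether
// a bit flipped in transit and a document signed by an impostor were rejected.
func Demo() (tamperDetected, forgeryDetected bool, err error) {
	doc := []byte("Constructed sample: quarterly figures attached, please review.")
	senderPub, senderKey, _ := ed25519.GenerateKey(rand.Reader)
	_, impostorKey, _ := ed25519.GenerateKey(rand.Reader)
	recipientKey, _ := ecdh.X25519().GenerateKey(rand.Reader)
	msg, err := Protect(doc, senderKey, recipientKey.PublicKey())
	forged, err2 := Protect(doc, impostorKey, recipientKey.PublicKey())
	if err != nil || err2 != nil {
		return false, false, fmt.Errorf("protect failed: %v %v", err, err2)
	}
	if got, e := Unprotect(msg, recipientKey, senderPub); e != nil || string(got) != string(doc) {
		return false, false, fmt.Errorf("honest round trip failed: %v", e)
	}
	tampered := append([]byte{}, msg...)
	tampered[len(tampered)-1] ^= 1 // flip one bit of the GCM tag
	_, tamperErr := Unprotect(tampered, recipientKey, senderPub)
	_, forgeErr := Unprotect(forged, recipientKey, senderPub)
	return tamperErr != nil, forgeErr != nil, nil
}
```

Call Demo from a main, or apply Protect and Unprotect directly to file bytes. The order matters for the article’s argument: the recipient never sees a document that has not already passed the signature check, so there is no unprotected copy lying around that could be altered and still pass as authentic, and the signature covers the file alone, not the e-mail addresses or subject line, which this scheme deliberately leaves untrusted.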
This approach may not seem as ‘elegant’ as having everything automated, but it is a lot more secure, and prevents any mistakes or misunderstandings about who has signed what, and therefore what can be relied upon.
ArticSoft (www.articsoft.com) has over 30 years’ experience in the field of computer security, and 15 years’ experience of securing information on personal computers and messaging systems. Our CEO, Steve Mathews, is one of the authors of BS7799 (now ISO/IEC 17799) and is well recognized in the security industry.