How Does Secure Email Work

Basics of communication

When you talk to someone, your voice is the signal, your mouth(voice cords) is the transmitter of the message, the air is the medium to transfer your message and that other’s ears are the receiver. That way they can hear and understand what you are saying.

In the technology world: we (humans) are the generators of the messages, our devices are their transmitters, the air or cables are the transfer medium, the end devices are the recipients, and the end user is the reader/listener.

That means there is another layer in this communication, our devices.

What is more, with the digital communication, the devices, at the lowest level communicate with 0s and 1s, or high and low signal level. They, then read those 0s and 1s (bits) and translate them in human language.

OK, so this is simplified a lot. The real communication that’s going on can not be described in a sentence. If we want to go into how everything works, it will take a graduation time.

Client-Server Communication

So, you sit down and write an email. You do that from your phone App or your Desktop App. That App is called a Mail Client. That App is installed on your Operating system and your operating system connects it with the hardware and the transmission medium.

Then you send your message, and where does it go? Through your OS, the hardware and the transmission medium it goes on the Internet.

And it doesn’t just flow around. It follows certain rules and paths so that it gets to your Mail Server first.

Your Mail server then reads who the message is for, and again by certain rules, sends the message to the recipient’s mail server. This mail server, searches for the end user and sends the message to their inbox.

The whole Internet is based on this Client - Server communication. So, we see here, not only our devices are between us in our communication, but other devices, too. Because those servers in between are devices in a Data Center.

Then on the devices there are the Apps that are developed from some company, the Operating system, and the computer/smartphone hardware.

TCP/IP  stack

TCP/IP was developed during the 1960s as part of the Department of Defense’s (DoD) Advanced Research Projects Agency (ARPA) effort to build a nationwide packet data network. It was first used in UNIX-based computers in universities and government installations. Today, it is the main protocol used in all Internet operations, is said here.

All the rules that the messages follow to get formed , transmitted, received and read by the end user are defined within the TCP/IP stack. It’s a set of layers in which different protocols are grouped based on their functionality, that two entities have to follow so that they can understand what they are communicating.

The layers are the functionalities and in the TCP/IP stack there are four defined:

• Application – defines which application protocol is being used (HTTP for web, SMTP/POP3/IMAP for email, FTP for transferring files, SSH for secure connecting to another device…)
• Transport - ensures the complete delivery of the data and guarantees the integrity of the data via error correction and similar functions.
• Internet - handles packet routing via logical addressing and switching functions.
• Network Interface – defines physical media and data conversion functions that make up the bit stream of packets from one device to another

So, the message to be transmitted, a protocol from each layer has to be selected. And that is why systems do not use a single protocol to do the transmission, but protocol suite – a set of cooperating protocols.

Email protocols

The email protocols are located at the top layer – application layer – on the TCP/IP stack. There are three protocols that Email clients and Email servers use to communicate between each other:

• SMTP or Simple Mail Transfer Protocol is a plain text Internet protocol for electronic mail (email) transmission. It is used by Email Clients for sending email messages to a mail server for relaying and for communication between the email servers.
• POP3 is the Post Office Protocol version 3 protocol which is being used to by the Email Clients to receive emails from the Email Server. The communication via POP3 lets your Email Client download email messages on your local computer and read them even when you are offline. After downloaded, those messages are removed from the Email Server.
• IMAP or the Internet Message Access Protocol is, just like POP3 a mail protocol used for retrieving emails. However, IMAP doesn’t download the messages locally, but lets them being stored on the server and accessing email on a remote web server from a local client.

While the POP3 protocol assumes that your email is being accessed only from one application, IMAP allows simultaneous access by multiple clients. This is why IMAP is more suitable for you if you’re going to access your email from different locations or if your messages are managed by multiple users.

Secure Email

As we said in the SMTP definition, it is a plain text mail transfer protocol and that makes email prone to disclosure of information.

Because email is not real-time communication, the messages are stored in your mailbox locally or on your mail server and transferred to other mail servers and end users through relay email servers.

That means that in order your email messages to be effectively secured, they have to be fully protected with encryption at rest and in transit.

Email messages in transit and at rest may have slightly different risk profiles, but attackers will attempt to gain access to valuable data whether it’s in motion, at rest, or actively in use, depending on which state is easiest to breach.

That is why full encryption is the safest and most effective way to protect your most sensitive data in every state. So, three things should be encrypted:

• your actual email messages
• the connection to/from your email provider and
• your mailbox.

Fully Secure Email system

Encrypting Email Connections

If someone, by any chance, gets access to your network traffic and sniffs it, they can intercept your traffic and read your email, copy your credentials, or even duplicate files.
To be certain that no one who intercepts your email messages will be able to read them, first your connection from your computer to your email provider  and vice versa has to be encrypted. That means that there needs to be transport layer security set up.
By encrypting your traffic using SSL (Secure Socket Level) or TLS (Transport Level Security) you can protect your data’s confidentiality and your own privacy.
This encryption can be

• symmetric - both ends will use the same key for encryption and decryption of the session, or
• asymmetric to securely exchange a session key, and then use that session key for symmetric encryption to provide the fastest encryption/decryption.

Most of these protocols can help defeat “Man in the Middle (MitM)” because they include a hashing algorithm to ensure no data was altered in transit, and the attacker will alter the signature which can be alert for the attack.

However, when data is encrypted only in transit, it can be compromised if the session key gets compromised. And, what is more when the session ends and another session should be set up with another email server, so that the message is transferred to the end user’s email server, the data can travel unencrypted, if the next hop doesn’t support transport level security. And not every email server supports transport level security.

That brings us to the Application level security of email messages.

Encrypting Email Messages

To protect your email messages even more using application level email encryption should be implemented. It can reduce the risks of eavesdropping your communications and cyber thefts.

To do this, your email client should implement encryption software that will to protect the content from being read by other entities than the intended recipients.

Protocols for email encryption that are used on the application level are

• PGP and GNU Privacy Guard (GnuPG)
• S/MIME

PGP

PGP stands for Pretty Good Privacy. It was developed originally by Phil Zimmerman, it provides cryptographic privacy and authentication for data communication.

It is used for signing, encrypting and decrypting emails, files, directories and whole disk partitions to increase the security of email communications. PGP is useful for two things: Privacy and Security Authenticity.

It is a public key cryptography that combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric or session key. Each symmetric key is used only once. The session key is furthermore encrypted with the receiver’s public key. Then the message and its session key are concatenated and sent to the receiver. The session key must be sent to the receiver so they know how to decrypt the message after it is decrypted with the end user’s private key.

S/MIME
It stands for Secure/Multipurpose Internet Mail Extensions and it is a standard for public key encryption and signing of MIME data.

S/MIME provides two security services:

• Digital signatures
• Message encryption

These two services are the core of S/MIME-based message security.

What is different from the PGP encryption is that S/MIME works with digital signatures. The encryption with the sender’s public key is performed after the message is digitally signed with the sender’s private key.

So, in order S/MIME to be used, one must obtain and install an individual key/certificate either from one’s in-house certificate authority (CA) or from a public CA. The accepted best practice is to use separate private keys (and associated certificates) for signature and for encryption, as this permits escrow of the encryption key without compromise to the non-repudiation property of the signature key.

However, this requirement for certificate implementation can be obstacles to deploying S/MIME: due to the requirement of a certificate for implementation, not all users can take advantage of S/MIME, as some may wish to encrypt a message, with a public/private key pair for example, without the involvement or administrative overhead of certificates.

Secure Swiss Data Secure Email

Taken all this security measures in to practice we’ve developed a secure email solution :

• Our Mobile Apps and Webmail App use transport layer security for encrypting the connection between the mail client and the server.
• Email messages sent to Secure Swiss Data users are encrypted using the military grade PGP encryption.
• Email messages to other providers are encrypted using symmetric encryption using a defined passphrase.
• And, what is more, the mailbox and all the data are kept encrypted at rest using PGP encryption on the server, located in Switzerland, sheltered by the Swiss Federal Data Protection Act.

So, whether it is your private data that you care about or your corporate communications, you can subscribe and support us to develop more features to our end-to-end encrypted email service and Enjoy your Privacy.