Introduction
Email is used for communication throughout the world, in both business and personal settings, because of conveniences such as its speed. It carries risks, however: messages deleted from an individual's computer may still be stored on some server, messages can be read and modified in transit before they reach their destination, and login usernames and passwords can be stolen and used by attackers. These lead to eavesdropping, identity theft, false messages, and repudiation, among others. Several methods of enhancing email security, described below, have been developed through research, but one key question remains: which of them is most appropriate for protecting sensitive data? This paper is based entirely on the article S/MIME V3 White Paper by eB2Bcom and is an analysis of several facts already stated in that article.
Privacy Enhanced Mail (PEM)
Privacy Enhanced Mail (PEM) consists of extensions to existing message processing software plus a key management infrastructure. It is compatible with the RFC 822 message processing conventions and transparent to Simple Mail Transfer Protocol (SMTP) mail relays (S/MIME V3 White Paper, 2010, p. 2). PEM uses symmetric cryptography, and its public key management is based on the use of certificates as defined by the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) Directory Authentication Framework.
Pretty Good Privacy (PGP)
PGP likewise encrypts and decrypts e-mail to increase the security of e-mail communications. Created by Philip Zimmermann, it follows the OpenPGP standard (RFC 4880) for encrypting and decrypting data.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
S/MIME, like the methods above, aims to protect email data from unintended recipients. The standard specifies the application/pkcs7-mime type for data encryption: the whole MIME entity to be enveloped is encrypted and packed into an object, which is then inserted into an application/pkcs7-mime MIME entity.
S/MIME v3 ESS
As stated in the paper being analyzed, this is the latest version of S/MIME and adds a number of Enhanced Security Services (ESS): secure mailing lists, which allow just one digital certificate to be used when sending a secure message to all members of a mailing list; signing certificate attributes, which bind the signer's certificate to the signature itself; signed receipts, which provide proof of delivery of the message and of its successful verification; and security labels.
TrustedMIME
TrustedMIME is developed by SSE according to the industry-standard S/MIME protocol. It plugs into email clients, providing the user with 128-bit encryption and digital signatures of up to 2048 bits. It supports both Microsoft (Outlook, Exchange, and Messaging) and Lotus Notes platforms. TrustedMIME is designed to work with a chosen Public Key Infrastructure (PKI), but users can generate their own self-signed public key certificates in its absence.
Analysis
Cryptography can generally be divided into public key and private key cryptography. In private key cryptography, users share a single private key that serves for both encryption and decryption. The major hindrance in private key cryptography is the distribution of that private key in large networks. The principle behind public-key cryptography is that of a one-way function f where, given x, f(x) can easily be computed, but recovering x from f(x) is computationally impractical. The advantage of a public key system is that no secret key distribution is needed, which gives flexibility: as hardware becomes faster, larger keys are simply used, unlike private keys, where new keys must be generated and disseminated. Public key cryptography, though, is generally slower.
The major limitation of PEM is its incompatibility with MIME, the standard Internet mail format. PEM relies on a public key directory, but since there was no centralized online public key directory in 1989, PEM was designed to operate without one, and each signed message includes all of the certificates in the chain needed to verify the message signature. Two users cannot securely exchange messages immediately after downloading PEM software, because they first need to have their public keys certified by their local CAs, and their CAs need to be certified by a Policy CA, which itself needs to be registered with the Internet Policy Registration Authority (IPRA). The system was simply designed to work during that period, and it solved the problem of the time.
PGP usage has spread because the software was freely available to academics and researchers in the US from its inception, and a non-copyright version was made available to the rest of the world. Its advantage is that no certification infrastructure is required for secure use. Its method of key distribution, and the associated web of trust that users build for themselves, is difficult to achieve when numerous users are involved, as noted above under private key cryptography.
The parts of the S/MIME protocol in use are drawn from different informational RFCs and require the use of weak cryptography (40-bit keys). The S/MIME v3 standard consists of five parts: Cryptographic Message Syntax (RFC 3852), Cryptographic Message Syntax (CMS) Algorithms (RFC 3370), S/MIME Version 3.1 Message Specification (RFC 3851), S/MIME Version 3.1 Certificate Handling (RFC 3850), and Diffie-Hellman Key Agreement Method (RFC 2631). There is also an additional protocol, Enhanced Security Services for S/MIME (RFC 2634), which is a set of extensions to S/MIME that allow signed receipts, security labels, and secure mailing lists. The RFC 3852 and RFC 3370 extensions apply to either S/MIME v3 or S/MIME v2; the secure mailing list extensions, on the other hand, apply to S/MIME v3 only. It is important to note that not all e-mail clients handle all S/MIME signatures. At times an smime.p7s attachment appears on an e-mail, which tends to confuse users. S/MIME, like any other secure webmail signing technique, depends on a browser for code execution in order to generate a signature.
The kind of cryptography used to secure a communication channel determines the level of protection achieved. While public key and private key cryptography each have their own pros and cons, both can be combined in security systems to exploit the strengths of each. An example of such a process, according to Vocal Technologies (2009, para. 5), is the “‘digital envelope,’ in which private key cryptography is used to encrypt a message m, yielding cipher-text c. The secret key s is then encrypted using public-key cryptography, yielding k. The encrypted message and key pair (c, k) may then be sent securely, where only the recipient may recover s from k. The secret key s may then be used to quickly decode cipher-text c, yielding original message m.”
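To make the two S/MIME message forms discussed above concrete (the application/pkcs7-mime entity that carries the whole encrypted object, and the multipart/signed form whose detached signature shows up as the smime.p7s attachment), here is an added Go example that classifies a message by its Content-Type. It is not code from the white paper or from any S/MIME product; the sample message and its body bytes are constructed for illustration, and the function name Classify is this example's own.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"mime"
	"net/mail"
	"strings"
)

// Classify parses a message's headers and reports which S/MIME form it uses.
// application/pkcs7-mime carries the whole CMS object as the (base64) entity
// body, so kind is its smime-type (enveloped-data or signed-data) and payload
// the decoded object; multipart/signed keeps the text readable and carries the
// detached signature as a separate part (the smime.p7s attachment).
func Classify(raw string) (kind string, payload []byte, err error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", nil, err
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil {
		return "", nil, err
	}
	switch mediaType {
	case "multipart/signed":
		return "clear-signed", nil, nil
	case "application/pkcs7-mime":
		if !strings.EqualFold(msg.Header.Get("Content-Transfer-Encoding"), "base64") {
			return "", nil, fmt.Errorf("pkcs7-mime body must be base64 on the wire")
		}
		body, err := io.ReadAll(msg.Body)
		if err != nil {
			return "", nil, err
		}
		// Line breaks in the body are transport artefacts, not part of the data.
		payload, err = base64.StdEncoding.DecodeString(strings.Join(strings.Fields(string(body)), ""))
		return params["smime-type"], payload, err
	}
	return "", nil, fmt.Errorf("not an S/MIME entity: %s", mediaType)
}

// Sample is a constructed enveloped message; its body is only the opening bytes
// of a CMS ContentInfo header (OID 1.2.840.113549.1.7.3), not real ciphertext.
const Sample = "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\r\n" +
	"Content-Transfer-Encoding: base64\r\n" +
	"Content-Disposition: attachment; filename=smime.p7m\r\n" +
	"\r\n" +
	"MIAGCSqGSIb3DQEHA6CAMIACAQA=\r\n"
```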
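The digital envelope described in the quotation, as an added Go example (not the white paper's or Vocal Technologies' code): AES-256-GCM is the private key step that turns m into c, and RSA-OAEP is the public key step that turns s into k; the function names Seal and Open are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Seal builds the envelope (c, k): a fresh 256-bit key s encrypts m with AES-GCM (fast),
// then s is wrapped with RSA-OAEP under the recipient's public key (slow, but only 32 bytes).
func Seal(pub *rsa.PublicKey, m []byte) (c, k []byte, err error) {
	s := make([]byte, 32)
	if _, err = rand.Read(s); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(s)   // a 32-byte key is always valid for AES
	gcm, _ := cipher.NewGCM(block) // AES's block size always suits GCM
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	if k, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, s, nil); err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nonce, nonce, m, nil), k, nil // c = nonce || ciphertext || tag
}

// Open reverses Seal: only the private key recovers s from k, and only s opens c.
// A wrong key fails inside DecryptOAEP; any change to c fails the GCM tag check.
func Open(priv *rsa.PrivateKey, c, k []byte) ([]byte, error) {
	s, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, k, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(s) // rejects a wrapped key of the wrong length
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(c) >= n {
		return gcm.Open(nil, c[:n], c[n:], nil)
	}
	return nil, errors.New("envelope too short to hold a nonce")
}
```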
Conclusion
Several factors, such as the sensitivity of the data in transit, the cost of installing and maintaining the security system, the size of the network the system is to cover, and the impact on users, come into play in determining the type of security system adopted by an individual or firm. Based on the methods of operation of the various standards, S/MIME v3 ESS is appropriate for large networks, and for smaller networks PGP is suitable.
References
S/MIME V3 White Paper. (2010). E-mail security. eB2Bcom. Web.
Vocal Technologies. (2009). Security Overview. Web.