Page 10 - Cyber Warnings - November 2015

End-to-End Encryption for Emails. An Organizational Approach

by Dr Burkhard Wiegel, Founder and CEO, Zertificon Solutions

The threat to electronic enterprise communication used to lie beyond the firewall. With the
increased use of mobile devices for business email, the need to secure communication from sender
to recipient, and within the corporate network itself, has raised awareness of industrial-scale
end-to-end encryption.

There are risks and pitfalls associated with the existing concepts of end-to-end encryption. Many
available solutions deliver only simple, personal client-side encryption or plain transport-layer
encryption, neither of which is suitable for organizations. This paper introduces an alternative,
organizational approach to secure end-to-end communication.

Secure Channel versus Content Encryption
When discussing email encryption, the topic of Transport Layer Security (TLS) always arises. TLS
has become a popular and established technology, but it is often mistaken for a full-blown
end-to-end encryption solution. TLS, however, only secures the connection between two mail relay
servers, not the actual message content. The message content is unencrypted not only in transit
between hops but also whenever it is stored. This includes temporary storage on mail relay servers as
well as mid-term to permanent storage in users' server-side mailboxes and archives.

Any attacker who makes it through the firewall can simply help themselves to whatever they find.
With sync, POP or push services, emails are also unprotected on the client device. TLS gives
the appearance of being secure but does not deliver enterprise-level security. VPNs and other
secure-channel methods, which protect the transport but not the content, share the same security
problems as TLS. It is always better to secure the message itself.

End-to-end encryption appears to be the only solution that provides real security and
confidentiality. After the NSA scandal, security experts who were vocal in the media called for the
comprehensive adoption of end-to-end encryption, but never came up with realistic day-to-day
solutions that could be rolled out throughout companies.

Enterprise Email Encryption Status Quo

Modern encryption is based upon asymmetric keys, commonly managed through a Public Key
Infrastructure (PKI) such as S/MIME or OpenPGP. Not surprisingly, these two systems are
incompatible. Although both rely on the same cryptographic concepts, their trust models are
very different.

OpenPGP relies on a peer-based “web of trust” in which users vouch for each other. S/MIME, on the
other hand, relies on a hierarchical trust model in which a higher entity vouches for a lower entity and
states how that trust was established (e.g. identity checks).
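The hierarchical model described above, as an added example that is not from the article or from Zertificon: a constructed in-house CA signs a user's public key, which turns it into a certificate, and a relying party then checks that signature with the CA's public key. It uses the Python `cryptography` library; all names and keys are made up.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Turn subject_key's public half into a certificate signed by issuer_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def vouched_for_by(cert, ca_cert):
    """True if ca_cert's key signed cert. Signature check only: a full S/MIME
    validation also checks validity dates, chain constraints and the CA's
    published revocation status."""
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def demo():
    # Constructed names: an in-house CA (the "higher entity") and one user.
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = make_cert("Example Corp CA", ca_key, "Example Corp CA", ca_key, True)
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_cert = make_cert("alice@example.com", user_key, "Example Corp CA", ca_key, False)
    # Same user key, but self-signed: no higher entity vouches for it, so the check fails.
    rogue = make_cert("alice@example.com", user_key, "alice@example.com", user_key, False)
    return vouched_for_by(user_cert, ca_cert), vouched_for_by(rogue, ca_cert)
```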

Certification Authorities (CAs) sign the public keys, and from that moment on a public key becomes
a certificate. The CA publishes the certificate alongside up-to-date status information relating to the


10 Cyber Warnings E-Magazine – November 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide