Are you thinking about email encryption? You know you really should at the very least consider it. Why? Well it’s become pretty clear that snooping on emails is not just technically possible but is actually happening on a wide scale and it’s not just restricted to the security services of the UK, USA and other governments, Google also appear to be using it’s ability to view emails of users of their Gmail service. It really might be about time to implement a secure solution.
What’s A Good Email Encryption Solution?
Unless you are a cryptographer you are going to have some difficulty sorting the “wheat from the chaff”. Hopefully I can be of some help here in pointing you in the right direction. Beware marketing hype, the most common thread when talking encryption is something like this; “the best military grade encryption”. What I ask you is “military grade encryption”? I guess we are supposed to take from that the encryption is the most robust, but unfortunately there is no such thing as “military grade” encryption. Take it from me, as someone who was responsible for developing and supplying encryption products for the UK Ministry of Defense, there is no single standard of encryption for the military. Differing levels of sensitivity of data require differing levels of encryption. Understandable if you think about it. So steer clear of vendors who make these kinds of claims.
Which Algorithm, How Many Bits?
There are many algorithms to chose from DES, Triple DES, RSA, Blowfish and AES to name but a few. But remember the relative strength or weakness of any form of encryption is in the implementation. The Advanced Encryption Standard (AES) is a specification for encryption established by the US National Institute of Standards and Technology (NIST) and has been the de facto algorithm for the US government since 2001. It is also in use extensively worldwide by organizations small and large. Based on the Rijndael cipher it has a block size of 128 bits, with a choice of key lengths of but serious players would only be using 256 bits.
So it would seem that a product using AES with a key length of 256 bits would be a sensible choice, providing we are assured of the implementation of the algorithm.
But How Secure is AES?
Bruce Schneier a highly respected cryptographer and developer of Twofish, a competing algorithm for the AES award said of attacks on Rijndael that they would be developed at some point in the future, but and I quote “I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic”. I think we can draw from this that AES is secure enough for most of us, there is never an absolute where security is concerned.
Given what we have learnt here, we need to look for a product that utilizes the AES algorithm with a key length of 256 bits and is implemented securely (certified by an independent industry accepted authority) and is simple to use.
This year’s winner of the UK IT Industry Awards, Cloud Provider of the Year 2013, Egress Technologies have developed email encryption software called Switch that has all of the attributes we have discussed here plus the ability to keep control of your data once it has left the protection of your PC or network. The fact that the recipient can’t forward your encrypted email to someone else without your permission has added benefits and can be amended in real time.
About the Author
Andy Campbell has over 20 years experience in the area of encryption products. As managing director of Reflex Magnetics Ltd a UK developer of security software, he was instrumental in forging a close relationship with the MoD and CESG, before selling the company in 2006. Reflex’s Disknet and Data Vault products were used extensively by both the UK’s armed forces and NATO.