Email is one of the most common forms of communication now. Everyone uses it. In an age where email is also used as a weapon by threat actors to spam people, it’s important to understand email encryption and how it can protect you and your privacy. Let’s start with the basics of encrypting emails.
Symmetric Encryption
This is a type of encryption that involves a “shared-key”. Let’s say that Indy wants to send a message to Sallah, but is concerned that the message stay private and therefore, secure. If anyone grabs the message while it is in transit, then they can read it and expose Indy’s secrets. With symmetric encryption, the email message is encrypted using a specifically chosen key. This key can be a phrase, a set of numbers, or anything that Indy chooses. If an attacker grabs the message, they won’t be able to decrypt it and read its contents without the decryption key. The same key that was used to encrypt the message, also decrypts it. Therefore, Indy has to get the secret key to Sallah in order for him to decrypt the email. Maybe he sends a separate email, or maybe he sends it over a separate secure messaging channel like Signal or Wire. The image below shows an example of what is being discussed.
An encrypted email service that excels in symmetric encryption is Proton Mail. You can actually create an email account for free! Any emails that are sent between your account and another Proton Mail user’s account will automatically be encrypted. You can encrypt any email message and choose the encryption key that you can share with the recipient for decryption. You can also set timers on the emails that you encrypt so that they are unavailable after certain periods, such as 24 hours or 7 days.
One of the benefits of using symmetric key encryption for email is that it uses less computing resources as it is a less complex encryption mathematically compared to asymmetric encryption. This also means it is a faster process. One of the drawbacks is that the secret key must be shared. Therefore, if the secret key is intercepted while it is being shared, then the attacker who intercepted it can easily decrypt the email message.
Asymmetric Encryption
This type of encryption is a little more complicated. This is also known as “public key encryption”. Using the same example of Indy sending a message to Sallah with secrets, he may be concerned that the encryption key will be intercepted if he uses symmetric encryption. Therefore, this will involve a key pair. The email message will be encrypted using a public key. That key encrypts the message, and it is sent to the recipient, who can decrypt it. However, because of the mathematical equation that is used, the same key will not be able to decrypt the message for the recipient to read. Instead, there will be a private key that is used to decrypt the message. Only the recipient will have that private key. This means that anyone can use the public key to encrypt a message, but only the intended recipient that holds the private key will be able to decrypt and read the message. If the recipient, or attacker who intercepts the message, attempts to decrypt the message with the public key, it will not work. The image below is an example of public-key cryptography.
An application for public key encryption with emails is OpenPGP. This works on email clients such as Outlook and Thunderbird. It takes some configuration on the side of the user, but is well worth it. A list of the software that can be used with OpenPGP can be found here.
A benefit of asymmetric encryption is the enhanced security as well as authentication. The private key will never leave the recipient, and therefore there is significantly reduced chances of interception by an attacker. The sender can digitally sign the email with their key, thereby confirming that they are the one who truly sent the message. One drawback is the amount of computing resources used for this method of cryptography, as the mathematical equation is much more complex than that of symmetric encryption.
The Bottom Line
Email encryption is meant to protect users and their privacy. There may be sensitive information that needs to be protected from malicious threat actors. Encrypted email can prevent unauthorized access to your data. It can also help with compliance for regulatory bodies such as H.I.P.A.A. in healthcare or P.C.I. in the financial processing industry. It also helps to ensure users have more control over their information. Email encryption is something that is available to all users, not just corporations.