Email Encryption Types

e-ignite:  Communicate Securely

There are two main types of email encryption: S/MIME and OpenPGP (also known as PGP).

S/MIME is a form of encryption that is included in several email clients by default (such as Outlook Express and Mozilla Thunderbird) and relies on the use of a Certificate Authority to issue a secure email certificate. 

To use S/MIME, you get a certificate issued by one of these authorities and "install" it on your computer. You then email anyone you are likely to want to send encrypted email to and digitally sign your email. Once the other person has a copy of your Digital Signature, they are able to use their S/MIME certificate to encrypt email to you. You need to have both the sender's certificate and the recipient's Digital Signature on your computer in order to send encrypted email.

The advantage of this is that you most likely already have the functionality in your mail client. However, it is not as flexible to use as GnuPG (PGP): you must have a copy of the recipient's Digital Signature before you can encrypt an email and, by the same token, you need to have sent your Digital Signature to everyone who is likely to want to send you encrypted communications. Furthermore, you need to trust that the certificate authority (e.g. VeriSign; others are available) has verified the sender's identity before giving them a certificate. Crucially, a certificate from a Certificate Authority usually costs around $20 per year. You need to renew the certificate every year (so you need to send your Digital Signature to everyone each year), and you can't normally specify the certificate's properties such as key size or algorithm: default S/MIME certificates tend to be only 1024-bit, whereas OpenPGP allows you to specify your own key size up to 4096-bit.

Full instructions for setting up S/MIME on your computer are given on a separate page.


OpenPGP (PGP):
OpenPGP (also known as PGP; PGP is the commercial version, whereas OpenPGP is a free, open-source equivalent) takes a decentralised approach to email encryption. It does not rely on trusting a Certificate Authority; rather, the users create encryption keys themselves. This allows you to choose the key size (minimum 1024-bit, maximum normally 4096-bit), choose an encryption/signing algorithm (e.g. RSA, DSA or ElGamal) and set your own expiry date, which can be anything from one day to a key that never expires. There is also a trust model known as the Web of Trust:
If you implicitly trust someone (for example, the key you hold belongs to a family member or close friend and they gave it to you themselves), then you can sign their key. Someone who implicitly trusts you will therefore be able to trust your family member's key as well. An excellent description of the Web of Trust is available on a separate page.
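The following is an added example (not part of the original page) of how GnuPG actually computes the Web of Trust. Alice, Bob and Carol each keep their own keyring; Alice has checked Bob's key and signs it, Bob has done the same for Carol, and whether Carol's key becomes valid for Alice depends on how far Alice trusts Bob as an introducer (what GnuPG calls ownertrust). The names and addresses are made up, and the script assumes GnuPG 2.1 or later is installed.

```shell
#!/bin/sh
# Added example (not from the e-ignite page): the Web of Trust as GnuPG
# computes it.  Alice, Bob and Carol each keep their own keyring, standing in
# for their own computers.  Names and addresses are constructed; needs GnuPG 2.1+.
set -u
ROOT=$(mktemp -d)
cleanup() { for p in alice bob carol; do GNUPGHOME="$ROOT/$p" gpgconf --kill gpg-agent 2>/dev/null; done
            rm -rf "$ROOT"; }
trap cleanup EXIT

# Run gpg as one person, inside that person's own keyring directory.
as_user() { p=$1; shift; mkdir -p "$ROOT/$p"; chmod 700 "$ROOT/$p"
            GNUPGHOME="$ROOT/$p" gpg --batch --yes "$@"; }

# Each person creates their own signing key (Ed25519, never expires, no
# passphrase so the demo needs no prompts); the function prints its fingerprint.
make_key() { as_user "$1" --quiet --pinentry-mode loopback --passphrase '' \
                 --quick-generate-key "$1 <$1@example.com>" ed25519 sign never
             as_user "$1" --with-colons --list-keys "$1@example.com" | awk -F: '$1=="fpr"{print $10; exit}'; }
ALICE=$(make_key alice); BOB=$(make_key bob); CAROL=$(make_key carol)

# Ownertrust is a private opinion recorded in one's own keyring: how far the
# key's owner can be relied on to vouch for others.  6 = ultimate (own key),
# 5 = full, 4 = marginal, 2 = unknown.  gpg marks a freshly created key ultimate
# by itself; it is repeated here so the step is visible.
set_ownertrust() { printf '%s:%s:\n' "$2" "$3" | as_user "$1" --import-ownertrust 2>/dev/null; }
set_ownertrust alice "$ALICE" 6

# A public key travels from one keyring to another (by e-mail or keyserver)
# together with every certification signature it has collected.
send_key() { as_user "$1" --armor --export "$2" | as_user "$3" --quiet --import; }   # from $1, key $2, to $3

# Bob checked Carol's fingerprint with her in person and signs her key.
send_key carol "$CAROL" bob
as_user bob --local-user "$BOB" --quick-sign-key "$CAROL"
# Alice did the same for Bob, then receives Carol's key (carrying Bob's signature) from Bob.
send_key bob "$BOB" alice
as_user alice --local-user "$ALICE" --quick-sign-key "$BOB"
send_key bob "$CAROL" alice

# Validity of a key as computed in one person's keyring:
# u = ultimate, f = fully valid, m = marginal, - = unknown.
validity() { as_user "$1" --check-trustdb >/dev/null 2>&1
             as_user "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $2; exit}'; }

BEFORE=$(validity alice "$CAROL")   # Alice signed Bob's key but has not said she trusts his judgement
set_ownertrust alice "$BOB" 5       # now she does, fully
AFTER=$(validity alice "$CAROL")
echo "Bob, in Alice's keyring:        $(validity alice "$BOB")"   # f: Alice signed it herself
echo "Carol, before Alice trusts Bob: $BEFORE"                    # not valid: nobody Alice trusts has vouched
echo "Carol, after Alice trusts Bob:  $AFTER"                     # f: Bob's signature now counts
```

Two separate decisions are at work here, and the page's "implicitly trust" covers both: signing a key says "I checked that this key belongs to this person", while ownertrust says "I rely on this person's signatures on other people's keys". Carol's key only becomes valid for Alice once Alice has made the second decision about Bob.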

OpenPGP is completely free to use, so you can have as many or as few keys as you like without ever having to pay anything for them. OpenPGP does not require you to send your public key (the equivalent of a Digital Signature in S/MIME) to all your likely recipients, although this is still possible; in fact, you can upload it to a keyserver. When someone wants to email you securely, they only have to search a keyserver to find your public key and then they can send you an encrypted email. You can also sign an email, and this will confirm that:
a) The email is from who it claims to be;
b) The email has not been tampered with (if it has been altered, it will have a "bad" signature);
although, as stated above, you do not have to sign an email to distribute your public key. If you do upload your public key to a keyserver, it is mirrored on many other keyservers around the world, so even if one keyserver is down or inaccessible for any reason, people will still be able to send you encrypted email. Of course, you can store all your contacts' public keys on your computer so that you do not have to constantly retrieve keys.

In order to use OpenPGP, you will need to download GnuPG and a plugin for your email client, but once these are installed you are able to sign, encrypt, verify and decrypt emails with the click of a button.  It is available on most platforms, so you are able to communicate securely between Windows, Mac, Linux and Unix environments.
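The operations described above (creating a key with your own choice of size and expiry, passing your public key to a correspondent, encrypting to it, and signing so that any alteration shows up as a bad signature) can be carried out with GnuPG on the command line. What follows is an added example, not code from this page or from the GnuPG project: Alice and Bob each get a throwaway keyring standing in for their own computers, the names, addresses and message are constructed, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not from the e-ignite page): the OpenPGP workflow with the
# GnuPG command line.  Alice and Bob each get a throwaway GNUPGHOME standing in
# for their own computers; names, addresses and the message are constructed.
# Requires GnuPG 2.1 or later (for %no-protection in batch key generation).
set -u
ROOT=$(mktemp -d)
cleanup() { for p in alice bob; do GNUPGHOME="$ROOT/$p" gpgconf --kill gpg-agent 2>/dev/null; done
            rm -rf "$ROOT"; }
trap cleanup EXIT

# Run gpg as one person, inside that person's own keyring directory.
as_user() { p=$1; shift; mkdir -p "$ROOT/$p"; chmod 700 "$ROOT/$p"
            GNUPGHOME="$ROOT/$p" gpg --batch --yes "$@"; }

# Create a key pair unattended.  Nobody issues it: the user picks the
# algorithm, the key length and the expiry (1y = one year, 0 = never).
generate_key() {   # $1 person, $2 real name, $3 e-mail, $4 key bits, $5 expiry
    as_user "$1" --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: $4
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: $4
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: $5
%commit
EOF
}
# Primary-key fingerprint, key length and expiry (epoch seconds, empty = never)
# of the key matching an e-mail address in a person's keyring.
fingerprint() { as_user "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }
key_bits()    { as_user "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $3; exit}'; }
key_expiry()  { as_user "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $7; exit}'; }

generate_key alice "Alice Example" alice@example.com 3072 1y
generate_key bob   "Bob Example"   bob@example.com   2048 0
ALICE=$(fingerprint alice alice@example.com)
BOB=$(fingerprint bob bob@example.com)
# Your own key is ultimately trusted (gpg sets this itself at creation; made explicit here).
printf '%s:6:\n' "$ALICE" | as_user alice --import-ownertrust 2>/dev/null

# Bob publishes his public key (this armoured text is what goes to a keyserver
# or into an e-mail); Alice imports it.  Before relying on it she confirms the
# fingerprint with Bob out of band and records that check as a local signature.
as_user bob --armor --export "$BOB" | as_user alice --quiet --import
as_user alice --local-user "$ALICE" --quick-lsign-key "$BOB"

# Encryption: anyone holding Bob's public key can encrypt to him; only his private key decrypts.
printf 'Transfer 100 GBP to account 1234\n' > "$ROOT/msg.txt"   # constructed message
as_user alice --recipient "$BOB" --output "$ROOT/msg.gpg" --encrypt "$ROOT/msg.txt"
decrypt_as() { as_user "$1" --quiet --decrypt "$2"; }            # prints the plaintext

# Signing: Bob clearsigns, Alice verifies.  Exit status 0 only for a good signature.
as_user bob --local-user "$BOB" --output "$ROOT/signed.asc" --clearsign "$ROOT/msg.txt"
verify_as() { as_user "$1" --verify "$2" >/dev/null 2>&1; }
# Alter one figure in the signed text: the signature no longer matches.
sed 's/100 GBP/900 GBP/' "$ROOT/signed.asc" > "$ROOT/tampered.asc"

echo "Alice's key: $(key_bits alice alice@example.com)-bit, expires at $(key_expiry alice alice@example.com)"
echo "Bob's key:   $(key_bits bob bob@example.com)-bit, never expires"
echo "Bob decrypted: $(decrypt_as bob "$ROOT/msg.gpg")"
verify_as alice "$ROOT/signed.asc"   && echo "original message: good signature"
verify_as alice "$ROOT/tampered.asc" || echo "altered message:  BAD signature"
```

The clearsigned file is ordinary text with the signature appended, so the altered copy is still perfectly readable; it is only the verification step that exposes the change, which is why a mail client shows a signature status rather than silently accepting the text. The local signature Alice makes after checking the fingerprint is the one-to-one form of the Web of Trust described earlier.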

Full instructions for setting up OpenPGP on your computer are given on a separate page.

Please note: S/MIME and OpenPGP are not compatible - you can NOT encrypt email using an OpenPGP key to an S/MIME signature or vice versa.
