Email Encryption to Protect Sensitive Message and Attachments

Email Encryption to Protect Sensitive Message and Attachments

July 02, 2020 / in Encryption/Security / by Zafar Khan, RPost CEO

Pig Latin Will Remain a Legal form of Encryption

As today’s technological and political environments are becoming ever more polarized, it is useful once again the think about these trends in the context of America’s foundation—i.e. the reason for celebrating Independence Day in America.

Privacy and constitutional rights continue to be debated publicly, which most would agree is healthy, and with today’s political, health, security, and economic challenges, technological tinkering is once again in the spotlight.

June’s refresh of the decade-long political attempt to require backdoors to tech encryption – while good intentioned – may, as some fear, facilitate overarching technical surveillance and encroachments to personal privacy. This Independence Day gift comes in the form of the US Senate’s June Lawful Access to Encrypted Data Act (aka the “LEAD Act”). But, this is only one of today’s newfound privacy challenges – and may not even be the most significant.

Compare government back-doors to encrypted messages with mobile phone geo-tracking to enforce quarantines (or whatever is next) — think Chinese government mass overlay of facial recognition surveillance tied to mobile phone geo-location to combat virus outbreaks.

Tech Essentials first explored the concept of technology-enforced quarantines (read “Have No Fear, High Tech Quarantines are Here!”), and we first explored the concepts related to encryption and NSA eavesdropping concerns several years ago when Edward Snowden was blog/email-encryption-to-protect-sensitive-message-and-attachment/grabbing all the headlines.

Any notion of privacy may already be a thing of the past.

While the LEAD Act has honorable intentions, as described in the Senate’s press release, privacy advocates fear that the financial incentives proposed by the government to fund legal attempts to find “back-doors” may be misguided and dangerous. Moreover, the requirements to disclose encrypted content to any US Government requester at any level of government may just leave US-based encryption services no stronger than a souped-up version of Pig Latin.

To give you a break from talk of viruses and facemasks, and in the spirit of Independence Day, we thought we would explore this topic in more detail – a light read for your backyard BBQ—if your state or locality hasn’t banned these yet.

“Caesar Cipher” and “Pig Latin” are Forms of Encryption

Suppose Donald wants to send a secret message to his friend William but worries that snoopy Vlad may intercept it. Donald needs a way to scramble his message so that only William can read it. A simple way to do this would be for Donald to replace each letter in his message with the next highest letter; shifting it by one (think “Caesar Cipher” or “Pig Latin“).

But, of course, that is too simple. If Vlad intercepts the message, he’ll be able to easily decipher it by looking for hidden patterns in the letters it contains. All it will take to crack the code is a little mathematics and some trial and error.

And, of course, if Vlad uses a computer, he’ll be able to crack the code even faster. So, just shifting (as is the case with Pig Latin) the first letter to the end and adding “ay” as a suffix (turning “HELLO” into “ELLOHAY” for example) isn’t a very strong cipher. Certainly, Russian spies (ahem, Vlad) would crack this encryption. So, what can Donald do?

Well, he can try to think up a more complicated mathematical formula to scramble the letters and numbers. And maybe he can use a computer to apply the formula. This will help, but the problem is that if Vlad hires clever mathematicians, or if he has a powerful enough computer, he will be able to crack the code eventually. So, it looks like it’s going to be an arms race with Vlad to see who can come up with the biggest computers and the most complicated formula. But because Vlad has nearly unlimited resources to pay mathematicians and to spend on computing power, it is a race Donald and William are perhaps bound to lose.

What is Considered “Strong Crypto”?

We have established that more complex encryption patterns are more difficult for Vlad to decipher (unless Vlad can use a powerful computer to help figure out the pattern), yet they remain easy for Donald to read, because Donald has knowledge of the pattern (the decryption key). Most technicians understand that more complex algorithms are harder to “crack”, that is, they require more computing power to crack.

How does Computing Power Impact the Time to Crack the Encryption?

Let’s consider the example of using computing power to try to guess a 10 digit seemingly random alpha numeric password like tjo9i0982d using a “brute force” attack (i.e. trial and error). This would be similar to trying to find a pattern in a universe of combinations of 36 digits (26 possible letters and 10 possible numbers). According to Gibson Research Corporation, in this example, there are 3700 trillion combinations, and the time to guess and test the right combination using trial and error in an online environment is one thousand centuries (assuming one thousand guesses per second). However, in what Gibson Research calls a “Massive Cracking Array Scenario” with one hundred trillion guesses per second offline, this password can be guessed in just 38 seconds.

Computing power does matter. But, not many, if any (today), can implement a “Massive Cracking Array Scenario”. One institution that could potentially implement such a system is the National Security Agency (NSA). In recent years, the NSA completed a $1.5 billion data center in Utah that reportedly has more than 100,000 square feet of computer and data storage equipment in a facility that spans a total of 1-1.5 million square feet.

Is Today’s Commercial Encryption Readable by the Russian Spies with their Computing Power?

This is a question that some people know the answer to. We do not. Most commercial encryption uses algorithms that the NSA has “approved” for “civilian, unclassified, non-national security systems”. These algorithms are what encrypt your email or financial transactions when using email encryption or secure HTTP web-based connections with commercially available systems. Some of these NSA approved (unclassified) algorithms include DES, Triple DESAES, DSA and SHA.

Is Today’s Commercial Encryption Readable by the US Government with their Computing Power?

One might assume it is; after all, if we are using NSA approved algorithms, one might assume they know how to decipher. So, then what is the goal of the LEAD Act?

Perhaps the goal is to simply make it more convenient for the government to decipher encrypted information.

The bottom line is: people may need to start (re)thinking about how to control their own data. When it comes to using email encryption to protect “civilian, unclassified, non-national security systems” and information, what are the most important considerations?

The Tech Essentials-recommended way is to use RMail email encryption, as it makes it easy for both senders and recipients to protect sensitive message content and file attachments.

And, RMail for Outlook lets you send-and-receive email encrypted with a variety of settings so you can adjust your levels of security based on your perceived message sensitivity. It also lets sender and recipient download messages to your local computer, keeping it out of — LEAD Act-accessible — online encrypted storage. With the right settings, a copy is not maintained in any cloud server that would be susceptible to LEAD Act searches at your cloud service provider.

Further, with RMail, it is simple — you may set the “primary” method, and there is an automated secondary method. This primary method can be selected to first send using an encrypted transmission method that auto-decrypts at the intended recipient, so they need to do nothing additional. If the encrypted transmission cannot be accomplished due to the recipient system, the message automatically reverts to a secondary method. Or, you can choose on a message by message basis (or automated based on certain message content) to send outbox-to-inbox end-to-end encrypted.

This is what Marshall & Sterling insurance uses – click here to hear their thoughts as to why, expressed at Optimize!2020.

Just some non-COVID food for thought as we celebrate our nation’s founding this weekend (or celebrate the best we can given the circumstances). Happy 4th of July, and please stay safe.