Published August 2008 by the Illinois State Bar Association, Standing Committee on Legal Technology
© 2008 Illinois State Bar Association

E-mail Encryption

by Benjamin Gerber and Adam Nelson

Last year in this publication we advocated that you consider strengthening your firm’s information security practices and provided a list of practices to follow (“Information Security for the Solo and Small Firm Attorney,” June 2007). Among the desired security mechanisms mentioned were Whole-Disk Hard-Disk Encryption and File Level Encryption.

In this article, we will look at another use for cryptography in your everyday activities, encryption of communications, specifically of e-mail and e-mail attachments. We will then explain how to get started using encryption features in two of the most popular e-mail clients, Outlook and Thunderbird.

Why

E-mail encryption features provide confidentiality and integrity for message content and authentication of and non-repudiation for senders. This can be useful when communicating with your client and/or opposing counsel. Most of what we do is confidential and encryption will ensure that the messages remain so. Below we will focus on the need for confidentiality features.

Unless both the sender and receiver are on the same internal office mail server, e-mail messages traverse the Internet in plaintext. In this respect, e-mail is often likened to communicating via postcards, except that the intermediate carriers (servers) and the space between them are not governed by the post office. In addition to messages being stored at the receiving location, and often the sending location, they may also be cached along the way.

While attorney-client privilege limits the use of information shared between you, your clients and external parties for other legitimate purposes, the attorneys’ obligation to protect sensitive and personal data goes beyond this. Whether or not you fall under the purview of privacy regulations that require a higher level of due diligence in protecting personal and sensitive data, measures you take to do so will differentiate you to your clients as an attorney they can trust with their sensitive information. This may also be beneficial to the court. Through the use of encryption you can establish a high level of care.

For e-mail exchanges not covered by privilege, but intended to be private, are messages truly private if we do not take decent measures to protect them? Are we giving up the right to consider messages private at all? If communicating via postcard or by posting signs in your front yard removes the expectation of private communication, might the same be said of e-mail sent in plaintext?1

Without encryption, e-mail communications can be read by:

Password protected files

We have noticed a growing number of legal practitioners using password protection mechanisms when sending documents via e-mail. While this demonstrates awareness of the risks and an effort to mitigate them, it must be noted that many file password protection mechanisms offer no real security: they can be overcome by opening files with applications that do not support the password mechanism, or the passwords can be removed or recovered using easy-to-use utilities. (Proper encryption options for files will be covered in a later article.)

Encrypting e-mail passwords

TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are the same technology that allows us to encrypt data sent via a web browser (such as when you log into your bank’s website), and they provide us with the ability to secure our IMAP or POP e-mail when it is retrieved from and sent to our mail server. This will not protect mail sent to users on other mail servers or the messages stored on a mail server; however, it does protect the password you use to receive and send mail from being transmitted across your network and the Internet in plaintext.

TLS and SSL are often used for point to point encryption. Point to point encryption solutions address the encryption of data on or in between systems; the data is unencrypted (and optionally re-encrypted) whenever it reaches or leaves systems throughout an architecture.

In order to use this option, TLS or SSL must be supported by your e-mail hosting provider. If you are using an IMAP or POP e-mail account, the following instructions can be used.

… [text removed] …
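
As an added illustration (not part of the original article), the following Python example shows how the connection security setting in a mail client decides whether the account password crosses the network in plaintext. The server replies are constructed samples, and the client_mode names are hypothetical labels rather than the wording of any particular e-mail client.

```python
# Added example: will the mailbox password cross the network in plaintext?
# Banners are constructed samples; client_mode names are hypothetical labels.
UPGRADE = {"imap": "STARTTLS", "pop3": "STLS", "smtp": "STARTTLS"}

def parse_caps(protocol, banner):
    """Return the upper-cased capability tokens a server advertised."""
    caps = set()
    for line in banner.splitlines():
        line = line.strip().upper()
        if protocol == "imap" and line.startswith("* CAPABILITY"):
            caps.update(line.split()[2:])      # "* CAPABILITY IMAP4REV1 STARTTLS"
        elif protocol == "pop3" and line and line != "." and not line.startswith("+OK"):
            caps.add(line.split()[0])          # CAPA reply: one capability per line
        elif protocol == "smtp" and line.startswith("250") and len(line) > 4:
            caps.add(line[4:].split()[0])      # EHLO reply: "250-STARTTLS"
    return caps

def password_exposure(protocol, banner, client_mode):
    """Return 'protected', 'plaintext' or 'refused' for one login attempt."""
    if client_mode == "implicit_tls":          # TLS starts before any command
        return "protected"
    caps = parse_caps(protocol, banner)
    offered = UPGRADE[protocol] in caps
    if client_mode == "starttls_required":     # client gives up rather than downgrade
        return "protected" if offered else "refused"
    if client_mode == "starttls_if_available" and offered:
        return "protected"
    if protocol == "imap" and "LOGINDISABLED" in caps:
        return "refused"                       # server rejects LOGIN without TLS
    return "plaintext"

IMAP_TLS = "* OK ready\r\n* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\na1 OK done"
IMAP_NO_TLS = "* OK ready\r\n* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\na1 OK done"
POP3_TLS = "+OK capability list follows\r\nUSER\r\nSTLS\r\nUIDL\r\n."
SMTP_TLS = "250-mail.example.test\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN"

if __name__ == "__main__":
    for mode in ("none", "starttls_if_available", "starttls_required", "implicit_tls"):
        print(mode, password_exposure("imap", IMAP_NO_TLS, mode))
```

A setting that uses TLS only "if available" falls back to a plaintext login whenever the server's offer is absent, which is why a setting that requires TLS is the safer choice when your provider supports it.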

Encrypting e-mail content

There are two prevalent and standardized implementations of e-mail encryption. Both of these options provide message level security. The major advantage message level encryption provides is an end-to-end security context—as the message flows from system to system it remains encrypted.

Which option you select may depend on what the people you communicate with on a regular basis are using, since both parties must be utilizing the same standard to exchange encrypted e-mail. If you have diverse correspondents, you can use both. Both S/MIME and OpenPGP require exchanging public keys (for S/MIME the public key is contained in a certificate); you must send your public key to those who will send you encrypted messages and you must have your correspondents’ public keys before sending them encrypted messages. It is possible to automate this key exchange, as we will explain below for S/MIME configuration.

Below we will refer to “signing” and “encrypting” a message. Signing adds a signature to the message, providing a level of assurance that it came from you and that it was not modified after you sent it. Encrypting a message prevents the message from being read by anyone other than the intended recipients. Messages can be signed or encrypted, or both signed and encrypted.
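
To make the distinction concrete, here is an added Python example (not part of the original article) that inspects a message's outer MIME headers and reports which standard it uses and whether it is signed or encrypted. The sample messages and addresses are constructed, with the ciphertext and signature bodies omitted; the function names are hypothetical.

```python
# Added example: report which standard and protection a message uses.
# The sample messages are constructed; ciphertext and signature are omitted.
from email import message_from_string

SMIME_SIG = ("application/pkcs7-signature", "application/x-pkcs7-signature")
SMIME_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")

def classify_protection(raw):
    """Return (standard, protection) for the outermost layer of a message."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    protocol = (msg.get_param("protocol") or "").lower()
    smime_type = (msg.get_param("smime-type") or "").lower()
    if ctype == "multipart/signed" and protocol in SMIME_SIG:
        return ("S/MIME", "signed")
    if ctype == "multipart/signed" and protocol == "application/pgp-signature":
        return ("OpenPGP", "signed")
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return ("OpenPGP", "encrypted")
    if ctype in SMIME_MIME and smime_type == "enveloped-data":
        # A signature, if any, sits inside the envelope and cannot be seen
        # until the recipient decrypts, so "signed and encrypted" shows as this.
        return ("S/MIME", "encrypted")
    if ctype in SMIME_MIME and smime_type == "signed-data":
        return ("S/MIME", "signed")
    body = "" if msg.is_multipart() else str(msg.get_payload())
    if "-----BEGIN PGP MESSAGE-----" in body:
        return ("OpenPGP", "encrypted")        # inline (non-MIME) OpenPGP
    if "-----BEGIN PGP SIGNED MESSAGE-----" in body:
        return ("OpenPGP", "signed")
    return (None, "none")

def visible_headers(raw):
    """Header fields stay readable in transit even when the body is encrypted."""
    msg = message_from_string(raw)
    return {name: msg[name] for name in ("From", "To", "Subject")}

HEAD = "From: counsel@example.test\nTo: client@example.test\nSubject: Settlement draft\n"
SMIME_ENCRYPTED = (HEAD + "MIME-Version: 1.0\nContent-Type: application/pkcs7-mime;"
    ' smime-type=enveloped-data; name="smime.p7m"\n\n(ciphertext omitted)\n')
PGP_SIGNED = (HEAD + "MIME-Version: 1.0\nContent-Type: multipart/signed;"
    ' protocol="application/pgp-signature"; boundary="b"\n\n--b\n'
    "Content-Type: text/plain\n\nDraft attached.\n--b\n"
    "Content-Type: application/pgp-signature\n\n(signature omitted)\n--b--\n")
PLAIN = HEAD + "\nDraft attached.\n"
```

Message-level encryption covers the body and attachments; the sender, recipients and subject line travel as ordinary header fields, so keep confidential details out of the subject.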

S/MIME

S/MIME (Secure MIME; MIME, Multipurpose Internet Mail Extensions, is how e-mail clients exchange non-text portions of messages) is built in to many e-mail clients (including Outlook and Thunderbird). Because it does not require installing and supporting additional software it is often the choice of many large organizations.

To get started with S/MIME, you will first need a digital certificate. Your organization or firm may have its own certificate authority (CA), or you can obtain a certificate from a third-party certificate authority, such as Thawte (http://www.thawte.com/secure-email/personal-email-certificates/) or CAcert (http://www.cacert.org).

It is common practice in large organizations to use separate certificates for signing and encrypting messages. This allows the encryption certificate to be kept in escrow without compromising the integrity and non-repudiation achieved when signing messages with a certificate that is only in the sender’s possession. It is not required that you use separate certificates.

Assuming you have obtained a digital certificate from a certificate authority and have followed their directions to install the certificate, the following instructions can be used. (Installing a certificate is a fairly automated process; it will usually involve going to a link provided in an e-mail. Use Microsoft Internet Explorer to install a certificate that can be used with Microsoft Outlook; use Microsoft Internet Explorer or Mozilla Firefox to install a certificate that can be used with Mozilla Thunderbird.)

… [text removed] …

OpenPGP

PGP (Pretty Good Privacy) was originally developed by Phil Zimmermann (http://www.philzimmermann.com) in 1991. Modern PGP implementations utilize the OpenPGP standard.

GPG (GNU Privacy Guard), also known as GnuPG (http://www.gnupg.org), is a modern free and open source implementation of OpenPGP. Gpg4win (http://www.gpg4win.org) provides GPG and related utilities for easy installation on Microsoft Windows.

PGP Corporation (http://www.pgp.com) offers a commercial implementation amongst other cryptography products.

Thunderbird

Enigmail (http://enigmail.mozdev.org) is an add-on that provides OpenPGP features for Mozilla Thunderbird; it uses GPG. Enigmail is available on the official Mozilla add-on site (https://addons.mozilla.org/en-US/thunderbird/addon/71).

There is excellent documentation (http://enigmail.mozdev.org/documentation/) covering installation, configuration, and use. The short “Quickstart Guide” (http://enigmail.mozdev.org/documentation/quickstart.php) will get you well on your way. Consider just sending your correspondents your public key via e-mail rather than posting it to the keyserver, to avoid unnecessarily publishing your e-mail address and attracting spam.

Outlook

Gpg4win (http://www.gpg4win.org) includes GpgOL, a plug-in for Microsoft Outlook to use GPG. GPG and GpgOL are all you need to use OpenPGP in Outlook; however, unlike the other options discussed above, GpgOL is still a bit too quirky to meet the stability and reliability needs of your firm.

SafeLogic (http://www.safelogic.com) offers cGeep (http://www.cgeep.com/outlook-email-encryption.html), an add-on for Microsoft Outlook that is easy to set up and use.

Popular Webmail: Gmail, Yahoo, Hotmail…

If you use a free webmail provider for your e-mail (if you prefer webmail, consider Yahoo or Google’s paid options that allow you to use your own domain and remove ads), client-side encryption can still be easily used with a browser add-on. FireGPG (http://getfiregpg.org) adds a contextual menu to Mozilla Firefox that allows for using GPG features from within the browser. It is specifically designed to work with Gmail’s webmail interface (other popular webmail providers’ interfaces may also be supported in the future). If you use Microsoft’s Windows Live Hotmail, the free Windows Live client (http://get.live.com) supports S/MIME.

Alternative Webmail

Hushmail (http://www.hushmail.com) has both free and premium e-mail accounts. Their webmail interface includes built in server-side encryption of e-mail (using OpenPGP) that automatically encrypts e-mails sent to other Hushmail users (or users who have uploaded their public key to Hushmail’s keyserver) and offers the option to encrypt e-mails using a password to other recipients.

If your organization hosts its own webmail system, or is considering doing so, the Horde Project’s (http://www.horde.org) IMP Webmail Client (http://www.horde.org/imp/) (also part of the Horde Groupware Webmail Edition http://www.horde.org/webmail/) includes support for both OpenPGP (using GPG) and S/MIME. All Horde applications are free and open source.

Be aware that while webmail providers (including Hushmail) that provide encryption may offer a great deal of convenience over using encryption tools on your own computer (such as those discussed above), the content of the message is not kept confidential from the e-mail hosting provider.2

Encryption is an important tool for any attorney or technologist. We recommend you consider some of the tools mentioned above for the use in your home or office.


At the time of writing, Benjamin Gerber, CISSP, CISA, CPP, CIPP/G, was a Senior Managing Consultant and the Privacy Services Competency Co-Lead with the Security and Privacy Practice at IBM.
He is now a Principal in the Privacy Strategy group at The MITRE Corporation.
He can be reached at privacy.us/contact.

Adam C. Nelson, Esq., CIPP/IT, is a member of the Technology Committee of the Illinois State Bar Association and is on the Board of Editors of the Privacy & Data Security Law Journal. He is a Senior Managing Consultant in the Security and Privacy Practice at IBM and the Privacy Services Competency Lead.


  1. These homeowners apparently did not try hard enough to protect their private road for Google to respect the label of “private.” http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=208401206

  2. For a recent case involving this issue, see U.S. v. Tyler Stumbo.

