Email Encryption: The Art of Secrecy

By Stephanie Jordan

The first documented use of cryptography took place 4,000 years ago in ancient Egypt. The earliest recorded military use came as Julius Caesar (desirous of communicating with his troops, yet not wanting the enemy to be able to decipher his directives) safeguarded his messages from interception by using encryption. Caesar's encryption, now known as a substitution cipher, simply shifted the alphabet letter positions by three, then substituted the resulting letter for the original. Not very encrypted, certainly not by this century's standards—or even last century's for that matter. Throughout the ages, encryption has been used to transmit sensitive information in an attempt to keep it private. Much like the use of Native American Indians in World War I (the Choctaws) and World War II (the Navajos) for their ability to "codetalk" to curtail German eavesdropping on phone lines, email encryption secures messaging as it travels the Net. If the message ends up with someone other than the intended recipient, the message cannot be decrypted. The trouble was, in the not-so-distant past, the intended recipient may not have decrypted the message either.

Andrew Krcik, VP of marketing at PGP Corporation, describes the previous generation's encryption as technology that really wasn't 'there yet'. "A lot of people dove into the pool, but many hit their heads on the bottom. It was a completely manual process. You had to buy a bunch of servers, hire a bunch of staff and train them. You had to go out and get certificates, which were purchased from a company like VeriSign. Then, you had to manually hand them out to all employees. Once you had all the infrastructure together, you still did not have any applications. You still had to go out and train your users on how to use email encryption at the desktop client level—when it was to be used, how to find keys, etc. It was just too hard." According to Krcik, many people put a lot of investment in PKIs (Public/Private Key Infrastructures). They built the infrastructure, but then did little with it. While some success was seen internally, not much external messaging security was achieved.

In 2002, PGP Corporation was formed (with the reacquisition of PGP assets) by a team of encryption experts and secure-messaging veterans. With the vision to optimize the widely accepted PGP technology and products used commercially since 1995, Krcik says they had two primary guidelines. The first was to make the technology completely transparent to the user—like anti-virus—something that just happens in the background. It had to be managed centrally and based on policies. They understood, from the first generation, that dependence on the user is a failed strategy. The second guideline was to make the technology fit on top of the email infrastructure, without being disruptive.

"We now have PGP Enterprise Platform—a centralized server. With it, you can perform all your key management centrally. It provides fully automated operation, including all your policies for encryption throughout the corporation and all your reporting. This consists of a number of encryption applications—email at the gateway and at the desktop, instant messaging, support for handhelds (like Blackberries), laptop security, file folder security and other non-messaging products," says Krcik.

Others also realized that encryption must become easier to use. "Our approach, and the approach of many of us, has focused more on the usability than the cryptography and the strength of the encryption," says John Thielens, CTO of Tumbleweed Communications. "You have to look at the net security yield. If you take the level of the security of a solution, you have to multiply it by its usability and adoption factor to actually calculate how much net value it's bringing to your business, or to your problem." Thielens believes that email client vendors have not kept pace. Even though there is encryption, typically S/MIME, built into Microsoft Outlook, Microsoft Outlook Express, Lotus Notes or even some of the webmail clients, it is just not usable enough. "In the past," says Thielens, "encrypted email just hasn't worked out."