Using encryption for correspondence in America is older than the country and as American as apple pie, so much so that Thomas Jefferson even invented an encryption device during the Revolution and later used it for dispatches while he was ambassador to France.
Public Key Encryption
Protecting the exchange of information through correspondence has always been a primary goal of encryption. After millennia of scientific and mathematical analysis, the array of possible codes and ciphers is multifarious and bewildering, from the highly secure one-time pad to the hard-to-detect book cipher. For today’s typical computer user, the cryptographic choice is likely to be public-key encryption, which is widely available for email in two forms: S/MIME and PGP.
Public-key encryption has the advantage of addressing two basic needs: 1) it preserves the confidentiality of data in transit and 2) it allows the recipient to verify the identity of the sender. This is accomplished by “encrypting” and “signing” a message, each of which may be done separately or in combination.
In some ways, S/MIME is the easier of the two standards to implement and the more transparent to the user, so although PGP has other advantages, I am going to defer a discussion of PGP to a future post.
The guiding principle behind S/MIME is that users are issued cryptographic certificates that are signed by an “authority” who guarantees the genuine nature of the certificate and (in varying degrees) the identity of the user. Obtaining a certificate with significant identifying information, particularly for an organization, can be an expensive proposition, but it is possible for individual users to obtain certificates suitable for email encryption and verification for free from providers such as Comodo.
Each certificate contains a public key and a private key. At the risk of oversimplifying, you use your private key to sign and encrypt messages you are sending to someone else. Your public key is used by other people to send messages to you. You should always protect the physical security of your certificate, because no one else should ever have access to your private key.
Download Your Certificate
When your obtain your certificate, providers of certificates will typically install it in your browser, and it will need to exported from your preferences and saved in a “.p12” or “.pfx” file. For example, in Firefox, go to Edit>Preferences>Advanced>Encryption>View Certificates. Click on View Certificates and then Your Certificates. You should see your certificate listed. Click on Backup and then enter a pair of arbitrary passwords (don’t forget them!) when prompted. Your certificate will now be saved as a *.p12 file suitable for importation into your mail program of choice.
Settings in other browsers will vary, but they should follow the same overall pattern.
Installing Your Certificate
Most popular email software is already equipped to handle S/MIME encryption, including Microsoft Outlook, Mozilla Thunderbird, and Apple’s iPhone.
Instructions to import your certificate from your *.p12 file into particular mail clients are readily available on the Internet, for example, for multiple clients, for Outlook 2007, for Thunderbird, and for iPhone.
I have even had some success with the Penango plugin for Firefox that allows you to encrypt mail in Gmail, although my experience has not been wholly trouble free.
Signing and Encrypting Your Mail
At this point, signing your mail with your certificate should be no more difficult than toggling a button on your mail client (or changing a setting on your iPhone). Signing your mail will confirm for the recipient that your message has not been tampered with and that your unique key identifies it. (You will have to verify independently that your email address is really yours.)
Encryption is slightly more complicated, but not much. In order to send someone an encrypted email, you first need to have their public key.
The usual way to obtain someone’s public key is to have them send you a signed message, in which case your email client will normally automatically import their public key. Then, when you send a message back to their email address, if you click the “encrypt” button, your email program will automatically use that public key to encrypt the mail so that only the person who possesses that key can read it.
- Disclaimer: Except where noted, these are the observations of a computer user, not a computer expert, based on personal use and experience; you are encouraged to do your own research and, if in doubt, to seek the advice of a professional. The foregoing information is provided “as is” with NO WARRANTY of any kind, including but not limited to merchantability or fitness for a particular purpose. While this information is intended to be helpful, I disclaim any liability, express or implied; if your computer is hacked, cracked, or spontaneously combusts, it is your sole responsibility.