In our increasingly digitized world, the business landscape relies less and less on analog solutions with each passing day. What we now call “snail mail” was once the only way to communicate officially through written documents; now, virtually every business uses email for important communications. And just as it has always been essential to protect physical mail, the various types of email encryption have become vital to every business.
We are a long way from the first fax machines, invented in 1843. More than 100 years later, in 1971, the first email was sent. Fast forward to 2020, and the sheer volume of email sent every day makes protecting it a key element of any company’s cybersecurity. To protect the content of an email and the security of both its senders and recipients, you need encryption.
5 different types of email encryption
Email encryption is an incredible innovation in cybersecurity. It takes cryptography, which has been around for millennia, and adapts it to protect communications in the digital age. At its core, cryptography works by generating a secret code. Unlike the passwords of yesteryear, however, this code is indecipherable to a human, at least without proper access.
Encryption is absolutely essential to keeping your emails and your business secure.
But it is also a complex field of cyber defense, with different best practices to consider. In the sections that follow, we’ll break down five of the most essential types of email encryption. Then we’ll delve into some other email security methods to use in addition to, or instead of, the strongest encryption options.
It’s worth noting up front that encryption isn’t the only way to keep your emails secure. Individuals and companies also use other mechanisms to prevent cyberattacks through email.
What types of email security are there?
Encryption protects an email in case it is compromised and comes into the possession of someone who shouldn’t have it, whether through theft or as a result of negligence. But there are also measures to prevent emails from reaching cybercriminals and other parties who shouldn’t be reading them in the first place.
The most common and useful forms of email security fall into three categories:
- Gateway
- Encryption
- Authentication
Of these three, the biggest and most important part is encryption. Gateways and authentication attempt to prevent emails from being stolen, but without encryption, any intercepted or otherwise compromised email becomes an immediate security risk.
With encryption enabled, the thief may not even be able to read the stolen mail.
Encryption itself comes in several different forms, and there are multiple tools and protocols that can come into play, sometimes in combination with each other.
Each email encryption security type
Encryption is an extremely complex and dynamic field. It has to be, since it relies on the inability of humans (and their computers) to crack the codes it uses. That said, the basic mechanics of how encryption works break down into relatively simple parameters.
In general, there are really only two main variants of email encryption. These are then broken down into several similar but distinct tools or protocols. The two main categories are:
- Transport-level encryption: the content of emails is protected while in transit between sender and receiver, but not (necessarily) before or after transit. This form of encryption is slightly less robust, but is also often more affordable.
- End-to-end encryption: the content of emails is protected at the endpoints. Any outgoing email is encrypted when it leaves the sender and is only decrypted when the recipient receives it. This is the most robust option, but the additional protection it provides also tends to come at a higher price.
By discussing the various tools and protocols that use each of these encryption types, we’ll provide more detail on how each model works in practice.
#1: STARTTLS
This is one of the most prolific forms of transport-level encryption.
It uses Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL) protocol. Specifically, STARTTLS is an opportunistic TLS command that can upgrade a plaintext connection to a secure, encrypted one.
The STARTTLS command for the Simple Mail Transfer Protocol (SMTP) is defined in RFC 3207. SMTP is a long-standing standard that defines how email is sent and received between servers. Email is also often handled by the Internet Message Access Protocol (IMAP) and the Post Office Protocol (POP3); STARTTLS for IMAP and POP3 is defined in RFC 2595.
How does it work? The STARTTLS command requests encryption of messages while they are in transit, so neither the sender nor the recipient (nor their software) needs to take any action to view the content of the message. This is a great way to counter attacks like passive monitoring, but because the upgrade is opportunistic (the connection falls back to plaintext if TLS is not negotiated), it can leave email content vulnerable to “man-in-the-middle” attacks.
To address this vulnerability, there is…
#2: DANE or MTA-STS
As noted above, STARTTLS is an excellent baseline for any email communication. Its protection of messages in transit can even be combined with the other types of encryption we detail below. However, it leaves your messages vulnerable to interception by an attacker who has taken control of the connection between the servers.
Two countermeasures are available to help maximize the security of STARTTLS and of transport-level encryption in general:
- DNS-based Authentication of Named Entities (DANE)
- Mail Transfer Agent Strict Transport Security (MTA-STS)
The first, DANE, is built on the DNS Security Extensions (DNSSEC). DANE for SMTP is defined in RFC 7672. It prevents “StripTLS” attacks (an attacker literally stripping TLS out of the connection) by publishing, in DNSSEC-signed DNS records, that the recipient’s server supports TLS and which certificate it should present, so the sender can insist on TLS rather than fall back to plaintext.
The second, MTA-STS, was written by a group that included some of the largest and most widely used email providers on the market. It works much like DANE, but relies on the certificate authority (CA) system and a trust-on-first-use (TOFU) model instead of DNSSEC.
Most email is protected by STARTTLS or another form of transport-level encryption. But when those measures aren’t enough, robust end-to-end options offer premium protection.
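To make the difference between opportunistic STARTTLS and an enforced MTA-STS policy concrete, here is an added example in Go (not code from the original article, nor from any mail server): it parses the MTA-STS policy file format (RFC 8461) and decides whether a sending server may deliver to a given MX, based on the EHLO capability lines that MX advertised and whether its certificate validated. The policy text, MX names and EHLO lines are constructed; a real MTA would fetch the policy over HTTPS and validate the certificate against the CA system, as the text describes, and the function names are chosen here.

```go
package main

import (
	"fmt"
	"strings"
)

// ParsePolicy reads the mode and mx lines of an MTA-STS policy file (RFC 8461 mta-sts.txt); version and max_age are ignored.
func ParsePolicy(text string) (mode string, mxs []string) {
	for _, line := range strings.Split(text, "\n") {
		k, v, _ := strings.Cut(line, ":")
		if v = strings.ToLower(strings.TrimSpace(v)); strings.TrimSpace(k) == "mode" {
			mode = v
		} else if strings.TrimSpace(k) == "mx" { // a host name or a "*.example.com" pattern
			mxs = append(mxs, v)
		}
	}
	return mode, mxs
}
// mxAllowed reports whether the lower-case host matches an mx entry; "*." matches exactly one label.
func mxAllowed(mxs []string, host string) bool {
	for _, pat := range mxs {
		if i := strings.Index(host, "."); pat == host || (strings.HasPrefix(pat, "*.") && i > 0 && host[i+1:] == pat[2:]) {
			return true
		}
	}
	return false
}
// Deliver decides how a sending MTA may hand mail to mx, given the EHLO capability lines mx advertised and whether its
// certificate validated. Outside enforce mode the choice is opportunistic: no STARTTLS line means plaintext delivery.
func Deliver(mode string, mxs []string, mx string, ehloCaps []string, certValid bool) (string, error) {
	offersTLS := strings.Contains(" "+strings.ToUpper(strings.Join(ehloCaps, " "))+" ", " STARTTLS ")
	switch {
	case mode != "enforce" && offersTLS:
		return "tls", nil
	case mode != "enforce":
		return "plaintext", nil // the downgrade a "striptls" attacker relies on
	case !mxAllowed(mxs, strings.ToLower(mx)):
		return "", fmt.Errorf("%s is not an MX permitted by the policy", mx)
	case !offersTLS:
		return "", fmt.Errorf("STARTTLS not offered by %s; refusing plaintext delivery", mx)
	case !certValid:
		return "", fmt.Errorf("certificate does not validate for %s", mx)
	}
	return "tls", nil
}
func main() { // constructed policy and an EHLO banner with STARTTLS stripped: enforce mode refuses to send
	mode, mxs := ParsePolicy("version: STSv1\nmode: enforce\nmx: *.example.com\nmax_age: 86400\n")
	fmt.Println(Deliver(mode, mxs, "mx1.example.com", []string{"SIZE 10240000", "8BITMIME"}, true))
}
```

In enforce mode a stripped STARTTLS line, an invalid certificate or an MX outside the policy each stop delivery, whereas in testing mode the same stripped banner silently falls back to plaintext.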
#3: Bitmessage
This protocol has played a notable role in encrypted messaging since it was first released in November 2012. Its original author, Jonathan Warren, based the overall design of the system on the then-new cryptocurrency Bitcoin. It was released under the permissive MIT license.
Shortly thereafter, it experienced a surge in popularity following the 2013 revelations of email surveillance by the US government. Concerned individuals and businesses looked for a simple way to prevent agencies like the National Security Agency (NSA) from spying on them. Enter Bitmessage’s peer-to-peer approach to authentication.
Some qualities of Bitmessage that make it a powerful security tool include:
- Decentralization
- Airtight encryption
- Hidden sender and recipient
- Trustless framework (zero trust)
- Proof-of-work (PoW) requirement
Bitmessage is extremely useful and popular, but it’s far from the only end-to-end encryption option. It is often more suitable for individuals or smaller businesses than for larger companies.
#4: GNU Privacy Guard
Also known as GnuPG or GPG (not to be confused with PGP, one of the following items on this list), GNU Privacy Guard is an intricate hybrid model for encryption. How exactly does it work?
It uses both public-key and symmetric-key cryptography, for ease of key distribution and speed, respectively. It works by generating asymmetric key pairs: one for the sender and one for the recipient. Public keys still have to be exchanged and can thus be compromised, so it’s important to practice strong identity protection to prevent an attacker from impersonating either party and stealing email content.
GnuPG is notably free software developed as part of the GNU Project. As such, it shares that project’s principles, including the freedom to use, share, study and modify it. Furthermore, a large part of its funding has come from the German government. GnuPG complies with the OpenPGP standard stated in RFC 4880, which also governs PGP.
Which brings us to the next point.
#5: PGP and S/MIME
These are two of the most important and widely used protocols for end-to-end email encryption; the vast majority of email clients support PGP, S/MIME, or both.
PGP stands for “Pretty Good Privacy”, but its reputation far outweighs its modest name. PGP was developed by Phil Zimmermann and first released in 1991. Today it is a gold standard for email encryption around the world. It works by combining a series of algorithms: hashing, compression, and cryptography using both symmetric and public keys.
What does all that mean? The encryption and decryption process looks like this:
- It starts with the data and a randomly generated session key
- The data is encrypted with the random key, locking it
- The random key itself is encrypted with the recipient’s public key
- The locked data and the encrypted key together form the encrypted message
- The recipient’s private key unlocks the random key, which in turn decrypts the data
PGP works on a web-of-trust concept that establishes the legitimacy of a public key’s ownership by degrees of separation between individuals. This is a decentralized model, but centrally managed public-key models are also available.
Enter Secure/Multipurpose Internet Mail Extensions, also known as S/MIME.
S/MIME requires that an individual user obtain a certificate for their key directly from a particular CA, either internal to the company or public. In this way, its relationship to PGP is similar to that of MTA-STS to DANE: essentially the same functionality, just using a different trust paradigm.
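The hybrid scheme described for GnuPG above and in the five PGP steps, as an added example in Go (not the article’s own code, nor that of GnuPG or any PGP implementation): RSA-OAEP stands in for the recipient’s public-key operation and AES-256-GCM for the symmetric lock on the data, the compression and hashing steps are left out, and Envelope, NewKeyPair, Seal and Open are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope bundles the two pieces the text describes: the locked data and the locked session key.
type Envelope struct {
	LockedKey  []byte // 32-byte AES session key, encrypted with RSA-OAEP for the recipient
	Nonce      []byte // AES-GCM nonce for the data
	LockedData []byte // data encrypted and authenticated with AES-256-GCM under the session key
}
// NewKeyPair makes a recipient's asymmetric key pair (2048-bit RSA here).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// aead builds AES-256-GCM for a session key; a wrong key size is the only possible failure.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal follows the steps in the text: random session key, symmetric encryption of the data, then
// asymmetric encryption of the small session key alone (the public-key step never sees the bulk data).
func Seal(recipient *rsa.PublicKey, data []byte) (Envelope, error) {
	buf := make([]byte, 32+12) // fresh session key and nonce, one pair per message
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, _ := aead(key) // cannot fail: the key is always 32 bytes
	lockedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{lockedKey, nonce, gcm.Seal(nil, nonce, data, nil)}, nil
}
// Open reverses the steps: the private key recovers the session key, which then unlocks the data.
// The wrong private key or any tampering with the locked data yields an error, never garbage plaintext.
func Open(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.LockedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(key) // a sender-supplied key of the wrong size is rejected here
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.LockedData, nil)
}
```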
Encryption is one part of email security, but it’s not the only thing to invest in.
Other types of email security
Email encryption exists to protect the content of your email from being stolen and used to harm your business and your stakeholders. That includes both the text and media content of emails, as well as important metadata that may not be readily apparent.
But this form of theft is not the only danger email presents. Another big one? Social engineering.
Attackers often send emails in an attempt to obtain important information from an employee. These emails are disguised to look like normal messages from superiors, peers, or any other innocuous party, but the downloads and links within them can lead to security breaches that cause irreversible damage to the person and the company.
To protect yourself from phishing and similar attacks, you’ll need a firewall to begin with. But that is often not enough; you should also consider architectural solutions.
Robust web filtering
RSI Security’s proactive web filtering services go beyond the basic functionality of a firewall. Using Cisco’s Umbrella technology, once known as OpenDNS, you can prevent media and links in emails from opening malicious websites. That way, even if a careless mistake leads to a wrong click, a small error need not harm your business.
Cisco Umbrella proactively scans all incoming data beyond the perfunctory verification needed to pass through your firewall. It is an effective and affordable solution for businesses of all sizes. However, to optimize it for your needs, you will need in-depth analysis and training.
That’s where we come in. RSI Security will provide an in-depth consultation to fully prepare your company for Cisco Umbrella, guiding you through the entire implementation process.
Professional cybersecurity you can trust: RSI Security
RSI Security is dedicated to helping businesses of all sizes with cyber defense practices and solutions. We know how important email security is, and we also know how easy it can be to intercept or compromise email.
We are your first and best choice when it comes to protecting your email. But that is not all. We are industry leaders with over a decade of experience providing a wide variety of cybersecurity services, including but not limited to:
- Architecture and implementation
- Compliance advisory services
- Incident management
- Penetration testing
- Virtual CISO
No matter what kind of cybersecurity concerns you have, we can help, whether that means understanding your system from the inside out or fixing known vulnerabilities.
Contact RSI Security today for solid guidance on all types of email security and encryption, as well as solid solutions for any cyber defense issues facing your organization.