
Email Encryption

with OpenPGP 44 M


Email Encryption Overview

12 M


[MUSIC] Greetings, salutations and welcome to ITProTV. I'm your host Daniel Lowrie. I'm here with Don Pezet today. How you doing, Don? >> I am doing great. How about yourself, Daniel? >> I can't complain but sometimes I still do. [LAUGH] >> Well, you can complain all you want. But nobody's gonna listen. >> Right. >> So, [SOUND] what do we got on our agenda today, Daniel? >> Today we are going to be looking at end-to-end encryption, and why we would want to do that, and all the goodness thereof. So Don, what is encryption actually? >> Yeah, you know this is something that's really creeping up in the news a lot lately, that people are starting to recognize that you can't trust the networks that we use. You really never could, just people are kind of realizing this now. So we need something to help us put that trust back into our networks, and encryption is what does it, right. Encryption, at its heart if we just kind of break it down to its basic function, is any method we can use to secure our data so that nobody can read or tamper with it, without us either being aware or without it even being possible at all. So some way to ensure that there's nobody sitting in between. So if I'm sitting here and I'm talking to you, Daniel. >> Right. >> We're having a conversation. >> Right. >> Anybody in this room could hear the conversation, and they'd know what was going on. So what if we had a code? >> What if I said, Daniel, the black sparrow flies at night. >> [LAUGH] >> Well, that might not mean anything to anybody, but to us we might have a code that says hey, you wanna grab pizza for lunch? >> [LAUGH] >> It doesn't have to be important data, right? >> Exactly. >> But that's a very basic form of encryption, and email is an area where that's really needed. >> Yeah, and email, cause it goes over the wire. People can steal it, they can grab it. 
And you want that data to be encrypted so even if they do steal and grab it, they are not gonna be able to see what they're looking at. They're just going to see a bunch of gibberish and skullduggery. >> Yep. >> Skullduggery. >> Yes [LAUGH] >> That's going to be our word of the day. We're gonna get t-shirts printed with that one. So when we deal with things like encryption now, for those of you that have watched our Security+ shows, or CISSP shows, we talk about the CIA triad, right. The confidentiality, integrity, and availability of security. Whenever you deploy a security technology, it should provide at least one of those things. Well, encrypting your email actually provides two of the three things, so this is one of the better solutions. The first one is confidentiality, and confidentiality just says, if I send an email to somebody, I want to ensure that only the recipient is able to read it, and nobody else. That includes the email servers and Internet service providers that are in between me and them. That's the servers that my company hosts, the servers that their company hosts, and anybody in between. Nobody should be able to read that email, except for the recipient. And email encryption achieves that. >> Awesome. And the second part of that triad that Don was just talking about is integrity. That means that our data is exactly what we put up. We send out an email, that email reaches the other end and it is good, we know it is the exact same email that I sent before. It hasn't been intercepted, modified in any kind of way, and you get it with confidence and you can open that email and know that that's your data. >> Yeah. And that's pretty important, cuz it's easy to tamper with email. >> Yeah, we don't want that to happen. [LAUGH] >> Now, the third one is availability, and encrypting your email doesn't really provide availability there, right? Availability is ensuring that a service is functioning when you need it. 
Well, that really comes down to redundancy and other technologies like that on the mail servers, themselves. So we're not gonna get that one. >> Yeah. >> We do get two of the others. And that means that this is a great security technology to deploy. All right? Daniel, why do we even need to worry about encrypting our email in the first place? If I send an email to you. >> Yeah. >> You get it. It goes in your mailbox. It doesn't go in anybody else's mailbox, right? So why bother encrypting it? >> Well, you would think that that would be plenty. That's all you need. The server sends you an email. Who cares about looking at your email? Well there are certain situations where you may want to keep that data secure. It may be private information. It could be Social Security cards, birthdates, mother's maiden name, your favorite band, whatever the case may be, you wanna keep something secured. You might work for a government agency, could be in the military, you might work for an R&D company where that research is intellectual property you don't want other people getting a hold of that R&D and then creating a competing product. So, that is the reason that we'd like to encrypt our emails. >> And the thing we have to remember is that the email infrastructures on the internet, it was developed over thirty years ago, and it was a much different world back then. Right, networks were a lot safer and simpler, and people didn't worry about security like they do. So all email transported on the Internet is transported using a protocol called SMTP. The simple mail transport protocol. >> And SMTP sends email in plain text. It doesn't do any encoding or encrypting by default. It can be set to do encoding, but that's not encryption. Encoding just means it makes it more compact, so it's smaller, and more reliable. But anybody can decode if it's uuencoded or Base64 or any of those crazy things out there. It's super easy to reverse those. 
So when you send an email, it's traveling across the network in plain text. That means any email server and any network or Internet service provider, anybody in between you and your destination, they can capture that traffic with like a packet sniffer, and they can read your emails right there, while that data is in transit, it is in plain text. Compounding that, once it gets to a server, most of our servers will store it in plain text. If you're using SendMail, or Microsoft Exchange, or any of the various email servers that are out there, the majority of them store the data in plain text. Sure it might be in a database, but it's not secured in that database. So the data can be accessed and people can read your email, whoever is an administrator for that server. So we need ways to ensure that when we throw an email out there, that it is secured end to end. Now let's talk about that Daniel. >> Yeah. >> Because as our data, as our email moves across the Internet, it passes through a few different places like servers- >> Right. >> and clients and all that so, we have to think about all those different steps along the journey, which is where the end-to-end term comes from, right? >> That is correct. So what types of encryption do we have, Don? I'm sure there are multiple types of encryption, we have server based encryption and different other types of things like that. Give us an overview of what kind of encryption we have. >> All right so, when you talk about encryption it may be something that you have to provide, it may be something that your service provider provides. I guess that's why they call it providers right? >> [LAUGH] Providers. >> So they might do it. And so you'll hear about people say like, oh yeah, our email server stores all of your emails fully encrypted, right. Well, what does that do for you? Well, what they're doing is what's called data at rest. While your data is stored in their mailbox server, it's encrypted, right. 
But when they send the email along, when they forward it to somebody else, whoever the destination is it's gotta use SMTP. And it's gotta be unencrypted at that point. So the email might be stored at rest encrypted, but that server based encryption does not help you within transit. And in transit's where your data's really at risk. And that's that next solution is, is your service provider might say well we secure your email in transit too. They might use SSL or TLS, technologies like that coupled with SMTP to encrypt the data as it moves from server to server. But the problem there is they only control security from their server to the next hop. If you have to pass through more than one server, they don't have control over that. SMTP wasn't designed to handle that, and so the encryption technologies that are tacked on to SMTP are exactly that, they're tacked on. They're hacks that are just added and they're not terribly effective. So you can't really guarantee, even when you use a service like Google, right. Gmail, where they do SSL to the web based email box, and then they do encryption on their database on the back end, well Google's got the keys for that. You're trusting them. They can read your emails. That's how they show the relevant ads in your mailbox, right? They actively read your emails. So you're trusting somebody else to do that. And most of us, we want more, right? We want something where, we don't have to trust anybody but ourselves, right? What was it, was it Ben Franklin who said two men can keep a secret if one is dead? Right? >> [LAUGH] Yes, that's exactly right. >> So that's how email should be, right? >> That's exactly how email should be. So Don, is there a type of encryption that we can use that would ensure when it's static, when it's still. And also in motion? >> Absolutely. >> Awesome. >> And what we have to do, is we have to take charge of the encryption ourself, right? You can't trust your email service provider. 
You can't trust your Internet service provider, your network. You can't trust any of that stuff. Can trust yourself. >> It pays to be paranoid in this business. [LAUGH] >> [LAUGH] Sad, but true, right? >> Yes, it is. >> This is gonna be my quote episode. >> [LAUGH] >> It was Kurt Cobain who said, just because you're paranoid doesn't mean they're not after you. >> Doesn't mean they're not following, yeah. [LAUGH] >> [LAUGH] So, that's how this is. We need some kinda technology that will do that, and that's what this tech skills series is all about. We're gonna highlight, or Daniel's gonna highlight, >> Yeah. >> Several of the different technologies out there that we can use. Where we control the encryption. Now it's encrypted even before it gets to the mail server. And even before it crosses the Internet, it's encrypted. So we get end-to-end encryption. It's encrypted from the point that it leaves your machine to the point that the recipient reads it. And everybody in between is not able to access that data. >> Yes sir. And the type of encryption that we're gonna be using to cover that is PGP, which has been the standard encryption for quite a while now. >> A long time. >> A long time. It started off as an open source product, then it got bought and became a closed source product. And the guy that actually created the PGP encryption algorithm, created the new open source using the same basic idea. And that is freely available to all of us, which is what we're gonna use to do that type of encryption. >> So in this series we're gonna start out by showing that one right, OpenPGP. That's probably the best of the solutions that we'll talk about. And we'll get a chance to see that from Windows, as well as Linux, as well as Mac OS. Right, so seeing these different platforms all use PGP, and the cool part about it is, it's not tied to just email. You could actually encrypt anything you wanted, files, whatever it is that you wanted to transmit, not just emails. >> Yeah. 
>> So very versatile, very good technology, and really the one we recommend. But it's not the only one, right? >> It's not the only one. They also have S/MIME, which is kind of plugin for emailers or email clients. And the last one would be, just third party solutions. There are web-based OpenPGP ports that you can go in. You can put your file into it. They'll do all the work for you, and then you can send your file. So you don't have to install any software, run any commands, or do any kind of thing like that. They take all the guesswork out of it. They just say send us your files, we'll encrypt them, bada bing bada boom you're good to go. >> Yeah and those are the good solutions. But I don't recommend them, not because they're bad, but because for example, S/MIME, it's very dependent on your email client. So if you use Microsoft Outlook or if you use Thunderbird or whatever, they have that S/MIME support built in. But if you use something else, it might not have that support, and that's a problem. Same thing goes for the third party solutions, the third party solutions usually only work in one particular scenario. So, for example it might work with your web based email, but not with a client running on your own machine. So they start to put these requirements on there, and it makes them difficult to use. Versus OpenPGP, which you can use pretty much anywhere. >> Right. >> And you're encrypting that data yourself. So there's some neat technologies out there. We just wanna make sure we highlight them all. And then you can choose which one's appropriate for your solution. >> Awesome. Well Don, I think that covers our overview- >> Yeah. >> of encryption, and PGP and the different types of encryption that we're gonna be using. Anything else to add? >> That's about it, so let's stop jabbering about it and jump into the technology. So we'll wrap this overview right here, but stay tuned. 
Coming up next is actually getting the stuff configured and I think we're gonna start with Windows, right? >> We're gonna start with Windows, make it easy for the users out there. I mean, Windows is the standard operating system on a lot of desktops, so that's where we'll go first. >> All right, so stay tuned. We'll be back with more email encryption. [MUSIC]
