I have been going over YouTube watching videos on eMail encryption and everyone seems to explain it from a different perspective. Some do it for a CompTIA exam while others just provide a primer.
Here is what I understood:
Step1: You compose an email that you want to send. Without encryption, it will be simple ASCII text that will be visible to anyone along the way.
Step2: You generate a digital signature to make sure that nobody gets to re-transmit your email and claim it was you. Digital Signature is generated using Sender’s private key which is usually a hash of the password and is then combined with the original message to form one long hash string. These signatures are one-time-use-only and a new one is calculated for every email.
Step 3: You encrypt the compose of your email using Receiver’s public key so that the only person who can read it is the intended receiver using their private key
Step 4: When you hit the send the email, what is transmitted now is gibberish to everyone apart from the intended receiver who will decrypt is using their private key
And there are various ways to do it like PEM, PGP, etc.
Correct me where I am wrong or refine where necessary.
4
With email encryption there are two possible options (over-simplified):
- End to End encryption
- Point to Point encryption (eg TLS)
When to use each really depends on the purpose of encrypting the email. Do you want to prevent someone eavesdropping while your mail is being sent or to you want to ensure that only the intended recipient can read the email?
Point to Point
If you want to prevent someone on your network from eavesdropping than you would want to consider encrypting the transport. What this means is that the contents and the headers of the email still remain in plain-text, but the transmission between your mail software and your mail server are encrypted.
The mail server will likely store the plain-text email ready to be forwarded to the next mail sever in line for delivery. How this is done depends on the configuration of the mail server and the protocols available between it and the next mail server. It may be sent in plain text, over an un-encrypted channel.
The key to know here is that the email will be plain-text between you can all the intermediate mail servers that may handle the email.
End to End
If you want to prevent anyone other than the intended recipient than you want end-to-end encryption as you’ve described in your question.
This form of encryption is where you and the recipient agree on way that you will be securely communicating and use this method to perform the encryption and decryption. In your question you’ve described a PKI (public key infrastructure, asymmetrical encryption) way, but there is nothing preventing you from also using a pre-shared key and using symmetrical encryption.
There are a few plugins, such as PGP & GPG, that allow you to encrypt, sign, verify & decrypt email that has been sent using PKI methods.
Your scenario
You are essentially correct in your scenario.
- Compose an email in your favourite email client.
- Sign the email using your private key, this will add a digital signature block to the email.
- Retrieve the recipient’s public key using a number of methods:
- Key server
- Copy on local disk
- Downloaded from a website
- etc
- Encrypt the contents of the email with the recipient’s public key
- When you hit send, the contents that was encrypted is now unknown to all that the email passes through. The sender, headers, recipient and other fields will still be available to someone eavesdropping over the wire, unless point-to-point encryption is employed as well. The mail server will always have a “plain-text” copy of this information as it needs it to be able to deliver the email.
0
Encryption and signing are two separate things. You can send a signed email that is not encrypted, and you can send an encrypted email that isn’t signed.
For the most part, you are correct. But the entire email is not ‘gibberish’, only the contents. The header remains unaffected, with the exception that the content-type may change.