With rampant Internet eavesdropping by many parties, including government agencies (e.g. the NSA) and criminals, safeguarding email communication should be a top priority for any company. A leak of a company's confidential data can have a detrimental effect on the business, potentially severe enough to shut down its operations.
PGP to the rescue
Fortunately, there is a solution for securing email communication using end-to-end encryption. OpenPGP (PGP stands for Pretty Good Privacy), the most widely accepted email encryption standard in the world and defined by the Internet Engineering Task Force (IETF), is a protocol based on public key cryptography. It specifies standards for message encryption, digital signatures and key exchange.
How does PGP work?
OpenPGP works on the principle of a key pair: a public key and a private key. One can generate a key pair using any OpenPGP tool. A passphrase is chosen during the key generation process and is used to protect the private key; it is important that one does not save this passphrase in plain text on the machine. The generated public key is shared with the world and can be used to encrypt a message, but not to decrypt it. The private key, which is kept secret, is the only key that can decrypt the message. As a result, only the recipient can decrypt the message and no one else, which enforces the confidentiality of the message. This kind of encryption mechanism is called asymmetric encryption. It differs from the symmetric method, where a single shared key is used both to encrypt and to decrypt messages, and where distributing that shared key can itself open security loopholes.
Another robust part of OpenPGP's security architecture is maintaining the authenticity of the message. In this case, the sender computes a cryptographic hash of the message and signs that hash with his own secret key; the result is the signature, which is sent to the recipient along with the encrypted message and the public key that corresponds to the signing key. The recipient then verifies the signature with that public key against a freshly computed hash of the message. This prevents anyone from tampering with the message, thereby enforcing authenticity.

Internet security should be the topmost priority of a company to prevent cybercrime, and OpenPGP seems to be the way to go. Several vendors provide OpenPGP based solutions that can be used to increase email security. One popular commercial implementation, gpg4o by gpg4o.de, provides support for popular email clients such as Microsoft Outlook, and guarantees encryption and maximum confidentiality in email communication. Other popular OpenPGP based solutions include Enigmail, PGP Desktop, PGP Universal, GPGMail, and KMail.
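The two mechanisms described above (encrypt with the recipient's public key, decrypt with their private key; hash the message and sign the hash with the sender's private key, verify with the sender's public key) can be reproduced with nothing but Go's standard library. The following is an added example written for this article; it is not code from gpg4o or any OpenPGP implementation, and it does not produce OpenPGP packets. Like OpenPGP, it uses hybrid encryption: a random symmetric session key encrypts the body and only that key is wrapped with the recipient's RSA public key. The names `Party`, `Sealed`, `SealAndSign` and `OpenAndVerify` are hypothetical, and the message text is constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one correspondent. Only the public half of the key is ever shared;
// a real OpenPGP tool would also store the private half encrypted under the
// user's passphrase.
type Party struct{ priv *rsa.PrivateKey }

// NewParty generates a fresh RSA-2048 key pair (hypothetical helper).
func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: k}, nil
}

// Public returns the key that is handed out to the world.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Sealed mirrors the shape of an OpenPGP encrypted, signed message: a session
// key wrapped with the recipient's public key, the body encrypted under that
// session key, and the sender's signature over the plaintext.
type Sealed struct{ WrappedKey, Nonce, Body, Signature []byte }

// SealAndSign is what the sender runs: sign with the sender's private key,
// encrypt for the recipient's public key.
func SealAndSign(sender *Party, recipient *rsa.PublicKey, msg []byte) (*Sealed, error) {
	// The signature is the hash *signed* with the private key, not the hash itself.
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// One-time symmetric session key for the bulk data; never stored or reused.
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, msg, nil)
	// Only the holder of the matching private key can unwrap the session key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Body: body, Signature: sig}, nil
}

// OpenAndVerify is what the recipient runs. Wrong recipient, modified
// ciphertext, modified signature or wrong signer all yield an error and no plaintext.
func OpenAndVerify(recipient *Party, sender *rsa.PublicKey, m *Sealed) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.priv, m.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("message is not encrypted to this key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, m.Nonce, m.Body, nil)
	if err != nil {
		return nil, errors.New("ciphertext was modified in transit")
	}
	digest := sha256.Sum256(plain)
	if rsa.VerifyPSS(sender, crypto.SHA256, digest[:], m.Signature, nil) != nil {
		return nil, errors.New("signature does not verify under the sender's public key")
	}
	return plain, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	sealed, err := SealAndSign(alice, bob.Public(), []byte("Board pack attached, internal only")) // constructed sample
	if err != nil {
		panic(err)
	}
	plain, err := OpenAndVerify(bob, alice.Public(), sealed)
	fmt.Printf("bob reads: %q (err=%v)\n", plain, err)
	sealed.Body[0] ^= 1 // simulate modification in transit
	_, err = OpenAndVerify(bob, alice.Public(), sealed)
	fmt.Println("after tampering:", err)
}
```

The order matters: the sender signs the plaintext before encrypting, so the recipient verifies only after decrypting and the signature never leaks information about the content to an observer. A third party who obtains the sealed message cannot recover the session key without the recipient's private key, and any single-bit change to the body, the wrapped key or the signature is rejected before plaintext is returned.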