Secure my email - encryption and digital signatures

Kristian Fiskerstrand's blog


Do you write down sensitive data on the back of a postcard? Why not? Because you know, that anyone dealing with the mail underway; postal workers, the delivery guy, or anyone peeking in your mailbox, can read it. The same goes for e-mail, except then it's done electronically in a matter of seconds.

Why do you put a piece of mail in an envelope? Breaking a sealed envelope is a felony in most countries. The solution for emails is even harder to break through, it is called encryption.

And you are probably familiar with your bank sending you sensitive information in a security envelope. They do this, so that even in a sealed envelope, you can't hold it against the light to read the contents. But how would you know that your bank was the actual sender? That is where for emails, a digital signature come in. It allows you to verify who sent it.

An encryption algorithm, or a digital signature algorithm can be of different strengths. The most common way to describe the strength is in the term bits. Just like it takes you more time to finish a 5000-piece puzzle compared to a 10-piece one, it takes more time to break an encryption of a grander size. On a modern computer a 56-bit puzzle can be solved in a few days, a 256-bit puzzle would take decades or even centuries to solve.

Most are familiar with the proverb "There is no use closing the door, once the horse has left the barn". The same is true regarding email security, you have to participate in a pro-active way to make sure your communication is secure.


The first recorded person to utilize secure communication was Julius Caesar. He used a shift cipher with a key of 3. This means that an A get turned into a D, a B get turned into a E et cetera. There are however some controversy to this matter as sources indicate that other substitution ciphers were used prior to this. His nephew Augustus was known to use a shift cipher with a key of 1, that is A get B, B get C et cetera.

It is unknown how effective the Caesar cipher was at the time, but it is likely to have been reasonably secure, not least because few of Caesar's enemies would have been literate, let alone able to consider cryptanalysis, that is the art of deciphering an enciphered message.

Intellectual property

Industries focus increasingly on protecting its proprietary interest. Yet many doesn't focus on securing the technical aspect of the day-to-day operations, mostly due to the lack of knowledge on the subject.

There are known examples where a company with armed guards at the front gate and thick steel doors placed an open wireless access point in the window of the structure. As a result of this, the same data that was protected by armed guards was available to anyone in a car across the street with a wireless-enabled laptop.

There are several examples throughout the history of how important ensuring privacy can be for the strategical outcome. One example is communication during wartime, for instance it was of importance for the outcome of World War II that the German Enigma cipher was broken at Bletchley Park outside London. Alan Turing played a major role in this.

European Union and Data Retention

The Civil Liberties, Justice and Home Affairs Committee of the European Parliament (LIBE) approved Commission proposals for a Directive on data retention the 24th November 2005. This was subject to a few controversial amendments.

The directive give police a right to view computer and telephone traffic. The initial draft also include a section about internet service providers (ISP) having to keep a copy of emails, but due to practical issues (storage capacity) this seem to have fallen out in the final draft. This none the less show that government want access to the traffic and should be an incentive to at least consider encryption in order to avoid Big Brother situations as found in Eric Arthur Blair (writing under the pseudonyme George Orwell)'s 1984

How you can use digital signatures

Using a digital signature can be useful in many contexts, but say a client contact you to set up a website. If you then ask for an OpenPGP key to be submitted, and require that any later correspondance dealing with the configuration of the website to be digtially signed you can save yourself a lot of trouble.

This way you can make sure that it actually is the same person requesting the changes that pay for your services in the first place. If you would have to rely on the email address, which can be easily spoofed. Or you would have to do text-analyzis and word-recognition, which isn't really all that easy if you don't know the other person too well in the first place.

Another good use of digital signatures is signing of software packages, or files that are to be downloaded. You can then use the signature to verify that the file has not been altered, as was the case with BitchX, an Internet Relay Chat (IRC) client, that came under attack using Domain Name Server (DNS) poisioning, so people downloaded a copy of it that contained spyware.

One of the most popular methods to digitally sign and encrypt emails is using OpenPGP, which we will try to help you start using.

» Read more details » Skip details: Tell me about OpenPGP