I stumbled into the new year coughing and sniffling, and paracetamol/acetaminophen,
cough drops and tea with honey are still my best friends. Reluctantly I float
along on the waves of this epidemic. Now that we have put the corona pandemic
behind us, it seems that the flu and cold viruses finally saw their chance to
strike the old-fashioned way again. Many of you will now nod in agreement. Sigh
– if only human defenses worked as efficiently as the virus scanner on your
computer.
But no, I'm not going to talk about malware today. A reader's post contained
questions in response to the previous Security (b)log. That post contained a passage
that began: “Our internal mail offers the ability to encrypt sensitive
messages.” Colleague Monique has now enabled this option by default, but she
receives an error message when she tries to send mail to her private address.
She would like to understand what's going on.
It may have been a bit mean, but it was precisely in view of this possible
question that I had included the word "internal" in the quoted
sentence. This means that you can encrypt mail that remains within the
organization – that is, mail to a colleague. As soon as you send email outside,
e.g. to your private address or to a customer, we are dealing with external email.
There are two reasons why you cannot encrypt that mail.
Information, such as email, is encrypted to ensure that unauthorized persons cannot read the
information. Only those who have the key can decrypt and then read the message.
Before we send an email from our organization out into the world, we want to
check that the email does not contain anything nasty, such as viruses (yes,
viruses again). But if the email is encrypted, then that is not possible
- even a virus scanner cannot read encrypted messages. The same goes for
attachments. That is why encryption of external email is not allowed.
Incidentally, this works in both directions: incoming mail, which is encrypted,
is also rejected. That's a pity: encryption is, after all, just like scanning
for viruses, a security measure. Here one security measure gets in the way of
the other.
The second reason why external email encryption isn't working is in the error
message Monique received: "Can't find this recipient's certificate in the
address book." Yes, nice, but you can only understand this message if you
know how encryption works. In the professional literature, this is always the
time for Alice and Bob to appear. This couple wants to exchange encrypted email
with each other. To this end, some preparations need to be made. You need keys
to encrypt and decrypt, don't you? Two per person, to be exact: one public and
one secret, which have a mathematical relationship to each other. They form a
key pair. And then it works like this. When Alice wants to send an email to
Bob, she encrypts it with Bob's public key. The great thing is that a public
key, which is literally available to anyone in the world, cannot be used to
decrypt the message. This can only be done using the corresponding secret key,
which is held by only one person: Bob. If Bob wants to reply to the email, he
in turn uses Alice's public key to encrypt his reply. And because only Alice holds
the corresponding secret key, only she can read Bob's email.
Alice and Bob do not have to perform all these actions manually. All they have to do
is tick 'encrypt' in their mail program. That email program needs access to the
public keys of people you want to email with. These public keys are available
in the form of so-called digital certificates, which, in addition to the public
key, also state that this is actually Bob's public key. In Monique's case, that
certificate isn't available: her private address probably doesn't have a
certificate at all, and if it did, it wouldn't be included in our internal
address book because we don't allow encryption of external mail anyway. Hence
the message about the missing certificate.
Monique had an additional question about signing email. She also ticked that option,
but, as she writes: “I see no visible added value and therefore do not
understand it.” The word “visible” is spot-on. Digital signing also uses those
key pairs. Alice uses her own secret key to sign her mail, and Bob uses her
public key to verify that the message really came from Alice and that it hasn't
been tampered with along the way. The mail program also does that for you unnoticed,
as long as nothing is amiss. Only when something is wrong will the mail
program sound the alarm.
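The Alice-and-Bob exchange and the signing step described above, carried through in code. This is an added illustration, not code from the original blog: it uses a deliberately tiny textbook RSA (primes around one million, derived from constructed seeds, no padding) so that the roles of the public and secret keys stay visible, and the function names (make_key_pair, encrypt, decrypt, sign, verify, demo) and the sample mail body are assumptions. It also shows the first reason from the post, that a gateway looking at the encrypted bytes sees nothing it could scan. Real mail clients do the same job with S/MIME certificates or OpenPGP keys, large keys and standardized padding.

```python
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass

# Toy RSA key pairs. The primes are ~1e6 and there is no padding, so this shows
# the public/secret key roles only; it is not a usable cipher.


def is_prime(n: int) -> bool:
    """Trial division; adequate for the million-sized toy primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(start: int) -> int:
    n = start
    while not is_prime(n):
        n += 1
    return n


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class SecretKey:
    n: int
    d: int


def make_key_pair(seed: int) -> tuple[PublicKey, SecretKey]:
    """Derive one key pair deterministically from a seed (constructed, not random)."""
    e = 65537
    p = next_prime(seed)
    q = next_prime(p + 100)                      # a second, distinct prime
    while math.gcd(e, (p - 1) * (q - 1)) != 1:   # e must be invertible mod phi(n)
        q = next_prime(q + 1)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))            # secret exponent: e*d == 1 (mod phi)
    return PublicKey(n, e), SecretKey(n, d)


CHUNK = 4  # bytes per block; (length << 32 | value) < 5 * 2**32, well below n ~ 1e12


def encrypt(pub: PublicKey, message: bytes) -> list[int]:
    """Encrypt with the RECIPIENT's public key. Anyone in the world may call this."""
    blocks = []
    for i in range(0, len(message), CHUNK):
        piece = message[i:i + CHUNK]
        m = (len(piece) << 32) | int.from_bytes(piece, "big")  # length tag restores exact bytes
        blocks.append(pow(m, pub.e, pub.n))
    return blocks


def decrypt(sec: SecretKey, blocks: list[int]) -> bytes:
    """Only the holder of the matching secret key recovers the plaintext."""
    out = bytearray()
    for c in blocks:
        m = pow(c, sec.d, sec.n)
        length, value = m >> 32, m & 0xFFFFFFFF
        if not 1 <= length <= CHUNK or value >= 1 << (8 * length):
            raise ValueError("wrong key or corrupted block")
        out += value.to_bytes(length, "big")
    return bytes(out)


def decrypt_or_none(sec: SecretKey, blocks: list[int]):
    try:
        return decrypt(sec, blocks)
    except ValueError:
        return None


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(sec: SecretKey, message: bytes) -> int:
    """The SENDER signs a hash of the message with her own secret key."""
    return pow(_digest(message, sec.n), sec.d, sec.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key can check origin and integrity."""
    return pow(signature, pub.e, pub.n) == _digest(message, pub.n)


def demo() -> dict:
    alice_pub, alice_sec = make_key_pair(10**6)
    bob_pub, bob_sec = make_key_pair(2 * 10**6)
    message = b"Lunch tomorrow? Bring cough drops."      # constructed sample mail body

    # Alice -> Bob: encrypt with Bob's public key, sign with Alice's secret key
    ciphertext = encrypt(bob_pub, message)
    signature = sign(alice_sec, message)
    wire = " ".join(map(str, ciphertext)).encode()      # what a mail gateway would see

    return {
        "bob_can_read": decrypt(bob_sec, ciphertext) == message,
        "alice_cannot_read_with_own_key": decrypt_or_none(alice_sec, ciphertext) != message,
        "gateway_sees_nothing": b"cough" in message and b"cough" not in wire,
        "signature_valid": verify(alice_pub, message, signature),
        "tampering_detected": not verify(alice_pub, message + b"!", signature),
        "wrong_sender_detected": not verify(bob_pub, message, signature),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Two things to notice when running it: the encrypt call never touches a secret key, which is why a public key can be handed to anyone (and why Monique's mail client needs Bob's certificate, not his secret), and the verify call fails both when one byte of the message changes and when the wrong sender's public key is used, which is the "sound the alarm" case the post describes.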
So if Monique sends an email home, she cannot encrypt that email. That's not too bad,
because of course she doesn't send business information home. Maybe a shopping
list or something. I sincerely hope there is no cough medicine on it…
And in the big bad world…
- personnel data has been leaked in a ransomware attack on The Guardian.
- Royal Mail also suffered a ransomware attack.
- aviation in the US came to a grinding halt due to (according to the official account) a simple mistake by an engineer.
- Threema isn't the super-secure chat app it wants to be after all.
- Threema is probably still a lot more reliable than Telegram.
- physical security and cyber security intersect in our energy supply.
- Of course, artificial intelligence is also used for less noble purposes.
- the data of KLM and Air France frequent flyers may have been leaked. [DUTCH]
- Russian cyber attacks on Ukraine may be war crimes.
- you can get rich by hacking a Tesla. [DUTCH]
- you still have to check a few things if you want to outsource your IT.