Need help with encrypting email, PLEASE!

Does anyone have any experience with sending and receiving digitally-signed emails? I need to send an important email and would prefer it be encrypted. Any suggestions? It needs to be very user friendly on the receiving end because I have no way of knowing how computer literate the person is on the other end. Thanks in advance.

Hope this helps, Darko. I'm expecting your secret plans to invade us at any time. I'd be a great 5th column.

Darko,

How E-mail Encryption Works (hope this is not too basic in relation to what your looking for).

Most e-mail encryption technologies generally use asymmetric encryption which is based on a pair of mathematically related keys, one of which is used to encrypt and the other of which is used to decrypt binary data. The key pair consists of a public key that is distributed openly to others and a private key that is available only to the user. This same key pair can be used to provide authentication of the sender’s identity, confidentiality of the message content, or both.

To provide authentication, a sender encrypts a message with his/her private key. Because the public key is available to anyone, anyone can decrypt it using that sender’s public key. This does not protect the contents of the message – but because only messages encrypted with that particular private key (which only the sender has) can be decrypted by that particular public key, the recipients can be confident that the sender is whom he/she claims to be. This use of public key cryptography is known as a digital signature. The digital key is stored on a digital certificate, which is issued by a “trusted third party” such as Verisign.

A one year e-mail certificate from Verisign is around $20

Their web site is: http://www.verisign.com/products-services/security-services/email-security/index.html.

I think you can still get a free personal e-mail certificate from Thawte at http://www.thawte.com/email/index.html.

To provide data confidentiality, a sender encrypts the message with the recipient’s public key (which is available to everyone). Only the recipient has the private key that goes with that public key, and only that private key will decrypt the data, so the data is protected from being read by anyone else.

To use e-mail encryption, both sender and recipient need to have compatible encryption software. To create a digital signature, the software uses the private key and the message contents (in its binary form) to generate a number that is then hashed (run through an algorithm that creates a numerical summary). Any changes made to the message will invalidate the signature, because the message content is used to create the digital signature. The software on the recipient’s computer determines whether the signature is valid, and usually displays an icon showing a good or invalid digital signature.

To encrypt the contents of your e-mail, you need to have the recipient’s public key.

If the recipient’s software (e-mail client or Web mail site) is not compatible with the encryption technology or the MIME/SMIME standards, your digital signature will come through looking like a garbled bunch of random characters.

If you want more information on asymmetric encryption (with pictures) IM me with your email address and I will send you a public white paper I wrote that has a good explaination of it. While the paper is oriented toward hardware cryptography, it does explain an asymmetric key exchange and digital signature in more graphic terms.

This site also has a really good general overview on email encryption: http://www.emailprivacy.info/home

It explains encryption, digital signatures, SSL and re-mailers.

This is also pretty interesting:

http://www.emailprivacy.info/test_your_email

Here is a site with a ton of free, shareware and other encryption programs:

http://www.mnsi.net/~jhlavac/security/encryption.htm

Good Luck - Rose

Darko - one more outstanding link: http://www.schneier.com/

Sweet. Thank you Rose!

And thank you Taco.

I think this is where the problem may be. Email encryption is NOT user friendly.

Two ways to go about it.

If you will be corresponding with that person on a frequent basis, you should both get PGP (the free version - do not buy it from Network Associates), establish keys and learn how to use the program. After you get it installed and running, it is fairly easy to use.

The other way would be for you to get PGP and create an encrypted message without the other person having a need for the program or a key. But the only way for them to open the message would be for them to have a passcode. For that, you would have to call them, snail mail it, or deliver it by alternate means.

Another problem with PGP is that in order to download it, you must live in the USA because of encryption export restrictions. The site will attempt to determine your location by your IP address.

Here are a couple of links to check out:

http://web.mit.edu/network/pgp.html

http://wolfram.org/writing/howto/gpg.html

I personally use the MIT version and key server, but it seems the other site has some user friendly software and tips.

If you need further help, let me know.

- T -

Or you could just write your secret messege in lemon juice on the back of a letter and use snail mail. Of course there's no secure way to let them know you're doing this.

Thank you Tito. I will explore those links as well.