Information security in e-mail
An unencrypted e-mail message can be read by anyone able to observe traffic on the network path it travels, and by anyone with access to the mail servers that store and forward it on the way to the recipient.
The confidentiality of e-mail communication can be ensured by encrypting messages before they are sent. E-mail messages can also be signed digitally, which lets the recipient verify the identity of the sender and the integrity of the message, i.e. that it arrived from the sender unchanged. To establish the sender's identity in a trustworthy manner, certificate-based signature methods should be used.
Encryption of a message:
In systems based on public key encryption (see asymmetric encryption) the sender encrypts the message with the recipient's public key. The message can then be opened only by someone who holds the recipient's private key, so even if a third party captures the message in transit, it cannot read the contents. In practice the message body is encrypted with a randomly generated symmetric key and only that key is encrypted with the recipient's public key, since public-key operations are slow and limited to short inputs. Note that this protects the body and attachments, not the envelope: the subject line and the sender and recipient addresses remain readable to anyone observing the traffic.
Signature of a message:
A digital signature assures both the integrity of the message during transmission and the identity of the signer. The sender signs the message with his own private key; the recipient verifies the signature with the sender's public key, and verification succeeds only if the message is unchanged and the signature was produced by the holder of the matching private key. The assurance is therefore only as strong as the recipient's certainty that this public key really belongs to the sender.
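The two operations above combined, as an added example that is not part of the original page: a sign-then-encrypt round trip in Go using only the standard library. The key pairs, the message text and the names Envelope, NewIdentity, SealMessage and OpenMessage are assumptions made for the example. The construction follows the hybrid scheme PGP and S/MIME use (the public-key operation wraps a random symmetric key rather than encrypting the message directly), but it is not PGP's message format.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the protected message as it travels through the network;
// nothing in it is readable without the recipient's private key.
type Envelope struct {
	WrappedKey []byte // fresh AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM(signature || plaintext), GCM tag appended
}

// NewIdentity generates a 2048-bit RSA key pair for one correspondent (hypothetical helper).
func NewIdentity() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealMessage signs the plaintext with the sender's private key, then encrypts signature
// and plaintext so that only the recipient can read them (hybrid: RSA wraps an AES key).
func SealMessage(plaintext []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, append(sig, plaintext...), nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenMessage unwraps the key, decrypts, and verifies the signature under the public key the
// recipient believes is the sender's. Wrong recipient key, altered ciphertext or a mismatched
// signature each yield an error and no plaintext.
func OpenMessage(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap key (not the intended recipient?): %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext rejected (modified in transit?): %w", err)
	}
	sigLen := sender.Size() // an RSA-PSS signature is exactly one modulus long
	if len(body) < sigLen {
		return nil, errors.New("message too short to carry a signature")
	}
	sig, plaintext := body[:sigLen], body[sigLen:]
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify under the claimed sender's key: %w", err)
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := NewIdentity()
	bob, _ := NewIdentity()
	env, _ := SealMessage([]byte("Meeting moved to 14:00."), alice, &bob.PublicKey)
	pt, err := OpenMessage(env, bob, &alice.PublicKey)
	fmt.Printf("recovered %q, err=%v\n", pt, err)
	env.Ciphertext[0] ^= 1 // one bit flipped by a relay
	_, err = OpenMessage(env, bob, &alice.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Signing before encrypting means the signature itself travels encrypted, so an observer learns neither the content nor who vouched for it. Opening the envelope with anyone but Bob's private key fails at the key-unwrapping step; changing a single ciphertext bit fails at the GCM check before the signature is even examined; and passing a third party's public key as the supposed sender fails at signature verification, which is exactly the case the next paragraph is about.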
Various software, commercial and free, is available for encrypting and signing e-mail messages. One of the most commonly used is PGP (Pretty Good Privacy), which is based on public key encryption. As far as the cryptography is concerned, the protection PGP offers is good and usually sufficient. However, PGP itself does not guarantee the binding between the sender of a message and his public key. It is possible that the public key the recipient holds for the sender does not belong to the sender at all, but to a third party; unless the recipient has checked the key fingerprint through an independent channel or through a chain of signatures by people he already trusts (PGP's web of trust), an attacker who substitutes his own key can read messages intended for the sender and forge signatures in his name. One solution is a Public Key Infrastructure (PKI), as used by S/MIME, where personal certificates issued by a trusted certification authority tie the user and his public key together in a trustworthy manner, and the recipient's software checks that chain of trust before accepting the key.
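The key-binding problem above and the certificate-based answer to it, as an added example that is not part of the original page: a recipient who trusts one certification authority checks a sender's certificate before accepting the public key it carries. Go standard library only; the CA name, the e-mail addresses and the function names NewCA, NewUserCert, issueCert and TrustedSenderKey are invented for the example, and the self-signed "impostor" certificate stands in for the case where the key the recipient holds is not the sender's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs tmpl with signer; parent == nil means self-signed.
func issueCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates the self-signed root certificate that the recipient trusts
// (the CA name is invented for this example).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Mail CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issueCert(tmpl, nil, &key.PublicKey, key)
	return cert, key, err
}

// NewUserCert binds an e-mail address to a fresh key pair. Issued by the CA it is a
// binding the CA vouches for; with caCert == nil it is self-signed, i.e. a binding
// that nobody but its maker asserts.
func NewUserCert(email string, serial int64, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	signer := key // self-signed unless a CA key is supplied
	if caKey != nil {
		signer = caKey
	}
	cert, err := issueCert(tmpl, caCert, &key.PublicKey, signer)
	return cert, key, err
}

// TrustedSenderKey is the recipient's check before using a public key for email: the
// certificate must chain to the trusted root, be valid now, be issued for e-mail
// protection and name that exact address. Only then is the key accepted as the sender's.
func TrustedSenderKey(cert, root *x509.Certificate, email string) (*ecdsa.PublicKey, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("key binding not trusted: %w", err)
	}
	for _, e := range cert.EmailAddresses {
		if e == email {
			if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
				return pub, nil
			}
			return nil, fmt.Errorf("unexpected key type %T", cert.PublicKey)
		}
	}
	return nil, fmt.Errorf("certificate does not name %s", email)
}

func main() {
	root, caKey, _ := NewCA()
	aliceCert, _, _ := NewUserCert("alice@example.com", 2, root, caKey)
	fakeCert, _, _ := NewUserCert("alice@example.com", 3, nil, nil)
	_, err := TrustedSenderKey(aliceCert, root, "alice@example.com")
	fmt.Println("CA-issued certificate:", err)
	_, err = TrustedSenderKey(fakeCert, root, "alice@example.com")
	fmt.Println("self-signed impostor:", err)
}
```

The impostor's certificate carries Alice's address and a perfectly valid signature, but the signature is his own, so the chain does not end at the trusted root and the key is refused. This is the check that plain PGP key exchange leaves to the user: in a PKI the recipient trusts the certification authority's identity verification once, instead of verifying every correspondent's key by hand.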