Electronic mail security

Electronic mail, or e-mail, has become an important communications tool. Businesses have accepted it with great zest, the Internet has allowed it to explode with growth, and its ease of use has made it an integrated part of our personal lives. Even commercials now show dads and moms using e-mail to let their grown kids know they love them and to remind them to take their vitamins.

E-mail has become fun and easy, and many take advantage of being able to send a quick message without having to get caught up in the "how are you-how are you" courtesies of a phone call. And compared with traditional (snail) mail, you can't beat the speed of transmission.

The statistics of e-mail are staggering: ten years ago, systems administrators measured e-mail load by the number of users; five years ago by the number of messages; today, by the number of gigabytes sent daily. The average number of messages per day is estimated at 45,000,000. The Electronic Messaging Association predicts this number will triple to nearly 70 million by the year 2000. The cultural impact of e-mail communications is potentially greater than that of the telephone and will rival that of paper. Wow!

But e-mail, like our more traditional modes of mail transmission, has security problems. Security of any type of mail has been a problem since ancient times, that is, when literacy. became widespread. Today the tremendous volume of e-mail in transit provides a tremendous amount of opportunity for e-mail eavesdropping. (If this is a revelation, note that it is even easier to eavesdrop on cordless telephone calls unless the phones are equipped with a digital security feature which scrambles unauthorized access.)

For those concerned about the security of your e-mail, author Bruce Schneier has come to your rescue. His book entitled, E-MAIL SECURITY-How to Keep Your Electronic Messages Private, addresses headon what you need to know to ensure e-mail privacy. It will also show you how to protect your privacy through encryption, which basically seals your messages in "electronic envelopes."

Bruce Schneier is very qualified to address this hot topic. He is a highly regarded security consultant and president of Counterpane Systems. In addition, he is contributing editor to both Dr. Dobb's Journal and Computer and Communications Security Review, and a monthly columnist for the Computer Security Institute Newsletter. He is also a frequent lecturer and has authored two other computer books, Applied Cryptography and Protect Your Macintosh. And guess what, he can be reached by e-mail at schneier@ counterpane.com.

E-MAIL SECURITY is organized into two sections, Part I: Privacy and Electronic Mail, and Part II: Achieving Electronic-Mail Privacy. This 365-page book also has a hefty Appendix section which makes up over half of the book's contents weighing in at 189 pages. Part I-Privacy and Electronic Mail

Part I is made up of eight chapters that provide an introduction to the aspects related to privacy. This includes the state of e-mail, encryption, authentication, certificate messages, and patent and export issues. This sounds technical and it is; however, the author has organized the information so that each chapter is supported by the information introduced in the prior chapter(s). Unless you have some expertise in e-mail technology, it is not recommended that you skip around these chapters.

If you are looking to learn, Chapter 1-The Problem does a very good job of explaining how e-mail works, and how it can be accessed in transit by those other than to whom it is addressed. The remainder of the chapters in Part I rely on this information to expand on e-mail privacy.

Part II-Achieving ElectronicMail Privacy

Part II contains five chapters that focus on implementing e-mail security. It opens with a short chapter on privacy requirements and features, which is followed by four chapters on e-mail security programs.

The two security programs highlighted are PEM (Privacy Enhanced Mail) and PGP (Pretty Good Privacy). PEM is actually a (proposed) Internet standard, and PGP is a high security cryptographic software application for computers. In addition to providing a good introduction on each, this Part compares the two and discusses attacks against each which means to exploit a weakness. Both PEM and PGP are also exclusively addressed in the Appendix.

Appendix

The Appendix is divided into two parts; Appendix A-PGP and Appendix B-PEM. Both parts are very technical and can only be understood by those who are familiar with cryptographic software and IAB protocol for the Internet. (If you have questions as to what that all means, this is not the reading material to be used as an introduction.)

Appendix A provides two volumes from Philip R. Zimmermann's PGP User's Guide; Volume I: Essential Topics, and Volume II: Special Topics. Volume I provides a review of everything from how PGP works and how to use it, to security system vulnerabilities, and legal issues. This is recommended for all PGP users. Volume II covers advanced topics that were not covered in Volume I and is recommended for the more serious PGP user.