Electronic Mail Security (Book Review)

  • April L. Dmytrenko
  • Records Management Quarterly
  • July 1997

Electronic mail, or e-mail, has become an important communications tool. Businesses have accepted it with great zest, the Internet has allowed it to explode with growth, and its ease of use has made it an integrated part of our personal lives. Even commercials now show dads and morns using e-mail to let their grown kids know they love them and to remind them to take their vitamins.

E-mail has become fun and easy, and many take advantage of being able to send a quick message without having to get caught up in the “how are you–how are you” courtesies of a phone call. And compared with traditional (snail) mail, you can’t beat the speed of transmission.

The statistics of e-mail are staggering: ten years ago, systems administrators measured e-mail load by the number of users; five years ago by the number of messages; today, by the number of gigabytes sent daily. The average number of messages per day is estimated at 45,000,000. The Electronic Messaging Association predicts this number will triple to nearly 70 million by the year 2000. The cultural impact of e-mail communications is potentially greater than that of the telephone and will rival that of paper. Wow!

But e-mail, like our more traditional modes of mail transmission, has security problems. Security of any type of mail has been a problem since ancient times, that is, when literacy became widespread. Today the tremendous volume of e-mail in transit provides a tremendous amount of opportunity for e-mail eavesdropping. (If this is a revelation, note that it is even easier to eavesdrop on cordless telephone calls unless the phones are equipped with a digital security feature which scrambles unauthorized access.)

For those concerned about the security of your e-mail, author Bruce Schneier has come to your rescue. His book entitled, E-MAIL SECURITY-How to Keep Your Electronic Messages Private, addresses head-on what you need to know to ensure e-mail privacy. It will also show you how to protect your privacy through encryption, which basically seals your messages in “electronic envelopes.”

Bruce Schneier is very qualified to address this hot topic. He is a highly regarded security consultant and president of Counterpane Systems. In addition, he is contributing editor to both Dr. Dobb’s Journal and Computer and Communications Security Review, and a monthly columnist for the Computer Security Institute Newsletter. He is also a frequent lecturer and has authored two other computer books, Applied Cryptography and Protect Your Macintosh. And guess what, he can be reached by e-mail at schneier@counterpane.com.

E-MAIL SECURITY is organized into two sections, Part I: Privacy and Electronic Mail, and Part II: Achieving Electronic-Mail Privacy. This 365-page book also has a hefty Appendix section which makes up over half of the book’s contents, weighing in at 189 pages.

Part I-Privacy and Electronic Mail

Part I is made up of eight chapters that provide an introduction to the aspects related to privacy. This includes the state of e-mail, encryption, authentication, certificate messages, and patent and export issues. This sounds technical and it is; however, the author has organized the information so that each chapter is supported by the information introduced in the prior chapter(s). Unless you have some expertise in e-mail technology, it is not recommended that you skip around these chapters.

If you are looking to learn, Chapter 1—The Problem does a very good job of explaining how e-mail works, and how it can be accessed in transit by those other than to whom it is addressed. The remainder of the chapters in Part I rely on this information to expand on e-mail privacy.

Part II-Achieving Electronic Mail Privacy

Part II contains five chapters that focus on implementing e-mail security. It opens with a short chapter on privacy requirements and features, which is followed by four chapters on e-mail security programs.

The two security programs highlighted are PEM (Privacy Enhanced Mail) and PGP (Pretty Good Privacy). PEM is actually a (proposed) Internet standard, and PGP is a high security cryptographic software application for computers. In addition to providing a good introduction on each, this Part compares the two and discusses attacks against each which means to exploit a weakness. Both PEM and PGP are also exclusively addressed in the Appendix.

Appendix

The Appendix is divided into two parts; Appendix A-PGP and Appendix B-PEM. Both parts are very technical and can only be understood by those who are familiar with cryptographic software and IAB protocol for the Internet. (If you have questions as to what that all means, this is not the reading material to be used as an introduction.)

Appendix A provides two volumes from Philip R. Zimmermann’s PGP User’s Guide; Volume I: Essential Topics, and Volume II: Special Topics. Volume I provides a review of everything from how PGP works and how to use it, to security system vulnerabilities, and legal issues. This is recommended for all PGP users. Volume II covers advanced topics that were not covered in Volume I and is recommended for the more serious PGP user.

Appendix B is from a series of focus group meetings dedicated to e-mail security. The representatives are part of the Internet Research Task Force, and the Internet Engineering Task Force. This standard defines message encryption and authentication procedures to provide privacy-enhanced mail services for e-mail transfer on the Internet. Appendix B presents four parts that focus on a variety of aspects and issues related to privacy enhancement for Internet e-mail.

E-MAIL SECURITY is a book designed for those who embrace email as a form of communication and are concerned about security issues. Terminology is tossed around (and around), but the author does a good job of presenting it in a manner that can be comprehended in at least the first half of the book.

In Parts I and II the technical information is supported with fairly easy to understand definitions, analogies, and diagrams. He also uses, very creatively, a troupe of players named Alice, Bob, and Eve. This intriguing threesome represents the sender (Alice), the receiver (Bob), and the eavesdropper (Eve). Together they help explain how email works, how security can be invaded, and how to secure e-mail. But no matter how simply stated or examined, the security side of e-mail technology is not simple.

This book does have a significant amount of very technical mumbo, and oh-golly those acronyms. Example: “The inner workings of SHA are very similar to those of MD4, indicating that the cryptographers at the NSA took the MD4 algorithm and improved on its security.” The Appendix section, in particular, requires the reader to have a thorough understanding of computer technology.

So E-MAIL SECURITY is not only a very technical book, but also very informative and enlightening. Any reader will understand how easy it is to obtain unauthorized email access and the variety of precautionary methods available to secure e-mail messages in transit. It is an important book to read if you are dealing with e-mail or company security issues, have some involvement/responsibilities in information or system’s management, or desire a greater understanding of another aspect of technology.

Categories: E-Mail Security, Text

Sidebar photo of Bruce Schneier by Joe MacInnis.