Email encryption: how far down the rabbit hole should you go?
Email encryption comes in different varieties. That's why SmartLockr gives you an easy-to-understand overview of how to secure your data using...
Encryption is a phrase you hear more and more when it comes to secure email and protecting digital information. For many people, encryption equals security. If something is "encrypted", then no one can access it, right? Unfortunately, this is not entirely true, as it depends on which form of encryption is used. Because in addition to standard encryption, you can also choose end-to-end encryption and zero-knowledge end-to-end encryption.
When sending out an invitation to a family party, the type of encryption does not matter. That data is likely not that important. But if you're sending sensitive data by email, you don't want anyone to be able to access it, certainly not hackers and preferably not the government either. Exactly what encryption means, how it works and what to watch out for if you want to use encryption, is written out for you in this blog.
What is encryption and how does it work?
- What is encryption?
- Basic encryption
- End-to-end encryption
- How is an identity verified when end-to-end encryption is used?
- Zero-knowledge end-to-end encryption
- How is an identity verified with zero-knowledge encryption?
- Laws and regulations where encryption is essential
- How encryption can be easy for everyone
What is encryption?
Encryption can also be called encoding. In essence, you scramble the information (in an email), so that it's no longer readable. With encryption, you make digital files so unrecognizable that only someone with the right key can see the contents. In technical terms, the encrypted version of a message is called a 'cyphertext'.
For example, if you encrypt the phrase "I'm in the mood for pizza," it looks very different when encrypted. As if you put your text in a blender and added a bunch of random letters and characters. For example, encryption can turn that sentence about a pizza into the following: 'h2sLa=&J$ngYK oq^f.dy9s'. No matter how hard you try, you're never going to guess what that encrypted sentence means.
In encryption, a message is scrambled with an algorithm. The original content is then unrecoverable if you don't have the right key.
Encryption is math
Encryption is nothing more than using a mathematical formula (algorithm) to scramble a message. And only if you know how to reverse that algorithm, will you be able to see the contents of emails or attachments. That's why the algorithm is also called the key. End of story? No, because there are different forms of encryption.
You have encryption where you send the key along with the encrypted message, there is encryption where you have two keys, a public one to encrypt the message with and a private one to open it again. And then there is another form of encryption where you only prove you have a key, but never show it. The latter sounds mysterious, but if you see what forms of encryption there are and exactly what they do, hopefully it will become clear to you. We list the three main forms of encryption for you below.
Want to know right away if you are already doing a good job with encryption, or if there are still areas for improvement for your organization? You can!
Basic encryption
We begin with the basic form of encryption. With standard encryption, an email is encrypted only during transmission. That seems safe, but every time the email is saved, it is decrypted first before being saved. Each server between the sender and receiver decrypts the email and the data to store it. Only when the server forwards the message again, the message is re-encrypted and sent to the recipient.
By the time the email has reached the recipient, a number of servers have already decrypted, stored and forwarded the email. And every server in this process is vulnerable. For example, the servers may have been hacked, allowing a hacker to read along. Also, someone managing the server could, in principle, view the content. And in some cases, governments can even access the information on a server.
So standard encryption is never enough if you are sharing sensitive information or if you just want to keep everything you do private.
An example of standard encryption (and how weak it really is)
You are going on vacation and need someone to occasionally empty the mailbox and water the plants. It's just a small town and everyone knows each other. You trust everyone with your mail and house key. And you know you're using a secure service for email because it says everything is encrypted. You email all the neighbors and mention that the key is behind the name tag to the right of the front door. Done!
Yet after a few days on the French South Coast, you get nasty news; someone has ransacked your house. They used the key that was hanging behind the name tag. How is that possible?
If you email without the proper form of encryption, someone can intercept the contents of your message without you realizing it.
Unfortunately, ordinary encryption is simply not enough if you want to email data that could be sensitive or harmful. One of the servers involved in processing your email, as well as your neighbor's responses, turned out to be hacked. The hacker saw her chance and became an opportunistic intruder. She knew exactly when you were on vacation and where you had hidden the key. Some neighbors had even replied when they were not there themselves, so the burglar hacker could choose the ideal time.
This example really won't happen to you that quickly in the real world, but it does show you the weakness of standard encryption. Fortunately, end-to-end encryption already makes things a lot more secure.
End-to-end encryption
Do you want assurance that no one can read your message, even if a server is hacked or your email is intercepted? Or do you want to be certain that even a government cannot read your message? Then end-to-end encryption is indispensable. You are probably already unknowingly using this form of encryption every day. WhatsApp, Signal, Messenger, Telegram and almost all other major messaging apps make use of end-to-end encryption.
Once a message is encrypted, with end-to-end encryption, only the recipient can decrypt the message
In this form of encryption, a message (or email) and any attachments are encrypted before they are sent. And decryption only happens on the intended recipient's device. From start to finish, the message is encrypted, even if it is stored somewhere during its trip. And the key? Only the recipient has that. No one can unlock the message en route.
Even someone with access to the servers that handle e-mail traffic cannot read the contents of a message because everything is stored there in encrypted form as well. Only the sender and the recipient have the correct key on their own devices to open the messages. To check that it is the correct recipient, a clever key system with two keys, called public and private keys, is used for this.
Verifying sender and receiver identities with end-to-end encryption?
The verification of senders and receivers in end-to-end encryption is not even that complicated on paper. The sender and receiver both have 2 keys: a private key and a public key. An important part of this system is that one person's public key and private key are associated.
The only way you can open an email that has been encrypted with your own public key is with your private key.
The public key is publicly accessible through the system you both work with, and it tells someone exactly how to encrypt information so that the recipient - and only the recipient - can decrypt the information again with his or her private key. This way, you can always be sure that only the recipient (who therefore has the correct private key) can unlock the message.
An example of end-to-end encryption
Suppose you want to send an end-to-end encrypted message to Daniel. You've finished typing the email, entered Daniel's email address, and click send. Before sending, the email is encrypted on your device with Daniel's public key. Once Daniel receives the message, his private key decrypts the email again. And the servers that forward the emails also store the message encrypted. They can't do anything else, because they don't have Daniel's private key. The message is now sent with end-to-end encryption!
If Daniel wants to send you an encrypted message back, it works exactly the other way around. His e-mail program looks for your public key to encrypt the reply before sending. And since only you have your own private key, you are the only one who can read the reply!
With end-to-end encryption, an email is encrypted with the recipient's public key. This is done before sending, so the email makes the entire journey encrypted.
So with end-to-end encryption, your information is safe even if a server is hacked. Only if you are careless and, for example, do not lock your computer when you are away from it, can someone get to your encrypted messages.
End-to-end encryption already sounds very secure, but how can you send messages securely if you are not both using the same service? In that case you cannot use the public key of the recipient, and you cannot verify the identity that way. Fortunately, there is a solution for that too!
Zero-knowledge end-to-end encryption.
This strongest form of encryption doesn't even involve public and private keys anymore. You can still decrypt the messages you've received only if you can prove your identity to the recipient. But how can that be even more secure without those two keys, as with standard end-to-end encryption?
With zero-knowledge end-to-end encryption, no passwords or keys are sent to the server. In a nutshell, you can say that this form of encryption works with statistics. The identity of the recipient is verified by asking them a question that can only be answered if they know the correct password. The password itself is not sent, only the answer.
How does zero-knowledge end-to-end encryption work?
Imagine two caves. A long corridor connects the caves. You can enter the cave on the left side (A) or right side (B). In the middle of the corridor between the caves is a door that can only be opened with the correct password. Only the recipient knows the password for that door. If you don't know the password, you can never walk into one cave and come out through the other.
But with that, how do you verify identity? Surprisingly simple actually! Check out the four pictures below to see how zero-knowledge encryption roughly works.
The recipient walks into one of the two entrances, without the sender seeing if they have chosen the left (A) or right (B) entrance. The sender then tells the receiver which exit to walk out of. If this is the same side the receiver walked into, then they are in luck. But if the sender picks the other exit, then the receiver must use their key to open the door in the middle.
The sender may have just happened to choose the exit that the receiver had chosen as the entrance. If you only do this game once, that chance is an even 50 percent. So how can this be safe? To make it secure, the sender and receiver therefore play this game not once, but hundreds of times. The probability of someone correctly guessing 10 times in a row is already less than 0.01%, and at 25 attempts it is already 0.003%. At 50 attempts it is by now 0.0000000000000000089%! Even with all the luck in the world, you are not going to manage that. Only the receiver with the key can walk out of the right exit every time.
Only after the recipient has proven their identity often enough does the message become readable.
After numerous successful attempts, the sender is sure they have found the correct recipient. Only then does the recipient gain access to the message. Fortunately, this little game goes on behind the scenes at lightning speed, so as a recipient you hardly notice anything from this form of encryption.
Smartlockr uses zero-knowledge end-to-end encryption
It won't come as a surprise that this last form of encryption is the most secure. That's why it's the default at Smartlockr. And what is also good for many organizations to know is that with Zero-knowledge end-to-end encryption you can share your data securely, even if you fall under the U.S. cloud act. We could write a book about that cloud act, but in our free webinar with AVG/GDPR and data security expert Alexander Hanff, you'll learn exactly how to keep your data out of U.S. hands with zero-knowledge encryption, even if you work in the cloud.
Rules and laws where encryption is essential
Now that you know what encryption is, you must be wondering if you really need encryption. The answer is short: Yes! And even more so if you work with sensitive data, such as personal data, financial data or medical data. After all, with the right kind of encryption, no one can access your messages or files.
Encryption is essential in keeping your data safe. At Smartlockr, we use zero-knowledge end-to-end encryption by default. You don't even have to press a button for that!
You probably don't need encryption for all your emails. But you're better off using it by default anyway. That's why encryption is always on with Smartlockr. This makes Smartlockr very suitable for organizations and institutions that work with private information, such as healthcare institutions, governments as well as the financial and legal sectors.
By choosing a platform where zero-knowledge end-to-end encryption is standard, you comply with the strictest privacy laws and standards, such as the European GDPR. And you also immediately protect your data from the impact of the Cloud Act!
Encryption can should be easy for everyone
Encryption seems complicated, but this is all taken care for the end user behind the scenes by Smartlockr. But it is an important part of online security for everyone. However, it is good to be aware that anywhere it is claimed that encryption is used, that does not mean the data you share is adequately protected. Only with zero-knowledge end-to-end encryption can you be sure you are using the best security.
Want to know if your organization is required by regulations to use encryption and what form of encryption is appropriate? Request a free, no-obligation consultation with one of our consultants, and you will know exactly where your organization's data security stands.
