More on the PGP Email Webcast
PGP recently held a webcast on email data protection to cover considerations about email protection along with information about the latest product release.
We didn’t have time to address all of the questions during the webcast, but I wanted to circle back and provide answers to the remaining questions from the Q&A.
Q: Does PGP have a client available?
A: Yes, PGP Desktop Email is a client-based approach towards email encryption. It provides end-to-end email encryption ensuring that information says protected all the way from the sender to the recipient, no matter what networks or systems it traverses.
Q: Can the PGP platform handle different encryption policies between internal and external email?
A: Yes, the policy engine in PGP Universal Server uses a rule set that’s similar to setting up a chain in a firewall policy. You can set up policies to handle the email routed internally differently that email routed externally.
Q: What are the security considerations for a) sending a password protected Word document B) using a natively protected PDF and C) using PGP for encrypting email?
A: When using a password protected Word document, the sender must choose a password and deliver it to the recipient along with the encrypted document. Obviously, both cannot be sent in the same message because it defeats the purpose of protecting the document in the first place. Thus it introduces the problem of how to safely share a secret through some other means. The problem may be bearable if there is only one recipient, but it gets far more complicated as the number of documents increases and as the number of sender/recipient combinations increases.
A password protected Word document also does not have the ability to provide tamper resistance. An attacker that knows the correct password could fraudulently modify and re-encrypt the document to the same password.
A password protected PDF uses a password as well, but the key difference here is the password management performed by PGP PDF Messenger. Instead of the sender setting the passphrase during the creation of the document, the recipient sets their own passphrase, thus removing the burden of managing a shared secret. As email passes through the gateway, it is encrypted and protected with the recipient’s passphrase.
With an end to end solution, such as PGP Desktop Email, neither user needs to exchange the secret information used to decrypt the file. By using public key cryptography, each user keeps their own secret key and distributes their private key, thus getting around the issue of sharing a secret and password management. PGP Desktop Email provides protection for the email from the sender’s computer all the way to the destination, thus protecting the data no matter where it travels. In addition, with the digital signature capabilities, the recipient knows that only the sender could have created the email, thus preserving the fidelity of the data and confidence that the information is reliable.
Q: In your experience, how hard is it to train personnel on how to correctly use PGP? Incorrectly used encryption usually means it was unencrypted.
A: For PGP Desktop Email, the users typically have a passphrase that protects access to the private key. Based on policy, the organization may choose to have the user enter the passphrase once per session, or more frequently for more security conscious organizations. For deploying PGP Universal Gateway Email, there is no training at all necessary for end users – it’s completely transparent to them. Training requirements are very small – in most scenarios there isn’t end user training necessary outside of a notification of how to use the new environment.
Q: Can open source encryption software allow intercepted email to be read?
A: The open standard RFC4880 defines the format for OpenPGP, and supported by a number of products. An open source implementation of the standard is available through Gnu Privacy Guard (often known by its initials GPG), which is interoperable with PGP email encryption. The answer to your question is no, even users of compatible software would not be able to intercept and decrypt the information without possession of the private key. The private key is what makes the difference between interoperability and unauthorized access.
Q: How would you go about encrypting an email in a small office where email is being provided by an ISP such as Verizon, Time Warner or AOL?
A: For many of our users who have a small deployment, they often start with PGP Desktop Email. PGP Desktop email can be run in a standalone environment (without needing a server), thus making it possible to deploy in small/medium businesses rapidly. The mail servers provided my ISPs typically provide access to email via the standards SMTP (for sending email) and POP3/IMAP (for receiving email). PGP Desktop Email supports these standards and the information stays encrypted as it passes through your ISP’s mail server.
Q: Is PGP a hardware or software solution? Where is the appliance (if hardware)?
A: PGP’s server software (PGP Universal Server and PGP Universal Gateway Server) is a software-based solution. The software runs as an appliance, meaning that administrative work is done through a web based interface and not through a shell.
Q: Can I use the same client license that is used on a laptop for a BlackBerry?
A: Those are actually two different products. The software running on a laptop is PGP Desktop Email, which is separately licensed from the Support Package for BlackBerry.
Q: Is PGP Universal Server location independent of the mail server location? For example, if the mail servers are located in the cloud, can we implement universal server locally?
A: Yes, there are a number of ways to deploy PGP Universal Server and PGP Universal Gateway Email. You can use set up Universal Server in parallel to an email server or in line with the mail stream. The location of the mail server can be in any location, including in the cloud.
Q: Where is the proxy? Is it on a server or at a PGP hosted location?
A: It depends on which proxy you are talking about. PGP Desktop Email runs as a local email proxy, meaning that it actually runs on the user’s computer. The email client connects through the local proxy, which in turn provides the email encryption services. PGP Universal Gateway Email is a standalone email server proxy that automatically encrypts email as the mail flow passes through it. In both cases, PGP does not host the proxy but rather provides the software for an organization to set up their own.
Q: How does the recipient receive the passphrase to open the PDF?
New recipients receive an invitation to set their passphrase. Once the recipient registers the passphrase, PGP PDF Messenger can encrypt the message and deliver to the user.
Q: What isn't all email being encrypted by default?
Policy in PGP Universal Server can encrypt all email by default. It depends on the organization to set an appropriate policy for their particular needs.
Q: How does incoming encrypted email get through Anti-virus/anti-spam engine?
If you’re referring to a gateway-based anti-virus/anti-spam engine, there are several approaches that you can take. The first solution is to put the anti-virus/anti-spam products in line with the email gateway, so it continues to process email after decryption. If you’re using desktop email, a different approach is necessary. Because the email arrives at the gateway encrypted, it must be decrypted before being processing by the anti-virus/anti-spam system. This can be done by using PGP Universal Server / PGP Universal Gateway Email features for using the Additional Decryption Key (ADK) to produce plaintext to handle integration with message hygiene solutions.
Q: Will HTML Stripping corrupt the message or make it unreadable?
A: The PGP message uses a MIME encapsulation to transport the message. If your organization is using some type of HTML stripping solution, it should apply only to the MIME types that contain HTML data, and leave other MIME types untouched.