International Journal of Computer Information Systems,

Vol. 7, No.4, 2013

E-mail Security: Issues and Solutions

Sarika Choudhary/ M.tech (Network security) Rajesh Ghusinga/ B.tech (Civil Engineering)
School of Engineering and Sciences Indian Institute of Technology
BPS Mahila Vishwavidyalaya IIT, Bombay
Khanpur kalan, Sonepat (HR.) India Powai, Bombay, India
[email protected] [email protected]

 differentiate between the regular mails and E-mails as the

Abstract— In this paper we’ll discuss about security of e-mails. postal system handles the regular mails and nobody can look
We’ll also investigate how to add confidentiality and integrity inside the letter, this is called by law. We expect high privacy
protection to ordinary email. with regular mails but ordinary E-Mails are not private, they
In everyday life you all use e-mail and think how much you relay are exposed to everyone.
on the accuracy of its contents? Think you receive an e-mail from
your mentor saying that you did so well in your course then you
were excused from doing any further work and what if you know
that message were a joke from your classmate. We always relay
on e-mail’s confidentiality and integrity for important data or
communication. Mostly ordinary e-mails have no confidentiality
and integrity.

Index Terms— encryption, forgery, interception, security,

spam, spoof.

I. INTRODUCTION
E-mail travels on the web so they are exposed to the intruders.
So, privacy of emails may be compromised b/w sender’s and
receiver’s side without giving any warning. In today’s
electronic world, e-mail becomes the backbone of the most
organizations’ daily activity. As we know email becomes most
frequent in the world so e-mail security becomes more
important. For the security, organizations must control the
situations by taking any approach or invest wisely including
all the solutions.
Let consider the services provided by e-mail to the business,
email storage and management can be broken down into a
number of components like flow of the mail, storage of the
mails, how do we exchange public keys, how do we assign
trust and how user access the emails. These issues are the part
of total security agenda.
In section II you’ll study about how emails go and who can
access it and some threats to email, spamming, spoofing etc.
In section III you’ll study examples of email security means
by taking a technique we can provide security to mails.
II. SECURING E-MAIL
E-Mails are most frequently used in today’s commerce. Now-
a-days these are the most convenient way of communication
for ordinary users. E-Mails are public and can be seen by
everyone at every point of communication between two users.
Hence, because of their exposed nature we can’t write
sensitive information in ordinary e-mails. We can
A. How e-mails go and who can access it?
Basically, E-Mails are based on point to point communication.
With the help of an example it becomes clear to you that who
can access the email. If kavita sends an email to Ritika. Then
Kavita’s computer system creates a virtual connection with
Ritika’s system, it is called computer synchronization.
Messages between them are transferred by SMTP (Simple
Mail Transfer Protocol). Consider Ritika is not online at the
moment and Kavita wants to send message to her. This
message is stored at the server i.e. called POP (Post Office
Protocol) server. Next time whenever Ritika will be online,
she can download the message and can read them also.
Kavita’s message is for Ritika and hence is private. So we
choose point to point communication but while the message is
sitting on the server, it is potentially exposed to everyone.
For better understanding we can consider another example i.e.
let Sarika is an employee of large organization, it may be an
industry or any university or any other organization. So she
can’t create an outbound connection by herself. All her
messages are routed through a server and as a result her
privacy is compromised. Another complication is aliases and
forwarding agents – who add more mid points. By taking a
simple case we can see that there’ll five points or parts:-
i. Kavita and her system
ii. Kavita’s organisation’s SMTP server

October Issue Page 42 of 63 ISSN 2229 5208


iii. Kavita’s ISP (Internet Service Provider)
iv. Ritika’s POP server
v. Ritika and her computer system
B. Threats to E-mail:
There are so many threats to electronic-mail such as:
 Message confidentiality
 Message blocked delivery
 Message content and origin modification
 Message content and origin forgery by outsider or
recipient.
 Denial of message transmission
 Message interception and subsequent
Encryption is used for confidentiality and data
forgery. You can also defense against the replay
attack. But in encryption we doesn’t use symmetric
encryption because it cannot protect against data
forgery by recipient, in symmetric encryption both
sender and receiver share a common key. In this
situation, you can use public key scheme for security.
In this, recipient only can decrypt but don’t do
encrypt.
Sender and receiver can’t protect against the delivery
blocking because we have lack control over the
middle points in the network.
C. What are the requirements and the solution??
For protection from data forgery and maintaining the
confidentiality, we create a list of requirements and solutions.
This list includes all the security and protection for securing
any email.
i. Message Integrity
ii. Message Confidentiality
iii. Message Authenticity
iv. Non-repudiation
International Journal of Computer Information Systems,
Vol. 7, No.4, 2013
 SENDER AUTHENTICITY: Means the receiver
knows that who was the sender and receiver is very
confident about it.
 NON-REPUDIATION: Means sender can’t deny that
he/she has sent the messages.
 So all these requirements must be fulfil for an ideal
secure email. About confidentiality, Integrity and
encryption we’ll study in detail.
1) Confidentiality
We begin our description about security to provide
confidentiality enhancement to the several aspects.
To understand this, sender choose symmetric encryption
algorithm key. By using this key sender encrypts the entire
message to be sent including FROM: TO: subject: etc. then
the message sender prep ends plaintext header. The sender
encrypts the message key by using the recipient’s public key
for the key management and attaches that with the massage.
Many network e-mail handlers use unprintable characters for
control signals in the traffic stream. To avoid the transmission
problem encrypted email converts the cipher text into plain
text characters.
Encrypted email standard works most easily by using the both
symmetric and asymmetric encryption. Encrypted e-mail
standard supports multiple algorithms.
For message confidentiality we use DES, Triple DES, and
AES. For key exchange we use RSA and Diffie-Hellman.
Encrypted Message
Receiver’s New Header
public key
Encrypted
message data
encryption key

Public key
Encryption Encrypted
Message
Header+
Body

Message
encryption
key

Symmetric Key Encryption

 MESSAGE INTEGRITY: It means what the receiver
seen and what we sent is matched or not. It helps to
maintain the integrity of the messages.
 MESSAGE CONFIDENTIALITY: It makes sure that
the message is not exposed on any route while it is
Message Header+ Body
going to the receiver. 2) Integrity
Integrity for e-mail security is as important as confidentiality.
Integrity is provided by hash function in the digital signature

October Issue Page 43 of 63 ISSN 2229 5208


called message integrity check (MIC). It is optional that
encrypted email messages can be encrypted for
confidentiality. We can integrate original e-mail message or
encrypted e-mail messages so that a person can send enhanced
or non-enhanced messages. If sender sends enhanced message
so an extra bit of encrypted email processing is invoked on the
sender’s end. Receiver should also remove the enhanced bits
for getting the original message but non-enhanced messages
flow through the mail handlers as usual they processed.
3) Encryption
In this key management is a major problem. We can remove
this problem or difficulty with the use of certificates.
Certificates are used for key management, key exchange and
for associating an identity with a public encryption key. The
problem with certificate is building a hierarchy. Now-a-days
many organizations have hierarchical structure but some
organizations don’t have. So because of a problem of
imposing a hierarchy on non-hierarchical world then PGP was
developed for such organizations.
By using RSA encryption technique with long bit key we can
provide strong end-to-end security for e-mail.
Compose Message
View message
Yes No Crypto
Encryption processing
o
requested? Crypto
o Yes
Encrypted?
No
Send message
Receive message
D. E-mail Interception
As other web content have privacy concern from interception
risk such as e-mail also have the same concern while transmit
the message over the internet.
There are various techniques for encrypting e-mail. PGP and
S/MIME techniques are widely used. These techniques are
mostly used in popular email handlers like Microsoft outlook,
Eudora, Netscape etc. These products protect emails over the
internet and from midpoints too etc. VPN (Virtual Private
Network) can also provide data communication security or
protect the data. But it provides limited protection between
client’s workstation and some points. It uses router or firewall
at the point to which the sender belongs. For e.g.
communication is protected from a university student to the
edge of the university network.
October Issue Page 44 of 63
International Journal of Computer Information Systems,
Vol. 7, No.4, 2013
Some organizations copy all emails sent from org. systems
daily as the evidence in legal issues. Many org. or companies
monitor their worker’s e-mail. Network administrator or ISP
(Internet Service Provider) also monitor the e-mails for
business purpose, traffic or detect spam etc. Org. monitor
emails for any legal purpose. So there is no expected privacy
on network of your emails or general computer use.
E. Malicious e-mails (Spamming, Phishing, Spoofing)
In this electronic world, it is very important for everyone to be
familiar with three thing i.e. spamming, spoofing, phishing.
These three terms seem to denote the same thing but they are
different from each other and you should be aware. So let us
take a look at their definitions.
1) Spam
Spam is junk e-mails also known as unsolicited bulk e-mail
message or we can say unwanted messages. They are refers to
send email to thousands of users as a chain letters. Mostly we
found that spam has also to be compromised of ads for
products and services of questionable legality. Spam is
annoying but it’s not really dangerous. Sometimes, spam e-
mail spamming is combined with the spoofing so it is very
difficult to find out the actual originating email address of the
sender. Some e-mail systems like outlook express have ability
to block the e-mail with specified address. But because of
changing email address frequently, it is very difficult to
prevent some spam from reaching to your inbox. There are
two types of spam:
 Intentional spam: it is comes from spammers who are
fraud or solicited products.
 Unintentional spam: it originates from computer
systems that are infected with the virus. Virus or
worms send bulk message from the infected system
without the knowledge of the computer owner.
2) Phishing
Phishing is a type of spam in which sender enters its
personal account information (banking data) for the
purpose of breaking your account and theft of data
for fraud-ness. Phishers can enhance the credibility
by spoofing to convince source address. We can take
an example for better understanding, let you get a
false e-mail and this e-mail appear come from a
legitimate company like eBay, Yahoo, government
universities etc. These messages look like they came
from original source. These messages ask you to
update your records by entering your Date of Birth,
bank account number and PIN etc. These sites collect
your personal data in order to theft your money,
identity etc.
You just keep in mind that legitimate companies
or organisation already have your personal data, so
they will never ask you to give all this kind of
information. Whenever you think that any e-mail is
suspicious then don’t reply and even delete that
email.
ISSN 2229 5208

3) Spoofing
When an email appears that it comes from the legitimate
source and in actual it comes from an imposter/ fraud.
Basically it is the forgery of email header so that it seems
original or actual. It is done by spammers often and it can be
accomplished by changing the “FROM:” mail address.
E-mail spoofing can be done by different forms but all have
same result. Spoofing can be used for spreading virus or we
can say malicious purpose or it is a best trick to make user
confident and release sensitive information like password,
account no. or PIN no. of account. Mostly email spammers
use spoofing so that receiver can get sender’s address or
possibly respond.
To send spoofing email, sender enters command into the
header portion that’ll alter the information. Someone could
send spoofed message that appears to be a user with a
message that he/she didn’t write.
There is no way of prevention from receiving the spoofed e-
mail. If you get message from any source that ask for
something personal or confidential information then you want
to know if it is really from the person it says it’s from you can
look at the Internet Header. It shows that from where the
email actually originated.
If your email address is spoofed so that doesn’t mean that
spammer or spoofer has access your mailbox.
III. EXAMPLES OF SECURE E-MAIL SYSTEM
Many sources provide encryption e-mail programs. Many
universities or companies have created or developed their
commercial version of encrypted e-mail. Here we are taking
two examples for security e-mail. These are:
A. PGP (Pretty Good Privacy)
It was invented by phil Zimmerman in 1991. After bought by
network associates it became a commercial product in 1996.
Its freeware version is also available. It is widely used for
exchanging private e-mails.
PGP is used to address the problem of key distributed with
“ring of trust” or user’s “key ring”. Basically a user can give
its public key to another or it can take from a server. At the
bottom of the message, many people include their PGP public
keys. In this, one person can give second person’s key to
third, fourth, fifth and so on. Thus it creates a key association
problem. If you are confident that an e-mail comes from the
trusted person and there is no tempering, then you can use that
attached public key. If you trust that person then you should
also trust the keys that person gives you for other peoples.
If you are sending any key to another person then you sign
each key whenever you give. The keys you send to another
person may also been signed by other peoples.
PGP processing performs following actions depending upon
confidentiality, integrity, authenticity or non-repudiation.
 First of all, create a random session key.
 For message confidentiality encrypt the message using
the session key.
 Encrypt the session key with recipient’s public key.
October Issue Page 45 of 63
International Journal of Computer Information Systems,
Vol. 7, No.4, 2013
 Generate a hash or message digest for message
integrity or authentication.
 Sign the hash and encrypt it with sender’s private key.
 Then attach the encrypted session key with encrypted
message and digest.
 Finally transmit the message to the recipient.
When recipient receive the message it reverses these steps to
obtain the original message content.
B. S/MIME (Secure Multipurpose Internet Mail
Extensions)
S/MIME is somewhat like PGP. It is an Internet standard and
tells how e-mail is sent and received. Basic MIME represents
or describes the format of e-mail and handles e-mail
attachments. The enhanced version of MIME with security is
S/MIME (Secure Multipurpose Internet Mail Extensions).
S/MIME is the Internet standard for secure e-mail
attachments. PGP have predecessors that are PEM (Privacy
Enhanced Mail) and RIPEM. S/MIME is very much like PEM
and RIPEM as PGP too. It is now used in many commercial
products like Microsoft Outlook etc.
Principle difference between PGP and S/MIME is the way of
key exchange. In PGP each user exchanging keys with all the
trusted recipients and establish a ring of trust. In S/Mime, it
uses hierarchically validated certificate such as X.509 for key
exchange. In this sender or receiver don’t need to have
exchanged keys as long as they have a common certifier or
which they both trust. It works with many cryptographic
algorithms like DES, AES and RC2. It also performs security
transformation similar to PGP. PGP only handles plaintext but
S/MIME handles or we can say secure all type of attachments
like PPT, movies, sound files, graphic files etc.
S/MIME provides secure e-mail i.e. e-mail security and it is
broadly used by many commercial e-mail packages.
IV. CONCLUSION
To secure e-mail there are some steps, in short:
 Generate an Identity
 Configure secure e-mail software
 Get public keys for software
 Get public keys for recipients
 Start sending secured messages
There are some tips so that you can save your e-mails:
 First of all, backup your keys
 Trusting on a key after the suitable verification with
the owner
 Revoke certificates from time-to-time or revoke PGP
keys if compromised
 Always save your sensitive information elsewhere.
Now-a-days, by e-mail communication is the most common
way of exchanging information in almost every business and
ISSN 2229 5208
 International Journal of Computer Information Systems,
Vol. 7, No.4, 2013
organization. As all of us have taken e-mails granted, none of
us should neglect that the days of pure and safe internet are far
away so there is no excuse for shortcuts when it comes to
security. For prevention you should take precautions hence for
this you can take advantage of the public available solution
and always encourage our network administrator to
enforce/enhance the security policies.

REFERENCES
[1] Book: Security in Computing by Charles P. Pfleger.
[2] www.wikipedia.org
[3] www.CISCO.com
[4] www.purdue.edu/decurepurdue/docs/training/using_secure_email.pdf
[5] www.csrc.nist.gov
[6] www.cs.columbia.edu/~smb/classes/so9/11.org
[7] www.cypherpunles.to/~peter/T5_email.pdf
[8] www.pgp.com
[9] http://www.helpnetsecurity.com/
[10] www.marknoble.com/tutorial/smime/smime.aspx

AUTHORS PROFILE

Sarika Choudhary is pursuing M.tech (CSE)

with specialization in Network Security from BPS
University Khanpur, Sonepat. She has done her
B.tech (CSE) from the same university. At present
she is a student and has great interest in
networking and security.

October Issue Page 46 of 63 ISSN 2229 5208