If you assume your firewall protects you from all Internet pests, you may be wrong — and vulnerable. For example, a simple mail transport protocol relay server (that’s the server that receives all Internet e-mail and sends it to your internal e-mail server for delivery) can be easily compromised without violating any firewall rules or even triggering an alert. Imagine the lack of security of your e-mail and attachments as they traverse this host.

But there’s hope. Encrypted e-mail is one way that you can reduce or eliminate some of the risks. Encryption is a process in which the message is scrambled using complex mathematics, and only the sender and recipient of the e-mail can translate the scrambled message into legible text. (That includes the message and all attachments.) Once encrypted, the only portion of the message that remains legible is the e-mail sender and recipient field, necessary for the purposes of routing the mail from source to destination.

SEVERAL MECHANISMS

Several encryption mechanisms are available that use mathematics to scramble message data. Generally, all encryption processes rely on numbers, called seed values, to get the math started. The number of seed values needed varies; some processes require the same value to be used on both sides while others dynamically negotiate the value. Many processes use a combination of these two methods.

One of the benefits of offering encrypted e-mail to clients and peers is that it can guarantee the confidentiality and integrity of the entire message. In addition, because courts can subpoena e-mail, it may be necessary to clearly demonstrate the chain of custody, as well as compliance with an e-mail aging and retention policy. Encryption reduces the liability of the sender and the receiver of the message.

HACKER HEAVEN

Let’s examine the scenario posed above without using encrypted e-mail. A hacker, let’s call her Ms. Blackjack, has compromised a mail server or network used in the routing of an e-mail message sent from an attorney at firm X to a client at company Y. Keep in mind that it doesn’t matter where the mail server is compromised — it may be your server, it may be your ISP’s server or it may be your client’s server — the risk remains the same.

Now that Blackjack has compromised a server or network, she begins capturing data from it. Along comes the e-mail sent from the attorney at firm X to the client at company Y. The e-mail message is short: “Here is the settlement agreement for matter number 00000. Please print it, sign it, have it notarized and send it to the plaintiff.” The message includes a Microsoft Word document outlining the terms of the agreement with a referenced dollar value of $100,000.

Now Blackjack captures the message, removes it from the mail queue and edits the attached document, altering the amount from $100,000 to $1,000,000. The change is minor in the document; however, it is huge for Company Y. She then re-inserts the message into the mail routing queue and the message is routed to Company Y. There is no need to continue with the scenario. Both parties have already lost significantly. Whether the mistake is caught or not, the losses are huge to the company and the firm’s reputation.

Now let’s examine this scenario again, this time with encrypted e-mail. Blackjack captures the message, removes it from the mail queue and attempts to edit the message. But the encryption prevents her from opening the message, so Blackjack re-submits the message for routing to hide the fact that she has compromised the system. Under this scenario, the message was not altered and the message retains its confidentiality and integrity from sender to receiver. The worst thing that Blackjack can do is delete the message.

HOW DOES IT WORK?

Most major e-mail clients include S/MIME functionality to encrypt messages. Three popular options are PGP, Verisign and PKI.

PGP stands for Pretty Good Privacy. It was developed at the Massachusetts Institute of Technology, then commercialized by Network Associates Technology Inc. PGP is based on trust associations and key rings. A public key ring server is the place where users keep their public key. The private key ring is where a user stores his or her private keys (and the public keys of users he or she regularly communicates with). The advantage here is that the user manages the keys. Once installed, e-mail can be encrypted with one mouse click.

The services provided by Verisign Inc. essentially revolve around a public key infrastructure that they have deployed and maintain. A digital certificate is purchased by the e-mail sender and used to encrypt e-mail. Once the digital certificate has been installed in the user’s e-mail client, an option exists to encrypt e-mail to the recipient. Once the e-mail is encrypted and sent to the recipient, the remote e-mail client verifies the authenticity of the certificate with Verisign and decrypts the message — once the certificate has been proven valid.

Internal public key infrastructure tools have been available for several years but have not been widely used. This is primarily due to the cost and complexity of inter-corporation trust relationships. However, the technology has become commonly available (as well as free in the case of Microsoft Corp.’s Windows 2000) and is starting to make its presence felt in corporate America. Internal public key infrastructure requires the installation of public key ring servers accessible via the Internet and internal distribution of private keys to users. At that point, users may exchange v-cards with recipients and encrypt messages using the same method as that described for the Verisign option.

The above three systems all offer encrypted e-mail functionality at varying degrees of cost and user impact. A strong case can be made for using an internal public key infrastructure system at a large firm with a strong information technology department. However, a medium-sized firm may opt to use the Verisign certificates process while a small firm may choose PGP.

Adam C. Hansen is lead information security engineer at Sonnenschein Nath & Rosenthal of Chicago.
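
The settlement-agreement scenario above, worked through as an added example that is not part of the original article: it covers only the integrity half, showing how a recipient-side check catches the altered amount even though the routing headers look untouched. The addresses, key and document text are constructed, and a shared-key HMAC stands in for the signature a signed S/MIME or PGP message carries, because the Python standard library has no public-key primitives.

```python
import hashlib
import hmac
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample values. KEY is a shared secret standing in for the
# sender's signing key; real S/MIME or PGP uses a public/private key pair.
KEY = b"constructed-demo-key"
DOC = b"Settlement agreement, matter 00000. Amount payable: $100,000."

def build_message(doc: bytes) -> bytes:
    """Compose the e-mail from the scenario with the agreement attached."""
    msg = EmailMessage()
    msg["From"] = "attorney@firm-x.example"
    msg["To"] = "client@company-y.example"
    msg.set_content("Here is the settlement agreement for matter number 00000.")
    msg.add_attachment(doc, maintype="application", subtype="msword",
                       filename="agreement.doc")
    return msg.as_bytes()

def protected_content(raw: bytes) -> bytes:
    """Decoded body and attachments, length-prefixed so parts cannot blur."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = [p.get_payload(decode=True) for p in msg.walk() if not p.is_multipart()]
    return b"".join(len(p).to_bytes(8, "big") + p for p in parts)

def seal(raw: bytes, key: bytes = KEY) -> str:
    """Integrity tag the sender computes before the message leaves."""
    return hmac.new(key, protected_content(raw), hashlib.sha256).hexdigest()

def verify(raw: bytes, tag: str, key: bytes = KEY) -> bool:
    """Recipient-side check, using a constant-time comparison of the tags."""
    return hmac.compare_digest(seal(raw, key), tag)

def altered_in_transit(raw: bytes) -> bytes:
    """Simulate the compromised relay: same headers, edited attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    doc = next(msg.iter_attachments()).get_content()
    return build_message(doc.replace(b"$100,000", b"$1,000,000"))

def routing_headers(raw: bytes) -> tuple:
    """Sender and recipient fields, which stay legible for mail routing."""
    msg = message_from_bytes(raw, policy=policy.default)
    return (str(msg["From"]), str(msg["To"]))

if __name__ == "__main__":
    sent = build_message(DOC)
    tag = seal(sent)
    print(verify(sent, tag), verify(altered_in_transit(sent), tag))
```

The altered message carries the same sender and recipient fields as the original, so nothing in routing reveals the edit; only the failed check does.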

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.