Secure Email

Publication:

Orange County Lawyer Magazine

Date:

March 2006

Author:

Jeff Lenning

Summary
Corresponding through Email has become an integral part of daily business life. For many email messages, the content is not confidential, and security is not an issue. However, there are certain email messages that do contain confidential information and securing those communications is essential, especially given client/attorney privilege. Fortunately, there are a variety of techniques for securing email.

Techniques
Although there are many excellent third-party solutions available to secure email, this article discusses only those methods that are built-in to Windows XP and Office XP computers. Third-party solutions range from secure Digital IDs (verisign.com), to rights management systems (microsoft.com), to public/private key encryption (like pgp.com). For those interested in the highest levels of security, third-party solutions are worth investigating. For those wanting a moderate level of security that is easy to use, we present the following features included with Windows XP and Office XP computers:

  • Password protected zip file attachments
  • Built-in Microsoft Office encryption
  • Built-in Outlook encryption

Disclaimer: It is important to note that given time and determination, it is possible for hackers to bypass the security measures discussed in this article.

 

 

Encryption Primer
Before digging into the various security techniques, it is important to understand the term encryption. Encryption simply means scrambling the text in the email (or email attachment) so that a human can’t read it. There are different methods for encrypting text; some methods are easy to break and some are more difficult. As an easy example, I could encrypt the phrase “Orange County Lawyer Magazine” by replacing each letter with the next letter of the alphabet, resulting in “Psbohf Dpvouz Mbxzfs Nbhbajof”. This is called a substitution cipher, and is one of the easiest types to break. More sophisticated techniques use keys, so even if you know the methodology, you can’t read the encrypted message unless you have the key. Encryption is the underlying method for securing email in the various techniques presented.

 

Password Protected ZIP Files
Probably the easiest method to quickly secure an email attachment is to simply convert it to a password-protected zip file. The resulting file is encrypted, and uses the password as the key. Thus, the recipient must know the password to unzip the file and read it. The advantages to this method are:

  • It works with any file type
  • you can include many files in one zip file
  • no special software is required by the email recipient (because Windows XP comes built-in with the necessary software)
  • no keys need to be exchanged between the sender and the recipient (except of course the password)
  • it is quick and easy to implement
  • cross-platform compatible

As a note of caution: the encryption in zip files can be broken with time, determination and the proper tools. So, understand that this is one level of security, but it is not fail safe.

We will walk through the zip creation process with screen shots using Windows XP. In our example, we have a licensing agreement created in Microsoft Word. The first step is to open Windows Explorer and simply right-click on the document and select Send To -> Compressed (zipped) Folder, as shown in Figure 1 below.

Figure 1

Now, you will see two files in Windows Explorer, the original agreement.doc Word document, and the agreement.zip file. Currently, the Zip file is not encrypted. To encrypt the Zip file, create a password by double-clicking on the agreement.zip file, and then selecting Add a Password., as shown in Figure 2 below.

Figure 2

You will be asked to enter a password as shown in Figure 3 below.

Figure 3

Using complex passwords is best (passwords that are long and contain numbers and special characters). Now, the Zip file is encrypted. When sending your email, attach the Zip file. The recipient will be prompted for a password in order to open the file.

 

Microsoft Office Files
If you simply need to encrypt a Microsoft Word (or other Office) document, you may find it easier to simply apply a password from within the Office application (Word).

A note of caution: the default level of encryption provided with Office XP is compatible with Office 97/2000. This encryption level is weak, and easily bypassed with utilities. Therefore, you should increase the encryption level manually each time you apply a password to a new document.

From within Microsoft Word, when you initially Save the file or when you perform a Save As, you will see the standard dialog box as shown in Figure 4. To set the password and encryption, you must select the Tools button, and then Security Options, as shown below.

Figure 4

You will have the opportunity to enter a password, as shown in Figure 5 below.

Figure 5

The important step is to click the Advanced button, and specify a higher level of security than the default Office 97/2000 Compatible, as shown in Figure 6 below.

Figure 6

After sending the encrypted Office document as an email attachment, the recipient will be asked for the password to open the file.


 

Microsoft Outlook Integration
The final method utilizes the built-in Outlook message encryption. It relies on a third-party vendor to supply you with a Digital ID, a version of which must be provided to your recipient. So, this method is more complicated to set up than the others presented. After composing an email click on the View -> Options menu item as shown in Figure 7 below.

Figure 7

Selecting the Security Settings button brings up the dialog box shown in Figure 8 below.

Figure 8

Checking the Encrypt Message Contents and Attachments box will perform the encryption on not only the email attachment but the text message as well. When you try to send an Encrypted message using this technique for the first time, you will be prompted to obtain a Digital ID from a third-party provider like Verisign. These Digital ID’s generally expire after a certain period of time, and there is generally a fee for generating the ID.

After you send the email, the recipient must be in possession of your Digital ID in order to view the email.

 

Conclusion
Microsoft provides several options for securing email. Fortunately, they are built-in to Windows XP and Office XP. In addition to the techniques provided by Microsoft, there are many third-party providers of encryption and security software that can dramatically enhance the security of digital email communications.

This article was written by Jeff Lenning