SECURE EMAIL SOLUTION PROPOSAL

Science & Technology

14th April 2018

1
Table of Contents
Executive Summary ............................................................................................................................... 3
Introduction .............................................................................................................................................. 4
Secured Email .......................................................................................................................................... 5
Possible Issues with these commercial Solutions ........................................................................ 6
Possible Solutions ................................................................................................................................... 6
Virtual Private Network solution .................................................................................................... 6
Text Secure............................................................................................................................................ 7
Proposed Solution for Communication of Classified Data through Email ........................... 8
Sample Implementation of Open PGP .......................................................................................... 9

2
Executive Summary

To ensure end-to-end secure corporate email solution either between the Office
of the President and Cabinet ministers or any senior government officials, we
recommend hybrid solution that incorporates the following scenarios as shown
in the figure below:

 Communication within a government office environment

 Communication between different government offices
 Between government offices (locally) and remote Embassies

For communication between the mail servers, and between mail servers and
clients TLS (Transport Layer Security) must be insisted upon. Between the local
office and the Remote embassy, a strong crypto Virtual Private Network (VPN)
solution must be implemented. Finally, to perform an end to end encryption of
any email, an plugin source called Open Pretty Good Privacy (PGP) can be
implemented over the current infrastructure for a secure and private
communication.

3
Introduction
Traditionally emails have evolved from the concept of letters, however in the
digital world these “letters” are treated as “Post Cards”. For ease of
understanding I will use “Alice” and “Bob” as two parties in this document.

Below is the brief description on how emails work;

1. Alice first types the email and sends it with some information (i.e. To:
BOB)
2. The Mail first goes to ALICE MAIL SERVER, then the mail server where it
is stored temporarily. This server looks for BOB’s mail server on the
internet and sends the mail to BOB’s Mail server
3. BOB’s mail server receives the email and stores the email until it is
ready for collection.
4. Bob then uses this client (outlook/Web portal etc.), to collect the email to
display to him.

4
Secured Email

The main issue with securing email is the physical and digital security of the
Mail servers in question and the security from the originator and the receiver.
Traditionally data on the servers are encrypted; however, the keys are saved on
the server.

Thus to remedy the security concerns a new type of solution was developed.
Below in the diagram the gist of the solution is shown. Alice and Bob generate
two pairs of keys on their computer, a public and a private key. The public
keys are shared with anyone. When Bob sends the email to Alice, Bob will
encrypt the email with Alice’s public key, and send this to Alice through the
Mail server. Alice will then use her private key to decrypt the content. In this
solution, the mail server will store and forward the encrypted email only. Even
if the mail server was compromised, the data that would be encrypted will not
be compromised.

This methodology has been used by many solution providers for example;

 Protomail.com
 Hushmail.com
 Mailfence

5
Possible Issues with these commercial Solutions
 Of the above solutions none on them take into consideration the
changing cyber and intelligence situation within their hosting country
and hence we would not be able to stop interference from their hosting
government. For example, Lavabit had to abruptly stop providing service
when cyber laws changed.
 These solutions use open-source on their client but not on their server
infrastructure.
 Since these email are encrypted, services such as anti-spam or antivirus
do not work. Thus since the Provider cannot read your email, they
cannot know if the service is being abused. Thus for example if a
complaint is filed against any users; ProtonMail will actually
suspend the account without evidence until you clear your name.
 Since the email is encrypted the contents of the email cannot be
searched by the legitimate user eg. If the user wants to query the old
email content with a specific string that will not be possible.
 If the password of the account is forgotten, there is no way to recover the
password, which means that all older mail/data will be lost and
unrecoverable.

Possible Solutions

It is important to understand the tradeoff between security and the usability of

the solution.

Virtual Private Network solution

A VPN basically extends the private (intranet) network across a public

network, and enables users to send and receive data across shared or
public networks as if their computing devices were directly connected to
the private network.

6
 The VPN solution is a standard solution used worldwide. However it
limited to internal communication only.

Text Secure

TextSecure is an open-source application (both server and client). It is

reviewed by the community .This solution is so secure that it has been
implemented in most security conscious applications (e.g., WhatsApp).
TextSecure allows users to send encrypted text messages, audio
messages, photos, videos, contact information, and a wide selection of
emoticons over a data connection (e.g. Wi-Fi, 3G or 4G) to other
TextSecure users with smartphones running Android.

The Text Secure application also has a limitation such that both the
sender and the receiver need to have installed the App.

7
Proposed Solution for Communication of Classified Data
through Email

The premise of this solution is that there are three (3) classification of
users. a) OP users, b) All Gov users c) Rest of the world (Embassies)

Embassies
All Gov Networks
User

User TLS*

Mail Server
TLS*
User

TLS*

OP Network

User TLS*

Mail Server
TLS*
User

8
 The Solution that is proposed is a combination of many technologies
1) External sites will be connected to the intranet (All Gov Networks)
using a VPN tunnel.
By using the VPN tunnel all the traffic is encrypted between the two
sites. There are many products and solutions in this field that offer
various strength of security.

2) Once the VPN is set up. In order to secure the data between 2 users
and maintain confidentiality within the network. We can use the
standard implementation of the Open PGP applications. This PGP app
is a private implementation between the 2 send users, using private
and public keys

Sample Implementation of Open PGP

Standard email clients (outlook/thunderbird) can integrate with

applications
Eg : https://www.openpgp.org/software/gpg4win/ for outlook

9
When clicking Encrypt on the Window above, a Pop-up will ask the user to
generate key pairs as shown below

After the process is followed a Key pair (public and private) is

Generated as shown below

10
The user is now ready to Encrypt the email by selecting the Encrypt function.
As shown in the image below the content of the email has been encrypted,
hence ready to be sent to the addressee.

11