Is this the future of Secure E Mail system?… Creating own E Mail ecosystem in an enterprise

Functionality and Security are two dimensions of any software that need to be balanced through regulation. The Internet and E Mail were created for the purpose of effective communication, and hence functionality was the prime concern in the design of protocols such as TCP/IP or SMTP.

With the growing use of Internet and E Mail for business, the need for Security in these protocols has become critical. Hence the current systems need augmentation for security considerations.

One of the problems confronting the internet society is “Phishing”, where unauthorized and impersonated e-mails are used to commit frauds. This must be addressed if we want to improve the trust in Internet communication.

Preventing misuse of E Mails requires two aspects, namely authentication of the origin of the E Mail and prevention of modification of the E Mail content in transit.

These two security controls are addressed through “Digital Signature” and “Encryption”.

India has adopted a PKI-based system built around a central regulatory authority, the CCA (Controller of Certifying Authorities), which grants licenses to Certifying Authorities, who in turn control the Digital Certificate issue system. The Digital Certificate issue/Signature system consists of the use of accredited hashing algorithms and public-private key encryption along with the creation of the key pairs, embedding them in tokens etc.

These Certifying authorities also provide the “revocation” and “Verification of Non-revocation” of digital certificates to ensure that the community can use the system with assurance.

Popular e-mail systems like Gmail, however, are not designed for the use of the digital signature system, and users need client-side applications to use digital signatures for authentication or encryption.

When a single public-private key pair is used both for authentication and for encryption of content, a problem is likely to arise when crime investigators require access to encrypted content through the exercise of powers under Section 69 of ITA 2000. Sharing the private key in this circumstance will require the issue of a new digital certificate for the subscriber's further use.

Presently the solution to this problem is to issue two key pairs, with one set used for authentication and the other for encryption, so that when required, or as a certificate issue protocol, the private key for encryption can be escrowed with the regulatory authority.

While the digital certificate issuers have enabled such “Dual Key” system, the end user applications are still not fully equipped to use such dual key systems.

In the meantime, to overcome the shortfalls in the current e-mail communication where the content can be intercepted and altered in transit through some forms of man-in-the-middle attack, an attempt is being made to create new Secure E Mail systems.

The undersigned came across one such system recently which is worth sharing here.

A Dubai based company with a development center in Bangalore has created an E Mail system which is considered as a “Blockchain” based application which can be used by enterprises for secure E-Mails within an enterprise eco-system.

The essence of the system is that the E Mail is encrypted with the public key of the recipients and hence remains encrypted in transit and storage. This requires the users to be onboarded onto the system and issued digital certificates and a public-private key pair.
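The dual-key arrangement described earlier and the encrypt-to-recipient design above can be sketched as follows. This is an added example, not code from the product or the original post; it assumes the Python `cryptography` package and RSA-2048 keys, and the names `seal`, `open_mail`, `is_authentic`, `demo`, Alice and Bob are hypothetical.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SHA256 = hashes.SHA256()
OAEP = padding.OAEP(mgf=padding.MGF1(SHA256), algorithm=SHA256, label=None)
PSS = padding.PSS(mgf=padding.MGF1(SHA256), salt_length=padding.PSS.MAX_LENGTH)
SIG_LEN = 256  # an RSA-2048 signature is always 256 bytes

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def seal(body, sender_sign_key, recipient_enc_pub):
    """Sign with the sender's signing key, then encrypt to the recipient's encryption key."""
    signature = sender_sign_key.sign(body, PSS, SHA256)
    content_key = Fernet.generate_key()  # one-time symmetric key for this mail
    return {"wrapped_key": recipient_enc_pub.encrypt(content_key, OAEP),
            "ciphertext": Fernet(content_key).encrypt(signature + body)}

def open_mail(mail, enc_private_key):
    """Decrypt with an encryption private key: the recipient's own or the escrowed copy."""
    content_key = enc_private_key.decrypt(mail["wrapped_key"], OAEP)
    plain = Fernet(content_key).decrypt(mail["ciphertext"])
    return plain[SIG_LEN:], plain[:SIG_LEN]  # (body, signature)

def is_authentic(body, signature, sign_pub):
    try:
        sign_pub.verify(signature, body, PSS, SHA256)
        return True
    except InvalidSignature:
        return False

def demo():
    bob_sign = new_key()                          # sender's signing key
    alice_sign, alice_enc = new_key(), new_key()  # recipient's two separate key pairs
    escrowed = alice_enc  # stands in for the escrowed copy of Alice's encryption key
    sent = b"Constructed sample body: invoice 17 approved"
    mail = seal(sent, bob_sign, alice_enc.public_key())
    body, sig = open_mail(mail, escrowed)
    forged_text = b"Constructed forgery attempt"
    forged_sig = escrowed.sign(forged_text, PSS, SHA256)  # signed with the wrong key
    return {"escrow_reads_mail": body == sent,
            "sender_verified": is_authentic(body, sig, bob_sign.public_key()),
            "escrow_key_signs_as_alice": is_authentic(forged_text, forged_sig, alice_sign.public_key())}
```

With a single key pair per user, `escrowed` and `alice_sign` would be the same key and the last check would return `True`, which is why disclosure of that key forces a new certificate.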

If security in transit is the only concern, the digital certificates can be issued by a system even if it does not belong to the “Licensed Certifying Authorities”. If “Authentication” is also a requirement, it may be necessary for the enterprise to integrate this e-mail system with a local certification server as a sub agency of a licensed certifying authority.

One interesting feature of this system is that, apart from bringing all employees of an organization into the system so that e-mails between them can be encrypted, the organization can also on-board outsiders to the extent of their interaction with the enterprise, just like the ‘Boxbe’ kind of systems which try to maintain an approved guest list for persons to receive the emails.

While it is difficult to impose the “Registration of Guest” before the email is allowed entry to the recipient’s inbox in a personal communication, it may be possible in an enterprise communication, particularly between Banks and their customers or E Commerce companies and their customers.

If all Banks start using such systems, then Bank frauds using “Phishing” can be eliminated since all Bank to customer e-mails will then be handled only through the dedicated e-mail system with encryption. This could mean that the Bank may have to create e-mail space for all its customers but the volume of data transmitted will be restricted only to the Bank-Customer communication and not others.

Presently Banks do provide for in-app communication either through the mobile app or after logging into the internet banking. But the use of the designated e-mail could be a more convenient option.

If “One Designated email for one customer ID” can be extended by every bank, then even the UPI IDs can perhaps be integrated with this special e-mail ID and there could be better security in the overall process.

The system can perhaps be used even by the Government so that communication between Government servants can be encrypted.

At present the system is good for enterprise e-mail systems, and maybe some integrator can create a “Regulated Anonymised E Mail System” where privacy is ensured subject to the law enforcement rights. Such a system could be a replacement for “Proton Mail”, which could be non-compliant with the recent CERT-In guidelines and can only function as a “Not Legal” service.

“Regulated Anonymity” was a system suggested more than a decade back by Naavi when the concept of BlockChain or even Privacy as we know today did not exist. Perhaps the system can be tweaked to meet the current requirements through this new system created by the Bangalore company.

I urge companies to explore this solution (request for contact if required) of “Secure Enterprise E Mail” that could be one of the use cases for Block Chain technology.

(Comments welcome)

Naavi

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.