The average user is likely to find OpenPGP more attractive. Though the Web of Trust doesn't fit well into corporate structures, OpenPGP doesn't ban certification hierarchies. The PEM concept might be better suited for commercial use, particularly within corporations, because email privacy is not necessarily required there. Also, while not everything has to be kept secret within corporations, authentication is of utmost importance. Corporations are therefore more likely to use S/MIME.
7.2.3 Email Encryption in Practice: Disillusionment
This topic is intended to help you better understand cryptological concepts, to get a feel for why algorithms and protocols come in the form they do, and to see where pitfalls are hidden. I think this justifies looking at a totally outdated piece of software like PEM, or discussing an encrypted file system called CFS (further below).
Nevertheless, I don't think I should be discussing mail encryption from the solely technical perspective without taking a closer look at the sad practice. My mail conversers amount to a three-digit number, but only a handful of them encrypt their mails. Take it literally: they are fewer than five. Typically, there is no 'real' business partner among them.
Following the slogan, 'don't trust statistics you haven't forged yourself', I decided one day to do a little poll among acquaintances and business partners at the CeBIT 2002 trade show: 'How many encrypted mails did you receive and how many did you send last year?' Since the people I asked were IT security experts without exception, I expected an untypical, even prettified result. But it was rather as I had feared: 9 out of 23 people I addressed hadn't encrypted anything at all, 9 others exchanged fewer than 20 encrypted mails (out of several thousand), including two for 'experimental purposes' only. Even PGP and GnuPG promoters encrypted on a strictly selective basis, i.e., only messages that they classified as worth protecting (and how do you classify this?). The representative of the then PGP owner used an expired key. Another person signed all mails (without encrypting them), three persons encrypted many mails, and one single person actually protected about 5 to 10 mails per day to fend off eavesdropping. Interestingly, this very person had nothing to do with the development or sales of encryption software. Another person remembered having heard that only about 4 % of all companies were said to use mail encryption at all. Unfortunately, the source of this statement is unknown.
Excluded from these 'statistics' were a few cases of symmetric encryption where keys are distributed by phone, for example. If you are interested in