S 5.108 Cryptographic protection of groupware and/or e-mail

Initiation responsibility: IT Security Officer, Head of IT, Administrator

Implementation responsibility: User, Administrator

A groupware server communicates with groupware clients, browsers, phone and communication applications, and other groupware systems. Data is also exchanged between the groupware system components. Communication takes place using the local network and/or external networks. In all cases, data requiring protection is transmitted. This includes not only the data used by the users for authentication (e.g. user name and password), but also business-relevant information. For this reason, it is necessary to decide which protection mechanism will be used to secure communications.

The purpose of encryption and digital signatures is to protect the integrity and confidentiality and to assure the non-repudiation of electronically transmitted messages.

To ensure that electronic communication such as e-mail is not altered or intercepted en route, it must be protected cryptographically. Confidentiality can be assured through encryption, and integrity, authenticity, and non-repudiation through digital signatures.

Generally speaking, cryptographic protection of groupware and/or e-mails is possible at three levels:

Network-to-network

In this case communications are protected at the transition from one network gateway to another, e.g. by setting up a virtual private network (VPN) (see also module S 4.4 VPN).

Advantage: The specified encryption works without user intervention. Training requirements are limited to individual administrators rather than many users.

Disadvantages: It is not possible to tailor settings to individual users, e.g. for digital signatures. Moreover, this solution can only be used for individual groups of previously defined communicating parties.

This is a good solution if organisations or parts of organisations which are geographically separated want to communicate frequently over a secure channel.

Client-to-web server/mail server: e.g. TLS/SSL, proxy solution

Under the proxy solution, every e-mail on the mail server is encrypted and/or decrypted and forwarded to the client in plaintext.

Advantage: This works regardless of the e-mail client. There is no need to install additional cryptographic software on the e-mail clients.

Disadvantages: Proxy solutions can be time-consuming to configure. A number of mistakes can be made with TLS or SSL solutions.

Client-to-client or "end-to-end"

Client-to-client cryptographic protection employs additional functions which are integrated in the relevant e-mail client or installed on it retroactively (e.g. as a plug-in). Well-known products here include GnuPG and PGP. When using them, a number of basic factors must be borne in mind if they are to provide the level of security that is expected of them.

Encryption and digital signature facilities have now been integrated into many e-mail clients. The advantage of this is that these functions can be used without any additional input. These functions can provide direct protection for e-mail traffic within an organisation. The disadvantage is that sometimes the cryptographic procedures used or the implementations are weak. Another frequent problem is incompatibility with other e-mail clients.

There are a number of additional products for encryption and digital signatures available as an alternative. Advantage: Products can be selected which precisely match the conditions and security requirements within an organisation. One disadvantage is the fact that these additional products are not always available for all e-mail programs. In the case of e-mail program updates, it is not clear whether the plug-in will continue to work or whether this too will require an update. It may be the case that these encryption programs are incompatible with similar programs at the recipient's end.

Client-to-client protection is always based on the premise that every user has to be assigned cryptographic keys, so central key management is required. Among other things, this management system must guarantee that keys are replaced at regular intervals, are always up to date, and are installed and saved securely, i.e. so that they are accessible to the authorised person only. This naturally entails a certain amount of work (see also S 2.46 Appropriate key management).

Module S 1.7 Crypto-concept lists the criteria which need to be considered when selecting an appropriate cryptographic product (e.g. range of function, user-friendliness, interoperability, economy, existence of security studies).

When transmitting data requiring protection between groupware systems, the data must be adequately protected. Various methods can be used for this. It is therefore necessary to decide which method is appropriate under the prevailing conditions. The decision must be documented so that it can be understood later.

Review questions: