Before You Send That Email, What About Encryption and Digital Signatures?

  • By Kevin King, COMPUSEC Manager
  • 88 CG/SCXS
During the WPAFB Command Cyber Readiness Inspection (CCRI) (8-12 Sep 2014), DISA inspectors may ask you about encrypting and digitally signing email messages. We use these tools to preserve the confidentiality, authenticity, and integrity of information sent across the network, such as through e-mail. You must be familiar with using encryption and digital signatures, with the types of information requiring protection, and with the issues you may run into when using these services.

Encryption protects information confidentiality by ensuring nobody except the intended recipient can read it. When you encrypt an email message using the recipient's public key, the message can be decrypted only with the recipient's private key, which resides on their Common Access Card (CAC).

Information requiring encryption includes, but is not limited to, Controlled Unclassified Information (CUI), For Official Use Only (FOUO) information, Personally Identifiable Information (PII), information protected under the Health Insurance Portability and Accountability Act (HIPAA) or the Privacy Act (PA), proprietary data, and contracting data. Examples of PII are social security numbers (SSNs), alien registration numbers, biometric identifiers, and financial account numbers.

In addition to using encryption, you must properly mark messages containing information requiring protection. Markings must be placed in the message subject line, at the top and bottom of the message, and at the start of paragraphs as necessary. Banner tags should be placed at the start of messages, rather than at the end, so they are not easily overlooked.

Be aware that e-mail encryption does NOT permit you to send classified information over unclassified systems. Doing so constitutes a classified messaging incident (CMI), which results in lost man-hours, labor costs, and possible disciplinary action against the violator.

One issue you may encounter when trying to send an encrypted message is that you may not have the recipient's public key. The global address list (GAL) may not contain the recipient's key, or the recipient may not have a GAL listing at all. Possible solutions include retrieving the recipient's public key from the DoD Global Directory Service (GDS) or having the recipient send you a digitally signed message, which includes their public key. Otherwise, you may need to find an alternate means of delivery, such as fax, the postal system, or a delivery or courier service.

You must immediately report the unencrypted transmission of information requiring encryption. The discovery that PII has been sent unencrypted must be reported to the organization Privacy Manager, who will process the report according to the Air Force Privacy and Civil Liberties Program. Report the breach of other information types to the applicable authority, such as the organization IAO, Security Manager, or supervisory chain.

Digital signatures verify the authenticity and integrity of messages. They confirm that the message comes from the sender who signed it, and that it has not been altered at any point during transmission. Digital signatures also provide non-repudiation, which means the sender cannot deny sending the message: the signature could only have been produced with the sender's private key, which resides on their CAC.
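As an added illustration (not part of the original article, and not code from any Air Force or DoD system), the following Go program models both services described above. A sender signs a message with a private key and attaches the matching public key, much as a signed e-mail carries the signer's certificate; the recipient verifies the signature, which fails if the body is altered in transit, and then uses the public key learned from that signed message to encrypt a reply that only the signer's private key can open. Software key generation stands in for the key pair held on a CAC, the message texts are constructed samples, and the AES-GCM body plus RSA-OAEP-wrapped key is the standard envelope pattern for encrypting a body of arbitrary length, chosen here as an assumption rather than anything the article specifies.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// SignedMessage: body, signature over the body, and the signer's public key (PKIX DER), as a signed e-mail carries its certificate.
type SignedMessage struct{ Body, Signature, SignerPubKey []byte }
// Envelope: body sealed under a one-time AES-GCM key, that key wrapped with the recipient's RSA public key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// NewKeyPair stands in for the key pair on a user's CAC (demo only; a real private key never leaves the card).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign hashes the body and signs the digest with the sender's private key; the public key rides along.
func Sign(senderPriv *rsa.PrivateKey, body []byte) (*SignedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&senderPriv.PublicKey)
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Body: body, Signature: sig, SignerPubKey: pub}, nil
}

// Verify checks the signature with the embedded key (proves who signed and that the body is unchanged) and returns that key for replies.
func Verify(m *SignedMessage) (*rsa.PublicKey, error) {
	parsed, err := x509.ParsePKIXPublicKey(m.SignerPubKey)
	pub, ok := parsed.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("unusable signer key: %v", err)
	}
	digest := sha256.Sum256(m.Body)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], m.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	return pub, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the plaintext so that only the holder of the recipient's private key can read it.
func Encrypt(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit AES key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt unwraps the AES key with the recipient's private key and opens the body.
func Decrypt(recipientPriv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("not the intended recipient: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

func main() {
	sender, _ := NewKeyPair()
	msg, _ := Sign(sender, []byte("Funds for project X are approved.")) // constructed sample
	senderPub, err := Verify(msg)                                        // recipient learns the signer's key here
	msg.Body = []byte("Funds for project Y are approved.")               // altered in transit
	_, tampered := Verify(msg)
	fmt.Println("signature valid:", err == nil, "| tampered copy rejected:", tampered != nil)
	env, _ := Encrypt(senderPub, []byte("reply containing PII")) // encrypted to the signer's public key
	plain, _ := Decrypt(sender, env)
	fmt.Println("only the signer's private key reads:", string(plain))
}
```

Run it with `go run` on a file containing the block. Two points from the text are visible in the run: changing a single word of the signed body makes Verify reject the copy, and an envelope encrypted to the signer's public key cannot be opened with any other key pair, which is the property that lets you reply in confidence to someone whose key you obtained only from their signed message.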

Examples of when digital signatures should be used include messages containing formal direction to government employees or contractors; stipulating an Air Force official position; committing to, authorizing, or denying the use of funds; or containing an embedded hyperlink and/or attachment. The final example explains why you must insert your CAC when using a multi-function device or digital sender to scan a document to e-mail; you are, in fact, sending an e-mail with an attachment, which requires a digital signature.

Much of the information we send across our networks requires protection. Encryption and digital signatures are the tools we use to maintain the confidentiality, authenticity, and integrity of this information. Knowing how to use these tools, when they are needed, and how to resolve issues with them helps you better protect your information. Your knowledge will also help WPAFB during the Sep 2014 Command Cyber Readiness Inspection.