Encryption protects data by scrambling it with a randomly generated passcode, called an encryption key. Without the key, third parties will be unable to view your data. However, hackers can attempt to steal access by impersonating an authorized user. Encryption authentication helps protect the key from bad actors.
Authentication is the process of determining if a claim is true — usually a claim about someone or something’s identity — using a secret or piece of evidence called a “factor.” When you sign in to an email account, you’re asserting a statement (“I am <Username>”), and proving it with a secret (your password). Authentication is followed by authorization. For example, once your Gmail login is authenticated, Google authorizes you to access your email and Google Workspace files, and those shared with you by other users.
Because secrets can be stolen or guessed, users can use multiple factors to make it harder for a bad actor to gain access. For example, G Suite security two-factor authentication requires users to input a password and a one-time code texted to their phone before they can log in. Similarly, an organization might require employees to present both an ID card and fingerprint scan to access a sensitive area.
If you’re protecting a file on a computer that isn’t connected to anything, encrypted authentication is pretty easy. Encrypt the file, keep the key somewhere safe (ideally, protected by a password) and you’ll be secure.
But in cloud applications such as email encryption, authentication is harder. These applications use public-key encryption, which uses two keys: one to encrypt the data, and one to decrypt it. As the name implies, the public key is often publicly available, but the private key has to be kept secret. In PGP email encryption and similar methods, you obtain the recipient’s public key, and use it to encrypt a message to them. Because they keep their private key confidential, only they can decrypt it.
Attackers can read your data by stealing your private key, but they can also do it by tricking the sender into using the wrong public key with a Man-in-the-Middle (MitM) attack. For example, imagine Sara wants to send you a secret message and Andy wants to steal it. If Andy tricks Sara into using his public key instead of yours, he can decode your message with his private key, then send it on to you, using your real public key. He can even alter it if he wants to, and you’ll be none the wiser.
Encryption authentication prevents these attacks with digital signatures — special codes unique to each party. An authority confirms that the signature and key are authentic. With PGP, the community as a whole is the authority. Users can vouch for each other by signing each other’s keys — either in-person at key signing parties, or using the Web of Trust (WoT). So if you and Sara trust Becky, and Becky has signed both of your public keys, you can trust Sara’s public key and vice versa.
Unfortunately, WoT doesn’t scale well once you start adding extra degrees of separation. For example, let’s say Becky has not signed your key, but has signed Tim’s key. To trust your public key, Sara has to believe that:
There are all kinds of ways this could fail. Becky could have been tricked into signing the wrong key, Tim could maliciously pass off Andy’s key as yours, or a hacker could have compromised someone’s private key after signing, and so on. All it takes is one person making a bad decision or losing control of their key, and the whole chain collapses.
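The chain-of-signatures problem described above can be made concrete with a small model. This is an added example, not code from Virtru or from any PGP implementation, and it is a simplified trust-graph walk rather than GnuPG's actual trust calculation; the names `SIGNATURES`, `trust_path`, `links_to_believe`, the `revoked` set and the `max_depth` limit are assumptions made for illustration.

```python
from collections import deque

# Constructed sample data: signer -> set of keys that signer has signed.
# Becky has signed Sara's and Tim's keys; Tim has signed yours.
SIGNATURES = {
    "becky": {"sara", "tim"},
    "tim": {"you"},
}

def trust_path(signatures, trusted_roots, target, revoked=frozenset(), max_depth=5):
    """Return the shortest chain of signers from a trusted root to target, or None.

    Breadth-first search over "A signed B's key" edges. A key the verifier
    knows to be revoked can neither vouch nor be vouched for, and chains
    longer than max_depth signatures are rejected. A compromise nobody has
    noticed is invisible to this walk, which is the weakness the text describes.
    """
    if target in revoked:
        return None
    queue = deque((root, [root]) for root in trusted_roots if root not in revoked)
    seen = set(trusted_roots)
    while queue:
        key, path = queue.popleft()
        if key == target:
            return path
        if len(path) - 1 >= max_depth:  # path already uses max_depth signatures
            continue
        for signed in sorted(signatures.get(key, ())):
            if signed not in seen and signed not in revoked:
                seen.add(signed)
                queue.append((signed, path + [signed]))
    return None

def links_to_believe(path):
    """Each signature in the chain is a separate claim the verifier must accept."""
    return [f"{a} correctly verified and signed {b}'s key" for a, b in zip(path, path[1:])]

if __name__ == "__main__":
    path = trust_path(SIGNATURES, ["becky"], "you")   # Sara trusts only Becky
    print(path, links_to_believe(path))
    print(trust_path(SIGNATURES, ["becky"], "you", revoked={"tim"}))  # chain broken
```

Every extra hop adds one more entry to `links_to_believe`, and removing any single key from the middle leaves no path at all.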
To make encryption authentication more secure, SSL/TLS uses a trustworthy Certificate Authority (CA) to verify each party, and handles encryption key management automatically. When you send an email with TLS, your client creates an encrypted connection with your mail server, and sends your message.
The process is repeated from your server to your recipient’s server, and from their server to their client. The main problem is, you have no way to know if one of these servers has been hacked or is using a compromised version of TLS. Because data is decrypted at each stage of the process, there are multiple opportunities for a MitM attack.
Virtru encryption authentication uses a trusted CA like PGP, but does not suffer from its weaknesses. When a user sends an encrypted email, the Virtru client on their device encrypts the message using a one-time key, and the key is sent to Virtru’s secure server using an encrypted connection. Meanwhile, the encrypted email is sent by the sender’s email client to the recipient’s email server in the normal way.
When the recipient clicks the email, their Virtru client conducts a three-way session with the Virtru server and a third-party identity provider such as OAuth or OpenID, which enables the encryption authentication and authorization process. First, the client confirms the recipient is who they claim to be, and checks the email’s access policies to ensure the recipient is still authorized to access it. If the recipient is permitted, the Virtru server securely transfers the key to the recipient’s Virtru client.
This averts the unreliability of PGP-like encryption authentication, because it doesn’t depend on a whole chain of parties. And unlike SSL/TLS, messages aren’t encrypted or decrypted by arbitrary servers on the open Internet, which may be improperly configured.
Virtru is dedicated to user privacy from government surveillance. We have never disclosed user keys, and are in a strong legal position to resist FISA and other broad surveillance orders if we’re ever asked to in the future.
No tool can replace security awareness. Virtru protects users against attacks and the dangers of unencrypted email, but it doesn’t stop you from reusing passwords, or other unsafe practices that already put you at risk. You should use strong, unique passwords, and enable two-factor authentication so that a hacker can’t access your account if they manage to gain access to your password.
For mobile devices, we highly recommend that you use password-protected iPhone or Android encryption to protect personal data in the apps you use for shopping, banking, and other activities, should your device be stolen.