How to implement email encryption for web mail?
We faced this question with that project at Stuttgart Media University. We implemented an RSA encryption without the need of changing the email software SquirrelMail.
The user clicks on a bookmarklet and our user interface is rendered into the existing web site. The user may generate a new key and download it, or he may upload an existing one. The key itself is encrypted with a user provided password.
The remaining workflow is nearly the same as always, but a button appeared to send the email in an encrypted way. Plus all emails, whether encrypted or plain text, may be signed.
Incoming emails are automatically decrypted and the signature is verified.
Security
- AES-256 / RSA 2048 hyrbid encryption
- HTTPS
- Exclusively local key management
- Plain text never leaves local machine
- Identity is verified over email ownership
Frontend
- Cross site injection JS bookmarklet
- Site is moved into iFrame in order to keep the JavaScript after page navigations
- New interface elements for enhanced funcitonality is injected
Backend
- PHP webserver with prototypical API to save and receive public keys
- mySQL DB
- SSL
Video
In order to watch this youtube video you first need to accept third party cookies (Youtube, Google).
More information on google cookies