Protonmail's Encryption Protection [Solution Entry]

Introduction

This will be my first real post. It is the first is a series of cyber-privacy/surveillance related posts. In this series I want to explore the legal aspects of[Legal], current issues in[Current Issue], current practices in[Threat], and ways that you can increase your[Solution] on-line privacy.

I have been working on my format for the last few weeks. There is a lot of information I want to include and to get the right ratio of detail and succinctness has been a challenge. Keeping each article short enough to be read quickly while covering the topic fully was impossible. The solution that I have settled on is to post many small, focused posts and then one conclusion post referencing all the small posts in logical order to form a larger all encompassing article. Each post will be marked with a tag to denote it as an informative [Legal] [Current Issue], warning [Threat], or counter-measure you can use [Solution]. These tags are defined in the first paragraph.

Protonmail's Encryption Procedures

In this post, the inner workings of the Protonmail's encryption scheme will be discussed in enough detail to use the platform effectively. If you are going to rely on a platform for security and privacy, you need to know what it is going to do under what circumstances so you can be confident in your protection.

ProtonMail uses a combination of cryptography techniques to provide end-to-end protection from eavesdropping. Also, ProtonMail exclusively uses HTTPS and TLS to encrypt all Internet traffic between users and ProtonMail servers including any passwords and keys that may be exchanged to verify identity and perform login authentication. The sign-up for Protonmail requires you to create a password for authentication and the script on your browser creates a public/private key pair on your local machine to be used for the message encryption. The public key is made available to the entire Protonmail Network and is used to encrypt messages sent to you. Once a message is encrypted with your public key, only your private key can decrypt the message. The private key is stored on the Protonmail's servers but is itself, encrypted using the authentication password and is not accessible to the Protonmails staff.

Sending a message with end-to-end encryption is easiest within the Protonmail Network and is the default method when within the network. In this case, the recipient's public key is retrieved automatically from Protonmail's servers and used to encrypt the message on the local machine before transmission. It is then transmitted and stored in its encrypted form. So Protonmail's staff cannot access private keys even if they wanted. Therefore, search warrants presented to Protonmail or even physical intrusion into Protonmail's servers are not an effective means of eavesdropping. Finally,the message is retrieved by the recipient and decrypted with the recipient's private key that is only itself decrypted once it is on the recipient's machine. In this manner the message is protected from the moment it is encrypted before being sent on the sending machine to the moment it is decrypted on the receiving machine prior to being displayed.

When the message is being sent to or received from outside the Protonmail's Network the situation is more complex, at least procedurally. Since the outside client will not have the ability to automate the encryption or decryption process. However, end-to-end encryption is still possible or the message can remain unencrypted without much bother to either user in terms of extra procedural tasks.

To make use of the encryption for an incoming message from a standard email server, the non-Protonmail sender must have the public key for the Protonmail recipient. The public key can be sent over unencrypted email since the public key is public. Then the sender must encrypt the message to be sent using the public key and the 'Pretty Good Privacy (PGP)' software before sending the email. Once this is done properly with the correct formatoming, the message is then in the Protonmail system and all the automated procedures now take over and handle the decryption as before.

When sending an encrypted message to an non-Protonmail recipient the procedure is to send the email encrypted as in the 'within network' procedure except the protonmail sender must supply the public key for the non-Protonmail recipient. Again, the public may be transmitted without encryption once it is created by the PGP Software on the non-Protonmail recipient. Then the network will detect automatically that the recipient is outside its networkand the system automatically emails the recipient with a link to the message in its encrypted form. Then the recipient is once again required to handle the decryption manually using the PGP software and the private key that matches the public key sent to the sender.

This has been a review of Protonmail's strengths. Using the above procedures encrypted emails are protected from being intercepted while in transmission or while in storage. Even if the Protonmail's staff is compelled by a court order. In the next post, I will discuss Protonmail's weaknesses.

Don't forget to Upvote and follow if you found this blog useful.

Disclaimer and General Information: All disclaimer statements and general information regarding my blog are posted at this link: https://steemit.com/disclamer/@voice-of-reason/disclaimers-and-general-information-post

References:
https://protonmail.com/security-details
https://en.wikipedia.org/wiki/ProtonMail