The use of PGP to provide secure email delivery of CAA results

An important component of any assessment procedure is the security of results and authentication of the examinee. Unfortunately, the use of regular email for the delivery of CAA (Computer Assisted Assessment) results is not immune from these problems, as regular email suffers from a number of potential security flaws. When an email is sent across the Internet it is transmitted in a readable text format. This means that if an unauthorised user managed to access the message whilst in transit or while stored on an email server, they could easily read the email, or even alter the content of the message. Additionally, regular email offers no form of authentication: it is possible for a user to send an email but make it look as though somebody else sent it.

To prevent these problems a number of software packages have been developed; one such program is PGP (Pretty Good Privacy). PGP can encrypt and sign an email message before it is sent, therefore providing the following security:

• Prevention of unauthorised users reading the message (privacy)
• Proof that the message has not been altered (integrity)
• Confirmation of the origin of the message (authentication)

At the University of Liverpool a JISC (Joint Information Systems Committee) funded pilot project was set up to investigate the use of PGP to provide secure email delivery of CAA results.