Masud Hasan

1
Masud Hasan 03-60-475 SecueEmail VS Hushmail
Project 2
2
Secure Email Hushmail It uses Digital
Certificate combined with S/MIME capable email
clients to digitally sign and encrypt E-mail It
uses Digital Certificate combined with OpenPGP
capable email clients to digitally sign and
encrypt E-mail
3
Two Basic Features

• The two basic features of Email security are
  privacy (only the intended recipient can read the
  message) and authentication (the recipient can be
  assured of the identity of the sender). The
  technical capabilities for these functions has
  been known for many years, but they have only
  been applied to Internet mail recently.
• Reality Check Security experts claim users
  encrypt only about one in every 50 to 100 of
  their email messages.

4
Goal of this Project

• Learning Hushmail (PGP based secure Email)
• Compare Hushmail with SecureEmail(S/Mime based)
• Which one we should use to secure our Email?
• Technical difference between those 2 protocols.
• Difference in Algorithm, Mechanism used.

5
Hushmail How it works

• As part of enrollment, HushMail generates a
  public/private key pair for each user. The
  private key is encrypted with a pass-phrase and,
  along with the public key, stored on the HushMail
  server.
• When a HushMail user wishes to send a private
  message, a Java applet on the user's PC will
  request his password. The password is securely
  hashed, and part of the hash is sent to the
  HushMail server to validate the user.
• If the user is authenticated, the HushMail server
  sends the user's plaintext public key and
  encrypted private key to the Java applet at the
  user's machine. The applet symmetrically decrypts
  the private key and uses it for digital
  signatures.

6
Hushmail How it works

• E-mail messages and attachments are symmetrically
  encrypted using a unique session key for each
  message.
• The session key is encrypted using a HushMail
  recipient's public key, and included in the
  message before transmission.
• When a recipient reads e-mail, a Java applet
  decrypts the encrypted message (and attachments).
  If the message is digitally signed, the Java
  applet downloads the sender's public key and uses
  it to verify the sender.

7
Features

• Enhanced Spam Control
• Webmail Updates
• File Sharing
• IMAP Access
• External POP3

8
System Requirements
Browser IE 5.0, Netscape 7.0 OS
Windows/Linux Java Enabled MSVM/SUN Hushmail for
Outlook requires Microsoft Office 2000,
Microsoft Office XP, or Microsoft Office 2003.
It also requires that Outlook's Collaboration
Data Objects be installed.
OnSite
9
Installation tips

• Tips for Getting This Application Working in
  Internet Explorer
• Set Your Security Settings to Medium.
• The most common problem Internet Explorer users
  have with this application is that they set the
  security settings on their browser too high,
  disabling essential features such as JavaScript.
  This application recommends a security setting of
  "Medium".

OnSite
10
Installation Steps

• Run the Setup executable
• (I recommend that you set up your email address
  in Outlook prior to installation)
• Accept License Agreement
• Complete Installation

OnSite
11
Outlook Configuration

• Open Microsoft Outlook.
• Click the Hushmail icon on the Microsoft Outlook
  toolbar.
• Click the Add button.
• Specify whether you would like to digitally sign
  your outgoing mail.

OnSite
12
Continues..
OnSite
13
Continues..
OnSite
14
SecureEmail VS Hushmail

• SecureEmail uses S/MIME.
• Hushmail uses OpenPGP.
• Both the protocols are designed to perform the
  same task. However, they are not compatible with
  each other.
• The key distinguishing factor of these competing
  protocol is not the algorithm used to encrypt,
  but the technology used to establish the trust.
  

OnSite
15
Trust Establishment
Hushmail defines trust Through a Web of Trust
which places the burden of trust on the end
user.Its a transitive relationship. If A trust
B, and B trust C Then A will trust C Secure
Email defines trust Through a certificate
authority (CA ) to establish trust. Every user is
issued a certificate that contains his public key
and is signed by a CA. Because CA is trusted
third party, trust is automatically established
among users.

OnSite
16
Continues
Secure Email follows X.509 standard format for
digital signatures which can be only issued by a
CA. Open PGP supports not X.509, but rather a
digital certificate format developed by PGP Inc.
Note Industry Analyst say big corporations want
the extra level of authority a CA brings to the
table, as well as the better established X.509
digital certificate. (also include SSL features
for browsers)
OnSite
17
Continues
Being said that, Users want encryption and
digital certificate to be as simple as hitting
the send button to shoot a message over the
internet. Hush mail has easier user
implementation than Secure Email. The algorithm
used by both the tools are equally strong. None
of the Algorithm have been broken mathematically.

OnSite
18
Bottom line.
The bottom line is both forms of trust the
S/MIMEs third party CA and OpenPGPs Web of
trust are viable. However, its a pity that
they dont trust each other enough to work
together. Brighter Note The evolution of both
the protocols are now under the guidance of IETF
working group.

OnSite
19
Services/ Mechanisms and Algorithm Used
Services in a security protocol
Signatures
Encryption
Hashing
RSA
AES
SHAI
OnSite
20
Conclusion
I would consider doing my graduate studies in
Computer Security. Thanks for listening and good
luck for Final.
OnSite
21
QUESTIONS
Only easy ones will be answered! Kidding?
OnSite