Email the killer app

About This Presentation

Title:

Email the killer app

Description:

Attachments make e-mail a general file delivery mechanism ... HushMail. Web based. 2048 bit strong encryption end to end. Uses OpenPGP Standard ... – PowerPoint PPT presentation

Number of Views:99

Avg rating:3.0/5.0

Slides: 119

Provided by: bruce161

Category:

more less

Transcript and Presenter's Notes

Title: Email the killer app

1
Email the killer app
2
Email Issues

E-mail basics
Confidentiality
Integrity
Authenticity
Spam
Vehicle for malware
Management
Best Practices

3
E-Mail Basics

Importance of E-Mail
Universal service on the Internet (9.7 billion in
2000, expected to be 35 billion by 2005)
Attachments make e-mail a general file delivery
mechanism
Viruses, worms, and spam, and other abuses

4
E-Mail Security

E-Mail Technology
E-Mail Clients and Mail Servers
Mail server software Sendmail on UNIX, Microsoft
Exchange, and Lotus/IBM Notes
Exchange dominate on Windows servers
Microsoft Outlook Express is safer than
full-featured Outlook because Outlook Express
generally does not execute content

5
E-Mail Standards
SMTP To Send
SMTP To Send
Receivers Mail Server
Senders Mail Server
Simple Mail Transfer Protocol (SMTP) to transmit
mail in real time to a users mail server or
between mail servers Sender-initiated
Sending E-Mail Client
Receiving E-Mail Client
6
E-Mail Standards
POP or IMAP To Receive
Receivers Mail Server
Senders Mail Server
POP or IMAP to download mail to receiver when the
receiver is next capable of downloading
mail. Receiver-initiated
Sending E-Mail Client
Receiving E-Mail Client
7
E-Mail

E-Mail Standards
Downloading mail to client
Post Office Protocol (POP) Simple and widely
used
Internet Message Application Program (IMAP) More
powerful, can manage messages on the receivers
mail host, less widely used

8
E-Mail Standards
Receivers Mail Server
Senders Mail Server
Message Body Format Standard
Sending E-Mail Client
Receiving E-Mail Client
RFC 822 or 2822 HTML body UNICODE
9
Figure 9-6 E-Mail Security

E-Mail Technology
E-mail bodies
RFC 822 / RFC 2822 Plain English text
HTML bodies Graphics, fonts, etc.
HTML bodies might contain scripts, which might
execute automatically when user opens the message
Web-based e-mail needs only a browser on the
client PC

10
Interactions in the Simple Mail Transfer Protocol
(SMTP)
Actor
Command
Comment
Receiving SMTP Process
220 Mail.Panko.Com Ready
When a TCP connection is opened, the
receiver signals that is is ready.
Sending SMTP Process
HELO Voyager.cba.Hawaii.edu
Sender asks to begin Sending a message. Gives own
identity.
Receiver
250 Mail.Panko.Com
Receiver signals that it Is ready to
begin Receiving a message.
11
Interactions in the Simple Mail Transfer Protocol
(SMTP)
Actor
Command
Comment
Sender
MAIL FROM Panko_at_ voyager.cba.hawaii.edu
Sender identifies the sender (mail author, not
SMTP process).
Receiver
250 OK
Accepts author. However, May reject mail from
others.
Sender
RCPT TO Ray_at_Panko.com
Identifies first mail recipient.
Receiver
250 OK
Accepts first recipient
12
Interactions in the Simple Mail Transfer Protocol
(SMTP)
Actor
Command
Comment
Sender
RCPT TOLee_at_Panko.com
Identifies second mail Recipient.
Receiver
550 No such user here
Does not accept second Recipient. However will
deliver to first recipient.
Sender
DATA
Message will follow.
Receiver
354 Start mail input end with ltCRLFgt.ltCRLFgt
Gives permission to send message.
13
Interactions in the Simple Mail Transfer Protocol
(SMTP)
Actor
Command
Comment
Sender
When in the course
The message. Multiple lines Of text. Ends with
line Containing only a single Period
ltCRLFgt.ltCRLFgt
Receiver
250 OK
Receiver accepts message.
Sender
QUIT
Requests termination of Session.
Receiver
221 Mail.Panko.Com Service Closing transmission
channel
End of transmission.
14
E-Mail Security

How do we address issues of
Confidentiality
Authenticity
Integrity
Need some form of secure email

15
Secure Email Choices

Services sold to end user administrated via Web
E-Mail interface
Proprietary software products
S/MIME Standard build into many mail clients
Software products that use open standards

16
E-Mail Services

HushMail
Web based
2048 bit strong encryption end to end
Uses OpenPGP Standard
Public/Private Key plus symmetric keys
Standard email communication
Secure email embedded in your web site via use of
forms

Mailwatch
An e-mail boundary solution that prevents errant
e-mail messages from damaging a company's
network, reputation, or business relationships.
Content control
Malware scanning

CertifiedMail
Certified Email Appliance
Hardened OS, SSL transport encryption, encrypted
database, X.509 certificates
Certified Mail Server
Hardware and Software solution
Biometrics, SecureId, X.509 Certificates
Meets HIPAA requirements for healthcare industry,
meets SEC guidelines for financial institutions
for delivering sensitive financial documents and
trade confirmations.

Certified Mail ASP
send secure, trackable e-mail messages to any
Internet user
provides a web interface to create, track and
receive CertifiedMail messages, and a Send
Certified plug-in to provide one-click sending of
secure messages from your e-mail client.
Send to individuals or groups of users and know
who has opened your message
Stay in touch with secure messages from your
Internet-enabled cell phone

CryptoHeaven
a secure Internet communications service
comprised of the following components Secure
Email , Secure Online Storage, File Sharing and
File Distribution
Secure Instant Messaging and Chatting
Secure and Private Discussion Forums
CryptoHeaven is easy to use and offers total
end-to-end security with state of the art 256 bit
encryption. Here is what you get
2048 to 4096 bit asymmetric and 256 bit symmetric
key encryption
no third party keyholder

automatic key and contact management
all services integrated and available from a
single user interface
no personal information - no names, no addresses,
no credit card numbers required
system free from any type of snooping and
interference, including any and all types of
governments and "authorities"
CryptoHeaven offers free and premium accounts.
Use CryptoHeaven and communicate in total
privacy. CryptoHeaven is by far the easiest to
use secure communications service, all you have
to do is just download a small client front-end.

22
Secure / Multipurpose Internet Mail Extension

Enhancement to MIME
Uses technology from RSA
The standard for commercial and organizational
use
Need to understand
RFC 822
Mime

23
RFC 822

Defines a format for text messages
Message
Envelope that information necessary to
accomplish transmission and delivery
Contents the object to be delivered to the
recipient
RFC 822 applies to contents

Contents includes header fields used by mail
system to create the envelope
Header fields available to programs
Message consists of ASCII text
Some number of header lines
Unrestricted text as body
Separated by blank line

Header line consists of keyword followed by ,
followed by keyword argument I.e
Date Tue, 16 Jan 1998 103717 (EST)
From Bruce P. Tis btis_at_simmons.edu
Subject Sample Message
To student_at_simmons.edu

26
Multipurpose Internet Mail Extensions

Extension to RFC 822
Address limitations of the use of SMTP and RFC 822

27
Limitations of SMTP/RFC822

Cannot transmit executable files or other binary
objects
Cannot transmit national language characters 8
bit ASCII
SMTP restricts message size
SMTP gateways that translate from ASCII to
EBCIDIC do not use consistent set of mappings

SMTP gateways to X.400 cannot handle nontextual
data included in X.400
Some SMTP implementations do not adhere
completely to SMTP standards defined in RFC 821

29
MIME

Resolves problems compatible with RFC 822
implementations
Five new header fields about body
A number of content formats that standardize
multimedia email
Transfer encodings that enable conversion of any
content into form that is protected from
alteration by mail systems

30
MIME Header Fields

MIME-Version
Content-Type describes data in body
Content-Transfer-Encoding indicates type of
transformation used to represent data
Content-ID used to identify MIME entities
uniquely in multiple contexts
Content-Description test description of the
object within the body

31
Content Types

Text
Plain
Enriched
Multipart
Mixed
Parallel
Alternative
Digest

Message
Rfc822
Partial
External-body
Image
Jpeg
Gif
Video
Audio
Application
Postscript
Octet-stream

32
MIME Transfer Encoding

7bit short lines of ASCII characters
8bit short lines but may be non-ASCII
characters
Binary may have long lines
Quoted printable encoded ASCII characters not
recognizable
Base64 map 6bit blocks into 8 bit block so all
are printable
X-token a named non-standard encoding

33
(No Transcript)
34
S/MIME Functionality

Sign and/or Encrypt messages
Look at
Capability
Message formats
Message preparation

Enveloped data encrypted content of any type
and encrypted content encryption keys for one or
more recipients
Signed data (digital signature)
Encrypt message digest with private key of sender
Content plus signature encoded using base64

Clear signed data only digital signature is
encrypted
Signed and enveloped data signed only and
encrypted only entities may be nested

37
Cryptographic Algorithms

Message Digest
SHA-1 and MD5
Encryption of message digest
DSS
RSA 512-1024 bit keys
Encryption of session key
Diffie-Hellman
RSA
Encryption of message contents
Triple DES
RC2/40

Protocol includes procedure for sending and
receiving station to negotiate which algorithms
to use
Always tries to use most secure algorithm
If multiple recipients cant agree then message
sent multiple times with different algorithms

39
S/MIME Messages Content Types

Multipart Signed clear signed message in two
parts, message and signature
Application
Pkcs7-mime signedData- a signed entity
Pkcs7-mime envelopedData encrypted
Pkcs7-mime degenerate signedData only contains
public key certificates
Pkcs7-signature signature subpart of a
multipart/signed message
Pkcs10-mime a certificate registration request

40
Securing a MIME Entity

Secures with signature, encryption or both
May be entire message or one or more subparts of
the message
Entity prepared according to rules of MIME plus
security related data
Algorithm identifiers
Certificates

Produces PKCS object wrapped in MIME
Message converted to canonical form
Since PKCS object is binary encoded into base64

42
Enveloped Data

Generate session key for rc2/triple DES
Encrypt session key with recipients public RSA
key
Prepare RecipientInfo block containing
Senders public key certificate
Id of algorithm used to encrypt session key
Encrypted session key
Encrypt message content with session key
Encode into base64

43
Signed Data

Select message digest algorithm SHA or MD5
Compute message digest
Encrypt message digest with signers private key
Prepare SignerInfo block containing
Signers public key certificate
ID of message digest algorithm
ID of algorithm used to encrypt message digest
Encrypted message digest

44
Clear Signing

Uses multipart content type with signed subtype
Message sent in the clear
Message consists of two parts
Message contents
Signature with a content type of application and
a subtype of pkcs7-signature

45
Registration Request

Application/pkcs10 entity
Request includes
certificationRequestInfo block
Name of certificate subject
Users public key
Id of public key encryption algorithm
Signature of certificationRequestInfo block

46
Certificates-Only Message

Message containing only certificates or
certificate revocation list
Same as signedData message

47
S/MIME Certificate Processing

Uses X.509 certificates
Each client must be configured with list of
trusted keys
Used to verify incoming signatures

48
User agent (client) Role

Key generation Diffie-hellman DSS, RSA
Registration public key registered in order to
obtain certificate
Certificate storage and retrieval
List of other users certificates to verify
incoming signatures and encrypt messages

49
Verisign

Most widely used CA
Compatible with S/MIME
Issues X.509 certificates
Calls certificate Digital ID
14.95/year or 60 day free trial certificate for
class 1 digital ID

50
Digital ID contains

Owners public key
Owners name or alias
Expiration date
Serial number
Name of CA
Digital signature of CA

51
Optional information

Address
E-mail address
Other information (country, zip, age, gender etc)

52
Three Classes

Class 1 confirms users email address
Class 2 verifies information in application
through automated comparison with a consumer
database
Class 3 user provides notarized credentials or
apply in person

53
Enhanced Security Services

Signed receipts proof of delivery
Security labels
Access control
Priority
Role based
Secure mailing lists

54
Obtaining An ID

Complete the application form
Verisign will send an email with a PIN
Access Verisigns web site and paste PIN
Versign will download and install Digital ID in
browser
Accessing your certificates in browser will
show your certificate

55
(No Transcript)
56
(No Transcript)
57
(No Transcript)
58
(No Transcript)
59
(No Transcript)
60
(No Transcript)
61
(No Transcript)
62
(No Transcript)
63
(No Transcript)
64

In the case of Netscape V7 you have to configure
Netscape to use the certificate for a specific
email account

65
(No Transcript)
66

I then sent a signed (but not encrypted) message
to another account
I was just distributing my certificate so that
person could send an encrypted message to me

67
(No Transcript)
68
(No Transcript)
69

Once that person has my certificate (public key)
she could send a signed and encrypted message to
me
Encrypted with my public key and decrypted with
my private key
Next slide show message
Note symbols in upper right hand corner

70
(No Transcript)
71

Once I had read the message her certificate would
automatically be added to my certificate manager

72
(No Transcript)
73
(No Transcript)
74
(No Transcript)
75
Pretty Good Privacy - PGP
76
History

Phil Zimmermann created in response to the
perceived need for privacy
Created originally to circumvent government
regulations on public key cryptography
Selected best available cryptographic algorithms
RSA, DSS, Diffe-Hellman, CAST-128, IDEA, TDEA,
SHA-1

Provides confidentiality and authentication
services for electronic mail and file storage
Integrated into MS Outlook and Eudora mail
clients
Can be used with any other mail client by
cut/pasting message between client and PGP
Commercial version of PGP sold by Network
Associates until 2002

PGP Corporation formed and bought rights to PGP
from Network Associates
First release, version 8.0, release by PGP Corp
in December 2002
www.pgp.com
First version fully compatible with Windows XP
and AES

79
OpenPGP

Derived from PGP
Defined by the OpenPGP Working Group of the
Internet Engineering Task Force (IETF) standard
RFC 2440.
OpenPGP Alliance is a group of companies that are
implementers of the OpenPGP standard. The
Alliance works to facilitate technical
interoperability and marketing synergy between
OpenPGP implementations.

80
PGP Licensing Options

PGP Freeware
PGPmail, PGPKeys, PGPTray
PGP Personal Edition
Freeware PGPDisk, personal email plugins
eudora, ICQ, Outook
PGP Desktop
Personal Edition emails plugins Group Wise,
Lotus Notes, Exchange Server
PGP Enterprise
Desktop PGPadmin, PGP Keyserver

81
Services Provided

Authentication
Confidentiality
Compression
E-mail compatibility
Segmentation

82
Authentication

Sender creates a message
SHA-1 generates 160 bit hash of message
Hash encrypted with RSA using senders private
key and prepended to message
Receiver uses RSA with senders public key to
decrypt and recover hash
Receiver generates new hash and compares with
decrypted hash

83
Confidentiality

Uses conventional encryption algorithm using
CAST-128, IDEA, TDEA, Blowfish
64 bit cipher feedback mode is used
Conventional key used just once
128 bit random key
Key distributed with message by encrypting with
receivers public key

Sender generates message and random 128 bit
number for session key
Message is encrypted with session key
Session key is encrypted with RSA using
receivers public key and prepended to message
Receiver uses RSA with its private key to decrypt
and recover session key
Session key used to decrypt message

85
Confidentiality and Authentication

Both can be done
Signature generated for plaintext message
Plaintext message plus signature encrypted
Session key encrypted using RSA

86
Compression

PGP compresses message after applying the
signature but before encryption
Saves space for email transmission and for file
storage
Compression algorithm used is ZIP
Takes advantages of repeating patterns

87
Cryptographic Keys and Key Rings

PGP uses 4 types of keys
One time session conventional keys
Public keys
Private keys
Pass phrase-based conventional keys

88
Requirements

A means of generating unpredictable session keys
is needed
Users allowed to have multiple public/private key
pairs
Each PGP entity must maintain file of its own
public/private key pairs as well as a file of
public keys for correspondents

89
(No Transcript)
90
(No Transcript)
91
(No Transcript)
92
(No Transcript)
93
(No Transcript)
94
(No Transcript)
95
(No Transcript)
96
(No Transcript)
97
(No Transcript)
98
(No Transcript)
99
How are key used?

Signing a message
Encrypting a message
Decrypting a message
Authenticating a message

100
Signing a message

PGP retrieves senders private key using userid
as index
PGP prompts for passphrase to decrypt private key
Signature constructed

101
(No Transcript)
102
(No Transcript)
103
Encrypting a message

PGP generates session key and encrypts message
PGP retrieves recipients public key using userid
Session key component of message constructed

104
(No Transcript)
105
(No Transcript)
106
Decrypting a message

PGP retrieves receivers private key from private
key ring
PGP prompts for passphrase to decrypt private key
PGP recovers session key and decrypts message

107
(No Transcript)
108
Authenticating Message

PGP retrieves senders public key from public_key
ring
PGP recovers transmitted message digest
PGP computes message digest for received message
and compares to transmitted digest

109
E-Mail Filtering

Antivirus filtering and filtering for other
executable code
Especially dangerous because of scripts in HTML
bodies
Spam Unsolicited commercial e-mail

110

Volume is growing rapidly Slowing and annoying
users (porno and fraud)
Filtering for spam also rejects some legitimate
messages
Sometimes employees attack spammers back only
hurts spoofed sender and the company could be sued

111

Inappropriate Content
Companies often filter for sexually or racially
harassing messages
Could be sued for not doing so

112
E-Mail Retention

On hard disk and tape for some period of time
Benefit Can find information
Drawback Can be discovered in legal contests
could be embarrassing
Must retain some messages for legal purposes

113
E-Mail Retention

Shredding on receivers computer to take messages
back
Send key to decrypt
Make key useless after retention period so cannot
retrieve anymore

114
E-Mail Retention

Shredding on receivers computer to take messages
back
Might be able to copy or print before retention
limit date
Not good for contracts because receiver must be
able to keep a copy

115
E-Mail Retention

Message authentication to prevent spoofed sender
addresses
Employee training
E-mail is not private company has right to read
Your messages may be forwarded without permission

116
E-Mail Retention

Employee training
Never to put anything in a message they would not
want to see in court, printed in the newspapers,
or read by their boss
Never forward messages without permission

117
E-Mail Best Practices