Email the killer app - PowerPoint PPT Presentation

Slides: 119
Provided by: bruce161

Transcript and Presenter's Notes

1
Email the killer app
2
Email Issues
  • E-mail basics
  • Confidentiality
  • Integrity
  • Authenticity
  • Spam
  • Vehicle for malware
  • Management
  • Best Practices

3
E-Mail Basics
  • Importance of E-Mail
  • Universal service on the Internet (9.7 billion in
    2000, expected to be 35 billion by 2005)
  • Attachments make e-mail a general file delivery
    mechanism
  • Viruses, worms, and spam, and other abuses

4
E-Mail Security
  • E-Mail Technology
  • E-Mail Clients and Mail Servers
  • Mail server software: Sendmail on UNIX, Microsoft
    Exchange, and Lotus/IBM Notes
  • Exchange dominates on Windows servers
  • Microsoft Outlook Express is safer than
    full-featured Outlook because Outlook Express
    generally does not execute content

5
E-Mail Standards
[Diagram: Sending E-Mail Client, Sender's Mail Server, Receiver's Mail Server, Receiving E-Mail Client; links labeled "SMTP To Send"]
  • Simple Mail Transfer Protocol (SMTP) transmits mail in real time to a user's mail server or between mail servers (sender-initiated)
6
E-Mail Standards
[Diagram: Sending E-Mail Client, Sender's Mail Server, Receiver's Mail Server, Receiving E-Mail Client; link labeled "POP or IMAP To Receive"]
  • POP or IMAP downloads mail to the receiver when the receiver is next capable of downloading mail (receiver-initiated)
7
E-Mail
  • E-Mail Standards
  • Downloading mail to client
  • Post Office Protocol (POP): simple and widely
    used
  • Internet Message Application Program (IMAP): more
    powerful, can manage messages on the receiver's
    mail host, less widely used

8
E-Mail Standards
[Diagram: Sending E-Mail Client, Sender's Mail Server, Receiver's Mail Server, Receiving E-Mail Client; labeled "Message Body Format Standard": RFC 822 or 2822, HTML body, UNICODE]
9
Figure 9-6 E-Mail Security
  • E-Mail Technology
  • E-mail bodies
  • RFC 822 / RFC 2822: plain English text
  • HTML bodies: graphics, fonts, etc.
  • HTML bodies might contain scripts, which might
    execute automatically when user opens the message
  • Web-based e-mail needs only a browser on the
    client PC

10
Interactions in the Simple Mail Transfer Protocol (SMTP)

| Actor | Command | Comment |
|---|---|---|
| Receiving SMTP Process | 220 Mail.Panko.Com Ready | When a TCP connection is opened, the receiver signals that it is ready. |
| Sending SMTP Process | HELO Voyager.cba.Hawaii.edu | Sender asks to begin sending a message. Gives own identity. |
| Receiver | 250 Mail.Panko.Com | Receiver signals that it is ready to begin receiving a message. |
11
Interactions in the Simple Mail Transfer Protocol (SMTP)

| Actor | Command | Comment |
|---|---|---|
| Sender | MAIL FROM: Panko@voyager.cba.hawaii.edu | Sender identifies the sender (mail author, not SMTP process). |
| Receiver | 250 OK | Accepts author. However, may reject mail from others. |
| Sender | RCPT TO: Ray@Panko.com | Identifies first mail recipient. |
| Receiver | 250 OK | Accepts first recipient. |
12
Interactions in the Simple Mail Transfer Protocol (SMTP)

| Actor | Command | Comment |
|---|---|---|
| Sender | RCPT TO: Lee@Panko.com | Identifies second mail recipient. |
| Receiver | 550 No such user here | Does not accept second recipient. However, will deliver to first recipient. |
| Sender | DATA | Message will follow. |
| Receiver | 354 Start mail input; end with <CRLF>.<CRLF> | Gives permission to send message. |
13
Interactions in the Simple Mail Transfer Protocol (SMTP)

| Actor | Command | Comment |
|---|---|---|
| Sender | When in the course | The message. Multiple lines of text. Ends with a line containing only a single period: <CRLF>.<CRLF> |
| Receiver | 250 OK | Receiver accepts message. |
| Sender | QUIT | Requests termination of session. |
| Receiver | 221 Mail.Panko.Com Service Closing transmission channel | End of transmission. |
14
E-Mail Security
  • How do we address issues of
  • Confidentiality
  • Authenticity
  • Integrity
  • Need some form of secure email

15
Secure Email Choices
  • Services sold to end users, administered via a Web
    E-Mail interface
  • Proprietary software products
  • S/MIME: standard built into many mail clients
  • Software products that use open standards

16
E-Mail Services
  • HushMail
  • Web based
  • 2048 bit strong encryption end to end
  • Uses OpenPGP Standard
  • Public/Private Key plus symmetric keys
  • Standard email communication
  • Secure email embedded in your web site via use of
    forms

17
  • Mailwatch
  • An e-mail boundary solution that prevents errant
    e-mail messages from damaging a company's
    network, reputation, or business relationships.
  • Content control
  • Malware scanning

18
  • CertifiedMail
  • Certified Email Appliance
  • Hardened OS, SSL transport encryption, encrypted
    database, X.509 certificates
  • Certified Mail Server
  • Hardware and Software solution
  • Biometrics, SecureId, X.509 Certificates
  • Meets HIPAA requirements for healthcare industry,
    meets SEC guidelines for financial institutions
    for delivering sensitive financial documents and
    trade confirmations.

19
  • Certified Mail ASP
  • send secure, trackable e-mail messages to any
    Internet user
  • provides a web interface to create, track and
    receive CertifiedMail messages, and a Send
    Certified plug-in to provide one-click sending of
    secure messages from your e-mail client.
  • Send to individuals or groups of users and know
    who has opened your message
  • Stay in touch with secure messages from your
    Internet-enabled cell phone

20
  • CryptoHeaven
  • a secure Internet communications service
    comprised of the following components: Secure
    Email, Secure Online Storage, File Sharing and
    File Distribution
  • Secure Instant Messaging and Chatting
  • Secure and Private Discussion Forums
  • CryptoHeaven is easy to use and offers total
    end-to-end security with state of the art 256 bit
    encryption. Here is what you get:
  • 2048 to 4096 bit asymmetric and 256 bit symmetric
    key encryption
  • no third party keyholder

21
  • automatic key and contact management
  • all services integrated and available from a
    single user interface
  • no personal information - no names, no addresses,
    no credit card numbers required
  • system free from any type of snooping and
    interference, including any and all types of
    governments and "authorities"
  • CryptoHeaven offers free and premium accounts.
    Use CryptoHeaven and communicate in total
    privacy. CryptoHeaven is by far the easiest to
    use secure communications service, all you have
    to do is just download a small client front-end.

22
Secure / Multipurpose Internet Mail Extension
  • Enhancement to MIME
  • Uses technology from RSA
  • The standard for commercial and organizational
    use
  • Need to understand
  • RFC 822
  • MIME

23
RFC 822
  • Defines a format for text messages
  • Message
  • Envelope: the information necessary to
    accomplish transmission and delivery
  • Contents: the object to be delivered to the
    recipient
  • RFC 822 applies to contents

24
  • Contents includes header fields used by mail
    system to create the envelope
  • Header fields available to programs
  • Message consists of ASCII text
  • Some number of header lines
  • Unrestricted text as body
  • Separated by blank line

25
  • Header line consists of a keyword, followed by a colon,
    followed by the keyword's argument, e.g.
  • Date: Tue, 16 Jan 1998 10:37:17 (EST)
  • From: Bruce P. Tis <btis@simmons.edu>
  • Subject: Sample Message
  • To: student@simmons.edu

26
Multipurpose Internet Mail Extensions
  • Extension to RFC 822
  • Address limitations of the use of SMTP and RFC 822

27
Limitations of SMTP/RFC822
  • Cannot transmit executable files or other binary
    objects
  • Cannot transmit national language characters (8
    bit ASCII)
  • SMTP restricts message size
  • SMTP gateways that translate from ASCII to
    EBCDIC do not use a consistent set of mappings

28
  • SMTP gateways to X.400 cannot handle nontextual
    data included in X.400
  • Some SMTP implementations do not adhere
    completely to SMTP standards defined in RFC 821

29
MIME
  • Resolves these problems while remaining compatible
    with RFC 822 implementations
  • Five new header fields about body
  • A number of content formats that standardize
    multimedia email
  • Transfer encodings that enable conversion of any
    content into form that is protected from
    alteration by mail systems

30
MIME Header Fields
  • MIME-Version
  • Content-Type: describes data in body
  • Content-Transfer-Encoding: indicates type of
    transformation used to represent data
  • Content-ID: used to identify MIME entities
    uniquely in multiple contexts
  • Content-Description: text description of the
    object within the body

31
Content Types
  • Text: Plain, Enriched
  • Multipart: Mixed, Parallel, Alternative, Digest
  • Message: Rfc822, Partial, External-body
  • Image: Jpeg, Gif
  • Video
  • Audio
  • Application: Postscript, Octet-stream

32
MIME Transfer Encoding
  • 7bit: short lines of ASCII characters
  • 8bit: short lines but may be non-ASCII
    characters
  • Binary: may have long lines
  • Quoted-printable: encoded ASCII characters not
    recognizable
  • Base64: maps 6-bit blocks into 8-bit blocks so all
    are printable
  • X-token: a named non-standard encoding
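
The MIME header fields and transfer encodings listed above are what a mail filter has to undo before it can inspect content, which is where the deck's concern about scripts in HTML bodies and executable attachments becomes checkable. The following Python code is an added example, not part of the original slides: it walks a constructed sample message, decodes each part, and records findings. The sample message, the `inspect_message` helper and the `RISKY_EXT` extension list are assumptions.

```python
import base64
import re
from email import message_from_bytes, policy

SCRIPT_RE = re.compile(rb"<\s*script\b", re.IGNORECASE)
RISKY_EXT = (".exe", ".scr", ".vbs", ".js")  # assumed site policy, not from the slides

# Constructed sample message (not from the slides): an HTML body sent as
# quoted-printable plus a binary attachment sent as base64.
ATTACHMENT = b"constructed attachment bytes \x00\x01\x02"
SAMPLE = (
    b"From: Sender <sender@example.com>\r\n"
    b"To: student@example.com\r\n"
    b"Subject: Sample Message\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b'<p class=3D"x">Hello</p><script src=3D"//example.com/a.js"></script>\r\n'
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="report.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="report.exe"\r\n'
    b"\r\n" + base64.b64encode(ATTACHMENT) + b"\r\n"
    b"--b1--\r\n"
)


def inspect_message(raw):
    """Walk the MIME tree, undo each part's transfer encoding, list findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts, findings = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_multipart():
            parts.append((ctype, "-", 0))  # container only, no body of its own
            continue
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
        body = part.get_payload(decode=True) or b""  # bytes after decoding
        parts.append((ctype, cte, len(body)))
        name = (part.get_filename() or "").lower()
        if ctype == "text/html" and SCRIPT_RE.search(body):
            findings.append("script in HTML body")
        if name.endswith(RISKY_EXT):
            findings.append("executable attachment: " + name)
        elif ctype == "application/octet-stream":
            findings.append("opaque binary attachment: " + (name or "unnamed"))
    return {"subject": str(msg["Subject"]), "parts": parts, "findings": findings}


if __name__ == "__main__":
    report = inspect_message(SAMPLE)
    for row in report["parts"]:
        print(row)
    print(report["findings"])
```
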

33
(No Transcript)
34
S/MIME Functionality
  • Sign and/or Encrypt messages
  • Look at
  • Capability
  • Message formats
  • Message preparation

35
  • Enveloped data: encrypted content of any type
    and encrypted content-encryption keys for one or
    more recipients
  • Signed data (digital signature)
  • Encrypt message digest with private key of sender
  • Content plus signature encoded using base64

36
  • Clear signed data: only digital signature is
    encrypted
  • Signed and enveloped data: signed-only and
    encrypted-only entities may be nested

37
Cryptographic Algorithms
  • Message Digest
  • SHA-1 and MD5
  • Encryption of message digest
  • DSS
  • RSA 512-1024 bit keys
  • Encryption of session key
  • Diffie-Hellman
  • RSA
  • Encryption of message contents
  • Triple DES
  • RC2/40

38
  • Protocol includes procedure for sending and
    receiving station to negotiate which algorithms
    to use
  • Always tries to use most secure algorithm
  • If multiple recipients can't agree, then message
    sent multiple times with different algorithms

39
S/MIME Messages Content Types
  • Multipart Signed: clear signed message in two
    parts, message and signature
  • Application
  • Pkcs7-mime signedData: a signed entity
  • Pkcs7-mime envelopedData: encrypted
  • Pkcs7-mime degenerate signedData: only contains
    public key certificates
  • Pkcs7-signature: signature subpart of a
    multipart/signed message
  • Pkcs10-mime: a certificate registration request

40
Securing a MIME Entity
  • Secures with signature, encryption or both
  • May be entire message or one or more subparts of
    the message
  • Entity prepared according to rules of MIME plus
    security related data
  • Algorithm identifiers
  • Certificates

41
  • Produces PKCS object wrapped in MIME
  • Message converted to canonical form
  • Since PKCS object is binary, it is encoded into base64

42
Enveloped Data
  • Generate session key for RC2/triple DES
  • Encrypt session key with recipient's public RSA
    key
  • Prepare RecipientInfo block containing:
  • Sender's public key certificate
  • Id of algorithm used to encrypt session key
  • Encrypted session key
  • Encrypt message content with session key
  • Encode into base64

43
Signed Data
  • Select message digest algorithm: SHA or MD5
  • Compute message digest
  • Encrypt message digest with signer's private key
  • Prepare SignerInfo block containing:
  • Signer's public key certificate
  • ID of message digest algorithm
  • ID of algorithm used to encrypt message digest
  • Encrypted message digest

44
Clear Signing
  • Uses multipart content type with signed subtype
  • Message sent in the clear
  • Message consists of two parts
  • Message contents
  • Signature with a content type of application and
    a subtype of pkcs7-signature

45
Registration Request
  • Application/pkcs10 entity
  • Request includes
  • certificationRequestInfo block
  • Name of certificate subject
  • User's public key
  • Id of public key encryption algorithm
  • Signature of certificationRequestInfo block

46
Certificates-Only Message
  • Message containing only certificates or
    certificate revocation list
  • Same as signedData message

47
S/MIME Certificate Processing
  • Uses X.509 certificates
  • Each client must be configured with list of
    trusted keys
  • Used to verify incoming signatures

48
User agent (client) Role
  • Key generation: Diffie-Hellman, DSS, RSA
  • Registration: public key registered in order to
    obtain certificate
  • Certificate storage and retrieval
  • List of other users' certificates to verify
    incoming signatures and encrypt messages

49
Verisign
  • Most widely used CA
  • Compatible with S/MIME
  • Issues X.509 certificates
  • Calls certificate Digital ID
  • 14.95/year or 60 day free trial certificate for
    class 1 digital ID

50
Digital ID contains
  • Owner's public key
  • Owner's name or alias
  • Expiration date
  • Serial number
  • Name of CA
  • Digital signature of CA

51
Optional information
  • Address
  • E-mail address
  • Other information (country, zip, age, gender etc)

52
Three Classes
  • Class 1: confirms user's email address
  • Class 2: verifies information in application
    through automated comparison with a consumer
    database
  • Class 3: user provides notarized credentials or
    applies in person

53
Enhanced Security Services
  • Signed receipts: proof of delivery
  • Security labels
  • Access control
  • Priority
  • Role based
  • Secure mailing lists

54
Obtaining An ID
  • Complete the application form
  • Verisign will send an email with a PIN
  • Access Verisign's web site and paste PIN
  • Verisign will download and install Digital ID in
    browser
  • Accessing your certificates in browser will
    show your certificate

64
  • In the case of Netscape V7 you have to configure
    Netscape to use the certificate for a specific
    email account

65
(No Transcript)
66
  • I then sent a signed (but not encrypted) message
    to another account
  • I was just distributing my certificate so that
    person could send an encrypted message to me

67
(No Transcript)
68
(No Transcript)
69
  • Once that person has my certificate (public key)
    she could send a signed and encrypted message to
    me
  • Encrypted with my public key and decrypted with
    my private key
  • Next slide shows message
  • Note symbols in upper right hand corner

70
(No Transcript)
71
  • Once I had read the message her certificate would
    automatically be added to my certificate manager

72
(No Transcript)
73
(No Transcript)
74
(No Transcript)
75
Pretty Good Privacy - PGP
76
History
  • Created by Phil Zimmermann in response to the
    perceived need for privacy
  • Created originally to circumvent government
    regulations on public key cryptography
  • Selected best available cryptographic algorithms:
    RSA, DSS, Diffie-Hellman, CAST-128, IDEA, TDEA,
    SHA-1

77
  • Provides confidentiality and authentication
    services for electronic mail and file storage
  • Integrated into MS Outlook and Eudora mail
    clients
  • Can be used with any other mail client by
    cut/pasting message between client and PGP
  • Commercial version of PGP sold by Network
    Associates until 2002

78
  • PGP Corporation formed and bought rights to PGP
    from Network Associates
  • First release, version 8.0, released by PGP Corp
    in December 2002
  • www.pgp.com
  • First version fully compatible with Windows XP
    and AES

79
OpenPGP
  • Derived from PGP
  • Defined by the OpenPGP Working Group of the
    Internet Engineering Task Force (IETF) standard
    RFC 2440.
  • OpenPGP Alliance is a group of companies that are
    implementers of the OpenPGP standard. The
    Alliance works to facilitate technical
    interoperability and marketing synergy between
    OpenPGP implementations.

80
PGP Licensing Options
  • PGP Freeware
  • PGPmail, PGPKeys, PGPTray
  • PGP Personal Edition
  • Freeware PGPDisk, personal email plugins
    Eudora, ICQ, Outlook
  • PGP Desktop
  • Personal Edition emails plugins Group Wise,
    Lotus Notes, Exchange Server
  • PGP Enterprise
  • Desktop PGPadmin, PGP Keyserver

81
Services Provided
  • Authentication
  • Confidentiality
  • Compression
  • E-mail compatibility
  • Segmentation

82
Authentication
  • Sender creates a message
  • SHA-1 generates 160 bit hash of message
  • Hash encrypted with RSA using sender's private
    key and prepended to message
  • Receiver uses RSA with sender's public key to
    decrypt and recover hash
  • Receiver generates new hash and compares with
    decrypted hash

83
Confidentiality
  • Uses conventional encryption algorithm using
    CAST-128, IDEA, TDEA, Blowfish
  • 64 bit cipher feedback mode is used
  • Conventional key used just once
  • 128 bit random key
  • Key distributed with message by encrypting with
    receiver's public key

84
  • Sender generates message and random 128 bit
    number for session key
  • Message is encrypted with session key
  • Session key is encrypted with RSA using
    receiver's public key and prepended to message
  • Receiver uses RSA with its private key to decrypt
    and recover session key
  • Session key used to decrypt message

85
Confidentiality and Authentication
  • Both can be done
  • Signature generated for plaintext message
  • Plaintext message plus signature encrypted
  • Session key encrypted using RSA

86
Compression
  • PGP compresses message after applying the
    signature but before encryption
  • Saves space for email transmission and for file
    storage
  • Compression algorithm used is ZIP
  • Takes advantage of repeating patterns
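
The PGP steps on the preceding slides (sign with SHA-1 and RSA, compress, encrypt under a one-time session key, wrap that key with the receiver's public key) follow the same hybrid pattern as the S/MIME signed-data and enveloped-data steps earlier in the deck. The following Python code is an added example, not part of the original slides, showing that order of operations end to end. So that it runs with the standard library alone it uses assumed stand-ins: textbook RSA over known Mersenne primes and a SHA-256 keystream in place of CAST-128/IDEA in CFB mode; all function and key names are hypothetical.

```python
import hashlib
import secrets
import zlib

E = 65537


def make_key(p, q):
    """Textbook RSA key from two primes (stand-in: no padding, far too small)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


# Constructed demo keys from known Mersenne primes (assumption, not real PGP keys).
SENDER = make_key(2**127 - 1, 2**89 - 1)
RECEIVER = make_key(2**107 - 1, 2**61 - 1)


def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)


def sha1_int(message):
    return int.from_bytes(hashlib.sha1(message).digest(), "big")  # 160-bit hash


def pgp_send(message, sender, receiver_pub):
    signature = pow(sha1_int(message), sender["d"], sender["n"])  # sender's private key
    signed = signature.to_bytes(32, "big") + message              # signature prepended
    compressed = zlib.compress(signed)        # after signing, before encryption
    session_key = secrets.token_bytes(16)     # 128-bit key, used just once
    wrapped = pow(int.from_bytes(session_key, "big"),
                  receiver_pub["e"], receiver_pub["n"])           # receiver's public key
    return {"wrapped_key": wrapped,
            "ciphertext": keystream_xor(session_key, compressed)}


def pgp_receive(packet, receiver, sender_pub):
    """Return (message, signature_valid) for a packet built by pgp_send."""
    key_int = pow(packet["wrapped_key"], receiver["d"], receiver["n"])
    session_key = key_int.to_bytes(16, "big")
    signed = zlib.decompress(keystream_xor(session_key, packet["ciphertext"]))
    signature, message = int.from_bytes(signed[:32], "big"), signed[32:]
    recovered = pow(signature, sender_pub["e"], sender_pub["n"])  # sender's public key
    return message, recovered == sha1_int(message)


if __name__ == "__main__":
    pkt = pgp_send(b"When in the course", SENDER, RECEIVER)
    print(pgp_receive(pkt, RECEIVER, SENDER))
```

Verifying against the wrong public key returns the message with the validity flag set to false, which is the case a receiving client has to surface to the user.
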

87
Cryptographic Keys and Key Rings
  • PGP uses 4 types of keys
  • One time session conventional keys
  • Public keys
  • Private keys
  • Pass phrase-based conventional keys

88
Requirements
  • A means of generating unpredictable session keys
    is needed
  • Users allowed to have multiple public/private key
    pairs
  • Each PGP entity must maintain file of its own
    public/private key pairs as well as a file of
    public keys for correspondents

99
How are keys used?
  • Signing a message
  • Encrypting a message
  • Decrypting a message
  • Authenticating a message

100
Signing a message
  • PGP retrieves sender's private key using userid
    as index
  • PGP prompts for passphrase to decrypt private key
  • Signature constructed

101
(No Transcript)
102
(No Transcript)
103
Encrypting a message
  • PGP generates session key and encrypts message
  • PGP retrieves recipient's public key using userid
  • Session key component of message constructed

104
(No Transcript)
105
(No Transcript)
106
Decrypting a message
  • PGP retrieves receiver's private key from private
    key ring
  • PGP prompts for passphrase to decrypt private key
  • PGP recovers session key and decrypts message

107
(No Transcript)
108
Authenticating Message
  • PGP retrieves sender's public key from public key
    ring
  • PGP recovers transmitted message digest
  • PGP computes message digest for received message
    and compares to transmitted digest

109
E-Mail Filtering
  • Antivirus filtering and filtering for other
    executable code
  • Especially dangerous because of scripts in HTML
    bodies
  • Spam: unsolicited commercial e-mail

110
  • Volume is growing rapidly: slowing and annoying
    users (porno and fraud)
  • Filtering for spam also rejects some legitimate
    messages
  • Sometimes employees attack spammers back; this only
    hurts the spoofed sender, and the company could be sued

111
  • Inappropriate Content
  • Companies often filter for sexually or racially
    harassing messages
  • Could be sued for not doing so

112
E-Mail Retention
  • On hard disk and tape for some period of time
  • Benefit: can find information
  • Drawback: can be discovered in legal contests;
    could be embarrassing
  • Must retain some messages for legal purposes

113
E-Mail Retention
  • Shredding on receiver's computer to take messages
    back
  • Send key to decrypt
  • Make key useless after retention period so cannot
    retrieve anymore

114
E-Mail Retention
  • Shredding on receiver's computer to take messages
    back
  • Might be able to copy or print before retention
    limit date
  • Not good for contracts because receiver must be
    able to keep a copy

115
E-Mail Retention
  • Message authentication to prevent spoofed sender
    addresses
  • Employee training
  • E-mail is not private; company has right to read
  • Your messages may be forwarded without permission

116
E-Mail Retention
  • Employee training
  • Never to put anything in a message they would not
    want to see in court, printed in the newspapers,
    or read by their boss
  • Never forward messages without permission

117
E-Mail Best Practices
  • Do not forward hoaxes, rumors, urban legends,
    chain letters etc
  • Be careful with attachments
  • Create separate email account used when posting
    to newsgroups
  • Be selective about mailing list subscriptions
  • Be selective on who you copy on email messages or
    replies

118
  • Never send email messages in the heat of the
    moment
  • Use major distribution lists sparingly
  • Remember how public email generally is
  • Follow corporate policies