Email Security. Michael E. Locasto University of Calgary

Similar documents

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

DKIM last chance for mail service? TFMC2 01/2006

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

4.1: Securing Applications Remote Login: Secure Shell (SSH) PEM/PGP. Chapter 5: Security Concepts for Networks

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Network Security - ISA 656 Security

. Daniel Zappala. CS 460 Computer Networking Brigham Young University

Security. Issues:

How To Protect Your From Being Hacked On A Pc Or Mac Or Ipa From Being Stolen On A Network (For A Free Download) On A Computer Or Ipo (For Free) On Your Pc Or Ipom (For An Ipo

Table of Contents. Electronic mail. History of (2) History of (1) history. Basic concepts. Aka (or according to Knuth)

Prof. Sead Muftic Feng Zhang. Lecture 10: Secure Systems

Why you need secure

Internet Security [1] VU Engin Kirda

Managing and Securing Computer Networks. Guy Leduc. Chapter 3: Securing applications. Chapter goals: security in practice:

IBM. Implementing SMTP and POP3 Scenarios with WebSphere Business Integration Connect. Author: Ronan Dalton

Options for encrypted communication with AUDI AG Version of: 31 May 2011

Electronic Mail Security. Security. is one of the most widely used and regarded network services currently message contents are not secure

Standards and Products. Computer Security. Kerberos. Kerberos

Clearswift Information Governance

How To Write An On A Linux Computer (No Mail) (No ) (For Ahem) (Or Ahem, For Ahem). (For An ) Or Ahem.Org) (Ahem) Or An

Message Authentication Signature Standards (MASS) BOF. Jim Fenton Nathaniel Borenstein

What is network security?

Lecture 9 - Network Security TDTS (ht1)

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

2- Electronic Mail (SMTP), File Transfer (FTP), & Remote Logging (TELNET)

Chapter 6 Electronic Mail Security

Internet Technology 2/13/2013

SIP and VoIP 1 / 44. SIP and VoIP

Network Security. HIT Shimrit Tzur-David

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Network Services. SMTP, Internet Message Format. Johann Oberleitner SS 2006

The Case For Secure

POP3 Connector for Exchange - Configuration

Taxonomy of Security Protocol

Serial Deployment Quick Start Guide

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Electronic mail security. MHS (Message Handling System)

Security. Raj Jain. Washington University in St. Louis

SMTP Servers. Determine if an message should be sent to another machine and automatically send it to that machine using SMTP.

A Guide to Secure

Principles of Network Security

Envelope (SMTP) Journaling for Microsoft Exchange 2007 and 2010

Mail system components. Electronic Mail MRA MUA MSA MAA. David Byers

How to Build an Effective Mail Server Defense

Setting up Microsoft Office 365

Setting up Microsoft Office 365

TREND MICRO. InterScan VirusWall 6. SMTP Configuration Guide. Integrated virus and spam protection for your Internet gateway.

Installing your Digital Certificate & Using on MS Out Look 2007.

Envelope (SMTP) Journaling for Microsoft Exchange 2007 and 2010

Vesselin Tzvetkov, Holger Zuleger {vesselin.tzvetkov, Arcor AG&Co KG, Alfred-Herrhausen-Allee 1, Eschborn, Germany

Networks. Connecting Computers. Measures for connection speed. Ethernet. Collision detection. Ethernet protocol

How To Protect Your Data From Attack

T.38 fax transmission over Internet Security FAQ

Project 4: IP over DNS Due: 11:59 PM, Dec 14, 2015

Lecture 10: 1. Secure E mail E systems. Systems. Page 1

Networks & Security Course. Web of Trust and Network Forensics

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Security: Focus of Control. Authentication

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

Overview of VoIP Systems

COSC 472 Network Security

Introduction to Cryptography

Spam, Spam and More Spam. Spammers: Cost to send

Forging Digital Signatures

SIP Security. ENUM-Tag am 28. September in Frankfurt. Prof. Dr. Andreas Steffen. Agenda.

LEAP Encryption Access Project. Αλέξανδρος Αφεντούλης

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Chapter 7: Network security

A Noval Approach for S/MIME

Nokia for Business. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

I. Configuring Digital signature certificate in Microsoft Outlook 2003:

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Celframe - Easy Linux - Lesson 8 - Server

SIP, Session Initiation Protocol used in VoIP

Remote ESL On A Mac With OS-X Using SSH Tunneling & Port Forwarding

Application Security: Threats and Architecture

How to generate SSL certificates for use with a KVM box & XViewer with XCA v0.9.3

White paper. Why Encrypt? Securing without compromising communications

2- Electronic Mail (SMTP), File Transfer (FTP), & Remote Logging (TELNET)

AS2 Disaster Recovery Implementation Guide Issue 1, Approved, 18-Nov-2010

PGP Universal Satellite Version 2.7 for Windows Release Notes

QMAIL & SMTP: A Secure Application for an Unsecure Protocol. Orr Dunkelman. orrd@vipe.technion.ac.il. January 27, 2004 SMTP and QMAIL Slide 1

Transcription:

Email Security Michael E. Locasto University of Calgary

Agenda Read Chapter 20 and 21 - don t need to memorize PEM details background: RFCs, Chapter 22 Concept queskon: Where do we put security? SMTP Refresher Email security considerakons PEM, S/MIME, PGP We will talk more about email infrastructure security on Friday 4/2/15 Michael E. Locasto, CPSC 2

QoD JJ asks: "How do we alter someone else's email, so that we know how to protect against such a malicious a]ack? 4/2/15 Michael E. Locasto, CPSC 3

OK, so I know none of you ever use email and that only people between the ages of 28 and 64 use email, and eventually all these people will die off, so who cares about email security, blah blah blah, but the point is that whatever asynchronous messaging pladorm you use, it will have the same end- to- end security and privacy concerns. CAVEAT 4/2/15 Michael E. Locasto, CPSC 4

MoKvaKng QuesKon Where do we place security in the system and network stack? Problem domain: asynchronous chat - email, IRC, skype, twi]er, ICQ, gchat/aim, facebook messaging, web forums, etc. 4/2/15 Michael E. Locasto, CPSC 5

Simple Email Model Alice specifies a message containing headers and a body, and hands the message to an untrustworthy network to read, interpret, and rewrite her message on each hop toward Bob, the recipient (who may be offline). Conceptually similar to IP with a sprinkling of source- roukng style recording of the route of the message. 4/2/15 Michael E. Locasto, CPSC 6

4/2/15 Michael E. Locasto, CPSC 7

SMTP Terminology Simple mail transfer protocol store and forward model mail client / user agent (UA) sends to series of: MTA (message transfer agent) 4/2/15 Michael E. Locasto, CPSC 8

4/2/15 Michael E. Locasto, CPSC 9

You ll typically see an SMTP instance (sendmail, qmail, posdix) running on localhost at port 25; this is for local mail delivery 4/2/15 Michael E. Locasto, CPSC 10

Servers can play with your message. Usually this is just adding headers to track the message path, ank- spam countermeasures, etc. But MTAs somekmes play with the message content itself b/c machines have different ways of represenkng plaintext. This is annoying when we think of applying standard solukons for integrity. 4/2/15 Michael E. Locasto, CPSC 11

Standard Menu of C- I- A Threats Denial of Service RewriKng message Snooping/sniffing message in transit / at rest AuthenKcaKon of senders? Recipients? Sender anonymity Traffic analysis (did A send a msg to B?) business concerns: recall, return receipt, etc. 4/2/15 Michael E. Locasto, CPSC 12

Email Content Security (end- to- end) PEM (Privacy Enhanced Mail) - confidenkality, src auth, integrity (txt) - symmetric or asymmetric S/MIME - adapt PEM for use in MIME regime - e.g., signed data, encrypted data are new MIME types PGP (Pre]y Good Privacy) - web of trust, public key crypto 4/2/15 Michael E. Locasto, CPSC 13

Preliminary: Base- 64 encoding uuencode/uudecode map arbitrary data into a small set of characters, adding <CR><LF> 4/2/15 Michael E. Locasto, CPSC 14

4/2/15 Michael E. Locasto, CPSC 15

Main Ideas: Types of Content cleartext integrity- protected cleartext integrity- protected encoded data encrypted, integrity- protected data, encoded varying requirements on the recipient (knowledge & ability to decode) key establishment (especially PEM symmetric)? 4/2/15 Michael E. Locasto, CPSC 16

Main Ideas: IdenKfying Content Delimit the protected content in some way - - - - - BEGIN PRIVACY- ENHANCED MESSAGE- - - - - - - - - - END PRIVACY- ENHANCED MESSAGE- - - - - 4/2/15 Michael E. Locasto, CPSC 17

4/2/15 Michael E. Locasto, CPSC 18

4/2/15 Michael E. Locasto, CPSC 19

4/2/15 Michael E. Locasto, CPSC 20

S/MIME adapts PEM Ideas In the MIME encoding framework applicakon/pkcs7- signature applicakon/pkcs7- mime Did not try to create a PKI like PEM did 4/2/15 Michael E. Locasto, CPSC 21

S/MIME to PGP S/MIME allows users to obtain cerkficates from any cerkficate authority A sender communicates their cerkficate to a recipient simply by sending a signed message, but Bob skll needs to establish trust in the binding Upshot: S/MIME is effeckve against passive eavesdropping forecasts the introduckon of PGP 4/2/15 Michael E. Locasto, CPSC 22

Key DistribuKon PEM: Rigid hierarchy of Cas PGP: web- of- trust ( anarchy ) S/MIME: doesn t care, but prackcally: assumes disconnected set of federated CAs 4/2/15 Michael E. Locasto, CPSC 23

Unaddressed Security of email server infrastructure - bugs - spam - domain/dns ownership - client authenkcakon PEM cerkficate hierarchy - example of PKI concept Public Key Infrastructure in general - trust in the PKI, cerkficate authorikes, etc. 4/2/15 Michael E. Locasto, CPSC 24

THE END 4/2/15 Michael E. Locasto, CPSC 25