An Introduction to Secure Email Presented by: Addam Schroll IT Security & Privacy Analyst
Topics Secure Email Basics Types of Secure Email Walkthroughs 2
Secure Email Services Confidentiality Message Integrity Sender Authentication 3
Protect sensitive data Why do I want secure email? Prove authenticity to recipients Send attachments normally filtered Avoid the junk folder! 4
How does Secure Email work? Long answer That s another talk entirely. Short answer Secure email uses a set cryptographic tools to encapsulate a message into a specially formatted envelope. 5
Encryption Think CryptoQuip Means of hiding a message through substitution or rearranging letters Requires a key to unlock the original message 6
Digital Signatures A string of characters that uniquely identifies the signer of an electronic message. Recipients are able to Verify message was from purported sender Verify message was not modified in transit Sender cannot deny being originator of message 7
Pick your poison Most popular secure email standards S/MIME OpenPGP How are these different? Similar services Different trust models 8
Hierarchical Trusts Users all directly trust some central authority Alice trusts Bob if Bob s chain of trust traces back to the central authority Driver s License Issued by state authority to prove identity to others 9
Web of Trust Incorporates user perception of trust Any user can be an authority to verify others Users can assign levels of trust Not all authorities are equal Alice and Bob think she is Carol, and that s good enough for me. 10
S/MIME and Digital Certificates IETF standard extending MIME Most email clients already support S/MIME Requires users have public keys to communicate securely Where do users get this key? 11
S/MIME Capable Clients Apple Mail Entourage Eudora 7 Evolution Kmail Mozilla/Thunderbird Mutt Outlook Pine 12
OpenPGP A defacto standard based on Pretty Good Privacy program Users must be able to find others public keys Requires additional 3 rd party software Several implementations available 13
Finding public keys Get public key from previous messages Lookup via directory service PGP Key Servers (e.g. http://pgp.mit.edu) Purdue Electronic Directory Distributed via Public Key Infrastructure 14
Trusting Keys Equivalent to trusting link between identity and key Must have a process for validating identity of key owner Documentation Check Verbal Verification 15
GNU Privacy Guard Freely available implementation of OpenPGP protocol Available for most platforms Does not integrate directly with email clients Integrates with Thunderbird through Enigmail 16
PGP Desktop 8.0 Commercial implementation of OpenPGP standard Runs on Windows and MacOS X Integrates with several common email clients 17
PGP Desktop 9.0 Acts as email proxy instead of client plugin Allows secure email through any client May require reconfiguration of email client connection settings 18
Issues with Secure Email Who should have access to private keys? How do we exchange public keys? How do we assign trust? Should group keys be issued? 19
Generate an Identity Steps to Secure Email Configure Secure Email software Get public keys for recipients Start sending secured messages 20
Getting a Digital Certificate Must be issued by an authority Organizational PKI Third-party vendor Free personal certificates available Thawte Global Trust CACert Comodo 21
Thawte Personal Certificate Enroll for Thawte ID via website Request certificate for ID Must provide national identification number By default, certificate includes email address but not name No validation done to link identity to address yet 22
Thawte Web of Trust Receive trust points from notaries 50 points: Request certificate with name 100 points: Eligible to be a notary Several notaries on Purdue WL campus Hint: One is probably up front talking right now 23
Download from Thawte via IE How to Install a Certificate - Outlook Set Security to High Automatically installed in certificate store How do I view the certificate store? Control Panel->Internet Options->Content->Certificates 24
Download from Thawte via IE How to Install a Certificate - Thunderbird Export from certificate store Import into Thunderbird Options->Privacy->Security->View Certificates->Import 28
Specify identity to link to keys Generating PGP Keys Provide key type and size parameters Add comments or even a digital photo Choose a strong passphrase 30
Outlook S/MIME Setup Outlook S/MIME Walkthrough Encrypting and signing messages Decrypting and Verifying messages 35
Thunderbird Setup Thunderbird S/MIME Walkthrough Encrypting and signing messages Decrypting and Verifying messages 40
Interface Overview Signing messages Encrypting messages Decrypting messages Backing up key pairs PGP Desktop 9 Walkthrough 45
Generate new key pair Configure Enigmail settings Thunderbird GPG Walkthrough Encrypting and Signing Messages Inline PGP vs. PGP/MIME Decrypting and Verifying Messages 53
Using GPG with Thunderbird
Secure Email Tips Backup your keys! Revoke certificates or PGP keys if compromised Trusting a key should only be done after suitable verification with the owner 60
Secure Email Tips Follow the Purdue Data Handling Guidelines Encrypted email is a means of transport, not storage File your sensitive information elsewhere 61
Just because you can, doesn t mean you should. 62
References Trust Models www.pgpi.org/doc/pgpintro/#p20 Thawte Personal Certificates www.thawte.com/secure-email/personal-email-certificates/index.html S/MIME Tutorial www.marknoble.com/tutorial/smime/smime.aspx OpenPGP www.openpgp.org Pretty Good Privacy www.pgp.com Purdue Data Handling Guidelines www.itap.purdue.edu/security/procedures/datahandling.cfm 63
References Gnu Privacy Guard http://www.gnupg.org/ Enigmail OpenPGP Extension enigmail.mozdev.org NIST Guidelines on Electronic Mail Security (Draft) http://csrc.nist.gov/publications/drafts/draft-sp800-45a.pdf 64