Upload
sherman-oliver
View
212
Download
0
Embed Size (px)
Citation preview
CSCE 201CSCE 201
Email SecurityEmail SecurityFall 2010Fall 2010
CSCE 201 - Farkas 2
Electronic MailElectronic Mail Most heavily used network-based application
– Over 210 billion per day
Used across different architectures and platforms Send e-mail to others connected directly or
indirectly to the Internet regardless of host operating systems and protocols
NEED: – Authentication– Confidentiality
CSCE 201 - Farkas 3
Why Email Security?Why Email Security?Message confidentialityMessage integritySender authenticationNonrepudiation
How email works?How email works?TCP sub-protocols:
– Simple Mail Transfer Protocol (SMTP): outgoing mail, port 25
– Post Office Protocol (POP): incoming mail, port 110
CSCE 201 - Farkas 4
SMTP SMTP
POP3
Sender Receiver
Internet
Internet Mail Access ProtocolInternet Mail Access Protocol
POP3: email is downloaded to the client’s computer and deleted from the server
IMAP4: email remains on the server– Can be organized into folders– Can be accessed remotely– Can be used offline
CSCE 201 - Farkas 5
Email attacksEmail attacksSpam: unsolicited email
– Costly: time spent on looking at and deleting email– Text, image spam
Protection: spam filters– Set level of spam email protection– Block specific senders (black list)– Allow only specific senders (white list)– Block top level domains
CSCE 201 - Farkas 6
Email AttacksEmail AttacksMalicious attachments and embedded hyperlink
– Virus, spyware, adware, etc.
Protection: – Malware detection tool– Read messages using a reading pane– Block external content– Preview attachments– Use email postmark
CSCE 201 - Farkas 7
CSCE 201 - Farkas 8
Secure E-mail ApproachesSecure E-mail ApproachesPEM: Privacy-Enhanced MailS/MIMEPGP: Pretty good Privacy
CSCE 201 - Farkas 9
Pretty Good PrivacyPretty Good PrivacyPhil Zimmermann (early 90’)Confidentiality and authentication for
– Electronic mail and– Storage applications
CSCE 201 - Farkas 10
PGP – EvolutionPGP – Evolution1. Best available cryptographic algorithms (90’)
2. Integrate these algorithms such that1. Independent of operating system and processor
2. Based on a small set of commands
3. Make the application and the documentation available through the Internet
4. Agreement with a company to provide compatible, low-cost commercial version of PGP
CSCE 201 - Farkas 11
PGP - UsagePGP - UsagePGP became widely used within a few years
– Available worldwide for different platforms– Based on proven secure algorithms such as RSA,
IDEA, MD5– Wide range of applicability– Was not developed or controlled by government
standards
CSCE 201 - Farkas 12
PGP ServicesPGP Services Digital Signature: RSA, MD5
Hash code of message is created using MD5, encrypted using RSA, with sender’s private key, and attached to the message
Confidentiality: RSA, IDEA Message is encrypted using IDEA, with one-time
session key generated by the sender, session key is encrypted, using RSA and the recipient’s public key, and attached to the message
CSCE 201 - Farkas 13
PGP ServicesPGP Services Compression: ZIP
Message may be compressed for storage or transmission
E-mail compatibility Encrypted message is converted to ACSII string
Segmentation To accommodate maximum message size, PGP
performs segmentation and reassembly