CSCE 201 Email Security Fall 2010

CSCE 201 Email Security Fall 2010. CSCE 201 - Farkas2 Electronic Mail Most heavily used network-based application – Over 210 billion per day Used across


Electronic Mail

Most heavily used network-based application
– Over 210 billion per day
Used across different architectures and platforms
Send e-mail to others connected directly or indirectly to the Internet regardless of host operating systems and protocols
NEED:
– Authentication
– Confidentiality


Why Email Security?

Message confidentiality
Message integrity
Sender authentication
Nonrepudiation


How email works?

TCP sub-protocols:
– Simple Mail Transfer Protocol (SMTP): outgoing mail, port 25
– Post Office Protocol (POP): incoming mail, port 110

[Diagram: Sender, Internet, Receiver; links labeled SMTP, SMTP, POP3]


Internet Mail Access Protocol

POP3: email is downloaded to the client's computer and deleted from the server
IMAP4: email remains on the server
– Can be organized into folders
– Can be accessed remotely
– Can be used offline


Email attacks

Spam: unsolicited email
– Costly: time spent on looking at and deleting email
– Text, image spam
Protection: spam filters
– Set level of spam email protection
– Block specific senders (black list)
– Allow only specific senders (white list)
– Block top level domains


Email Attacks

Malicious attachments and embedded hyperlinks
– Virus, spyware, adware, etc.
Protection:
– Malware detection tool
– Read messages using a reading pane
– Block external content
– Preview attachments
– Use email postmark


Secure E-mail Approaches

PEM: Privacy-Enhanced Mail
S/MIME
PGP: Pretty Good Privacy


Pretty Good Privacy

Phil Zimmermann (early '90s)
Confidentiality and authentication for
– Electronic mail and
– Storage applications


PGP – Evolution

1. Best available cryptographic algorithms ('90s)
2. Integrate these algorithms such that
   1. Independent of operating system and processor
   2. Based on a small set of commands
3. Make the application and the documentation available through the Internet
4. Agreement with a company to provide compatible, low-cost commercial version of PGP


PGP - Usage

PGP became widely used within a few years
– Available worldwide for different platforms
– Based on proven secure algorithms such as RSA, IDEA, MD5
– Wide range of applicability
– Was not developed or controlled by government standards


PGP Services

Digital Signature: RSA, MD5
– Hash code of message is created using MD5, encrypted using RSA with sender's private key, and attached to the message
Confidentiality: RSA, IDEA
– Message is encrypted using IDEA with a one-time session key generated by the sender; the session key is encrypted using RSA and the recipient's public key, and attached to the message


PGP Services

Compression: ZIP
– Message may be compressed for storage or transmission
E-mail compatibility
– Encrypted message is converted to ASCII string
Segmentation
– To accommodate maximum message size, PGP performs segmentation and reassembly