• No results found

An Introduction to Secure . Presented by: Addam Schroll IT Security & Privacy Analyst

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "An Introduction to Secure . Presented by: Addam Schroll IT Security & Privacy Analyst"

Copied!
64
0
0

Loading.... (view fulltext now)

Download now ( 64 Page )

Full text

(1)

An Introduction to Secure Email

(2)

Topics

ƒ Secure Email Basics

ƒ Types of Secure Email

(3)

Secure Email Services

ƒ Confidentiality

ƒ Message Integrity

(4)

Why do I want secure email?

ƒ Protect sensitive data

ƒ Prove authenticity to recipients

ƒ Send attachments normally filtered

(5)

How does Secure Email work?

ƒ Long answer

• That’s another talk entirely. ƒ Short answer

• Secure email uses a set cryptographic tools to encapsulate a message into a specially

(6)

Encryption

ƒ Think CryptoQuip

ƒ Means of hiding a message through substitution or rearranging letters

ƒ Requires a “key” to unlock the original message

(7)

Digital Signatures

ƒ A string of characters that uniquely identifies the signer of an electronic message.

ƒ Recipients are able to

• Verify message was from purported sender • Verify message was not modified in transit ƒ Sender cannot deny being originator of

(8)

Pick your poison

ƒ Most popular secure email standards

• S/MIME • OpenPGP

ƒ How are these different?

• Similar services

(9)

Hierarchical Trusts

ƒ Users all directly trust some central authority

ƒ Alice trusts Bob if Bob’s “chain of trust” traces back to the central authority

ƒ Driver’s License

• Issued by state authority to prove identity to others

(10)

Web of Trust

ƒ Incorporates user perception of trust

ƒ Any user can be an authority to verify others

ƒ Users can assign levels of trust

• Not all authorities are equal

(11)

S/MIME and Digital Certificates

ƒ IETF standard extending MIME

ƒ Most email clients already support S/MIME

ƒ Requires users have public keys to communicate securely

(12)

S/MIME Capable Clients

ƒ Apple Mail

ƒ Entourage

ƒ Eudora 7

ƒ Evolution ƒ Kmail ƒ Mozilla/Thunderbird ƒ Mutt ƒ Outlook ƒ Pine

(13)

OpenPGP

ƒ A defacto standard based on Pretty Good Privacy program

ƒ Users must be able to find others’ public keys

ƒ Requires additional 3rd party software

(14)

Finding public keys

ƒ Get public key from previous messages

ƒ Lookup via directory service

• PGP Key Servers (e.g. http://pgp.mit.edu)

• Purdue Electronic Directory

(15)

Trusting Keys

ƒ Equivalent to trusting link between identity and key

ƒ Must have a process for validating identity of key owner

• Documentation Check • Verbal Verification

(16)

GNU Privacy Guard

ƒ Freely available implementation of OpenPGP

protocol

ƒ Available for most platforms

ƒ Does not integrate directly with email clients

(17)

PGP Desktop 8.0

ƒ Commercial implementation of OpenPGP standard

ƒ Runs on Windows and MacOS X

ƒ Integrates with several common email clients

(18)

PGP Desktop 9.0

ƒ Acts as email proxy instead of client plugin

ƒ Allows secure email through any client

ƒ May require reconfiguration of email client connection settings

(19)

Issues with Secure Email

ƒ Who should have access to private keys?

ƒ How do we exchange public keys?

ƒ How do we assign trust?

(20)

Steps to Secure Email

ƒ Generate an Identity

ƒ Configure Secure Email software

ƒ Get public keys for recipients

(21)

Getting a Digital Certificate

ƒ Must be issued by an authority

• Organizational PKI • Third-party vendor

ƒ Free personal certificates available

• Thawte

• Global Trust • CACert

(22)

Thawte Personal Certificate

ƒ Enroll for Thawte ID via website

ƒ Request certificate for ID

• Must provide “national identification number”

ƒ By default, certificate includes email address but not name

(23)

Thawte Web of Trust

ƒ Receive trust points from notaries

• 50 points: Request certificate with name • 100 points: Eligible to be a notary

ƒ Several notaries on Purdue WL campus

(24)

How to Install a Certificate -Outlook

• Download from Thawte via IE • Set Security to High

• Automatically installed in certificate store • How do I view the certificate store?

(25)
(26)
(27)
(28)

How to Install a Certificate -Thunderbird

• Download from Thawte via IE • Export from certificate store • Import into Thunderbird

(29)
(30)

Generating PGP Keys

ƒ Specify identity to link to keys

ƒ Provide key type and size parameters

ƒ Add comments or even a digital photo

(31)
(32)
(33)
(34)
(35)

Outlook S/MIME Walkthrough

ƒ Outlook S/MIME Setup

ƒ Encrypting and signing messages

(36)
(37)
(38)
(39)
(40)

Thunderbird S/MIME Walkthrough

ƒ Thunderbird Setup

ƒ Encrypting and signing messages

(41)
(42)
(43)
(44)
(45)

PGP Desktop 9 Walkthrough

ƒ Interface Overview

ƒ Signing messages

ƒ Encrypting messages

ƒ Decrypting messages

(46)
(47)
(48)
(49)
(50)
(51)
(52)
(53)

Thunderbird GPG Walkthrough

ƒ Generate new key pair

ƒ Configure Enigmail settings

ƒ Encrypting and Signing Messages

ƒ Inline PGP vs. PGP/MIME

(54)
(55)
(56)
(57)
(58)
(59)
(60)

Secure Email Tips

ƒ Backup your keys!

ƒ Revoke certificates or PGP keys if compromised

ƒ Trusting a key should only be done after suitable verification with the owner

(61)

Secure Email Tips

ƒ Follow the Purdue Data Handling Guidelines

ƒ Encrypted email is a means of transport, not storage

(62)
(63)

References

Trust Models

www.pgpi.org/doc/pgpintro/#p20

Thawte Personal Certificates

www.thawte.com/secure-email/personal-email-certificates/index.html

S/MIME Tutorial

www.marknoble.com/tutorial/smime/smime.aspx

OpenPGP

www.openpgp.org

Pretty Good Privacy

www.pgp.com

Purdue Data Handling Guidelines

(64)

References

Gnu Privacy Guard

http://www.gnupg.org/

Enigmail OpenPGP Extension

enigmail.mozdev.org

NIST Guidelines on Electronic Mail Security (Draft)

References

Download now ( PDF - 64 Page - 751.62 KB )

Related documents

TELE 301 Network Management. Lecture 18: Network Security

•  Alice sends “I am Alice”, to Bob •  Bob sends a nonce, R, to Alice •  Alice encrypts the nonce using. Alice and Bob’s symmetric secret key, K A-B , and sends it

How To Use Telematics For Insurance

By using data exploration and analytics, insurers will be able to rank and weigh hundreds of new variables generated by telematics to develop highly accurate telematics pricing

Joint optimization of spectrum and energy efficiency in cognitive radio networks

Wang, Resource allocation for heterogeneous multiuser OFDM-based cognitive radio networks with imperfect spectrum sensing, in: Proceedings of the IEEE INFOCOM'12, Orlando, FL, 2012,

Hekaton: SQL Server s Memory-Optimized OLTP Engine

At the time of commit, a serializable transaction must verify that the versions it read have not been updated and that no phantoms have appeared. The validation phase

The relationship between vitamin A and ferritin towards malondialdehyde level among Javanese male smokers

This was a case control study involving 60 individuals consisting of 30 smokers as case group and 30 nonsmokers as control group. Subjects were Javanese men who lived in

1-Yuhki Kuramoto - Piano Solo [1]

[r]

Rate estimates on the Gem Disks

1 Point smearing task & plug to tracking/genfit 2 More realistic geometry description (passive material) 3 Digitization & hit reco. • I will not do this, but I’ll be there

Department of Astronomy, Kyoto University, Sakyo-ku, Kyoto

We devised a data format of a "Quick Look Information File (QLIF)" which carries various information extracted form observational data, and have developed a