An Introduction to Secure Email
Topics
Secure Email Basics
Types of Secure Email
Secure Email Services
Confidentiality
Message Integrity
Why do I want secure email?
Protect sensitive data
Prove authenticity to recipients
Send attachments normally filtered
How does Secure Email work?
Long answer
• That’s another talk entirely.
Short answer
• Secure email uses a set of cryptographic tools to encapsulate a message into a specially
Encryption
Think CryptoQuip
Means of hiding a message through substitution or rearranging letters
Requires a “key” to unlock the original message
Digital Signatures
A string of characters that uniquely identifies the signer of an electronic message.
Recipients are able to
• Verify message was from purported sender
• Verify message was not modified in transit
Sender cannot deny being originator of
Pick your poison
Most popular secure email standards
• S/MIME
• OpenPGP
How are these different?
• Similar services
Hierarchical Trusts
Users all directly trust some central authority
Alice trusts Bob if Bob’s “chain of trust” traces back to the central authority
Driver’s License
• Issued by state authority to prove identity to others
Web of Trust
Incorporates user perception of trust
Any user can be an authority to verify others
Users can assign levels of trust
• Not all authorities are equal
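The two trust models above, as an added example that is not part of the original slides: a toy Python model that decides trust from a graph of who vouched for whom. All names, issuer links and signature sets are constructed; the default thresholds (one fully trusted or three marginally trusted signers) follow GnuPG's defaults, and no cryptographic signature checking is modelled.

```python
# Added illustration: toy trust graphs only. Real clients also verify each
# signature cryptographically and check expiry and revocation.
FULL, MARGINAL = 2, 1  # owner-trust levels a user can assign

def hierarchical_trusts(subject, issued_by, root):
    """Hierarchical model: follow issuer links until the central authority."""
    seen = set()
    while subject is not None and subject not in seen:
        if subject == root:
            return True
        seen.add(subject)
        subject = issued_by.get(subject)
    return False  # chain ended or looped without reaching the root

def web_of_trust_valid(key, signatures, owner_trust, me,
                       completes_needed=1, marginals_needed=3):
    """Web of trust: a key is valid once enough trusted, valid keys signed it."""
    valid = {me}
    changed = True
    while changed:  # repeat until no further key becomes valid
        changed = False
        for target, signers in signatures.items():
            if target in valid:
                continue
            usable = [s for s in signers if s in valid]
            full = sum(s == me or owner_trust.get(s) == FULL for s in usable)
            marginal = sum(owner_trust.get(s) == MARGINAL for s in usable)
            if full >= completes_needed or marginal >= marginals_needed:
                valid.add(target)
                changed = True
    return key in valid

# Constructed sample data (hypothetical names).
ISSUED_BY = {"bob": "dept-ca", "dept-ca": "root-ca", "mallory": "mallory"}
SIGNATURES = {  # key owner -> set of users who signed that key
    "bob": {"alice"}, "carol": {"alice"}, "erin": {"alice"},
    "frank": {"alice"}, "dave": {"carol", "erin", "frank"},
    "zed": {"carol"}, "yan": {"bob"},
}
OWNER_TRUST = {"bob": FULL, "carol": MARGINAL, "erin": MARGINAL,
               "frank": MARGINAL}

if __name__ == "__main__":
    for who in ("bob", "mallory"):
        print(who, hierarchical_trusts(who, ISSUED_BY, "root-ca"))
    for who in ("dave", "zed", "yan"):
        print(who, web_of_trust_valid(who, SIGNATURES, OWNER_TRUST, "alice"))
```

A self-issued certificate ("mallory") never reaches the root, and a key vouched for by a single marginally trusted signer ("zed") stays invalid.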
S/MIME and Digital Certificates
IETF standard extending MIME
Most email clients already support S/MIME
Requires users have public keys to communicate securely
S/MIME Capable Clients
Apple Mail
Entourage
Eudora 7
Evolution
KMail
Mozilla/Thunderbird
Mutt
Outlook
Pine
OpenPGP
A de facto standard based on the Pretty Good Privacy program
Users must be able to find others’ public keys
Requires additional 3rd party software
Finding public keys
Get public key from previous messages
Lookup via directory service
• PGP Key Servers (e.g. http://pgp.mit.edu)
• Purdue Electronic Directory
Trusting Keys
Equivalent to trusting link between identity and key
Must have a process for validating identity of key owner
• Documentation Check
• Verbal Verification
GNU Privacy Guard
Freely available implementation of OpenPGP protocol
Available for most platforms
Does not integrate directly with email clients
PGP Desktop 8.0
Commercial implementation of OpenPGP standard
Runs on Windows and MacOS X
Integrates with several common email clients
PGP Desktop 9.0
Acts as email proxy instead of client plugin
Allows secure email through any client
May require reconfiguration of email client connection settings
Issues with Secure Email
Who should have access to private keys?
How do we exchange public keys?
How do we assign trust?
Steps to Secure Email
Generate an Identity
Configure Secure Email software
Get public keys for recipients
Getting a Digital Certificate
Must be issued by an authority
• Organizational PKI
• Third-party vendor
Free personal certificates available
• Thawte
• Global Trust
• CACert
Thawte Personal Certificate
Enroll for Thawte ID via website
Request certificate for ID
• Must provide “national identification number”
By default, certificate includes email address but not name
Thawte Web of Trust
Receive trust points from notaries
• 50 points: Request certificate with name
• 100 points: Eligible to be a notary
Several notaries on Purdue WL campus
How to Install a Certificate - Outlook
• Download from Thawte via IE
• Set Security to High
• Automatically installed in certificate store
• How do I view the certificate store?
How to Install a Certificate - Thunderbird
• Download from Thawte via IE
• Export from certificate store
• Import into Thunderbird
Generating PGP Keys
Specify identity to link to keys
Provide key type and size parameters
Add comments or even a digital photo
Outlook S/MIME Walkthrough
Outlook S/MIME Setup
Encrypting and signing messages
Thunderbird S/MIME Walkthrough
Thunderbird Setup
Encrypting and signing messages
PGP Desktop 9 Walkthrough
Interface Overview
Signing messages
Encrypting messages
Decrypting messages
Thunderbird GPG Walkthrough
Generate new key pair
Configure Enigmail settings
Encrypting and Signing Messages
Inline PGP vs. PGP/MIME
Secure Email Tips
Backup your keys!
Revoke certificates or PGP keys if compromised
Trusting a key should only be done after suitable verification with the owner
Secure Email Tips
Follow the Purdue Data Handling Guidelines
Encrypted email is a means of transport, not storage
References
Trust Models
www.pgpi.org/doc/pgpintro/#p20
Thawte Personal Certificates
www.thawte.com/secure-email/personal-email-certificates/index.html
S/MIME Tutorial
www.marknoble.com/tutorial/smime/smime.aspx
OpenPGP
www.openpgp.org
Pretty Good Privacy
www.pgp.com
Purdue Data Handling Guidelines
References
Gnu Privacy Guard
http://www.gnupg.org/
Enigmail OpenPGP Extension
enigmail.mozdev.org
NIST Guidelines on Electronic Mail Security (Draft)