Misc. Security Items
DKIM
domainkeys identified mail (dkim) Developed at and patented by Yahoo! Offers a way for a domain to claim responsibility for an email Uses public key cryptography
dkim features E-Mail body and selected headers can be covered by the DKIM signature Signed portions of the email are protected against tampering Independent of SMTP: can survive relaying
dkim problems Signing and verifying are expensive operations DKIM is done on the server where resources may be limited Many things can break the DKIM signature e.g. encoding changes, automated footers
dkim recommendations DKIM is nice to implement if you have the resources We will not be covering it in the lab
s/mime
s/mime Supports signing and encryption of E-Mail Secure Multipurpose Internet Mail Extensions Public key cryptography Supports signing and encryption of E-Mail Keys are tied to E-Mail addresses and usually an identity Performed by end-users Supported by most E-Mail clients
s/mime Uses certificate authorities, like TLS CAs act as a trusted third party Walk the certificate chain back to the CA to prove identity To my knowledge, there is no central location to find a user’s S/MIME public key
s/mime To sign mail, you must have a public/private key pair To encrypt mail, you must have the recipient’s public key To verify an email, you must have the sender’s public key
pgp
pretty good privacy Public key cryptography Performed by end users Supports signing and encrypting E-Mail Keys are tied to E-Mail addresses and usually an identity Performed by end users Client support is not as common as S/MIME
pretty good privacy No central certificate authority Relies on ‘web of trust’ instead Gnu Privacy Guard (gpg) is open-source equivalent
pgp: web of trust If you trust someone you can sign their public key (e.g. verify their identity) You have a list of keys you trust Everyone who you trust has a list of keys they trust, and so on Trust can be established by finding a path of trust between two keys Think seven degrees of Kevin Bacon
pgp: key servers Public keys can be looked up using key servers e.g. pgp.mit.edu Allows out-of-band retrieval of keys Public keys contain web of trust information
s/mime and pgp recommendations S/MIME and PGP only sign and encrypt the body of an email. Headers (e.g. To, From, Subject are not encrypted) Only work if you communicate with other people who use it If you lose the key, you lose access to all encrypted email Sometime plausible deniability is a good thing
other solutions spamassassian amavis, clamav procmail evaluate E-Mail and score the likelihood of it being spam amavis, clamav scan incoming E-Mail for viruses procmail act on E-Mail (e.g. move, delete) based on header information can use headers set by SPF, spamassassian, and antivirus