CSCE 201 Security Fall 2010
CSCE Farkas2 Electronic Mail Most heavily used network-based application – Over 210 billion per day Used across different architectures and platforms Send to others connected directly or indirectly to the Internet regardless of host operating systems and protocols NEED: – Authentication – Confidentiality
CSCE Farkas3 Why Security? Message confidentiality Message integrity Sender authentication Nonrepudiation
How works? TCP sub-protocols: – Simple Mail Transfer Protocol (SMTP): outgoing mail, port 25 – Post Office Protocol (POP): incoming mail, port 110 CSCE Farkas4 SMTP POP3 Sender Receiver Internet
Internet Mail Access Protocol POP3: is downloaded to the client’s computer and deleted from the server IMAP4: remains on the server – Can be organized into folders – Can be accessed remotely – Can be used offline CSCE Farkas5
attacks Spam: unsolicited – Costly: time spent on looking at and deleting – Text, image spam Protection: spam filters – Set level of spam protection – Block specific senders (black list) – Allow only specific senders (white list) – Block top level domains CSCE Farkas6
Attacks Malicious attachments and embedded hyperlink – Virus, spyware, adware, etc. Protection: – Malware detection tool – Read messages using a reading pane – Block external content – Preview attachments – Use postmark CSCE Farkas7
8 Secure Approaches PEM: Privacy-Enhanced Mail S/MIME PGP: Pretty good Privacy
CSCE Farkas9 Pretty Good Privacy Phil Zimmermann (early 90’) Confidentiality and authentication for – Electronic mail and – Storage applications
CSCE Farkas10 PGP – Evolution 1.Best available cryptographic algorithms (90’) 2.Integrate these algorithms such that 1.Independent of operating system and processor 2.Based on a small set of commands 3.Make the application and the documentation available through the Internet 4.Agreement with a company to provide compatible, low-cost commercial version of PGP
CSCE Farkas11 PGP - Usage PGP became widely used within a few years – Available worldwide for different platforms – Based on proven secure algorithms such as RSA, IDEA, MD5 – Wide range of applicability – Was not developed or controlled by government standards
CSCE Farkas12 PGP Services Digital Signature: RSA, MD5 Hash code of message is created using MD5, encrypted using RSA, with sender’s private key, and attached to the message Confidentiality: RSA, IDEA Message is encrypted using IDEA, with one-time session key generated by the sender, session key is encrypted, using RSA and the recipient’s public key, and attached to the message
CSCE Farkas13 PGP Services Compression: ZIP Message may be compressed for storage or transmission compatibility Encrypted message is converted to ACSII string Segmentation To accommodate maximum message size, PGP performs segmentation and reassembly