Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enhancing Email Security with S/MIME Chuck Connell, www.chc-3.comwww.chc-3.com www.DominoAdministration.comwww.DominoAdministration.com, www.DominoSecurity.org.

Published byBasil Stevens Modified over 9 years ago

Similar presentations

Presentation on theme: "Enhancing Email Security with S/MIME Chuck Connell, www.chc-3.comwww.chc-3.com www.DominoAdministration.comwww.DominoAdministration.com, www.DominoSecurity.org."— Presentation transcript:

1 Enhancing Email Security with S/MIME Chuck Connell, www.chc-3.comwww.chc-3.com www.DominoAdministration.comwww.DominoAdministration.com, www.DominoSecurity.org

2 Introduction  Worked at Lotus from 90 to 95  Managed Notes C API team, architect in (short-lived) “enterprise applications” group, business partner technical liaison  Began my own business in 1995  Notes/Domino consulting, writing, teaching CS at Boston University  Security expert at www.SearchDomino.comwww.SearchDomino.com

3 Outline  What is S/MIME?  Why do we care about it?  Secrecy, authentication, and integrity  Cryptography primer, including public key techniques and certificates  How S/MIME works  Where S/MIME is used in Notes/Domino  How to use S/MIME

4 Audience  Experienced with Notes, Domino, general email topics  Used some encryption/privacy tools  Not a security expert or mathematician (will skip gory details)  My goal is to explain a fairly complex topic to a generally knowledgeable computer audience

5 What is S/MIME?  When email was first developed, people could only send plain text messages  MIME was developed in early 90s to allow people to send pictures, sound, programs and general attachments -- “Multipurpose Internet Mail Extension”  MIME has no security features, can be read along its route or forged (easily)  S/MIME is a secure version of MIME

6 What does S/MIME give us?  Secrecy – Only intended recipient can read the message. (A thick envelope and trustworthy couriers.)  Authentication – Recipient knows the message came from the apparent sender. (An ink signature that you recognize.)  Integrity – Recipient knows the message was not changed en route. (Un-erasable ink in a letter.)

7 Cryptography primer  Secret key (a.k.a symmetric cipher)  Public key (a.k.a. asymmetric cipher) –Secrecy –Authentication –Secrecy and authentication  Hashing (a.k.a. message digest)  Public key certificate (X.509)

8 Symmetric cipher  Dates back thousands of years  A “key” is scrambled into the message in a way that makes the message unreadable  Scrambling method can be pencil and paper, mechanical, or mathematical  Key can be numbers, letters, text from a book  Only way to read the message (easily) is to unscramble it with the same key  Sender and receiver must exchange key somehow

9 Symmetric cipher

10 Public key cryptography (PKC)  Invented in 1970s  There are two keys; one public for all to see, the other kept secret to one person  Keys are pairs of large numbers, related to prime number theory  Message is scrambled with one key; only unscrambled easily with the other key  Can be used for secrecy, authentication, or both

11 Public key cryptography

12 PKC for secrecy only  Chuck wants to send message that only Katie can read  Ciphertext = PKC(plaintext, katie’s public key)  Plaintext = PKC(ciphertext, katie’s private key)  Only Katie can decrypt the message, and Chuck does not have to send her a key

13 PKC for authentication only  Chuck wants to send message to Katie and prove it is from him  Ciphertext = PKC(plaintext1, chuck’s private key)  Chuck sends ciphertext and plaintext1  Plaintext2 = PKC(ciphertext, chuck’s public key)  Katie compares plaintext1 (sent) with plaintext2 (decrypted)  If they match, only Chuck could have sent the message.

14 PKC for secrecy and authentication  Chuck wants to send secret message to Katie and prove it is from him  Cipher1 = PKC(plaintext1, chuck’s private key)  Cipher2 = PKC(Cipher1 and plaintext1, katie’s public key)  Chuck sends Cipher2  Cipher1 and Plaintext1 = PKC(Cipher2, katie’s private key)  Plaintext2 = PKC(Cipher1, chuck’s public key)  Katie compares plaintext1 (sent) with plaintext2 (decrypted)

15 Hashing  A one-way operation that is hard to undo  Often results in a shorter message, which is called a message digest  Example: “Let’s have breakfast at Dunkin Donuts”  “h7tfd8Fr”

16 Public key certificate  But, there is a problem with PKC… How does Katie know it is really Chuck sending her the message. Someone could pretend to be Chuck.  Public key certificates solve this problem (mostly)  A public key certificate contains –A person’s name –That person’s public key –Name of a trusted certifying authority (CA) –Digital signature of the CA, using their private key  Certificate can be verified with CA’s public key  X.509 is most common format

17 Questions ?

18 So what is S/MIME?  S/MIME puts all these techniques together to create a practical, efficient, reasonably secure email protocol  Standard (symmetric) cipher – RC2 or TripleDES  Public key (asymmetric) cipher – RSA  Hashing – SHA-1 or MD5  (Mathematical details found in references)

19 S/MIME for secrecy only 1. Chuck’s email program creates a random key (session key) to be used in a symmetric cipher. 2. Chuck’s email program encrypts the message with the symmetric cipher and session key. 3. Chuck’s email program encrypts the session key with PKC and Katie's public key. 4. Chuck’s email program creates a package of: encrypted message, encrypted session key, his X.509 certificate, names of encryption algorithms.

20 S/MIME for secrecy, continued 5. Chuck’s email program sends package to Katie. This is an S/MIME email message. 6. Katie’s email program receives package. 7. Katie's email program uses her private key (and named PKC method) to decrypt the session key. 8. Katie’s email program uses session key (and named symmetric cipher) to decrypt the message.

21 S/MIME for authentication only 1. Chuck’s email program uses hash function to create message digest 2. Chuck’s email program encrypts message digest with PKC and his private key 3. Chuck’s email program creates a package of: original message, encrypted message digest, his X.509 certificate, names of encryption algorithms 4. Chuck’s email program sends package to Katie. 5. Katie's email program receives package

22 S/MIME for authentication, continued 6. Katie’s email program verifies Chuck’s X.509 certificate by testing signature of CA 7. Katie’s email program gets Chuck’s public key from his certificate 8. Katie's email program uses Chuck’s public key to decrypt the message digest 9. Katie's email program independently computes the message digest, using the same hash function 10. Katie's email program compares the two message digests to verify sender and message integrity

23 S/MIME for secrecy and authentication 1. Message is authenticated just as shown above 2. Authenticated package is made secret, just as shown above 3. Secret package is sent to recipient 4. Receiver uses his/her private key to decrypt session key 5. Receiver uses session key to decrypt rest of secret package, yielding authenticated message 6. Receiver authenticates message, just as shown above

24 Questions ?

25 So S/MIME is used for Notes mail?  No! For pure Notes email (Notes and Domino) S/MIME is not needed. Notes has its own, similar, methods.  S/MIME is used whenever pure Notes email is not available –From Notes, through Domino, to other email –From Notes, through standard server, to any email –From other email, through Domino, to any email

26 Using S/MIME  Get a digital identification  Set up Domino server for S/MIME  Use S/MIME with general email clients  Use S/MIME with Notes

27 Getting a digital identification  A digital ID is –Your name –Public/private key pair –Public key certificate for this ID  Most popular vendors are www.Thawte.com and www.VeriSign.com www.Thawte.comwww.VeriSign.com  Thawte is free, but VeriSign is only $15/year and simpler to use

28 Setting up Domino for S/MIME  Do nothing! (other than standard Internet mail set up)  (If anyone is aware of special settings that are required, please let me know.)

29 S/MIME with standard email clients (e.g. Outlook Express)  If you got your digital ID on this computer, it is already installed (Can see the ID with Start / Settings / Control Panel / Internet Options / Content / Certificates)  For secrecy, just press Encrypt  For authentication, just press Sign  When receiving a message, you will see security symbols near the attachment paperclip

30 Using S/MIME with Notes (Assuming digital ID already on Windows computer) 1. Export digital ID from Windows 2. Import digital ID to Notes ID file 3. Make sure this certificate will be used for Internet mail from Notes 4. Use digital ID as you send and receive email Demonstration…

31 For further reading  Excellent online overview of cryptography: www.rsalabs.com/faq/ www.rsalabs.com/faq/  Cryptography and Network Security by William Stallings – Good general security textbook. www.amazon.com/exec/obidos/ASIN/0138690170 www.amazon.com/exec/obidos/ASIN/0138690170  S/MIME Internet task force: www.imc.org/ietf-smime/index.html www.imc.org/ietf-smime/index.html  Relationship between S/MIME and PGP/MIME: www.imc.org/smime-pgpmime.html www.imc.org/smime-pgpmime.html

Download ppt "Enhancing Email Security with S/MIME Chuck Connell, www.chc-3.comwww.chc-3.com www.DominoAdministration.comwww.DominoAdministration.com, www.DominoSecurity.org."

Similar presentations

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Cryptographic Techniques Instructor: Jerry Gao Ph.D. San Jose State University URL: May,

Cryptographic Techniques Instructor: Jerry Gao Ph.D. San Jose State University URL: May,
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Cryptographic Technologies

Cryptographic Technologies
EECC694 - Shaaban #1 lec #16 Spring2000 5-4-2000 Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Introduction to Cryptography

Introduction to Cryptography
TrustPort Public Key Infrastructure. WWW.TRUSTPORT.COM Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.

TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
E-mail Security using Encryption Security Features Message Origin Authentication - verifying that the sender is who he or she says they are Content Integrity.

Security using Encryption Security Features Message Origin Authentication - verifying that the sender is who he or she says they are Content Integrity.
Masud Hasan 03-60-475 Secure Email Project 1. Secure Email It uses Digital Certificate combined with S/MIME capable email clients to digitally sign and.

Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.

Similar presentations

Ads by Google