Email security
•Download as ODP, PDF•
1 like•1,355 views
This document discusses email security threats and options to improve security. The main threats to email security are loss of confidentiality from emails being sent in clear text over open networks and stored on insecure systems, lack of integrity protection allowing emails to be altered, and lack of authentication and non-repudiation. Options to improve security include encrypting server-client connections using POP/IMAP over SSH or SSL, and end-to-end encryption using PGP. PGP provides encryption for confidentiality and digital signatures for authenticity and non-repudiation. The document also discusses email-based attacks and spam, as well as the algorithms and authentication process used by PGP.
Report
Share
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (18)
Similar to Email security
Similar to Email security (20)
Recently uploaded
Recently uploaded (20)
Email security
- 1. Email Security Eng.Ahmed Ali El-Kosairy eng.aelkosairy@gmail.com
- 2. Threats Threats to the security of e-mail itself − Loss of confidentiality E-mails are sent in clear over open networks E-mails stored on potentially insecure clients and mail servers − Loss of integrity − − − No integrity protection on e-mails; body can be altered in transit or on mail server Lack of data origin authentication Lack of non-repudiation Lack of notification of receipt
- 3. Threats Enabled by E-mail Disclosure of sensitive information Exposure of systems to malicious code Denial-of-Service (DoS) Unauthorized accesses etc.
- 4. What are the Options Secure the server to client connections (easy thing first) − − POP, IMAP over ssh, SSL https access to webmail Secure the end-to-end email delivery − − The PGPs of the world Still need to get the other party to be PGP aware
- 5. Email based Attacks Buffer over-flow attack − Fix the code Shell script attack − Scan before send to the shell Web bugs (for tracking) - Hardening the mail server
- 6. Email SPAM Cost to exceed $10 billion SPAM filtering − − − Content based – required hits White list Black list
- 7. PGP PGP=“Pretty Good Privacy” First released in 1991, developed by Phil Zimmerman Freeware: OpenPGP and variants: OpenPGP specified in RFC 2440 and defined by IETF OpenPGP working group. − www.ietf.org/html.charters/openpgp-charter.html Available as plug-in for popular e-mail clients, can also be used as stand-alone software.
- 8. PGP Functionality − − Encryption for confidentiality. Signature for non-repudiation/authenticity. Sign before encrypt, so signatures on unencrypted data can be detached and stored separately.
- 9. PGP Algorithms Broad range of algorithms supported: Symmetric encryption: − Public key encryption of session keys: − RSA or ElGamal. Hashing: − DES, 3DES, AES and others. SHA-1, MD-5 and others. Signature: − RSA, DSS, ECDSA and others.
- 10. PGP Authentication This is a digital signature scheme with hashing. 1. Alice has (private/public) key pair (Ad/Ae) and she wants to send a digitally signed message m to Bob. 2. Alice hashes the message using SHA-1 to obtain SHA(m). 10
- 11. 1. Alice encrypts the hash using her private key Ad to obtain ciphertext c given by c=pk.encryptAd(SHA(m)) 1. Alice sends Bob the pair (m,c) 1. Bob receives (m,c) and decrypts c using Alice's public key Ae to obtain signature s s=pk.decryptAe(c) 11
- 12. 1. He computes the hash of m using SHA-1 and if this hash value is equal to s then the message is authenticated. Bob is sure that the message is correct and that is does come from Alice. Furthermore Alice cannot later deny sending the message since only Alice has access to her private key Ad which works in conjunction with the public key Ae. 12
- 13. 13
Editor's Notes
- Story: mailing of patent list to academic mailing list.
- In fact PGP-processed data can be used with any transport protocol. PGP-processed message is simply placed Into e-mail client edit window.