Using Secure Email

An Introduction to Secure Email Presented by: Addam Schroll IT Security & Privacy Analyst


7/30/2019 Using Secure Email

http://slidepdf.com/reader/full/using-secure-email 1/64


Topics

Secure Email Basics

Types of Secure Email

Walkthroughs


Secure Email Services

Confidentiality

Message Integrity

Sender Authentication


Why do I want secure email?

Protect sensitive data

Prove authenticity to recipients

Send attachments normally filtered

Avoid the junk folder!


How does Secure Email work?

Long answer

• That’s another talk entirely.

Short answer

• Secure email uses a set of cryptographic tools to encapsulate a message into a specially formatted envelope.


Encryption

Think CryptoQuip

Means of hiding a message through substitution or rearranging letters

Requires a “key” to unlock the original message


Digital Signatures

A string of characters that uniquely identifies the signer of an electronic message.

Recipients are able to

• Verify message was from purported sender

• Verify message was not modified in transit

Sender cannot deny being originator of message


Pick your poison

Most popular secure email standards

• S/MIME

• OpenPGP

How are these different?

• Similar services

• Different trust models


Hierarchical Trusts

Users all directly trust some central authority

Alice trusts Bob if Bob’s “chain of trust” traces back to the central authority

Driver’s License

• Issued by state authority to prove identity to others


Web of Trust

Incorporates user perception of trust

Any user can be an authority to verify others

Users can assign levels of trust

• Not all authorities are equal

“Alice and Bob think she is Carol, and that’s good enough for me.”
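
The two trust models from the Hierarchical Trusts and Web of Trust slides, side by side, as an added example that is not part of the original presentation. All names, signatures and trust assignments are constructed; the default thresholds follow GnuPG's completes-needed (1) and marginals-needed (3), and the model ignores signature checking, expiry and revocation.

```python
# Added illustration: all names, signatures and trust levels are constructed.
FULL, MARGINAL = "full", "marginal"

def chain_to_root(subject, issued_by, trusted_roots, max_depth=5):
    """Hierarchical trust: follow issuer links until a trusted root is reached."""
    path = [subject]
    while path[-1] not in trusted_roots:
        issuer = issued_by.get(path[-1])
        if issuer is None or issuer in path or len(path) > max_depth:
            return None  # unknown issuer, loop, or chain too long
        path.append(issuer)
    return path

def wot_valid_keys(signatures, owner_trust, my_key,
                   completes_needed=1, marginals_needed=3, max_depth=5):
    """Web of trust: a key becomes valid once enough valid, trusted keys sign it."""
    valid = {my_key}
    for _ in range(max_depth):
        newly = set()
        for key, signers in signatures.items():
            usable = [s for s in signers if s in valid]
            full = sum(s == my_key or owner_trust.get(s) == FULL for s in usable)
            marginal = sum(owner_trust.get(s) == MARGINAL for s in usable)
            if key not in valid and (full >= completes_needed
                                     or marginal >= marginals_needed):
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

# Constructed hierarchy: Bob chains to the root everyone trusts, Mallory does not.
ISSUED_BY = {"bob": "Issuing CA", "Issuing CA": "Root CA", "mallory": "Other CA"}
ROOTS = {"Root CA"}

# Constructed web of trust: I signed Alice and Bob; both of them signed Carol.
SIGNATURES = {"alice": {"me"}, "bob": {"me"}, "carol": {"alice", "bob"},
              "dave": {"carol"}}
MARGINAL_PAIR = {"alice": MARGINAL, "bob": MARGINAL}

if __name__ == "__main__":
    print(chain_to_root("bob", ISSUED_BY, ROOTS))
    print(chain_to_root("mallory", ISSUED_BY, ROOTS))
    print(sorted(wot_valid_keys(SIGNATURES, MARGINAL_PAIR, "me")))
    print(sorted(wot_valid_keys(SIGNATURES, MARGINAL_PAIR, "me", marginals_needed=2)))
    print(sorted(wot_valid_keys(SIGNATURES, {"alice": FULL}, "me")))
```

With two marginally trusted signers Carol's key stays unvalidated under the default threshold of three; it becomes valid only if the threshold is lowered to two or one signer is fully trusted. Dave's key is never valid here, because a valid key (Carol's) is not automatically a trusted introducer.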


S/MIME and Digital Certificates

IETF standard extending MIME

Most email clients already support S/MIME

Requires users have public keys to communicate securely

• Where do users get this key?


S/MIME Capable Clients

Apple Mail

Entourage

Eudora 7

Evolution

Kmail

Mozilla/Thunderbird

Mutt

Outlook

Pine


OpenPGP

A de facto standard based on Pretty Good Privacy program

Users must be able to find others’ public keys

Requires additional 3rd party software

• Several implementations available


Finding public keys

Get public key from previous messages

Lookup via directory service

• PGP Key Servers (e.g. http://pgp.mit.edu)

• Purdue Electronic Directory

Distributed via Public Key Infrastructure


Trusting Keys

Equivalent to trusting link between identity and key

Must have a process for validating identity of key owner

• Documentation Check

• Verbal Verification


GNU Privacy Guard

Freely available implementation of OpenPGP protocol

Available for most platforms

Does not integrate directly with email clients

Integrates with Thunderbird through Enigmail


PGP Desktop 8.0

Commercial implementation of OpenPGP standard

Runs on Windows and MacOS X

Integrates with several common email clients


PGP Desktop 9.0

Acts as email proxy instead of client plugin

Allows secure email through any client

May require reconfiguration of email client connection settings


Issues with Secure Email

Who should have access to private keys?

How do we exchange public keys?

How do we assign trust?

Should group keys be issued?


Steps to Secure Email

Generate an Identity

Configure Secure Email software

Get public keys for recipients

Start sending secured messages


Getting a Digital Certificate

Must be issued by an authority

• Organizational PKI

• Third-party vendor

Free personal certificates available

• Thawte

• Global Trust

• CACert

• Comodo


Thawte Personal Certificate

Enroll for Thawte ID via website

Request certificate for ID

• Must provide “national identification number”

By default, certificate includes email address but not name

• No validation done to link identity to address yet


Thawte Web of Trust

Receive trust points from notaries

• 50 points: Request certificate with name

• 100 points: Eligible to be a notary

Several notaries on Purdue WL campus

Hint: One is probably up front talking right now


How to Install a Certificate - Outlook

• Download from Thawte via IE

• Set Security to High

• Automatically installed in certificate store

• How do I view the certificate store?

› Control Panel->Internet Options->Content->Certificates


How to Install a Certificate - Thunderbird

• Download from Thawte via IE

• Export from certificate store

• Import into Thunderbird

› Options->Privacy->Security->View Certificates->Import


Generating PGP Keys

Specify identity to link to keys

Provide key type and size parameters

Add comments or even a digital photo

Choose a strong passphrase 


Outlook S/MIME Walkthrough

Outlook S/MIME Setup

Encrypting and signing messages

Decrypting and Verifying messages


Thunderbird S/MIME Walkthrough

Thunderbird Setup

Encrypting and signing messages

Decrypting and Verifying messages


PGP Desktop 9 Walkthrough

Interface Overview

Signing messages

Encrypting messages

Decrypting messages

Backing up key pairs


Thunderbird GPG Walkthrough

Generate new key pair

Configure Enigmail settings

Encrypting and Signing Messages

Inline PGP vs. PGP/MIME

Decrypting and Verifying Messages


Using GPG with Thunderbird


Secure Email Tips


Follow the Purdue Data Handling Guidelines

Encrypted email is a means of transport, not storage

• File your sensitive information elsewhere


Just because you can, doesn’t mean you should.

References


Trust Models
www.pgpi.org/doc/pgpintro/#p20

Thawte Personal Certificates
www.thawte.com/secure-email/personal-email-certificates/index.html

S/MIME Tutorial
www.marknoble.com/tutorial/smime/smime.aspx

OpenPGP
www.openpgp.org

Pretty Good Privacy
www.pgp.com

Purdue Data Handling Guidelines
www.itap.purdue.edu/security/procedures/dataHandling.cfm


GNU Privacy Guard
http://www.gnupg.org/

Enigmail OpenPGP Extension
enigmail.mozdev.org

NIST Guidelines on Electronic Mail Security (Draft)
http://csrc.nist.gov/publications/drafts/Draft-SP800-45A.pdf