
Electronic Mail Security

Why Study E-mail Security? After web browsing, e-mail is the most widely used network-reliant application. Mail servers, after web servers, are the most often attacked Internet hosts. Basic e-mail offers little security, counter to public perception. Good technical solutions are available, but not widely used.

Threats to E-mail: Loss of confidentiality. E-mails are sent in clear over open networks. E-mails are stored on potentially insecure clients and mail servers. Loss of integrity. There is no integrity protection on e-mails; a message can be altered in transit or on the mail server, etc.

Threats to E-mail: Lack of notification of receipt. Has the intended recipient received my e-mail and acted on it? A message locally marked as sent may not have been delivered.

E-mail security: What are the Options? Secure the server-to-client connections (easy thing first): https access to webmail; protection against insecure wireless access. Secure the end-to-end delivery: the PGPs of the world; practical in an enterprise intra-network environment.

E-mail security: E-mail based Attacks. Active content attack: clean up at the server. Buffer overflow attack: fix the code. Trojan horse attack. Web bugs (for tracking): mangle the image at the mail server.

E-mail security: Software for encrypting e-mail messages has been widely available for more than 15 years, but the e-mail-using public has failed to adopt secure messaging. This failure can be explained through a combination of technical, community, and usability factors.

Types of electronic mail security: Pretty Good Privacy, S/MIME. Secure E-mail Standards and Products: Other now defunct standards: PEM (privacy enhanced mail), X.400. S/MIME. We focus on PGP.

PGP (Pretty Good Privacy): PGP uses public keys for encrypting session keys / verifying signatures, and private keys for decrypting session keys / creating signatures.

PGP (Pretty Good Privacy): PGP Key Rings. PGP supports multiple public/private key pairs per sender/recipient. Keys are stored locally in a PGP Key Ring, essentially a database of keys. Private keys are stored in encrypted form; the decryption key is determined by a user-entered pass-phrase.

PGP (Pretty Good Privacy): Key Management for PGP. Public keys for encrypting session keys / verifying signatures. Private keys for decrypting session keys / creating signatures. Where do these keys come from and on what basis can they be trusted?

PGP (Pretty Good Privacy): PGP adopts a trust model called the web of trust. There is no centralised authority. Individuals sign one another's public keys; these certificates are stored along with keys in key rings. PGP computes a trust level for each public key in the key ring. Users interpret the trust level for themselves.

PGP (Pretty Good Privacy): Trust levels for public keys depend on: the number of signatures on the key; the trust level assigned to each of those signatures. Trust levels are recomputed from time to time.
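
The trust computation described in the two slides above, as an added example that is not part of the original presentation. It is a simplified model: the trust names, the thresholds (one fully trusted or two marginally trusted signatures) and the key IDs are assumptions chosen for illustration, and the key ring is constructed sample data.

```python
# Added example: simplified web-of-trust key legitimacy computation.
# Trust names and thresholds are illustrative assumptions, not PGP's on-disk format.
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"

def compute_validity(signatures, owner_trust, completes_needed=1, marginals_needed=2):
    """Return the set of key IDs the key ring owner should treat as valid.

    signatures:  {key_id: set of key_ids that signed it}
    owner_trust: {key_id: how far the user trusts that key's owner as an introducer}
    """
    # The user's own keys (ultimate trust) are valid by definition.
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}
    changed = True
    while changed:  # repeat until no further key becomes valid
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature counts only if the signing key is itself valid.
            counted = [owner_trust.get(s, NONE) for s in signers if s in valid]
            full = sum(t in (FULL, ULTIMATE) for t in counted)
            marginal = sum(t == MARGINAL for t in counted)
            # full/completes_needed + marginal/marginals_needed >= 1, in integers
            if (full * marginals_needed + marginal * completes_needed
                    >= completes_needed * marginals_needed):
                valid.add(key)
                changed = True
    return valid

# Constructed sample key ring: who signed which key.
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"},
    "dave": {"alice"},          # one fully trusted introducer
    "erin": {"bob", "carol"},   # two marginally trusted introducers
    "frank": {"bob"},           # one marginal introducer only
    "heidi": {"dave"},          # dave's key is valid, but dave is not a trusted introducer
}
OWNER_TRUST = {"me": ULTIMATE, "alice": FULL, "bob": MARGINAL, "carol": MARGINAL}

def demo():
    before = compute_validity(SIGNATURES, OWNER_TRUST)
    # Recompute after the user stops trusting alice as an introducer.
    after = compute_validity(SIGNATURES, {**OWNER_TRUST, "alice": NONE})
    return before, after

if __name__ == "__main__":
    for label, keys in zip(("before", "after"), demo()):
        print(label, sorted(keys))
```

The second run shows why trust levels are recomputed: once alice is no longer a trusted introducer, dave's key loses its validity even though the signature on it is unchanged.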

PGP (Pretty Good Privacy): An attacker may socially engineer himself into a web of trust, or some trustable person may change. Then he could falsify public keys. This breaks most of the security. PGP binaries can be corrupted when they are obtained. The PGP binaries can be modified in the computer. The passphrase can be obtained by a Trojan. Weak passphrases can be cracked. On a multiuser system, access to the secret key can be obtained.
