Using Secure Email

Published on May 2016

An Introduction to Secure Email
Presented by:
Addam Schroll
IT Security & Privacy Analyst
2
Topics
Secure Email Basics
Types of Secure Email
Walkthroughs
3
Secure Email Services
Confidentiality
Message Integrity
Sender Authentication
4
Why do I want secure email?
Protect sensitive data
Prove authenticity to recipients
Send attachments normally filtered
Avoid the junk folder!
5
How does Secure Email work?
Long answer
• That’s another talk entirely.
Short answer
• Secure email uses a set of cryptographic tools to
encapsulate a message into a specially
formatted envelope.
6
Encryption
Think CryptoQuip
Means of hiding a message through
substitution or rearranging letters
Requires a “key” to unlock the original
message
7
Digital Signatures
A string of characters that uniquely identifies
the signer of an electronic message.
Recipients are able to
• Verify message was from purported sender
• Verify message was not modified in transit
Sender cannot deny being originator of
message
8
Pick your poison
Most popular secure email standards
• S/MIME
• OpenPGP
How are these different?
• Similar services
• Different trust models
9
Hierarchical Trusts
Users all directly trust some central authority
Alice trusts Bob if Bob’s “chain of trust”
traces back to the central authority
Driver’s License
• Issued by state authority to prove identity to
others
10
Web of Trust
Incorporates user perception of trust
Any user can be an authority to verify others
Users can assign levels of trust
• Not all authorities are equal
“Alice and Bob think she is Carol, and that’s good
enough for me.”
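
The two trust models from the "Hierarchical Trusts" and "Web of Trust" slides, sketched as an added example that is not part of the original presentation. All names and sample data are constructed, signature checking, expiry and revocation are left out, and the default thresholds are assumed to match GnuPG's completes-needed and marginals-needed options.

```python
# Added example: toy models of the deck's two trust schemes. All names and
# data are constructed; real clients also verify signatures, expiry, revocation.
FULL, MARGINAL = "full", "marginal"

def chain_to_authority(subject, issuer_of, authorities):
    """Hierarchical trust: follow issuer links up to a trusted authority.
    Returns [subject, ..., authority], or None if the chain is broken,
    loops, or ends at a self-signed issuer we do not trust."""
    chain = [subject]
    while chain[-1] not in authorities:
        issuer = issuer_of.get(chain[-1])
        if issuer is None or issuer in chain:
            return None
        chain.append(issuer)
    return chain

def valid_keys(me, signatures, owner_trust, completes_needed=1, marginals_needed=3):
    """Web of trust: a key becomes valid once enough introducers whose own
    keys are already valid have signed it (one fully trusted, or several
    marginally trusted). Defaults mirror GnuPG's options of the same name."""
    trust = {**owner_trust, me: FULL}
    valid = {me}
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            good = [s for s in signers if s in valid]
            full = sum(trust.get(s) == FULL for s in good)
            marginal = sum(trust.get(s) == MARGINAL for s in good)
            if full >= completes_needed or marginal >= marginals_needed:
                valid.add(key)
                changed = True
    return valid

# Constructed data. Hierarchy: Bob chains to the campus root, Mallory does not.
ISSUER_OF = {"bob@example.edu": "Campus Issuing CA",
             "Campus Issuing CA": "Campus Root CA",
             "mallory@example.net": "Mallory Home CA",
             "Mallory Home CA": "Mallory Home CA"}
AUTHORITIES = {"Campus Root CA"}
# Web of trust: I signed Alice's and Bob's keys and trust each marginally.
SIGNATURES = {"Alice": {"Me"}, "Bob": {"Me"}, "Carol": {"Alice", "Bob"}, "Dave": {"Carol"}}
OWNER_TRUST = {"Alice": MARGINAL, "Bob": MARGINAL}

if __name__ == "__main__":
    print(chain_to_authority("bob@example.edu", ISSUER_OF, AUTHORITIES))
    print(chain_to_authority("mallory@example.net", ISSUER_OF, AUTHORITIES))
    print(sorted(valid_keys("Me", SIGNATURES, OWNER_TRUST)))
    print(sorted(valid_keys("Me", SIGNATURES, OWNER_TRUST, marginals_needed=2)))
```

With the default thresholds Carol's key stays unverified because only two marginal introducers vouch for it; lowering marginals_needed to 2 accepts it. Dave's key still fails, because a valid key does not by itself make its owner a trusted introducer.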
11
S/MIME and Digital Certificates
IETF standard extending MIME
Most email clients already support S/MIME
Requires users have public keys to
communicate securely
• Where do users get this key?
12
S/MIME Capable Clients
Apple Mail
Entourage
Eudora 7
Evolution
Kmail
Mozilla/Thunderbird
Mutt
Outlook
Pine
13
OpenPGP
A de facto standard based on the Pretty Good
Privacy program
Users must be able to find others’ public
keys
Requires additional third-party software
• Several implementations available
14
Finding public keys
Get public key from previous messages
Lookup via directory service
• PGP Key Servers (e.g. http://pgp.mit.edu)
• Purdue Electronic Directory
Distributed via Public Key Infrastructure
15
Trusting Keys
Equivalent to trusting link between identity
and key
Must have a process for validating identity of
key owner
• Documentation Check
• Verbal Verification
16
GNU Privacy Guard
Freely available implementation of OpenPGP
protocol
Available for most platforms
Does not integrate directly with email clients
Integrates with Thunderbird through Enigmail
17
PGP Desktop 8.0
Commercial implementation of OpenPGP
standard
Runs on Windows and MacOS X
Integrates with several common email
clients
18
PGP Desktop 9.0
Acts as email proxy instead of client plugin
Allows secure email through any client
May require reconfiguration of email client
connection settings
19
Issues with Secure Email
Who should have access to private keys?
How do we exchange public keys?
How do we assign trust?
Should group keys be issued?
20
Steps to Secure Email
Generate an Identity
Configure Secure Email software
Get public keys for recipients
Start sending secured messages
21
Getting a Digital Certificate
Must be issued by an authority
• Organizational PKI
• Third-party vendor
Free personal certificates available
• Thawte
• Global Trust
• CACert
• Comodo
22
Thawte Personal Certificate
Enroll for Thawte ID via website
Request certificate for ID
• Must provide “national identification number”
By default, certificate includes email address
but not name
• No validation done to link identity to address yet
23
Thawte Web of Trust
Receive trust points from notaries
• 50 points: Request certificate with name
• 100 points: Eligible to be a notary
Several notaries on Purdue WL campus
Hint: One is probably up front talking right now
24
How to Install a Certificate - Outlook
• Download from Thawte via IE
• Set Security to High
• Automatically installed in certificate store
• How do I view the certificate store?
› Control Panel->Internet Options->Content->Certificates
28
How to Install a Certificate - Thunderbird
• Download from Thawte via IE
• Export from certificate store
• Import into Thunderbird
› Options->Privacy->Security->View Certificates->Import
30
Generating PGP Keys
Specify identity to link to keys
Provide key type and size parameters
Add comments or even a digital photo
Choose a strong passphrase
35
Outlook S/MIME Walkthrough
Outlook S/MIME Setup
Encrypting and signing messages
Decrypting and Verifying messages
40
Thunderbird S/MIME Walkthrough
Thunderbird Setup
Encrypting and signing messages
Decrypting and Verifying messages
45
PGP Desktop 9 Walkthrough
Interface Overview
Signing messages
Encrypting messages
Decrypting messages
Backing up key pairs
53
Thunderbird GPG Walkthrough
Generate new key pair
Configure Enigmail settings
Encrypting and Signing Messages
Inline PGP vs. PGP/MIME
Decrypting and Verifying Messages
Using GPG with Thunderbird
60
Secure Email Tips
Back up your keys!
Revoke certificates or PGP keys if
compromised
Trusting a key should only be done after
suitable verification with the owner
61
Secure Email Tips
Follow the Purdue Data Handling Guidelines
Encrypted email is a means of transport, not
storage
• File your sensitive information elsewhere
62
Just because you can, doesn’t mean you should.
63
References
Trust Models
www.pgpi.org/doc/pgpintro/#p20
Thawte Personal Certificates
www.thawte.com/secure-email/personal-email-certificates/index.html
S/MIME Tutorial
www.marknoble.com/tutorial/smime/smime.aspx
OpenPGP
www.openpgp.org
Pretty Good Privacy
www.pgp.com
Purdue Data Handling Guidelines
www.itap.purdue.edu/security/procedures/dataHandling.cfm
64
References
GNU Privacy Guard
http://www.gnupg.org/
Enigmail OpenPGP Extension
enigmail.mozdev.org
NIST Guidelines on Electronic Mail Security (Draft)
http://csrc.nist.gov/publications/drafts/Draft-SP800-45A.pdf
