Using Secure Email

Published on March 2017

An Introduction to Secure Email

Presented by: Addam Schroll, IT Security & Privacy Analyst

Topics

Secure Email Basics
Types of Secure Email
Walkthroughs

Secure Email Services

Confidentiality
Message Integrity
Sender Authentication

Why do I want secure email?
Protect sensitive data
Prove authenticity to recipients
Send attachments normally filtered
Avoid the junk folder!

How does Secure Email work?
Long answer
• That’s another talk entirely.

Short answer
• Secure email uses a set of cryptographic tools to encapsulate a message into a specially formatted envelope.

Encryption
Think CryptoQuip
Means of hiding a message through substitution or rearranging letters
Requires a “key” to unlock the original message

Digital Signatures
A string of characters that uniquely identifies the signer of an electronic message.
Recipients are able to
• Verify message was from purported sender
• Verify message was not modified in transit
Sender cannot deny being originator of message

Pick your poison
Most popular secure email standards
• S/MIME
• OpenPGP
How are these different?
• Similar services
• Different trust models

Hierarchical Trusts
Users all directly trust some central authority
Alice trusts Bob if Bob’s “chain of trust” traces back to the central authority
Driver’s License
• Issued by state authority to prove identity to others

Web of Trust
Incorporates user perception of trust
Any user can be an authority to verify others
Users can assign levels of trust
• Not all authorities are equal
“Alice and Bob think she is Carol, and that’s good enough for me.”
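
The two trust models above, as an added example that is not part of the original slides: the hierarchical check follows a key's issuer chain back to a trusted root, while the web-of-trust check counts signatures from introducers the user has rated. The thresholds (one fully trusted or three marginally trusted signers) are an assumption modelled on GnuPG's classic trust-model defaults; all names and data are constructed, and signatures are plain data rather than verified cryptographically.

```python
# Constructed model of both trust decisions; signatures are plain data here,
# not cryptographically verified. All names and keys are made up.
FULL, MARGINAL = "full", "marginal"

def hierarchical_valid(subject, issuer_of, trusted_roots, max_depth=5):
    """Follow issuer links upward; valid only if a trusted root is reached."""
    current, seen = subject, set()
    for _ in range(max_depth + 1):
        if current in trusted_roots:
            return True
        if current in seen or current not in issuer_of:
            return False              # loop, or chain ends at an unknown issuer
        seen.add(current)
        current = issuer_of[current]
    return False                      # chain exceeds the allowed depth

def web_of_trust_valid(me, signatures, ownertrust,
                       completes_needed=1, marginals_needed=3, max_depth=5):
    """Return the keys valid from `me`'s point of view.

    signatures: {key: set of keys that signed it}
    ownertrust: {key: FULL or MARGINAL}, my rating of each owner as an introducer
    Thresholds are an assumption modelled on GnuPG's classic defaults.
    """
    trust = dict(ownertrust, **{me: FULL})
    valid = {me}
    for _ in range(max_depth):
        newly = set()
        for key, signers in signatures.items():
            usable = signers & valid  # only already-valid keys can introduce
            full = sum(trust.get(s) == FULL for s in usable)
            marginal = sum(trust.get(s) == MARGINAL for s in usable)
            if key not in valid and (full >= completes_needed
                                     or marginal >= marginals_needed):
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

# Constructed sample data.
ISSUER_OF = {"bob": "dept-ca", "dept-ca": "root-ca", "mallory": "unknown-ca"}
SIGNATURES = {"alice": {"me"}, "bob": {"me"}, "dave": {"me"},
              "carol": {"alice", "bob"}, "erin": {"bob", "dave"}}
OWNERTRUST = {"alice": FULL, "bob": MARGINAL, "dave": MARGINAL}

if __name__ == "__main__":
    print(hierarchical_valid("bob", ISSUER_OF, {"root-ca"}))
    print(hierarchical_valid("mallory", ISSUER_OF, {"root-ca"}))
    print(sorted(web_of_trust_valid("me", SIGNATURES, OWNERTRUST)))
```

In the sample data Carol's key is accepted because Alice is a fully trusted introducer, while Erin's is not: two marginal introducers fall short of the three required.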

S/MIME and Digital Certificates
IETF standard extending MIME
Most email clients already support S/MIME
Requires users have public keys to communicate securely
• Where do users get this key?

S/MIME Capable Clients
Apple Mail
Entourage
Eudora 7
Evolution
Kmail
Mozilla/Thunderbird
Mutt
Outlook
Pine

OpenPGP
A de facto standard based on the Pretty Good Privacy program
Users must be able to find others’ public keys
Requires additional 3rd party software
• Several implementations available

Finding public keys
Get public key from previous messages
Lookup via directory service
• PGP Key Servers (e.g. http://pgp.mit.edu)
• Purdue Electronic Directory
Distributed via Public Key Infrastructure

Trusting Keys
Equivalent to trusting link between identity and key
Must have a process for validating identity of key owner
• Documentation Check
• Verbal Verification

GNU Privacy Guard
Freely available implementation of OpenPGP protocol
Available for most platforms
Does not integrate directly with email clients
Integrates with Thunderbird through Enigmail

PGP Desktop 8.0
Commercial implementation of OpenPGP standard
Runs on Windows and MacOS X
Integrates with several common email clients

PGP Desktop 9.0
Acts as email proxy instead of client plugin
Allows secure email through any client
May require reconfiguration of email client connection settings

Issues with Secure Email
Who should have access to private keys?
How do we exchange public keys?
How do we assign trust?
Should group keys be issued?

Steps to Secure Email
Generate an Identity
Configure Secure Email software
Get public keys for recipients
Start sending secured messages

Getting a Digital Certificate
Must be issued by an authority
• Organizational PKI
• Third-party vendor
Free personal certificates available
• Thawte
• Global Trust
• CACert
• Comodo

Thawte Personal Certificate
Enroll for Thawte ID via website
Request certificate for ID
• Must provide “national identification number”
By default, certificate includes email address but not name
• No validation done to link identity to address yet

Thawte Web of Trust
Receive trust points from notaries
• 50 points: Request certificate with name
• 100 points: Eligible to be a notary
Several notaries on Purdue WL campus
Hint: One is probably up front talking right now

How to Install a Certificate
Outlook
• Download from Thawte via IE
• Set Security to High
• Automatically installed in certificate store
• How do I view the certificate store?
› Control Panel->Internet Options->Content->Certificates

How to Install a Certificate
Thunderbird
• Download from Thawte via IE
• Export from certificate store
• Import into Thunderbird
› Options->Privacy->Security->View Certificates->Import

Generating PGP Keys
Specify identity to link to keys
Provide key type and size parameters
Add comments or even a digital photo
Choose a strong passphrase

Outlook S/MIME Walkthrough
Outlook S/MIME Setup
Encrypting and signing messages
Decrypting and Verifying messages

Thunderbird S/MIME Walkthrough

Thunderbird Setup
Encrypting and signing messages
Decrypting and Verifying messages

PGP Desktop 9 Walkthrough
Interface Overview
Signing messages
Encrypting messages
Decrypting messages
Backing up key pairs

Thunderbird GPG Walkthrough
Generate new key pair
Configure Enigmail settings
Encrypting and Signing Messages
Inline PGP vs. PGP/MIME
Decrypting and Verifying Messages

Using GPG with Thunderbird

Secure Email Tips
Backup your keys!
Revoke certificates or PGP keys if compromised
Trusting a key should only be done after suitable verification with the owner

Secure Email Tips
Follow the Purdue Data Handling Guidelines
Encrypted email is a means of transport, not storage
• File your sensitive information elsewhere

Just because you can, doesn’t mean you should.


References

Trust Models
www.pgpi.org/doc/pgpintro/#p20

Thawte Personal Certificates
www.thawte.com/secure-email/personal-email-certificates/index.html

S/MIME Tutorial
www.marknoble.com/tutorial/smime/smime.aspx

OpenPGP
www.openpgp.org

Pretty Good Privacy
www.pgp.com

Purdue Data Handling Guidelines
www.itap.purdue.edu/security/procedures/dataHandling.cfm

GNU Privacy Guard
http://www.gnupg.org/

Enigmail OpenPGP Extension
enigmail.mozdev.org

NIST Guidelines on Electronic Mail Security (Draft)
http://csrc.nist.gov/publications/drafts/Draft-SP800-45A.pdf
