Why do I want secure email? Protect sensitive data Prove authenticity to recipients Send attachments normally filtered Avoid the junk folder!
4
How does Secure Email work? Long answer
• That’s another talk entirely.
Short answer
• Secure email uses a set cryptographic tools to encapsulate a message into a specially formatted envelope.
5
Encryption Think CryptoQuip Means of hiding a message through substitution or rearranging letters Requires a “key” to unlock the original message
6
Digital Signatures A string of characters that uniquely identifies the signer of an electronic message. Recipients are able to
• Verify message was from purported sender • Verify message was not modified in transit
Sender cannot deny being originator of message
7
Pick your poison Most popular secure email standards
• S/MIME • OpenPGP
How are these different?
• Similar services • Different trust models
8
Hierarchical Trusts Users all directly trust some central authority Alice trusts Bob if Bob’s “chain of trust” traces back to the central authority Driver’s License
• Issued by state authority to prove identity to others
9
Web of Trust
Incorporates user perception of trust Any user can be an authority to verify others Users can assign levels of trust
• Not all authorities are equal
“Alice and Bob think she is Carol, and that’s good enough for me.”
10
S/MIME and Digital Certificates IETF standard extending MIME Most email clients already support S/MIME Requires users have public keys to communicate securely
• Where do users get this key?
11
S/MIME Capable Clients
Apple Mail Entourage Eudora 7 Evolution Kmail Mozilla/Thunderbird Mutt Outlook Pine
12
OpenPGP A defacto standard based on Pretty Good Privacy program Users must be able to find others’ public keys Requires additional 3rd party software
• Several implementations available
13
Finding public keys Get public key from previous messages Lookup via directory service
• PGP Key Servers (e.g. http://pgp.mit.edu) • Purdue Electronic Directory
Distributed via Public Key Infrastructure
14
Trusting Keys Equivalent to trusting link between identity and key Must have a process for validating identity of key owner
• Documentation Check • Verbal Verification
15
GNU Privacy Guard
Freely available implementation of OpenPGP protocol Available for most platforms Does not integrate directly with email clients Integrates with Thunderbird through Enigmail
16
PGP Desktop 8.0 Commercial implementation of OpenPGP standard Runs on Windows and MacOS X Integrates with several common email clients
17
PGP Desktop 9.0 Acts as email proxy instead of client plugin Allows secure email through any client May require reconfiguration of email client connection settings
18
Issues with Secure Email Who should have access to private keys? How do we exchange public keys? How do we assign trust? Should group keys be issued?
19
Steps to Secure Email Generate an Identity Configure Secure Email software Get public keys for recipients Start sending secured messages
20
Getting a Digital Certificate Must be issued by an authority
• Organizational PKI • Third-party vendor
Free personal certificates available
• • • • Thawte Global Trust CACert Comodo
21
Thawte Personal Certificate Enroll for Thawte ID via website Request certificate for ID
• Must provide “national identification number”
By default, certificate includes email address but not name
• No validation done to link identity to address yet
22
Thawte Web of Trust Receive trust points from notaries
• 50 points: Request certificate with name • 100 points: Eligible to be a notary
Several notaries on Purdue WL campus
Hint: One is probably up front talking right now
23
How to Install a Certificate Outlook • Download from Thawte via IE • Set Security to High • Automatically installed in certificate store • How do I view the certificate store?
› Control Panel->Internet Options->Content->Certificates
24
How to Install a Certificate Thunderbird • Download from Thawte via IE • Export from certificate store • Import into Thunderbird
› Options->Privacy->Security->View Certificates->Import
28
Generating PGP Keys Specify identity to link to keys Provide key type and size parameters Add comments or even a digital photo Choose a strong passphrase
30
Outlook S/MIME Walkthrough Outlook S/MIME Setup Encrypting and signing messages Decrypting and Verifying messages
35
Thunderbird S/MIME Walkthrough
Thunderbird Setup Encrypting and signing messages Decrypting and Verifying messages
Thunderbird GPG Walkthrough
Generate new key pair Configure Enigmail settings Encrypting and Signing Messages Inline PGP vs. PGP/MIME Decrypting and Verifying Messages
53
Using GPG with Thunderbird
Secure Email Tips Backup your keys! Revoke certificates or PGP keys if compromised Trusting a key should only be done after suitable verification with the owner
60
Secure Email Tips Follow the Purdue Data Handling Guidelines Encrypted email is a means of transport, not storage
• File your sensitive information elsewhere