Topics

Why do I want secure email?
- Protect sensitive data
- Prove authenticity to recipients
- Send attachments normally filtered
- Avoid the junk folder!

Short answer
- Secure email uses a set of cryptographic tools to encapsulate a message into a specially formatted envelope.

Encryption
- Think CryptoQuip
- Means of hiding a message through substitution or rearranging letters
- Requires a key to unlock the original message

Digital Signatures
- A string of characters that uniquely identifies the signer of an electronic message
- Recipients are able to
  - Verify message was from purported sender
  - Verify message was not modified in transit

Hierarchical Trusts
- Users all directly trust some central authority
- Alice trusts Bob if Bob's chain of trust traces back to the central authority
- Driver's License
  - Issued by state authority to prove identity to others

Web of Trust
- Incorporates user perception of trust
- Any user can be an authority to verify others
- Users can assign levels of trust
  - Not all authorities are equal
- Alice and Bob think she is Carol, and that's good enough for me.
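
The two trust models above, worked through as an added example that is not part of the original slides. It models only who certified whom (no cryptography), all names and data are constructed, and the default thresholds of 1 full or 3 marginal introducers follow GnuPG's default settings.

```python
# Added example: models who-certified-whom only; no cryptography is performed.
FULL, MARGINAL = 2, 1  # introducer trust levels a user can assign

def hierarchical_trusted(subject, issued_by, root):
    """Hierarchical trust: follow issuer links until the central authority."""
    seen = set()
    while subject is not None and subject not in seen:
        if subject == root:
            return True
        seen.add(subject)
        subject = issued_by.get(subject)
    return False  # chain ended or looped without reaching the root

def web_of_trust_valid(key, certs, owner_trust, me,
                       full_needed=1, marginal_needed=3):
    """Web of trust: a key is valid once enough trusted introducers, whose
    own keys are already valid, have certified it. Thresholds are parameters."""
    valid, changed = {me}, True
    while changed:
        changed = False
        for k in set().union(*certs.values()) - valid:
            # Only certifications made by keys already considered valid count.
            signers = [s for s in valid if k in certs.get(s, ())]
            full = sum(s == me or owner_trust.get(s) == FULL for s in signers)
            marginal = sum(owner_trust.get(s) == MARGINAL for s in signers)
            if full >= full_needed or marginal >= marginal_needed:
                valid.add(k)
                changed = True
    return key in valid

# Constructed sample data (all names are hypothetical).
ISSUED_BY = {"bob": "dept-ca", "dept-ca": "root-ca", "mallory": "rogue-ca"}
CERTS = {"dave": {"alice", "bob"}, "alice": {"carol"}, "bob": {"carol"},
         "carol": {"erin"}}
OWNER_TRUST = {"alice": MARGINAL, "bob": MARGINAL}  # Dave's view of introducers

if __name__ == "__main__":
    for who in ("bob", "mallory"):
        print(who, "chains to root-ca:",
              hierarchical_trusted(who, ISSUED_BY, "root-ca"))
    # "Alice and Bob think she is Carol": two marginal introducers suffice
    # only if Dave lowers marginal_needed to 2.
    for needed in (3, 2):
        print("carol valid with marginal_needed =", needed, ":",
              web_of_trust_valid("carol", CERTS, OWNER_TRUST, "dave",
                                 marginal_needed=needed))
    # Carol's key being valid does not make Carol a trusted introducer.
    print("erin valid:", web_of_trust_valid("erin", CERTS, OWNER_TRUST,
                                            "dave", marginal_needed=2))
```

Erin stays invalid even when Carol's key is accepted, because key validity and trust in the key's owner as an introducer are assigned separately.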

S/MIME and Digital Certificates
- IETF standard extending MIME
- Most email clients already support S/MIME
- Requires users have public keys to communicate securely
  - Where do users get this key?

OpenPGP
- A de facto standard based on the Pretty Good Privacy program
- Users must be able to find others' public keys
- Requires additional 3rd party software
  - Several implementations available

Finding public keys
- Get public key from previous messages
- Lookup via directory service
  - PGP Key Servers (e.g. http://pgp.mit.edu)
  - Purdue Electronic Directory

Trusting Keys
- Equivalent to trusting link between identity and key
- Must have a process for validating identity of key owner
  - Documentation Check
  - Verbal Verification

PGP Desktop 8.0
- Commercial implementation of OpenPGP standard
- Runs on Windows and MacOS X
- Integrates with several common email clients

PGP Desktop 9.0
- Acts as email proxy instead of client plugin
- Allows secure email through any client
- May require reconfiguration of email client connection settings

Issues with Secure Email
- Who should have access to private keys?
- How do we exchange public keys?
- How do we assign trust?
- Should group keys be issued?

Steps to Secure Email
- Generate an Identity
- Configure Secure Email software
- Get public keys for recipients
- Start sending secured messages

Thawte Personal Certificate
- Enroll for Thawte ID via website
- Request certificate for ID
  - Must provide national identification number

How to Install a Certificate: Outlook
- Download from Thawte via IE
- Set Security to High
- Automatically installed in certificate store
- How do I view the certificate store?
  - Control Panel->Internet Options->Content->Certificates

How to Install a Certificate: Thunderbird
- Download from Thawte via IE
- Export from certificate store
- Import into Thunderbird
  - Options->Privacy->Security->View Certificates->Import

Generating PGP Keys
- Specify identity to link to keys
- Provide key type and size parameters
- Add comments or even a digital photo
- Choose a strong passphrase

Outlook S/MIME Walkthrough
- Outlook S/MIME Setup
- Encrypting and signing messages
- Decrypting and Verifying messages

Thunderbird Setup
- Encrypting and signing messages
- Decrypting and Verifying messages

Secure Email Tips
- Back up your keys!
- Revoke certificates or PGP keys if compromised
- Trusting a key should only be done after suitable verification with the owner

Secure Email Tips
- Follow the Purdue Data Handling Guidelines
- Encrypted email is a means of transport, not storage
  - File your sensitive information elsewhere