An Introduction to Secure Email

Presented by: Addam Schroll IT Security & Privacy Analyst

Topics

Secure Email Basics Types of Secure Email Walkthroughs

Secure Email Services

Confidentiality Message Integrity Sender Authentication

Why do I want secure email? Protect sensitive data Prove authenticity to recipients Send attachments normally filtered Avoid the junk folder!

How does Secure Email work? Long answer

Thats another talk entirely.

Short answer
Secure email uses a set cryptographic tools to encapsulate a message into a specially formatted envelope.

Encryption Think CryptoQuip Means of hiding a message through substitution or rearranging letters Requires a key to unlock the original message

Digital Signatures A string of characters that uniquely identifies the signer of an electronic message. Recipients are able to
Verify message was from purported sender Verify message was not modified in transit

Sender cannot deny being originator of message

7

Pick your poison Most popular secure email standards

S/MIME OpenPGP

How are these different?

Similar services Different trust models

Hierarchical Trusts Users all directly trust some central authority Alice trusts Bob if Bobs chain of trust traces back to the central authority Drivers License
Issued by state authority to prove identity to others

Web of Trust
Incorporates user perception of trust Any user can be an authority to verify others Users can assign levels of trust
Not all authorities are equal

Alice and Bob think she is Carol, and thats good enough for me.
10

S/MIME and Digital Certificates IETF standard extending MIME Most email clients already support S/MIME Requires users have public keys to communicate securely
Where do users get this key?

11

S/MIME Capable Clients

Apple Mail Entourage Eudora 7 Evolution Kmail Mozilla/Thunderbird Mutt Outlook Pine

12

OpenPGP A defacto standard based on Pretty Good Privacy program Users must be able to find others public keys Requires additional 3rd party software
Several implementations available

13

Finding public keys Get public key from previous messages Lookup via directory service
PGP Key Servers (e.g. http://pgp.mit.edu) Purdue Electronic Directory

Distributed via Public Key Infrastructure

14

Trusting Keys Equivalent to trusting link between identity and key Must have a process for validating identity of key owner
Documentation Check Verbal Verification

15

GNU Privacy Guard

Freely available implementation of OpenPGP protocol Available for most platforms Does not integrate directly with email clients Integrates with Thunderbird through Enigmail

16

PGP Desktop 8.0 Commercial implementation of OpenPGP standard Runs on Windows and MacOS X Integrates with several common email clients

17

PGP Desktop 9.0 Acts as email proxy instead of client plugin Allows secure email through any client May require reconfiguration of email client connection settings

18

Issues with Secure Email Who should have access to private keys? How do we exchange public keys? How do we assign trust? Should group keys be issued?

19

Steps to Secure Email Generate an Identity Configure Secure Email software Get public keys for recipients Start sending secured messages

20

Getting a Digital Certificate Must be issued by an authority

Organizational PKI Third-party vendor

Free personal certificates available

Thawte Global Trust CACert Comodo

21

Thawte Personal Certificate Enroll for Thawte ID via website Request certificate for ID
Must provide national identification number

By default, certificate includes email address but not name

No validation done to link identity to address yet

22

Thawte Web of Trust Receive trust points from notaries

50 points: Request certificate with name 100 points: Eligible to be a notary

Several notaries on Purdue WL campus

Hint: One is probably up front talking right now

23

How to Install a Certificate Outlook Download from Thawte via IE Set Security to High Automatically installed in certificate store How do I view the certificate store?
Control Panel->Internet Options->Content->Certificates

24

How to Install a Certificate Thunderbird Download from Thawte via IE Export from certificate store Import into Thunderbird
Options->Privacy->Security->View Certificates->Import

28

Generating PGP Keys Specify identity to link to keys Provide key type and size parameters Add comments or even a digital photo Choose a strong passphrase

30

Outlook S/MIME Walkthrough Outlook S/MIME Setup Encrypting and signing messages Decrypting and Verifying messages

35

Thunderbird S/MIME Walkthrough

Thunderbird Setup Encrypting and signing messages Decrypting and Verifying messages

40

PGP Desktop 9 Walkthrough

Interface Overview Signing messages Encrypting messages Decrypting messages Backing up key pairs

45

Thunderbird GPG Walkthrough

Generate new key pair Configure Enigmail settings Encrypting and Signing Messages Inline PGP vs. PGP/MIME Decrypting and Verifying Messages

53

Using GPG with Thunderbird

Secure Email Tips Backup your keys! Revoke certificates or PGP keys if compromised Trusting a key should only be done after suitable verification with the owner

60

Secure Email Tips Follow the Purdue Data Handling Guidelines Encrypted email is a means of transport, not storage
File your sensitive information elsewhere

61

Just because you can, doesnt mean you should.

62

References
Trust Models
www.pgpi.org/doc/pgpintro/#p20

Thawte Personal Certificates

www.thawte.com/secure-email/personal-email-certificates/index.html

S/MIME Tutorial
www.marknoble.com/tutorial/smime/smime.aspx

OpenPGP
www.openpgp.org

Pretty Good Privacy

www.pgp.com

Purdue Data Handling Guidelines

www.itap.purdue.edu/security/procedures/dataHandling.cfm

63

References
Gnu Privacy Guard
http://www.gnupg.org/

Enigmail OpenPGP Extension

enigmail.mozdev.org

NIST Guidelines on Electronic Mail Security (Draft)

http://csrc.nist.gov/publications/drafts/Draft-SP800-45A.pdf

64