Masud Hasan 03-60-475 SecueEmail VS Hushmail Project 2 Secure Email & Hushmail It uses Digital Certificate combined with S/MIME capable email clients to digitally sign and encrypt Email It uses Digital Certificate combined with OpenPGP capable email clients to digitally sign and encrypt Email Two Basic Features – The two basic features of Email security are privacy (only the intended recipient can read the message) and authentication (the recipient can be assured of the identity of the sender). The technical capabilities for these functions has been known for many years, but they have only been applied to Internet mail recently. – Reality Check: Security experts claim users encrypt only about one in every 50 to 100 of their email messages. Goal of this Project – Learning Hushmail (PGP based secure Email) – Compare Hushmail with SecureEmail(S/Mime based) – Which one we should use to secure our Email? – Technical difference between those 2 protocols. – Difference in Algorithm, Mechanism used. Hushmail – How it works •As part of enrollment, HushMail generates a public/private key pair for each user. The private key is encrypted with a pass-phrase and, along with the public key, stored on the HushMail server. •When a HushMail user wishes to send a private message, a Java applet on the user's PC will request his password. The password is securely hashed, and part of the hash is sent to the HushMail server to validate the user. •If the user is authenticated, the HushMail server sends the user's plaintext public key and encrypted private key to the Java applet at the user's machine. The applet symmetrically decrypts the private key and uses it for digital signatures. Hushmail – How it works •E-mail messages and attachments are symmetrically encrypted using a unique session key for each message. •The session key is encrypted using a HushMail recipient's public key, and included in the message before transmission. •When a recipient reads e-mail, a Java applet decrypts the encrypted message (and attachments). If the message is digitally signed, the Java applet downloads the sender's public key and uses it to verify the sender. Features – Enhanced Spam Control – Webmail Updates – File Sharing – IMAP Access – External POP3 System Requirements Browser: IE 5.0+, Netscape 7.0+ OS: Windows/Linux Java Enabled: MSVM/SUN Hushmail for Outlook requires: Microsoft Office 2000, Microsoft Office XP, or Microsoft Office 2003. It also requires that Outlook's “Collaboration Data Objects” be installed. OnSite Installation tips •Tips for Getting This Application Working in Internet Explorer: •Set Your Security Settings to Medium. The most common problem Internet Explorer users have with this application is that they set the security settings on their browser too high, disabling essential features such as JavaScript. This application recommends a security setting of "Medium". OnSite Installation Steps •Run the Setup executable (I recommend that you set up your email address in Outlook prior to installation) •Accept License Agreement •Complete Installation OnSite Outlook Configuration •Open Microsoft Outlook. •Click the Hushmail icon on the Microsoft Outlook toolbar. •Click the Add button. •Specify whether you would like to digitally sign your outgoing mail. OnSite Continues….. OnSite Continues….. OnSite SecureEmail VS Hushmail •SecureEmail uses S/MIME. •Hushmail uses OpenPGP. •Both the protocols are designed to perform the same task. However, they are not compatible with each other. •The key distinguishing factor of these competing protocol is not the algorithm used to encrypt, but the technology used to establish the trust. OnSite Trust Establishment Hushmail defines trust: Through a “Web of Trust” which places the burden of trust on the end user.It’s a transitive relationship. If A trust B, and B trust C Then A will trust C Secure Email defines trust: Through a certificate authority (CA ) to establish trust. Every user is issued a certificate that contains his public key and is signed by a CA. Because CA is trusted third party, trust is automatically established among users. OnSite Continues… Secure Email follows X.509 standard format for digital signatures which can be only issued by a CA. Open PGP supports not X.509, but rather a digital certificate format developed by PGP Inc. Note: Industry Analyst say big corporations want the extra level of authority a CA brings to the table, as well as the better established X.509 digital certificate. (also include SSL features for browsers) OnSite Continues… Being said that, Users want encryption and digital certificate to be as simple as hitting the send button to shoot a message over the internet. Hush mail has easier user implementation than Secure Email. The algorithm used by both the tools are equally strong. None of the Algorithm have been broken mathematically. OnSite Bottom line…. The bottom line is both forms of trust the S/MIME’s third party CA and OpenPGP’s Web of trust are viable. However, it’s a pity that they don’t “trust” each other enough to work together. Brighter Note: The evolution of both the protocols are now under the guidance of IETF working group. OnSite Services/ Mechanisms and Algorithm Used Services in a security protocol Signatures RSA Encryption AES Hashing SHAI OnSite Conclusion I would consider doing my graduate studies in Computer Security. Thanks for listening and good luck for Final. OnSite QUESTIONS Only easy ones will be answered! Kidding~~ OnSite