Secure Email

advertisement
Masud Hasan
03-60-475
SecueEmail VS Hushmail
Project 2
Secure Email & Hushmail
It uses Digital Certificate combined with S/MIME
capable email clients to digitally sign and encrypt Email
It uses Digital Certificate combined with OpenPGP
capable email clients to digitally sign and encrypt Email
Two Basic Features
– The two basic features of Email security are
privacy (only the intended recipient can read
the message) and authentication (the
recipient can be assured of the identity of the
sender). The technical capabilities for these
functions has been known for many years, but
they have only been applied to Internet mail
recently.
– Reality Check: Security experts claim users
encrypt only about one in every 50 to 100 of
their email messages.
Goal of this Project
– Learning Hushmail (PGP based secure
Email)
– Compare Hushmail with
SecureEmail(S/Mime based)
– Which one we should use to secure our
Email?
– Technical difference between those 2
protocols.
– Difference in Algorithm, Mechanism
used.
Hushmail – How it works
•As part of enrollment, HushMail generates a
public/private key pair for each user. The private key is
encrypted with a pass-phrase and, along with the
public key, stored on the HushMail server.
•When a HushMail user wishes to send a private
message, a Java applet on the user's PC will request his
password. The password is securely hashed, and part
of the hash is sent to the HushMail server to validate
the user.
•If the user is authenticated, the HushMail server sends
the user's plaintext public key and encrypted private
key to the Java applet at the user's machine. The
applet symmetrically decrypts the private key and uses
it for digital signatures.
Hushmail – How it works
•E-mail messages and attachments are
symmetrically encrypted using a unique
session key for each message.
•The session key is encrypted using a HushMail
recipient's public key, and included in the
message before transmission.
•When a recipient reads e-mail, a Java applet
decrypts the encrypted message (and
attachments). If the message is digitally
signed, the Java applet downloads the
sender's public key and uses it to verify the
sender.
Features
– Enhanced Spam Control
– Webmail Updates
– File Sharing
– IMAP Access
– External POP3
System Requirements
Browser: IE 5.0+, Netscape 7.0+
OS: Windows/Linux
Java Enabled: MSVM/SUN
Hushmail for Outlook requires:
Microsoft Office 2000, Microsoft Office XP,
or Microsoft Office 2003.
It also requires that Outlook's
“Collaboration Data Objects” be
installed.
OnSite
Installation tips
•Tips for Getting This Application Working in
Internet Explorer:
•Set Your Security Settings to Medium.
The most common problem Internet Explorer
users have with this application is that they set
the security settings on their browser too high,
disabling essential features such as JavaScript.
This application recommends a security setting
of "Medium".
OnSite
Installation Steps
•Run the Setup executable
(I recommend that you set up your email
address in Outlook prior to installation)
•Accept License Agreement
•Complete Installation
OnSite
Outlook Configuration
•Open Microsoft Outlook.
•Click the Hushmail icon on the Microsoft
Outlook toolbar.
•Click the Add button.
•Specify whether you would like to
digitally sign your outgoing mail.
OnSite
Continues…..
OnSite
Continues…..
OnSite
SecureEmail VS Hushmail
•SecureEmail uses S/MIME.
•Hushmail uses OpenPGP.
•Both the protocols are designed to
perform the same task. However, they
are not compatible with each other.
•The key distinguishing factor of these
competing protocol is not the algorithm
used to encrypt, but the technology used
to establish the trust.
OnSite
Trust Establishment
Hushmail defines trust:
Through a “Web of Trust” which places the
burden of trust on the end user.It’s a
transitive relationship.
If A trust B, and B trust C
Then A will trust C
Secure Email defines trust:
Through a certificate authority (CA ) to
establish trust. Every user is issued a
certificate that contains his public key and
is signed by a CA. Because CA is trusted
third party, trust is automatically established
among users.
OnSite
Continues…
Secure Email follows X.509 standard
format for digital signatures which can be
only issued by a CA.
Open PGP supports not X.509, but rather a
digital certificate format developed by
PGP Inc.
Note: Industry Analyst say big corporations
want the extra level of authority a CA
brings to the table, as well as the better
established X.509 digital certificate. (also
include SSL features for browsers)
OnSite
Continues…
Being said that, Users want encryption and
digital certificate to be as simple as hitting
the send button to shoot a message over
the internet.
Hush mail has easier user implementation
than Secure Email.
The algorithm used by both the tools are
equally strong. None of the Algorithm
have been broken mathematically.
OnSite
Bottom line….
The bottom line is both forms of trust the S/MIME’s
third party CA and OpenPGP’s Web of trust are
viable.
However, it’s a pity that they don’t “trust” each
other enough to work together.
Brighter Note: The evolution of both the protocols
are now under the guidance of IETF working
group.
OnSite
Services/ Mechanisms
and Algorithm Used
Services in a security protocol
Signatures
RSA
Encryption
AES
Hashing
SHAI
OnSite
Conclusion
I would consider doing my
graduate studies in Computer
Security.
Thanks for listening and good luck
for Final.
OnSite
QUESTIONS
Only easy ones will be
answered! Kidding~~
OnSite
Download