Security By Meenal Mandalia
What is ? stands for Electronic Mail. much the same as a letter, only that it is exchanged in a different. A typical address format would be:- Or
Security Implications Phishing Spam Spoof s
Recognising a Spoof Spelling and grammatical errors Requires a complete form filling in. Verification of Log In details Advertisement of a competition informing of selection Non-site users may also receive an from a site they never use. E.g. A customer may receive an from Barclays bank regarding their online banking details when they don’t hold a Barclays Bank account. Again this would help to identify a spoofing .
What is PGP? Stands for Pretty Good Privacy A program that provides cryptographic privacy and authentication Used for signing, encrypting and decrypting s PGP was first designed by Zimmermann in the 1990s.
What is S/MIME? Stands for Secure Multi-Purpose Internet Mail Extensions MIME (Multipurpose Internet Mail Extension) was developed in the early 1990’s ‘to allow users to send pictures, sound, programs and general attachments’ S/MIME employs secure MIME
How does PGP work? PGP uses a public key cryptography method and includes a system which binds the public key to a username
Digital Signatures The sender can use PGP to create a digital signature with either the RSA or DSA signature algorithms. Creates a hash (message digest) from the text. Creates a digital signature from using the sender’s private key
Web Of Trust First mentioned by Zimmermann It is a protocol A certificate assists with the verification of making sure the public key in a certificate belongs to the user who is claiming it
How does S/MIME work? Requires knowledge of how cryptography works 3 examples –Secrecy –Authentication –Both
Secrecy Example User 1’s program creates a random key that will be used in the symmetric cipher. This key is known as the session key, since it is used just for this session. User 1’s program encrypts the message with the symmetric cipher, using the session key. User 1’s program encrypts the session key with public key cryptography, using User 2’s public key. User 1’s program creates a package of data that includes the encrypted message, the encrypted session key, my x.509 certificate, and identification of the encryption algorithms used. The package of data is sent to User 2. This is an S/MIME message. When User 2's program receives the message, it uses User 2's private key to decrypt the session key. Using the session key (and the information about the symmetric cipher) User 2's program decrypts the message.’
Authentication Example User 1’s program creates a digest of the message, using a hashing function. User 1’s program encrypts the message digest with public key cryptography, using User 1’s private key. User 1’s program creates a package of data that includes the original message, the encrypted message digest, my x.509 certificate, and identification of the encryption algorithms used. The package of data is sent to User 2. This is an S/MIME message. When User 2's program receives the message, it verifies that User 1’s X.509 certificate is valid and retrieves User 1’s public key from the certificate. User 2's program uses User 1’s public key to decrypt the message digest. User 2’s program uses the information about the hashing function to independently compute the message digest of the original message. User 2’s program compares the decrypted message digest (from User 1) with the message digest it computed. If the two digests match, User 2 can trust the message was not tampered with.’
Example of Both ‘To send a message that is both secret and authenticated, the S/MIME techniques shown above simply are nested. the message is authenticated then the authenticated package is made secret Then the secret package is sent to the recipient. The recipient of the message unwraps the package by using their private key to decrypt the session key then decrypts the rest of the package with the session key After decrypting, the remaining data is a signed S/MIME message, which is authenticated as outlined above.’
Summary Employing Security via software is not the only thing that is required. Users need to be more vigilant with s and not click or reply to any suspicious s.