CSCE 813 Internet Security Secure E-Mail Services I Professor Lisa Luo Fall 2017
Previous Class Why do we need cloud computing? Three models of cloud service Software as a service (SaaS) Platform as a service (PaaS) Infrastructure as a service (IaaS) Cloud security risks Abuse of cloud computing Insecure interfaces and APIs Account or service hijacking Data loss or leakage Data protection in the cloud Basic requirement: encrypt data + access control 2
Security Objectives of E-Mail Services Confidentiality Integrity Availability Authentication Authentication vs. Authorization User authentication vs. Message authentication 3
1. Internet Mail Architecture
5
Message User Agent (MUA) Operates on behalf of user actors and user applications 1. Formats a message 2. Submit message to MHS via MSA Housed in the user s computer: client email program, or local network email server 6
Mail Submission Agent (MSA) 1. Accepts messages submitted by MUA SMTP is used between MUA and MSA 2. Enforces the policies of the hosting domain and the requirements of Internet standards 7
Message Transfer Agent (MTA) Relays mails, like a package switch or IP router SMTP is used between MTA and MTA, MTA and MDA Mail Delivery Agent (MDA) Transfers message from MHS to MS Message Store (MS) Stores messages MUA retrieves messages from MS via POP (Post Office Protocal) or IMAP (Internet Message Access Protocol) 8
2. Email Protocols
Email Protocols SMTP: used to move messages from source (MUA) to destination (MS) IMPA or POP: used to retrieval message from MS to MUA, or transfer messages between mail servers 10
SMTP (Simple Mail Transfer Protocol) Encapsulates messages in an envelope Relay the encapsulated message from source to destination via MTAs How SMTP works: https://www.youtube.com/watch?v=vybx4jalu- M https://www.youtube.com/watch?v=j7kmzd81he c 11
IMAP vs. POP Allows users to download emails from an email server 1. User provides username and password 2. After user is authenticated, user can download emails via IMAP or POP IMAP vs. POP Both them use TCP IMPA provides stronger authentication, and other functions not supported by POP 12
SMTP over TLS (STARTTLS) A security-related extension for SMTP Enables the confidentiality and authentication between SMTP agents If TLS is used to establish a secure communication channel, it is SMTP over TLS 13
Multipurpose Internet Mail Extensions (MIME) Goal: address some problems and limitations of SMTP Limitations of SMTP cannot transmit executable files or binary objects cannot transmit text data including national language characters may reject mail message over a certain size some SMTP implementations does not follow the SMTP standards (RFC 821) 14
Secure/MIME (S/MIME) A secure enhancement to MIME Provides: Authentication Confidentiality Compression Email compatibility https://www.youtube.com/watch?v=aaom6mhw 93Y 15
Authentication Add digital signatures RSA + SHA-256 Q: How to generate digital signatures? message -> M message digest -> H = SHA(M) digital signature -> Sig = E(H, PR_sender) send the message M Sig 16
Confidentiality Encrypting message Encryption algorithm: AES with CBC Q: How to distribute the secrete key? use RSA the sender use the receiver s public key to encrypt the secrete key and send to the receiver 17
M M E (K, M sig.) M H(M) E (PR, H(M)) Sig. Sig. Sig. Message digest Digital signature M D (K, M sig.) M H(M) Sig. Sig. D (PU, sig) H(M) Equal? 18
If only the signature service is used, then the digital signature is encrypted If the confidentiality is used, the message plus the digital signature are encrypted 19
Cryptographic algorithms used in S/MIME Function create a message digest to be used in forming a digital signature Requirement MUST support SHA-256 SHOULD support SHA-1 Use message digest to form a digital signature Encrypt session key for transmission with a message Encrypt message for transmission with a onetime session key MUST support RSA with SHA-256 SHOULD support DSA with SHA-256 RSASSA-PSS with SHA-256 RSA with SHA-1 RSA with SHA-1 DSA with SHA-1 RSA with MD5 MUST support RSA encryption SHOULD support RSAES-OAEP Diffie-Hellmanehpemeral-static mode MUST support AES-128 with CBC SHOULD support AES-192 CBC and AES-256 CBC Triple DESCBC 20
Summary Internet Mail Architecture Message User Agent (MUA) Mail Submission Agent (MSA) Message Transfer Agent (MTA) Mail Delivery Agent (MDA) Message Store (MS) Email Protocols SMTP IMPA or POP MIME Secure Email Protocols: SMTP over TLS S/MIME 21