=====================================================
LuxSci FYI Blog from LuxSci.com
by Erik Kangas, PhD, CEO
Email Security Threats
Eavesdropping
The Internet is a big place with a lot of people on it. Unless a message is
encrypted, it is very easy for anyone who has access to the computers or
networks through which your information is traveling to capture this
information and read it. Just like someone in the next room listening in on
your phone conversation, people using computers “near” the path your email
takes through the Internet, including the mail servers that relay it, can
potentially read and copy your messages.
Identity Theft
If someone can obtain the username
and password that you use to access your email servers, they can read your
email and send false email messages as you. Very often, these credentials can
be obtained by eavesdropping on SMTP, POP, IMAP, or Webmail connections, by
reading email messages in which you include this information, or through other
means.
Invasion of Privacy
If you are very concerned about your
privacy, then you should consider the possibility of “unprotected backups”,
listed below. You may also be concerned about letting your recipients know the
IP address of your computer. This information may be used to tell in what city
you are located or even to find out what your address is in some cases! This is
not usually an issue with WebMail, POP, or IMAP, but is an
issue with the transport of email, securely or insecurely, from any email
client over SMTP.
Message Modification
Anyone who has system administrator
permission on any of the SMTP Servers that your message visits, can not only
read your message, but they can delete or change the message before it
continues on to its destination. Your recipient has no way to tell if the
email message that you sent has been altered! If the message was merely deleted
they wouldn’t even know it had been sent.
False Messages
It is very easy to construct
messages that appear to be sent by someone else. Many viruses take advantage of
this situation to propagate themselves. In general, there it is very hard to be
sure that the apparent sender of a message is the true sender – the sender’s
name could have been easily fabricated. See “Who stole my
email address?“
Message Replay
Just as a message can be modified,
messages can be saved, modified, and re-sent later! You could receive a valid
original message, but then receive subsequent faked messages that appear to be
valid.
Unprotected Backups
Messages are usually stored in plain
text on SMTP Servers. Thus, backups of these servers’ disks usually contains
plain text copies of your messages. As backups may be kept for years and can be
read by anyone with access to them, your messages could still be exposed in
insecure places even after you think that all copies have been “deleted”.
Repudiation
Because normal email messages can be
forged, there is no way for you to prove that someone sent you a particular
message. This means that even if someone DID send you a message, they can
successfully deny it. This has implications with regards to using email for
contracts, business communications, electronic commerce, etc. See: DKIM: Fight
Spam and Forged Email by Signing your Messages.
===================================================
====================================================
Email Encryption
Symmetric Encryption
In symmetric encryption, you and
your friend share a “secret” key. Using this key, you can encrypt a message
into “cyphertext”. Cyphertext looks like a random sequence of characters and is
completely meaningless to anyone unless they also have the secret key, in which
case they can decrypt the cyphertext back into the original message and read
it.
Using symmetric key encryption, eavesdropping and unwanted backups of your
messages no longer are a problem (unless the eavesdropper knows what your
secret key is). Encryption by itself does not, however, stop someone from
modifying the ciphertext in transit: an attacker who cannot read the message
can still flip bits in it, and with some cipher modes the result decrypts to
a predictably altered message. To detect modification you need either an
authenticated mode of operation such as AES-GCM, which rejects any
ciphertext that has been touched, or a separate message authentication code
(see below).
An example of a popular, excellent
method used for symmetric encryption is AES-256.
The problem with symmetric key encryption is precisely the fact that you and
your friend must share the same secret key. Unless you meet in person, how
do you communicate this key in a way that is secure? What if you want to
send a secure message to someone on the other side of the world? How do you
get them the secret key quickly in a way that eavesdroppers can’t intercept?
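As an added example (written for this page, not code from the original LuxSci post), the following Go program shows AES-256 in GCM mode, the authenticated mode mentioned above: both parties derive the same key from a shared secret, the sender seals a constructed message, and the recipient opens it. It also shows what symmetric encryption does and does not give you: an eavesdropper with the wrong key gets nothing, and a single flipped bit in the ciphertext is rejected rather than silently decrypted into an altered message. The passphrase, the message and the use of plain SHA-256 as a key derivation are assumptions made for the example; a real client would use a salted key-derivation function, and both parties would still face the key-distribution problem described above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey turns a shared secret into a 32-byte AES-256 key.
// Assumption for this example: a real client would use a salted KDF
// (PBKDF2, scrypt, Argon2); plain SHA-256 keeps the example self-contained.
func deriveKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// encrypt seals plaintext under key with AES-256-GCM. The returned blob is
// nonce || ciphertext || 16-byte authentication tag. A fresh random nonce is
// used for every message so identical plaintexts never produce identical output.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt reverses encrypt. It fails if the key is wrong or if any byte of
// the blob was changed in transit, because the GCM tag no longer verifies.
func decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// tamperDetected flips one bit in the ciphertext body (not the tag) and
// reports whether decryption refuses the result.
func tamperDetected(key, blob []byte) bool {
	forged := append([]byte(nil), blob...)
	forged[len(forged)-17] ^= 0x01 // last ciphertext byte before the 16-byte tag
	_, err := decrypt(key, forged)
	return err != nil
}

func main() {
	// Constructed shared secret and message.
	key := deriveKey("correct horse battery staple")
	msg := []byte("Meet at 10:00, bring the signed contract.")

	blob, err := encrypt(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire (%d bytes): %x\n", len(blob), blob)

	pt, err := decrypt(key, blob)
	fmt.Printf("recipient reads: %q (err=%v)\n", pt, err)

	_, err = decrypt(deriveKey("guess"), blob)
	fmt.Println("eavesdropper with wrong key:", err)

	fmt.Println("single-bit change rejected:", tamperDetected(key, blob))
}
```

The blob on the wire is 12 bytes of nonce plus the message length plus a 16-byte tag; the tag is what turns “harder to modify meaningfully” into “any modification is detected”. Note that GCM with a repeated nonce under the same key is catastrophic, which is why the nonce is drawn fresh from the system random source for every message.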
Message Digests / Authentication Codes
A “Message Digest” or “Message
Authentication Code” is really a very simple concept. You take your message and
pass it through an algorithm that spits out a relatively short sequence of
characters (maybe 128 or 256 or so of them). This sequence of characters is a
“fingerprint” of the message. Any minute change in the message would produce a
significantly different “fingerprint”. There is no way to “reverse engineer”
the original message from its fingerprint and it is almost “impossible”
(assuming that your method of making these fingerprints is sufficiently “good”)
to find two messages that yield the same fingerprint (just like trying to find
two complete strangers who have the same fingerprint).
An example of a good modern function
for this process is “SHA2“.
Message Digests are quick ways to check whether a message has been altered.
If you have a digest of the original message that the attacker could not
have tampered with, and it matches a digest of the message you just
received, then you know that the message is unaltered. If the digest simply
travels alongside the message, this check proves nothing: whoever changes
the message can recompute the digest too. That is why a bare digest is
either signed (see “Sign a Message” below) or replaced by a MAC, which an
attacker cannot recompute without the shared key.
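The difference between a keyless digest and a keyed MAC is easiest to see in code. This added Go example (written for this page, not LuxSci’s) computes SHA-256 digests and HMAC-SHA256 tags over constructed messages, shows how much of the fingerprint changes when one character of the message changes, and plays out the attack described above: an attacker who replaces both the message and its bare digest passes a digest check, but fails the MAC check because they lack the key. The messages and the key are made up for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// digest returns the hex-encoded SHA-256 fingerprint of a message: 256 bits,
// shown as 64 hexadecimal characters. No key is involved, so anyone can
// compute it for any message.
func digest(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

// mac returns the hex-encoded HMAC-SHA256 tag of a message under a shared
// secret key. Without the key, the tag cannot be produced or predicted.
func mac(key, msg []byte) string {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return hex.EncodeToString(h.Sum(nil))
}

// verifyMAC recomputes the tag for the received message and compares it in
// constant time, so the comparison's timing does not leak how many bytes matched.
func verifyMAC(key, msg []byte, tagHex string) bool {
	want, err := hex.DecodeString(tagHex)
	if err != nil {
		return false
	}
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return hmac.Equal(h.Sum(nil), want)
}

// differingHexDigits counts the positions at which two fingerprints differ.
// Changing one character of a message changes roughly 15 of every 16 hex
// digits of its SHA-256 digest (the "avalanche" effect).
func differingHexDigits(a, b string) int {
	n := 0
	for i := 0; i < len(a) && i < len(b); i++ {
		if a[i] != b[i] {
			n++
		}
	}
	return n
}

// digestCheckPasses is the naive receiver-side check the text describes:
// compare the digest that arrived with a digest of the message that arrived.
func digestCheckPasses(msg []byte, receivedDigest string) bool {
	return digest(msg) == receivedDigest
}

// forge is what an attacker on the path does with a bare digest: swap in a
// new message and recompute its digest. The forged pair passes digestCheckPasses.
func forge(newMsg []byte) ([]byte, string) {
	return newMsg, digest(newMsg)
}

func main() {
	// Constructed messages and key; one digit of the account number differs.
	original := []byte("Pay invoice 1234 to account 11-22-33")
	altered := []byte("Pay invoice 1234 to account 11-22-34")
	key := []byte("shared-secret-between-sender-and-recipient")

	d1, d2 := digest(original), digest(altered)
	fmt.Println("digest(original):", d1)
	fmt.Println("digest(altered): ", d2)
	fmt.Printf("one character changed, %d of 64 hex digits differ\n", differingHexDigits(d1, d2))

	// The sender ships the message with its MAC; the attacker swaps the
	// message and recomputes the bare digest, but cannot recompute the MAC.
	sentMAC := mac(key, original)
	m, dg := forge(altered)
	fmt.Println("bare digest check on forged pair:", digestCheckPasses(m, dg))
	fmt.Println("MAC check on forged message:    ", verifyMAC(key, m, sentMAC))
	fmt.Println("MAC check on genuine message:   ", verifyMAC(key, original, sentMAC))
}
```

hmac.Equal rather than a plain string comparison is deliberate: a byte-by-byte comparison that stops at the first mismatch leaks, through its timing, how much of a guessed tag was right.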
Asymmetric Encryption
In asymmetric encryption, also known
as “public key” encryption, each person has TWO keys. Any cyphertext created
using one of the keys can ONLY be decrypted using the other key. For example,
say you have keys “K1″ and “K2″. If you encrypt your message with K1, then ONLY
K2 can be used to decrypt it. Similarly, if you encrypt using K2, ONLY K1 can
be used to decrypt it. This is distinctly different from symmetric key
encryption where you only have one key that performs both functions on the same
message.
For a detailed explanation and
example of asymmetric encryption, see: How does
Secure Socket Layer (SSL or TLS) Work?
In asymmetric key encryption, the two keys that each person possesses are
commonly named the “private” and “public” keys, because the “public” one is
published or given out freely to anyone who wants a copy and the “private”
one is kept secret. The security of asymmetric key encryption depends on
two things: that you keep your private key secret, and that the public key
you use for someone really belongs to them. An attacker who can substitute
their own public key for your friend’s will be able to read everything you
encrypt to it, which is why public keys are distributed in certificates
signed by a trusted authority, or are verified out of band (for example by
comparing key fingerprints over the phone).
Asymmetric key encryption allows you
to do many clever things:
·
Send an Encrypted Message:
To send a secure message to someone, all you have to do is encrypt it with
their public key! Only the intended recipient who has the matching private key
will be able to decrypt and read the message. This solves the problem of
eavesdropping and the problem of sending secret keys that is inherent in
symmetric key encryption.
·
Prove You Sent a Message:
To prove to someone that you sent a message, you can encrypt the message (or
just a piece of it) with your private key. Then, anyone can decrypt it with
your public key and read the contents. The fact that your public key decrypts
the message proves that only you could have sent it (or someone who has your
private key).
·
Sign a Message:
A message signature proves that you sent the message AND allows the recipient
to determine if the message was altered in transit. This is done by using your
private key to encrypt a digest of a message at the time of sending. The
recipient can decrypt this digest and compare it to a digest of the received
message. If they match, then the message is unaltered and was sent by you.
·
Encrypted, Signed Messages:
The most secure form of communication is to first add a signature to the
message and then to encrypt the message plus signature with the recipient’s
public key. This combines the benefits of all of the techniques: security
against eavesdropping and unexpected storage, proof of sender, and proof of
message integrity.
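Putting the operations from this list together, here is an added Go example (written for this page, not the original post’s code) of a message that is signed and then encrypted, exchanged between two constructed parties, Alice and Bob, with a third, Mallory, standing in for the eavesdropper and the impostor from the threats section. Signing uses Ed25519 (private key signs, public key verifies) rather than RSA so that the message plus its 64-byte signature fits inside a single RSA-OAEP block; encryption to the recipient uses RSA-2048 with OAEP. Real mail encryption standards (S/MIME, OpenPGP) instead encrypt the body with a fresh symmetric key and encrypt only that key with RSA, which removes the length limit; that hybrid step is left out here to keep the example short. All keys are generated in-process and the message is made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds one user's keys: an Ed25519 pair for signing and an RSA pair
// for encryption. Keys are generated fresh here; a real mail client would
// load its own from a keystore and its correspondents' from certificates.
type Party struct {
	SignPub  ed25519.PublicKey
	SignPriv ed25519.PrivateKey
	EncPub   *rsa.PublicKey
	EncPriv  *rsa.PrivateKey
}

func newParty() (*Party, error) {
	sp, ss, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{SignPub: sp, SignPriv: ss, EncPub: &rk.PublicKey, EncPriv: rk}, nil
}

// Envelope is what travels over SMTP: one RSA-OAEP ciphertext of
// (message || signature). Relays and eavesdroppers see only this blob.
type Envelope struct {
	Ciphertext []byte
}

// signThenEncrypt: sign with the sender's private key, then encrypt message plus
// signature with the recipient's public key. RSA-2048 with OAEP/SHA-256 accepts
// at most 190 bytes, so message + 64-byte signature must fit in one block.
func signThenEncrypt(sender *Party, recipientPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	sig := ed25519.Sign(sender.SignPriv, msg)
	payload := append(append([]byte{}, msg...), sig...)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, payload, nil)
	if err != nil {
		return nil, err // e.g. "message too long for RSA key size"
	}
	return &Envelope{Ciphertext: ct}, nil
}

// decryptThenVerify: decrypt with the recipient's private key, split off the
// signature, verify it with the claimed sender's public key. If either step
// fails the message must not be trusted.
func decryptThenVerify(recipient *Party, senderPub ed25519.PublicKey, env *Envelope) ([]byte, error) {
	payload, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.EncPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or ciphertext altered in transit")
	}
	if len(payload) < ed25519.SignatureSize {
		return nil, errors.New("payload too short to carry a signature")
	}
	cut := len(payload) - ed25519.SignatureSize
	msg, sig := payload[:cut], payload[cut:]
	if !ed25519.Verify(senderPub, msg, sig) {
		return nil, errors.New("bad signature: not from the claimed sender, or message altered")
	}
	return msg, nil
}

func main() {
	alice, err1 := newParty()
	bob, err2 := newParty()
	mallory, err3 := newParty() // eavesdropper and would-be impostor
	if err1 != nil || err2 != nil || err3 != nil {
		panic("key generation failed")
	}
	msg := []byte("Bob: the wire transfer is approved. -- Alice") // constructed

	env, err := signThenEncrypt(alice, bob.EncPub, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %d opaque bytes\n", len(env.Ciphertext))

	got, err := decryptThenVerify(bob, alice.SignPub, env)
	fmt.Printf("Bob reads: %q (err=%v)\n", got, err)

	_, err = decryptThenVerify(mallory, alice.SignPub, env) // lacks Bob's private key
	fmt.Println("Mallory as eavesdropper:", err)

	fake, _ := signThenEncrypt(mallory, bob.EncPub, msg) // claims to be Alice
	_, err = decryptThenVerify(bob, alice.SignPub, fake)
	fmt.Println("Mallory as impostor:", err)

	// Replay: the captured envelope decrypts and verifies again. Signatures do
	// not stop this; the message itself needs a date or unique ID that Bob checks.
	_, err = decryptThenVerify(bob, alice.SignPub, env)
	fmt.Println("replayed envelope still accepted:", err == nil)
}
```

The last step is the one worth remembering from the threats section: signing and encrypting defeat eavesdropping, modification and false sender, but a captured signed message replays perfectly. Protection against replay has to come from the signed content itself (a date, a message identifier the recipient remembers), not from the cryptography around it.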
===========================================================
Have you ever wondered how it would be if your email suddenly came to life? You are about to find out.
https://www.youtube.com/watch?v=HTgYHHKs0Zw
====================================================
**Important note** - contact our company for very powerful solutions for IP management (IPv4 and IPv6, security, firewall and APT solutions):
www.tabularosa.net
In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” will be published soon, followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:
www.amazon.com/author/paulbabicki
If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio Additionally, I provide content for an online newsletter via paper.li. I have also established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. Further, I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and have been a contributor to numerous blogs and publications.
Lastly, I
am the founder and president of Tabula
Rosa Systems, a company that provides “best of breed” products for network,
security and system management and services. Tabula Rosa has a new blog and Twitter site which offers great IT
product information for virtually anyone.
==============================================