Email Security Trail Map - A World beyond DMARC -

Copyright© QUALITIA CO., LTD. All Rights Reserved.
Email Security
Trail Map
～A World beyond DMARC～
QUALITIA CO., LTD
HIRANO Yoshitaka
<hirano@qualitia.co.jp>

Our Company
Name Qualitia CO., LTD
HQ 3-11-10 Nihombashi-Kayabacho Chuo-ku Tokyo
Capital 85M yen
Since Oct. 1993
CEO Ken Matsuda
⚫ Development and Sales of Messaging Related Solutions
⚫ Supporting Efficient Communication and Security Enhancement
⚫ Providing the Messaging Related Cloud Services and Software
Create the Future of “Communication” and “Security” with our Customers and Partners
Q U A L I T Y M A K E S F U T U R E

Self Introduction
Name HIRANO Yoshitaka
Belongs to QUALITIA Co., Ltd
Chief Engineer
Cert. Licensed Scrum Master
Certified Scrum Developer
Activities M3AAWG
JPAAWG
IA Japan 迷惑Mail対策委員会
Anti-Spam mail Promotion Council (ASPC)
Message Research Institute
Audax Randonneurs Nihonbashi

Our Team
We are researching
and developing
New Feature
Be our
Friend!
Twitter Account →

Email Security?
Where is the goal?

Technologies for Email Security
SPF
DKIM
誤送信
防止
Sanitize
Password
ZIP
Anti
Phishing Anti
SPAM
DNS
SEC
SMTP
AUTH
DANE
MTA-
STS
START
TLS
BIMI
ARC
DMARC
TLS-
RPT
Anti
Virus
Virus
Filter
Sandb
ox
Anshin
Mark
So many things!!
I cannot understand

What do you want to protect
from What?

What we protect from
クオリティア
Mail
Server
Mail
Server
spoofing
hijacking
eavesdropping
tampering
stealing
leakage
Malware
Mail
Server
phishing

What you want to protect from
•Spoofing, Tampering
•Account Hijacking, Springboard
•Eavesdropping
•Spam, Malware, Phishing
•Leakage

Spoofing, Tampering
Protect from

Protect from Spoofing, Tampering
クオリティア
Mail
Server
Mail
Server
Mail
Server
Spoofing
Tampering

Protect from Spoofing・Tampering
•SPF
•DKIM
•DMARC
•ARC
•BIMI

When there is no SPF
192.0.2.1
203.0.113.1
Env From: taro@qualitia.co.jp
From: taro@qualitia.co.jp
Subject: Please transfer money
Hi! I'm Taro @ QUALITIA.
・・・・
OK I transfer! Click!
×
クオリティア
Spoofing・Tampering

When there is SPF
192.0.2.1
AR: spf=pass
・・・・
qualitia.co.jp txt “v=spf1 ip4:192.0.2.1 –all”
Check Source IP using Envelope From
○
OK, This is right. Transfer!
クオリティア

When there is SPF
192.0.2.1
203.0.113.1
AR: spf=fail
・・・・qualitia.co.jp txt “v=spf1 ip4:192.0.2.1 –all”
Hmm, it looks fake
×
クオリティア

But!

Even if there is SPF
192.0.2.1
203.0.113.1
Env From: jiro@badgroup.example
AR: spf=none
・・・・qualitia.co.jp txt “v=spf1 ip4:192.0.2.1 –all”
クオリティア
Use badgroup domain

badgroupのSPFで認証
192.0.2.1
203.0.113.1
AR: spf=pass
・・・・
badgroup.example txt “v=spf1 ip4:203.0.113.1 –all”
qualitia.co.jp txt “v=spf1 ip4:192.0.2.1 –all”
クオリティア

SPF
•Verify if the pair of Envelope From and IP
Address is correct or not
•RFC4408 (2006/04)
Source IP = Envelope From = Header From?

DKIM

When there is no DKIM
AR: dkim=none
・・・・
クオリティア

DKIM-Signature: v=1;
d=qualitia.co.jp; s=s1;
h=From:Subject;
b=abcdef・・・・
・・・・
When there is DKIM
Send with signature
s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...”
Encryption
Public Key
Private Key
hash
クオリティア

h=From:Subject;
AR: dkim=pass
・・・・
When there is DKIM
OK, it’s trustable. Transfer, click!
Decryption
Public Key
Private Key
hash○
クオリティア

d=qualitia.co.jp;
h=From:Subject;
・・・・
When there is DKIM
Cannot sign
without a private key!
encryption
Private Key
hash
×
クオリティア

h=From:Subject;
Subject: Please transfer money to thief
・・・・
When there is DKIM
Tamper
the signed
message
Public Key
Private Key
クオリティア

h=From:Subject;
Subject: 泥棒にPlease transfer money
AR: dkim=fail
・・・・
When there is DKIM
Hmm, this might be tampered?
decryption
Public Key
Private Key
hash
×
クオリティア

Even if there is DKIM
AR: dkim=none
・・・・
Ok, Transfer! Click!
Private Key
Same as
when there is not DKIM
クオリティア
Send without signature

By Any Chance？
AR: dkim=none
・・・・
Ehh? QUALITIA usually
sign DKIM signature, right?
Private Key
クオリティア
Same as
when there is not DKIM

d=badgroup.example; s=aku;
h=From:Subject;
・・・・
Sign as badgroup!
aku._domainkey.badgroup.example txt “v=dkim1;p=ABCDEF...”
encryption
Private Key
of badgroup
Private Key
hash
クオリティア

h=From:Subject;
AR: dkim=pass
・・・・
Ok, transfer!
decryption
badgroupの
Public Key
Private Key
hash○
badgroupの
Private Key
クオリティア

DKIM
•Sign headers and body
to protect from tampering

Problem of SPF, DKIM
•SPF: Even if the third party spoofed the
Envelope From, still spf will be a “pass”
•DKIM: Even if the third party signed,still
dkim will be a “pass”

DMARC

DMARC
•Verify based on Header From
•Header From
•Envelope From Verify all domains match
•DKIM signer

SPF for badgroup (dmarc p=none)
192.0.2.1
203.0.113.1
AR: spf=pass, dmarc=Fail
・・・・
_dmarc.qualitia.co.jp txt “v=DMARC1; p=none”
Oh, dmarc is fail.
×
クオリティア

SPF for badgroup (dmarc p=reject)
192.0.2.1
203.0.113.1
AR: spf=pass, dmarc=Fail
・・・・
× Reject!
_dmarc.qualitia.co.jp txt “v=DMARC1; p=reject”
×
クオリティア

h=From:Subject;
AR: dkim=pass, dmarc=fail
・・・・
DKIM signature for badgroup
Public Key
of badgroup
Private Key
of badgroup
×
_dmarc.qualitia.co.jp txt “v=DMARC1; p=reject”
×Reject!
クオリティア

h=From:Subject;
Subject: [○○ML:1234] Hi! All
AR: dkim=fail
Hi! Long time no see!
・・・・
DKIM + Mailing List
Hmm, can I trust?
decryption
Public Key
Private Key
hash
×
クオリティア

ARC

ARCがあれば
Ok, arc=pass
Private Key
クオリティア
Mailing List
Server
ml.example.jp
ARC-Seal: i=1; cv=none; d=ml.example.jp;...
ARC-Message-Signature: i=1; d=ml.example.jp;
h=from:subject:dkim-signature:...
ARC-Authentication-Result: i=1; ml.example.jp;
dkim=pass; spf=pass; dmarc=pass
DKIM-Signature: v=1; d=qualitia.co.jp; b=abcdef・・・・
Subject: [○○ML:1234] Hi! All
AR: dkim=fail, arc=pass
Hi! Long time no see!
・・・・

ARC
•The Authenticated Received Chain Protocol
•RFC8617 (2019年7月)
•Mailing List Server will write ARC signature
with sequence number,
if DKIM=pass, ARC=pass when it received.

Operation

Recent DKIM Circumstances
•RFC8301: Cryptographic Algorithm and Key Usage Update to
DomainKeys Identified Mail (DKIM) (Jan. 2018)
・Both signer and verifier MUST use rsa-sha256
・Both MUST NOT use rsa-sha1
・Sign: 1024bit～(MUST)、2048bit～(SHOULD)
・Verify: 1024bit～4096bit(MUST)
※ But 2048bit is longer than the size 255bytes which DNS can handle

Recent DKIM Circumstances
•RFC8463: A New Cryptographic Signature Method for DomainKeys
Identified Mail (DKIM) (Sep. 2018)
・Signer SHOULD implement this
・Verifier MUST implement this
・Write two signatures, Ed25519-SHA256 and
RSA-SHA256(1024bit～) for backward compatibility
Use Ed25519-SHA256
BASE64 encoded size is just 44 bytes, so this can be fit into DNS

DKIM Key Rotation
•DKIM Key has
to be rotated
https://www.m3aawg.org/sites/default/files/m3aawg-dkim-key-rotation-bp-2019-03.pdf

Operation for DKIM
•Follow the latest cryptography
•Key rotation
Too much hassle!!!
We are creating a service
to DKIM-sign automatically!
Coming Soon!
注目

BIMI

BIMI
•Show the logo
specified by the
sender,
if the DMARC
is “pass”.
Show the logo
注目

Protect from Spoofing, Tampering (Summary)
•SPF
•DKIM
•DMARC
•ARC
•BIMI

•Spoofing・Tampering
•Hijacking・Springboard
•Eavesdropping
•Spam・Malware・Phishing
•Leakage
Hijacking・Springboard

Protect from

Protect from Hijacking・
Springboard
クオリティア
Mail
Server
Mail
Server
Hijacking

POP before SMTP

POP before SMTP
If you pass the POP3 authentication,
you can send email.
Mail Server

SMTP AUTH

SMTP AUTH
If you passed the ID/Password authentication
on SMTP, you can send email.
Mail Server
RFC2554 (1999) → RFC4954 (2007)

OP25B

OP25B
•If you passed the ID/Password authentication on
SMTP(Port 587 ), you can send email.
•ISP blocks Port 25 from customer.
Mail Server

Multi Factor Authentication

Multi Factor Authentication
If the multiple combinations of authentication, such
as SMTP AUTH, device auth, biometric auth, are
passed, you can send an email.
Mail Server
Device auth
+ Face auth
OK

デモ
We made it!
注目

Demo
Mail ServerDevice Auth
+ Face Auth
OK

Device + Face authenticationSender
MUA
Packet

多要素認証
SMTP Biometric Auth Service
Looking for β users!
注目

Protect from Hijacking・Springboard
(Summary)
•POP before SMTP
•SMTP AUTH
•OP25B
•Multi Factor Authentication

•Eavesdropping
•Leakage
Eavesdroppin

Eavesdropping
Protect From
Eavesdroppin

Protect from Eavesdropping
クオリティア
Mail
Server
Mail
Server
Eavesdropping
Tampering
Stealing
Eavesdroppin

Encrypted ZIP
Eavesdroppin

Encrypted ZIP
クオリティア
Mail
Server
Mail
Server
Eavesdropping
Tampering
Stealing
Password
Eavesdroppin

STARTTLS
Eavesdroppin

STARTTLS
クオリティア
Mail
Server
Mail
Server
Eavesdropping
Tampering
Encrypt the line between mail servers
Eavesdroppin

But!
Eavesdroppin

Unsupported STARTTLS
クオリティア
Mail
Server
Mail
Server2
Eavesdropping
Tampering
If the server or client does not
support STARTTLS, the client will
send emails by plain text
opportunistically.
Mail
Server1
Eavesdroppin

When the network routing is hijacked
クオリティア
Mail
Server
Mail
Server
Encryption is meaningless.
Mail
Server
ARP
BGP
・・・
Eavesdroppin

MTA-STS
Eavesdroppin

MTA-STS
•Force to use STARTTLS
•Force to use TLS1.2 or more
•Enforce that server has a valid certification
•RFC8461 (Sep. 2018)
Eavesdroppin

When there is MTA-STS
クオリティア
Mail
Server
Mail
Server
Client does not send,
if encryption is not supported
_mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;"
version: STSv1
mode: enforce
mx: mx1.qualitia.co.jp
max_age: 1296000
https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt
＝Not Stealed
Eavesdroppin
Policy

But!
If the client did not send it
we want to know it
Eavesdroppin

TLS-RPT
Eavesdroppin

When there is TLS-RPT
クオリティア
Mail
Server
Mail
ServerSend a report,
if the encryption is not supported
RFC8460 (Sep. 2018)
version: STSv1
mode: enforce
max_age: 1296000
_smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=mailto:reports@qualitia.co.jp"
Eavesdroppin

Be careful！
クオリティア
Mail
Server
Mail
Server
version: STSv1
mode: enforce
max_age: 1296000
_smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=mailto:reports@qualitia.co.jp"
Server does not support TLS,
so that client cannot send a report
encryption
Eavesdroppin

Report Using HTTPS
クオリティア
Mail
Server
Mail
Server
version: STSv1
mode: enforce
max_age: 1296000
_smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=https://api.qualitia.co.jp/v1/tlsrpt"
HTTPS is also available
https://api.qualitia.co.jp.jp/v1/tlsrptPOST
Eavesdroppin

DNS Hijacking
クオリティア
Mail
Server
Mail
ServerDisable MTA-STS
Mail
Server
DNS
Eavesdroppin

Compromised CA
クオリティア
Mail
Server
Mail
Server
Mail
Server
ARP
BGP
・・・
Certificate Authority (CA)
署名
qualitia.co.jp
qualitia.co.jp
Sign
Compromised CA
Everything seems fine
for sender
Trust
Eavesdroppin

DANE
Eavesdroppin

DANE
•Do not use Certificate authority(CA)
•You can use if you want
•Self-signed certificate is available
•Use DNSSEC
•RFC7672 (Oct. 2015)
Eavesdroppin

DANE
クオリティア
Mail
Server
Mail
Server
Use DNS Trust chain instead of CA
DNSSEC
Certificate Authority(CA)
No Need
ルートDNS
DNSSEC
Trust
Eavesdroppin
_25._tcp.mx1.qualitia.co.jp. IN TLSA 3 0 1 2B73BB905F…"
mx1.qualitia.co.jp

But!
Settings and Operations are not easy
Eavesdroppin

Operation of MTA-STS, TLS-RPT, DANE
•Operating DNSSEC is not easy
•We cannot use DNSSEC easily (in Japan)
•Do not want to Key-Rotate
•Do not want to analyze the report
Authoritative DNSSEC Service
for Mail User
We are now developing!
注目
Eavesdroppin

Protect from Eavesdropping (Summary)
•Encrypted ZIP
•STARTTLS
•MTA-STS
•TLS-RPT
•DANE-TLS
•DNSSEC
•DANE-S/MIME
Eavesdroppin

•Eavesdropping
•Leakage
Spam・Malware・Phishing

Spam, Malware, Phishing
Protect from

Protect from Spam, Malware
Mail
Server
Mail
Server
Spoofing
Spam
Malware
Phishing

Security for received emails
•Spam Filtering
•Virus Filtering

But!
Virus file is also encrypted!
Virus scanners cannot detect the virus!

Decode by Password to Detect Virus
Decode by Password
Virus Check
Check in Sandbox
You can download
if the file is safe
注目

•Eavesdropping
•Leakage
Leakage

Leakage
Protect from
Leakage

Mail Missending Prevention
•Holding Email for a while
•To, Cc → Bcc Transformation
•Password protected ZIP
Leakage

Web Downloading
クオリティア
Mail
Server
Mail
Server
Separate
Attachment
File
注目
Leakage

EMAILを守るための技術
•Eavesdropping
•Leakage
SPF DKIM DMARC ARC BIMI
POP before SMTP SMTP AUTH MFA
STARTTLS MTA-STS TLS-RPT DANE DNSSEC
AntiSPAM AntiVirus SandBox Active! zone
Holding Passworded ZIP Web Downloading Active! gate

Introduced Products, Services
•Web Mail for BIMI
•DKIM signing Service
•SMTP Bio Auth Product, Service
•Authoritative DNSSEC + Mail Setting Service
•TLS Report Analysis Service
•Virus Checking for Passworded Files Product
•Attachment Separation for Mail Missending Prevention
βユーザ募集！

Thank you
Thank you

Email Security Trail Map - A World beyond DMARC -

Recommended

Recommended

More Related Content

Recently uploaded

Recently uploaded (20)

Featured

Featured (20)

Email Security Trail Map - A World beyond DMARC -