SlideShare a Scribd company logo

YosefGamble_Writing_Sample_Email_Security

Download as DOCX, PDF
Yosef Gamble
Yosef Gamble
1 of 8
1 Yosef Gamble 10 June 2014 CS 325 - Dr. Harper Email Security & Future Development Abstract This paper outlines some of the problems of email communications, specifically, the issue of privacy of the Simple Mail Transfer Protocol (SMTP). This paper also explores 2 attempts to solve email security, Public key infrastructure (PKI) and Pretty Good Privacy (PGP) encryption, and the issues with these attempts that can still make encrypted information vulnerable to theft. Also discussed, are solutions that are in current development. Modern email encryption solutions are aiming to replace SMTP with new protocols such as Extensible Messaging and Presence Protocol (XMPP) to address the problem of metadata leaks and difficult usability. 1. Introduction Internet privacy has become the forefront of discussion in the media and online for the last two years. With the role of the United States’ National Security Agency (NSA) being revealed, people around the world have become more concerned about their own personal privacy online, especially in regards to text-based communication. Communication mediums such as email, text messaging, and social networking have all come under scrutiny for providing global government agencies with easy access to private information without a person’s consent. But there are a very limited amount of options for people to secure their data. For some people, there is a lack of knowledge or ability to be able to encrypt information, but many experienced computer users know that the real reason is because snooping government agencies were not
2 always on the minds of security professionals who helped make internet communication the way it is today. 2. Email Security The way that email works is naturally insecure and vulnerable to cyber-criminals. According to Danny Bradbury, in “Can We Make Email Secure”, “Email has always been insecure”. Bradbury states that email relies upon an outdated system that has not evolved to accommodate the modern necessities of internet communication. The modern standard for email communication, called Simple Mail Transfer Protocol (SMTP), was developed when “collaboration and openness” were necessary. But as internet grew and online services became more security conscious, email did not change to accommodate the modern concerns regarding security and privacy (Bradbury 2014). Danny Bradbury explains that when an email is sent, the message is formatted in plain text, using the Multipurpose Internet Mail Extension (MIME) and includes metadata that contains the email sender’s IP address and route information that the email travelled through a server, revealing exactly where the email came from and who possibly sent it. Using the IP address in the email header, a reverse lookup could reveal the geographic location of the email sender (Bradbury 2014). The main reason why information is so vulnerable in email is because of the way it travels, In order for the email to reach the recipient’s inbox, it is relayed to an SMTP server that belongs to the domain name contained in the email address. The relay process uses a list of addresses in the server called a mail exchange (MX) record to look up the inbox that the email should be sent to. If the email is valid and the inbox is found, the email arrives in the correct inbox. If the email is not found, or if there are complications in finding the correct server, the
3 email is “bounced” around until the right inbox is found. The problem with this protocol is that there is a possibility that the email could be intercepted during this process. There is a way to encrypt the email contents called Secure Multipurpose Internet Mail Extension (S/MIME), but it is not widely used and does not address the problem with metadata (Bradbury 2014). Since the email protocol hasn’t been changed, the best way to send sensitive information via email is by encrypting the email message itself. 3. PKI Encryption According to Carl Ellison and Bruce Schneier’s article, “Risks of PKI: Secure Email”, an encryption standard called Public-key infrastructure (PKI) became the “cure all for security problems”. PKI provided a level of security, trust, and privacy for corporate email users (Ellison & Schneier 2000). PKI relied on the digital certificates, sold by third-party venders, called certificate authorities (CA), to encrypt an email and sign the email with a unique verified signature. The certificate has to be bought on an annual basis, and requires that each person is issued an identification that is linked to the main certificate. This method was aimed to ensured trust in which an encrypted email could be sent where both the sender and recipient are able to encrypt, verify, and decrypt an email (Ellison & Schneier 2000). With separate identities being tied to one main certificate used by a company or group, there were a number of security problems that came up. First, the theft of a certificate would compromise this entire network, and give thief the ability to decrypt any email using that particular certificate. Second, the advent of having to use a third-party CA presents the possibility of uncontrolled access if the CA is compromised. Last, a large company or group may run the risk of having to provide identity certificates to people with similar names, which may create a security problem due to the confusion that could cause (Ellison & Schneier 2000).
4 4. PGP Encryption According to Carl Ellison and Bruce Schneier in, “Risks of PKI: Secure Email”, The problems addressed are the reason why a standard called Pretty Good Privacy (PGP) became more favoured for email encryption, especially for non-commercial groups and individuals concerned about privacy who did not want to pay for enterprise software or annual certificate licences. PGP certificates are free and do not require a CA to obtain them. With PGP, a user who wishes to send and receive encrypted email will generate a two keys, a public and a private key. The public key is available to the intended contacts in order for them to encrypt an email, and the private key is used to decrypt any text or file that is encrypted using the associated public key. The private key is unique for everyone and is never shared to anyone else besides the key owner. A group of multiple people can associate their identities with a set of private and public keys, and form a web-of-trust. In a web-of-trust, each individual in a group signs their public keys with the private key, minimising the risk of an unauthorised person encrypting information the a stolen certificate (Ellison & Schneier 2000). The other main reason why PGP became a standard was because the certificate was generated by free open-source cryptography programs such as OpenPGP and GNU Privacy guard (GPG) (Nguyen, 2004). As Phong Nguyen’s journal, “Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3”, illustrates, PGP implementation can have drawbacks. While the algorithm is nearly impossible for even a modern supercomputer to crack, the software that creates the keys may be subject to bugs and flaws that can compromise private encryption keys. One such flaw happened with GNU Privacy Guard (GPG) v1.2.3 encryption software. An attack on an arbitrary message generated with the ElGamal algorithm, in this particular version,
5 allowed the private key to easily be recovered. A serious bug like this showed that software does not always implement the best encryption techniques (Nguyen 2004). With the advent of PGP, S/MIME, and various other encryption tools out there, there are still a great number of challenges to ensure absolute privacy for email users. According to Jiangshan Yu, Vincent Cheval, and Mark Ryan, in “Challenges with End-to-End Email Encryption”, there are a few problems that have yet to be resolved. One is the challenge with law-enforcement. Email services that aim to provide a secure email platform are threatened to shut down if the government agencies aren’t provided access to plain text data. For example, the secure email company, lavabit, was forced “to shut down its service to prevent being forced by the NSA to sabotage its own encryption”. The same fate was met for PrivateSky, which shut down “because of the pressure from GCHQ” (Yu, Cheval & Ryan 2014). 5. Future Development As for the future of email security, it seems like it will remain a cat and mouse game between privacy advocates and the global governments that want access to information. The development of modern email communication networks are going down to the root of the problem with email, and moving away from using the SMTP protocol. According to Danny Bradbury, the creators of the now defunct lavabit and Silent Circle, are working on a new project of securing email communication called Dark Mail. The purpose of Dark Mail is to replace the SMTP with a protocol called Extensible Messaging and Presence Protocol (XMPP). If an email from an SMTP supported service is introduced to the Dark Mail server, the message will be converted to ensure that the Dark Mail network is secure. With this service, headers would not be included in the email, and only the IP address would be exposed, something that can be hidden using an anonymiser program (Bradbury 2014).
6 Possibly, the introduction to an end-to-end email system like Dark Mail, that will require little to no effort on the user’s part to secure a message, is something that could possibly help encourage more people to encrypt their email messages. According to “Challenges With End-to- End Encryption”, a new proposed project, named Confimail, is attempting to do just that. The idea behind Confimail is to “provide e2e email encryption, claimed to be user friendly, while without requiring a trusted party” (Yu, Cheval & Ryan 2014). More future development of email encryption services would possibly become more focused on the user experience. According to Phillip Hallam-Baker’s article, “Privacy Protected Email”, the reason why most people do not encrypt email is because “the number of users who can accept an encrypted email is vanishingly small”. Encrypting an email can be very difficult to do. GPG and most other encryption software do not have a graphical user interface, and instead rely on terminal commands to work. On top of that, the person sending an email has to do all of the work of installing the encryption software, generating the keys, and making sure that the recipient can receive and decrypt the email message (Hallam-Baker 2014). The increased use of webmail has also made encryption more complex. In order to encrypt an email message in gmail for instance, it would require a third party javascript in order to achieve that (Yu, Cheval & Ryan 2014). 6. Conclusion While the issue of civil liberties and the right to privacy, there may be a good reason why law-enforcement is nervous about email communication that is untraceable. People involved in criminal organisations will go through any length to hide their activities from law-enforcement, including the use of encryption. As much as it seems like the NSA is hunting random data just because they can, national security plays a big role in their decisions to have access to secure
7 email services. In “Organized Crime, Terrorism and Cybercrime”, Louise I. Shelley reveals that “The hijackers of the September, 11th planes were aware that their phones and cell phones might be tapped”, and that “international drug traffickers are among the most widespread users of encrypted messages, coded messages by cell and satellite phones and use anonymizer features on computers” (Shelley 2003). The truth is, security professionals and political activists will always try to find ways to protect the right to privacy, whether it is helping develop new ways to encrypt messages or using the tools already available on the market. And as time goes on, new email protocols such as XMPP will greatly improve the usability and anonymity that S/MIME and PGP had failed to address.
8 Works Cited Bradbury, D. (2014, March). Can we make email secure? Network Security, 2014(3), 13-16. Retrieved May 27, 2014, from ACM Database. Ellison, C., & Schneier, B. (2000). Risks of pki: Secure email. Communications of the ACM, 43(1), 160. Hallam-Baker P. (2014). Privacy protected email. Retrieved from https://www.w3.org/2014/strint/papers/01.pdf Nguyen P. (2004). Can we trust cryptographic software? cryptographic flaws in gnu privacy guard V1.2.3. In C. Cachin and J. Camenisch (Eds.), Advances in Cryptology - EUROCRYPT 2004, 3027, 555-570. Shelley L. I. (2003). Organized crime, terrorism and cybercrime. In A. Bryden, P. Fluri (Eds.), Security sector reform: Institutions, society and good governance (pp. 303-312). Baden-Baden, DE: Nomos Verlagsgesellschaft. Yu J., Cheval V., Ryan M. (2014). Challenges with end-to-end email encryption. Retrieved from https://www.w3.org/2014/strint/papers/08.pdf

Recommended

Generation of Anonymous Signature and Message using Identity Based Group Blin...
Generation of Anonymous Signature and Message using Identity Based Group Blin...Generation of Anonymous Signature and Message using Identity Based Group Blin...
Generation of Anonymous Signature and Message using Identity Based Group Blin...IDES Editor
 
Advance Cipher Technique to Secure Email Contents
Advance Cipher Technique to Secure Email ContentsAdvance Cipher Technique to Secure Email Contents
Advance Cipher Technique to Secure Email Contentsvivatechijri
 
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTION
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTIONSECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTION
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTIONadeij1
 
Reports on Fairness aware and privacy preserving friend matching protocol in ...
Reports on Fairness aware and privacy preserving friend matching protocol in ...Reports on Fairness aware and privacy preserving friend matching protocol in ...
Reports on Fairness aware and privacy preserving friend matching protocol in ...Shailesh kumar
 
The Digital Signature and the X.509/OpenPGP Authentication Models
The Digital Signature and the X.509/OpenPGP Authentication ModelsThe Digital Signature and the X.509/OpenPGP Authentication Models
The Digital Signature and the X.509/OpenPGP Authentication ModelsDashamir Hoxha
 
A SECURE KEY TRANSFER PROTOCOL FOR GROUP COMMUNICATION
A SECURE KEY TRANSFER PROTOCOL FOR GROUP COMMUNICATIONA SECURE KEY TRANSFER PROTOCOL FOR GROUP COMMUNICATION
A SECURE KEY TRANSFER PROTOCOL FOR GROUP COMMUNICATIONacijjournal
 
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security
Cost-Effective Authentic and Anonymous Data Sharing with Forward SecurityCost-Effective Authentic and Anonymous Data Sharing with Forward Security
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security1crore projects
 
A secure key computation protocol for secure group communication with passwor...
A secure key computation protocol for secure group communication with passwor...A secure key computation protocol for secure group communication with passwor...
A secure key computation protocol for secure group communication with passwor...csandit
 

Recommended

Generation of Anonymous Signature and Message using Identity Based Group Blin...
Generation of Anonymous Signature and Message using Identity Based Group Blin...Generation of Anonymous Signature and Message using Identity Based Group Blin...
Generation of Anonymous Signature and Message using Identity Based Group Blin...IDES Editor
 
Advance Cipher Technique to Secure Email Contents
Advance Cipher Technique to Secure Email ContentsAdvance Cipher Technique to Secure Email Contents
Advance Cipher Technique to Secure Email Contentsvivatechijri
 
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTION
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTIONSECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTION
SECURE CLOUD STORAGE USING DENIABLE ATTRIBUTE BASED ENCRYPTIONadeij1
 
Reports on Fairness aware and privacy preserving friend matching protocol in ...
Reports on Fairness aware and privacy preserving friend matching protocol in ...Reports on Fairness aware and privacy preserving friend matching protocol in ...
Reports on Fairness aware and privacy preserving friend matching protocol in ...Shailesh kumar
 
The Digital Signature and the X.509/OpenPGP Authentication Models
The Digital Signature and the X.509/OpenPGP Authentication ModelsThe Digital Signature and the X.509/OpenPGP Authentication Models
The Digital Signature and the X.509/OpenPGP Authentication ModelsDashamir Hoxha
 
A SECURE KEY TRANSFER PROTOCOL FOR GROUP COMMUNICATION
A SECURE KEY TRANSFER PROTOCOL FOR GROUP COMMUNICATIONA SECURE KEY TRANSFER PROTOCOL FOR GROUP COMMUNICATION
A SECURE KEY TRANSFER PROTOCOL FOR GROUP COMMUNICATIONacijjournal
 
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security
Cost-Effective Authentic and Anonymous Data Sharing with Forward SecurityCost-Effective Authentic and Anonymous Data Sharing with Forward Security
Cost-Effective Authentic and Anonymous Data Sharing with Forward Security1crore projects
 
A secure key computation protocol for secure group communication with passwor...
A secure key computation protocol for secure group communication with passwor...A secure key computation protocol for secure group communication with passwor...
A secure key computation protocol for secure group communication with passwor...csandit
 
A SECURE KEY COMPUTATION PROTOCOL FOR SECURE GROUP COMMUNICATION WITH PASSWOR...
A SECURE KEY COMPUTATION PROTOCOL FOR SECURE GROUP COMMUNICATION WITH PASSWOR...A SECURE KEY COMPUTATION PROTOCOL FOR SECURE GROUP COMMUNICATION WITH PASSWOR...
A SECURE KEY COMPUTATION PROTOCOL FOR SECURE GROUP COMMUNICATION WITH PASSWOR...cscpconf
 
4.authentication and key agreement based on anonymous identity for peer to-pe...
4.authentication and key agreement based on anonymous identity for peer to-pe...4.authentication and key agreement based on anonymous identity for peer to-pe...
4.authentication and key agreement based on anonymous identity for peer to-pe...Venkat Projects
 
UDP Pervasive Protocol Integration with IoT for Smart Home Environment using ...
UDP Pervasive Protocol Integration with IoT for Smart Home Environment using ...UDP Pervasive Protocol Integration with IoT for Smart Home Environment using ...
UDP Pervasive Protocol Integration with IoT for Smart Home Environment using ...IJECEIAES
 
Grid security seminar mohit modi
Grid security seminar mohit modiGrid security seminar mohit modi
Grid security seminar mohit modiMohit Modi
 
IRJET-A Survey On Group Key Agreement for Securely Sharing a Secret Key
IRJET-A Survey On Group Key Agreement for Securely Sharing a Secret KeyIRJET-A Survey On Group Key Agreement for Securely Sharing a Secret Key
IRJET-A Survey On Group Key Agreement for Securely Sharing a Secret KeyIRJET Journal
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
A study of index poisoning in peer topeer
A study of index poisoning in peer topeerA study of index poisoning in peer topeer
A study of index poisoning in peer topeerIJCI JOURNAL
 
Cloud Security and Data Integrity with Client Accountability Framework
Cloud Security and Data Integrity with Client Accountability FrameworkCloud Security and Data Integrity with Client Accountability Framework
Cloud Security and Data Integrity with Client Accountability FrameworkIDES Editor
 
A novel paradigm in authentication system
A novel paradigm in authentication systemA novel paradigm in authentication system
A novel paradigm in authentication systemIJNSA Journal
 
IJSRED-V2I2P55
IJSRED-V2I2P55IJSRED-V2I2P55
IJSRED-V2I2P55IJSRED
 
5.[40 44]enhancing security in cloud computing
5.[40 44]enhancing security in cloud computing5.[40 44]enhancing security in cloud computing
5.[40 44]enhancing security in cloud computingAlexander Decker
 
Anonymizing Networks
Anonymizing NetworksAnonymizing Networks
Anonymizing Networkspauldeng
 
Do s and d dos attacks at osi layers
Do s and d dos attacks at osi layersDo s and d dos attacks at osi layers
Do s and d dos attacks at osi layersHadeel Sadiq Obaid
 
Collusion Attack: A Kernel-Based Privacy Preserving Techniques in Data Mining
Collusion Attack: A Kernel-Based Privacy Preserving Techniques in Data MiningCollusion Attack: A Kernel-Based Privacy Preserving Techniques in Data Mining
Collusion Attack: A Kernel-Based Privacy Preserving Techniques in Data Miningdbpublications
 
sweeney_brendan-css527-20141118-research_proposal
sweeney_brendan-css527-20141118-research_proposalsweeney_brendan-css527-20141118-research_proposal
sweeney_brendan-css527-20141118-research_proposalBrendan Sweeney
 
Report dna
Report dnaReport dna
Report dnaDrAliKMattar
 
Control Cloud Data Access Using Attribute-Based Encryption
Control Cloud Data Access Using Attribute-Based EncryptionControl Cloud Data Access Using Attribute-Based Encryption
Control Cloud Data Access Using Attribute-Based Encryptionpaperpublications3
 
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A SurveyTowards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A SurveyIRJET Journal
 
cryptography
cryptographycryptography
cryptographyBalaji Ravi
 
CRYPT.pptx
CRYPT.pptxCRYPT.pptx
CRYPT.pptxVMahesh5
 
PGP.ppt
PGP.pptPGP.ppt
PGP.pptssuserec53e73
 
Email security
Email securityEmail security
Email securitySultanErbo
 

More Related Content

What's hot

A SECURE KEY COMPUTATION PROTOCOL FOR SECURE GROUP COMMUNICATION WITH PASSWOR...
A SECURE KEY COMPUTATION PROTOCOL FOR SECURE GROUP COMMUNICATION WITH PASSWOR...A SECURE KEY COMPUTATION PROTOCOL FOR SECURE GROUP COMMUNICATION WITH PASSWOR...
A SECURE KEY COMPUTATION PROTOCOL FOR SECURE GROUP COMMUNICATION WITH PASSWOR...cscpconf
 
4.authentication and key agreement based on anonymous identity for peer to-pe...
4.authentication and key agreement based on anonymous identity for peer to-pe...4.authentication and key agreement based on anonymous identity for peer to-pe...
4.authentication and key agreement based on anonymous identity for peer to-pe...Venkat Projects
 
UDP Pervasive Protocol Integration with IoT for Smart Home Environment using ...
UDP Pervasive Protocol Integration with IoT for Smart Home Environment using ...UDP Pervasive Protocol Integration with IoT for Smart Home Environment using ...
UDP Pervasive Protocol Integration with IoT for Smart Home Environment using ...IJECEIAES
 
Grid security seminar mohit modi
Grid security seminar mohit modiGrid security seminar mohit modi
Grid security seminar mohit modiMohit Modi
 
IRJET-A Survey On Group Key Agreement for Securely Sharing a Secret Key
IRJET-A Survey On Group Key Agreement for Securely Sharing a Secret KeyIRJET-A Survey On Group Key Agreement for Securely Sharing a Secret Key
IRJET-A Survey On Group Key Agreement for Securely Sharing a Secret KeyIRJET Journal
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
A study of index poisoning in peer topeer
A study of index poisoning in peer topeerA study of index poisoning in peer topeer
A study of index poisoning in peer topeerIJCI JOURNAL
 
Cloud Security and Data Integrity with Client Accountability Framework
Cloud Security and Data Integrity with Client Accountability FrameworkCloud Security and Data Integrity with Client Accountability Framework
Cloud Security and Data Integrity with Client Accountability FrameworkIDES Editor
 
A novel paradigm in authentication system
A novel paradigm in authentication systemA novel paradigm in authentication system
A novel paradigm in authentication systemIJNSA Journal
 
IJSRED-V2I2P55
IJSRED-V2I2P55IJSRED-V2I2P55
IJSRED-V2I2P55IJSRED
 
5.[40 44]enhancing security in cloud computing
5.[40 44]enhancing security in cloud computing5.[40 44]enhancing security in cloud computing
5.[40 44]enhancing security in cloud computingAlexander Decker
 
Anonymizing Networks
Anonymizing NetworksAnonymizing Networks
Anonymizing Networkspauldeng
 
Do s and d dos attacks at osi layers
Do s and d dos attacks at osi layersDo s and d dos attacks at osi layers
Do s and d dos attacks at osi layersHadeel Sadiq Obaid
 
Collusion Attack: A Kernel-Based Privacy Preserving Techniques in Data Mining
Collusion Attack: A Kernel-Based Privacy Preserving Techniques in Data MiningCollusion Attack: A Kernel-Based Privacy Preserving Techniques in Data Mining
Collusion Attack: A Kernel-Based Privacy Preserving Techniques in Data Miningdbpublications
 
sweeney_brendan-css527-20141118-research_proposal
sweeney_brendan-css527-20141118-research_proposalsweeney_brendan-css527-20141118-research_proposal
sweeney_brendan-css527-20141118-research_proposalBrendan Sweeney
 
Control Cloud Data Access Using Attribute-Based Encryption
Control Cloud Data Access Using Attribute-Based EncryptionControl Cloud Data Access Using Attribute-Based Encryption
Control Cloud Data Access Using Attribute-Based Encryptionpaperpublications3
 
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A SurveyTowards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A SurveyIRJET Journal
 

What's hot (19)

A SECURE KEY COMPUTATION PROTOCOL FOR SECURE GROUP COMMUNICATION WITH PASSWOR...
A SECURE KEY COMPUTATION PROTOCOL FOR SECURE GROUP COMMUNICATION WITH PASSWOR...A SECURE KEY COMPUTATION PROTOCOL FOR SECURE GROUP COMMUNICATION WITH PASSWOR...
A SECURE KEY COMPUTATION PROTOCOL FOR SECURE GROUP COMMUNICATION WITH PASSWOR...
 
4.authentication and key agreement based on anonymous identity for peer to-pe...
4.authentication and key agreement based on anonymous identity for peer to-pe...4.authentication and key agreement based on anonymous identity for peer to-pe...
4.authentication and key agreement based on anonymous identity for peer to-pe...
 
UDP Pervasive Protocol Integration with IoT for Smart Home Environment using ...
UDP Pervasive Protocol Integration with IoT for Smart Home Environment using ...UDP Pervasive Protocol Integration with IoT for Smart Home Environment using ...
UDP Pervasive Protocol Integration with IoT for Smart Home Environment using ...
 
Grid security seminar mohit modi
Grid security seminar mohit modiGrid security seminar mohit modi
Grid security seminar mohit modi
 
IRJET-A Survey On Group Key Agreement for Securely Sharing a Secret Key
IRJET-A Survey On Group Key Agreement for Securely Sharing a Secret KeyIRJET-A Survey On Group Key Agreement for Securely Sharing a Secret Key
IRJET-A Survey On Group Key Agreement for Securely Sharing a Secret Key
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
 
A study of index poisoning in peer topeer
A study of index poisoning in peer topeerA study of index poisoning in peer topeer
A study of index poisoning in peer topeer
 
Cloud Security and Data Integrity with Client Accountability Framework
Cloud Security and Data Integrity with Client Accountability FrameworkCloud Security and Data Integrity with Client Accountability Framework
Cloud Security and Data Integrity with Client Accountability Framework
 
A novel paradigm in authentication system
A novel paradigm in authentication systemA novel paradigm in authentication system
A novel paradigm in authentication system
 
IJSRED-V2I2P55
IJSRED-V2I2P55IJSRED-V2I2P55
IJSRED-V2I2P55
 
5.[40 44]enhancing security in cloud computing
5.[40 44]enhancing security in cloud computing5.[40 44]enhancing security in cloud computing
5.[40 44]enhancing security in cloud computing
 
Anonymizing Networks
Anonymizing NetworksAnonymizing Networks
Anonymizing Networks
 
Do s and d dos attacks at osi layers
Do s and d dos attacks at osi layersDo s and d dos attacks at osi layers
Do s and d dos attacks at osi layers
 
Collusion Attack: A Kernel-Based Privacy Preserving Techniques in Data Mining
Collusion Attack: A Kernel-Based Privacy Preserving Techniques in Data MiningCollusion Attack: A Kernel-Based Privacy Preserving Techniques in Data Mining
Collusion Attack: A Kernel-Based Privacy Preserving Techniques in Data Mining
 
sweeney_brendan-css527-20141118-research_proposal
sweeney_brendan-css527-20141118-research_proposalsweeney_brendan-css527-20141118-research_proposal
sweeney_brendan-css527-20141118-research_proposal
 
Report dna
Report dnaReport dna
Report dna
 
Control Cloud Data Access Using Attribute-Based Encryption
Control Cloud Data Access Using Attribute-Based EncryptionControl Cloud Data Access Using Attribute-Based Encryption
Control Cloud Data Access Using Attribute-Based Encryption
 
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A SurveyTowards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
 
cryptography
cryptographycryptography
cryptography
 

Similar to YosefGamble_Writing_Sample_Email_Security

CRYPT.pptx
CRYPT.pptxCRYPT.pptx
CRYPT.pptxVMahesh5
 
Email security
Email securityEmail security
Email securitySultanErbo
 
computer netwok security Pretty Good Privacy PGP.ppt
computer netwok security Pretty Good Privacy PGP.pptcomputer netwok security Pretty Good Privacy PGP.ppt
computer netwok security Pretty Good Privacy PGP.pptjayaprasanna10
 
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolE-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolVishal Kumar
 
Digital Certified Mail
Digital Certified MailDigital Certified Mail
Digital Certified MailMatthew Chang
 
Using PGP for securing the e-mail
Using PGP for securing the e-mailUsing PGP for securing the e-mail
Using PGP for securing the e-maildavidepiccardi
 
Balancing Cloud-Based Email Benefits With Security
Balancing Cloud-Based Email Benefits With SecurityBalancing Cloud-Based Email Benefits With Security
Balancing Cloud-Based Email Benefits With SecuritySymantec
 
Top 10 Secure Email Providers to Consider in 2022
Top 10 Secure Email Providers to Consider in 2022Top 10 Secure Email Providers to Consider in 2022
Top 10 Secure Email Providers to Consider in 2022Temok IT Services
 
Email Security Presentation
Email Security PresentationEmail Security Presentation
Email Security PresentationYosef Gamble
 
Encrypting E-mail Messages
Encrypting E-mail MessagesEncrypting E-mail Messages
Encrypting E-mail MessagesD's Surti
 
E-mail and Instant MessagingChapter 16Principles of Co.docx
E-mail and Instant MessagingChapter 16Principles of Co.docxE-mail and Instant MessagingChapter 16Principles of Co.docx
E-mail and Instant MessagingChapter 16Principles of Co.docxbrownliecarmella
 
Email security presentation
Email security presentationEmail security presentation
Email security presentationSubhradeepMaji
 
Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/ Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/ Tania Agni
 

Similar to YosefGamble_Writing_Sample_Email_Security (20)

CRYPT.pptx
CRYPT.pptxCRYPT.pptx
CRYPT.pptx
 
PGP.ppt
PGP.pptPGP.ppt
PGP.ppt
 
Email security
Email securityEmail security
Email security
 
Pgp
PgpPgp
Pgp
 
computer netwok security Pretty Good Privacy PGP.ppt
computer netwok security Pretty Good Privacy PGP.pptcomputer netwok security Pretty Good Privacy PGP.ppt
computer netwok security Pretty Good Privacy PGP.ppt
 
Network Security CS2
Network Security CS2Network Security CS2
Network Security CS2
 
Eseminar1
Eseminar1Eseminar1
Eseminar1
 
email security
email securityemail security
email security
 
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolE-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
 
Digital Certified Mail
Digital Certified MailDigital Certified Mail
Digital Certified Mail
 
Using PGP for securing the e-mail
Using PGP for securing the e-mailUsing PGP for securing the e-mail
Using PGP for securing the e-mail
 
Balancing Cloud-Based Email Benefits With Security
Balancing Cloud-Based Email Benefits With SecurityBalancing Cloud-Based Email Benefits With Security
Balancing Cloud-Based Email Benefits With Security
 
Cryptography
CryptographyCryptography
Cryptography
 
Top 10 Secure Email Providers to Consider in 2022
Top 10 Secure Email Providers to Consider in 2022Top 10 Secure Email Providers to Consider in 2022
Top 10 Secure Email Providers to Consider in 2022
 
Email Security Presentation
Email Security PresentationEmail Security Presentation
Email Security Presentation
 
Encrypting E-mail Messages
Encrypting E-mail MessagesEncrypting E-mail Messages
Encrypting E-mail Messages
 
2
22
2
 
E-mail and Instant MessagingChapter 16Principles of Co.docx
E-mail and Instant MessagingChapter 16Principles of Co.docxE-mail and Instant MessagingChapter 16Principles of Co.docx
E-mail and Instant MessagingChapter 16Principles of Co.docx
 
Email security presentation
Email security presentationEmail security presentation
Email security presentation
 
Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/ Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/
 

More from Yosef Gamble

Water Rights Documentation
Water Rights DocumentationWater Rights Documentation
Water Rights DocumentationYosef Gamble
 
Cainet Meeting August 20 2014 (2).pptx
Cainet Meeting August 20 2014 (2).pptxCainet Meeting August 20 2014 (2).pptx
Cainet Meeting August 20 2014 (2).pptxYosef Gamble
 
ASCWU BOT 13 May.pptx_2
ASCWU BOT 13 May.pptx_2ASCWU BOT 13 May.pptx_2
ASCWU BOT 13 May.pptx_2Yosef Gamble
 
COB Brother 2 Brother Funding
COB Brother 2 Brother FundingCOB Brother 2 Brother Funding
COB Brother 2 Brother FundingYosef Gamble
 

More from Yosef Gamble (7)

Design Report
Design ReportDesign Report
Design Report
 
Water Rights Documentation
Water Rights DocumentationWater Rights Documentation
Water Rights Documentation
 
BOT 3 Oct.pptx
BOT 3 Oct.pptxBOT 3 Oct.pptx
BOT 3 Oct.pptx
 
Cainet Meeting August 20 2014 (2).pptx
Cainet Meeting August 20 2014 (2).pptxCainet Meeting August 20 2014 (2).pptx
Cainet Meeting August 20 2014 (2).pptx
 
ASCWU BOT 13 May.pptx_2
ASCWU BOT 13 May.pptx_2ASCWU BOT 13 May.pptx_2
ASCWU BOT 13 May.pptx_2
 
B2B Consulting
B2B ConsultingB2B Consulting
B2B Consulting
 
COB Brother 2 Brother Funding
COB Brother 2 Brother FundingCOB Brother 2 Brother Funding
COB Brother 2 Brother Funding
 

YosefGamble_Writing_Sample_Email_Security

  • 1. 1 Yosef Gamble 10 June 2014 CS 325 - Dr. Harper Email Security & Future Development Abstract This paper outlines some of the problems of email communications, specifically, the issue of privacy of the Simple Mail Transfer Protocol (SMTP). This paper also explores 2 attempts to solve email security, Public key infrastructure (PKI) and Pretty Good Privacy (PGP) encryption, and the issues with these attempts that can still make encrypted information vulnerable to theft. Also discussed, are solutions that are in current development. Modern email encryption solutions are aiming to replace SMTP with new protocols such as Extensible Messaging and Presence Protocol (XMPP) to address the problem of metadata leaks and difficult usability. 1. Introduction Internet privacy has become the forefront of discussion in the media and online for the last two years. With the role of the United States’ National Security Agency (NSA) being revealed, people around the world have become more concerned about their own personal privacy online, especially in regards to text-based communication. Communication mediums such as email, text messaging, and social networking have all come under scrutiny for providing global government agencies with easy access to private information without a person’s consent. But there are a very limited amount of options for people to secure their data. For some people, there is a lack of knowledge or ability to be able to encrypt information, but many experienced computer users know that the real reason is because snooping government agencies were not
  • 2. 2 always on the minds of security professionals who helped make internet communication the way it is today. 2. Email Security The way that email works is naturally insecure and vulnerable to cyber-criminals. According to Danny Bradbury, in “Can We Make Email Secure”, “Email has always been insecure”. Bradbury states that email relies upon an outdated system that has not evolved to accommodate the modern necessities of internet communication. The modern standard for email communication, called Simple Mail Transfer Protocol (SMTP), was developed when “collaboration and openness” were necessary. But as internet grew and online services became more security conscious, email did not change to accommodate the modern concerns regarding security and privacy (Bradbury 2014). Danny Bradbury explains that when an email is sent, the message is formatted in plain text, using the Multipurpose Internet Mail Extension (MIME) and includes metadata that contains the email sender’s IP address and route information that the email travelled through a server, revealing exactly where the email came from and who possibly sent it. Using the IP address in the email header, a reverse lookup could reveal the geographic location of the email sender (Bradbury 2014). The main reason why information is so vulnerable in email is because of the way it travels, In order for the email to reach the recipient’s inbox, it is relayed to an SMTP server that belongs to the domain name contained in the email address. The relay process uses a list of addresses in the server called a mail exchange (MX) record to look up the inbox that the email should be sent to. If the email is valid and the inbox is found, the email arrives in the correct inbox. If the email is not found, or if there are complications in finding the correct server, the
  • 3. 3 email is “bounced” around until the right inbox is found. The problem with this protocol is that there is a possibility that the email could be intercepted during this process. There is a way to encrypt the email contents called Secure Multipurpose Internet Mail Extension (S/MIME), but it is not widely used and does not address the problem with metadata (Bradbury 2014). Since the email protocol hasn’t been changed, the best way to send sensitive information via email is by encrypting the email message itself. 3. PKI Encryption According to Carl Ellison and Bruce Schneier’s article, “Risks of PKI: Secure Email”, an encryption standard called Public-key infrastructure (PKI) became the “cure all for security problems”. PKI provided a level of security, trust, and privacy for corporate email users (Ellison & Schneier 2000). PKI relied on the digital certificates, sold by third-party venders, called certificate authorities (CA), to encrypt an email and sign the email with a unique verified signature. The certificate has to be bought on an annual basis, and requires that each person is issued an identification that is linked to the main certificate. This method was aimed to ensured trust in which an encrypted email could be sent where both the sender and recipient are able to encrypt, verify, and decrypt an email (Ellison & Schneier 2000). With separate identities being tied to one main certificate used by a company or group, there were a number of security problems that came up. First, the theft of a certificate would compromise this entire network, and give thief the ability to decrypt any email using that particular certificate. Second, the advent of having to use a third-party CA presents the possibility of uncontrolled access if the CA is compromised. Last, a large company or group may run the risk of having to provide identity certificates to people with similar names, which may create a security problem due to the confusion that could cause (Ellison & Schneier 2000).
  • 4. 4 4. PGP Encryption According to Carl Ellison and Bruce Schneier in, “Risks of PKI: Secure Email”, The problems addressed are the reason why a standard called Pretty Good Privacy (PGP) became more favoured for email encryption, especially for non-commercial groups and individuals concerned about privacy who did not want to pay for enterprise software or annual certificate licences. PGP certificates are free and do not require a CA to obtain them. With PGP, a user who wishes to send and receive encrypted email will generate a two keys, a public and a private key. The public key is available to the intended contacts in order for them to encrypt an email, and the private key is used to decrypt any text or file that is encrypted using the associated public key. The private key is unique for everyone and is never shared to anyone else besides the key owner. A group of multiple people can associate their identities with a set of private and public keys, and form a web-of-trust. In a web-of-trust, each individual in a group signs their public keys with the private key, minimising the risk of an unauthorised person encrypting information the a stolen certificate (Ellison & Schneier 2000). The other main reason why PGP became a standard was because the certificate was generated by free open-source cryptography programs such as OpenPGP and GNU Privacy guard (GPG) (Nguyen, 2004). As Phong Nguyen’s journal, “Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3”, illustrates, PGP implementation can have drawbacks. While the algorithm is nearly impossible for even a modern supercomputer to crack, the software that creates the keys may be subject to bugs and flaws that can compromise private encryption keys. One such flaw happened with GNU Privacy Guard (GPG) v1.2.3 encryption software. An attack on an arbitrary message generated with the ElGamal algorithm, in this particular version,
  • 5. 5 allowed the private key to easily be recovered. A serious bug like this showed that software does not always implement the best encryption techniques (Nguyen 2004). With the advent of PGP, S/MIME, and various other encryption tools out there, there are still a great number of challenges to ensure absolute privacy for email users. According to Jiangshan Yu, Vincent Cheval, and Mark Ryan, in “Challenges with End-to-End Email Encryption”, there are a few problems that have yet to be resolved. One is the challenge with law-enforcement. Email services that aim to provide a secure email platform are threatened to shut down if the government agencies aren’t provided access to plain text data. For example, the secure email company, lavabit, was forced “to shut down its service to prevent being forced by the NSA to sabotage its own encryption”. The same fate was met for PrivateSky, which shut down “because of the pressure from GCHQ” (Yu, Cheval & Ryan 2014). 5. Future Development As for the future of email security, it seems like it will remain a cat and mouse game between privacy advocates and the global governments that want access to information. The development of modern email communication networks are going down to the root of the problem with email, and moving away from using the SMTP protocol. According to Danny Bradbury, the creators of the now defunct lavabit and Silent Circle, are working on a new project of securing email communication called Dark Mail. The purpose of Dark Mail is to replace the SMTP with a protocol called Extensible Messaging and Presence Protocol (XMPP). If an email from an SMTP supported service is introduced to the Dark Mail server, the message will be converted to ensure that the Dark Mail network is secure. With this service, headers would not be included in the email, and only the IP address would be exposed, something that can be hidden using an anonymiser program (Bradbury 2014).
  • 6. 6 Possibly, the introduction to an end-to-end email system like Dark Mail, that will require little to no effort on the user’s part to secure a message, is something that could possibly help encourage more people to encrypt their email messages. According to “Challenges With End-to- End Encryption”, a new proposed project, named Confimail, is attempting to do just that. The idea behind Confimail is to “provide e2e email encryption, claimed to be user friendly, while without requiring a trusted party” (Yu, Cheval & Ryan 2014). More future development of email encryption services would possibly become more focused on the user experience. According to Phillip Hallam-Baker’s article, “Privacy Protected Email”, the reason why most people do not encrypt email is because “the number of users who can accept an encrypted email is vanishingly small”. Encrypting an email can be very difficult to do. GPG and most other encryption software do not have a graphical user interface, and instead rely on terminal commands to work. On top of that, the person sending an email has to do all of the work of installing the encryption software, generating the keys, and making sure that the recipient can receive and decrypt the email message (Hallam-Baker 2014). The increased use of webmail has also made encryption more complex. In order to encrypt an email message in gmail for instance, it would require a third party javascript in order to achieve that (Yu, Cheval & Ryan 2014). 6. Conclusion While the issue of civil liberties and the right to privacy, there may be a good reason why law-enforcement is nervous about email communication that is untraceable. People involved in criminal organisations will go through any length to hide their activities from law-enforcement, including the use of encryption. As much as it seems like the NSA is hunting random data just because they can, national security plays a big role in their decisions to have access to secure
  • 7. 7 email services. In “Organized Crime, Terrorism and Cybercrime”, Louise I. Shelley reveals that “The hijackers of the September, 11th planes were aware that their phones and cell phones might be tapped”, and that “international drug traffickers are among the most widespread users of encrypted messages, coded messages by cell and satellite phones and use anonymizer features on computers” (Shelley 2003). The truth is, security professionals and political activists will always try to find ways to protect the right to privacy, whether it is helping develop new ways to encrypt messages or using the tools already available on the market. And as time goes on, new email protocols such as XMPP will greatly improve the usability and anonymity that S/MIME and PGP had failed to address.
  • 8. 8 Works Cited Bradbury, D. (2014, March). Can we make email secure? Network Security, 2014(3), 13-16. Retrieved May 27, 2014, from ACM Database. Ellison, C., & Schneier, B. (2000). Risks of pki: Secure email. Communications of the ACM, 43(1), 160. Hallam-Baker P. (2014). Privacy protected email. Retrieved from https://www.w3.org/2014/strint/papers/01.pdf Nguyen P. (2004). Can we trust cryptographic software? cryptographic flaws in gnu privacy guard V1.2.3. In C. Cachin and J. Camenisch (Eds.), Advances in Cryptology - EUROCRYPT 2004, 3027, 555-570. Shelley L. I. (2003). Organized crime, terrorism and cybercrime. In A. Bryden, P. Fluri (Eds.), Security sector reform: Institutions, society and good governance (pp. 303-312). Baden-Baden, DE: Nomos Verlagsgesellschaft. Yu J., Cheval V., Ryan M. (2014). Challenges with end-to-end email encryption. Retrieved from https://www.w3.org/2014/strint/papers/08.pdf