Email Security

1 / 43 Secure Email

Secure Email
■ General Strategy
■ Some Details
■ Transit Issues
■ Signing
■ Headers
■ General Flow
■ Securing Transit
■ Mail Steps
■ MTA to MTA Security
■ Traffic Analysis

PGP and S/MIME

Spam

Phishing

2 / 43 General Strategy

■ Basic scheme is pretty straight-forward
■ Encrypt the message body with a symmetric cipher, using a randomly-generated traffic key
■ Use public key cryptography to encrypt the traffic key to all recipients
■ Digitally sign a hash of the message
■ But there are many details

3 / 43 Some Details

■ Obvious ones: which symmetric, public key, and hash algorithms to use?
■ More subtle: which algorithms do the recipients understand?
■ Where do certificates come from?
■ Do you sign the plaintext or the ciphertext?
■ How do you handle BCC?
■ Will the ciphertext survive transit intact?
■ How are header lines protected?
■ What about attachments?
■ Many possible answers to all of these questions

4 / 43 Transit Issues

■ Not all mail systems accept all characters
■ Very few are 8-bit clean
■ Cryptographic transforms won’t survive even minor changes
■ EBCDIC vs. ASCII? Unicode? Tabs versus blanks?
■ Solution: encode all email in base 64, using characters all systems accept: A-Za-z0-9+/
■ Use 4 bytes to represent 3; overhead is 33%
■ For padding, use = sign (see RFC 3548)
■ Only those characters matter; everything else is deleted on receipt, including white space
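The rules on this slide as an added Go example (mine, not from the lecture): a 3-to-4 encoder with = padding, the lenient receiver that keeps only alphabet characters, and a constructed gateway that rewraps lines and strips the 8th bit, so the same bytes can be pushed through it armored and raw.

```go
package main

import "strings"

// The 64 characters every mail system accepts, in RFC 3548 order.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

// Armor maps each 3 input bytes to 4 alphabet characters (the 33% overhead),
// padding a short final group with '=' so the length is a multiple of 4.
func Armor(data []byte) string {
	var sb strings.Builder
	for i := 0; i < len(data); i += 3 {
		var chunk [3]byte
		n := copy(chunk[:], data[i:]) // 1, 2 or 3 real bytes in this group
		v := uint32(chunk[0])<<16 | uint32(chunk[1])<<8 | uint32(chunk[2])
		for j := 0; j < 4; j++ {
			if j <= n { // n bytes need n+1 characters; the rest is padding
				sb.WriteByte(alphabet[(v>>(18-6*uint(j)))&0x3f])
			} else {
				sb.WriteByte('=')
			}
		}
	}
	return sb.String()
}

// Dearmor is the lenient receiver the slide describes: only alphabet characters
// count, anything a gateway inserted (line breaks, tabs, blanks) is dropped, '=' ends the data.
func Dearmor(text string) []byte {
	out, acc, bits := []byte{}, uint32(0), 0
	for _, c := range text {
		if c == '=' {
			break
		}
		idx := strings.IndexRune(alphabet, c)
		if idx < 0 {
			continue // transit noise, not armor
		}
		acc, bits = acc<<6|uint32(idx), bits+6
		if bits >= 8 {
			bits -= 8
			out = append(out, byte(acc>>uint(bits)))
			acc &= 1<<uint(bits) - 1
		}
	}
	return out
}

// MangleInTransit imitates a gateway that rewraps at 76 columns with a tab-indented
// continuation and is not 8-bit clean: harmless to armor, fatal to raw ciphertext.
func MangleInTransit(s string) string {
	var sb strings.Builder
	for i := 0; i < len(s); i++ {
		if i > 0 && i%76 == 0 {
			sb.WriteString("\r\n\t")
		}
		sb.WriteByte(s[i] & 0x7f)
	}
	return sb.String()
}
```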

5 / 43 Signing

■ If you sign the plaintext and then encrypt, the sender’s identity is hidden from all except the proper recipients
■ If you sign the ciphertext, a gateway can verify signatures and present mail accordingly — perhaps better for anti-spam and anti-phishing

6 / 43 Headers

■ Headers change in transit
■ Obvious example: Received: lines are added
■ Less-obvious example: Email addresses are often rewritten to hide internal machines, and present clearer addresses to the outside: [email protected] → [email protected]
■ Consequence: headers are not protected by secure email schemes
■ But — users look at (and search on) the headers

7 / 43 General Flow

■ Collect input message
■ Put in canonical form
■ Encrypt and sign, or sign and encrypt
■ Add metadata: encrypted traffic key, your certificate, algorithm identifiers, etc.
■ Convert to transit form
■ Embed in email message
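The scheme of slide 2 carried through the steps above, as an added Go example that is not from the lecture. AES-256-GCM for the body, RSA-OAEP to wrap the traffic key to each recipient and RSA-PSS over the SHA-256 hash are my choices for the open algorithm questions; canonical form and transit encoding are left out, and the sign-then-encrypt order is used so the signature travels inside the ciphertext.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is the metadata the slide lists: the body under a random traffic key and that key
// encrypted to every recipient. The signature rides inside the encrypted body (sign-then-encrypt).
type Envelope struct {
	Nonce, Body []byte
	WrappedKey  map[string][]byte // recipient name -> traffic key under that recipient's RSA key
}

// SealAndSign signs the SHA-256 of the plaintext, prepends the signature, encrypts with a fresh AES-256-GCM traffic key, then wraps that key for each recipient with RSA-OAEP.
func SealAndSign(msg []byte, sender *rsa.PrivateKey, rcpts map[string]*rsa.PublicKey) (*Envelope, error) {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, h[:], nil)
	if err != nil {
		return nil, err
	}
	rnd := make([]byte, 44) // 32-byte traffic key followed by a 12-byte GCM nonce
	if _, err = rand.Read(rnd); err != nil {
		return nil, err
	}
	key, nonce := rnd[:32], rnd[32:]
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	env := &Envelope{Nonce: nonce, Body: gcm.Seal(nil, nonce, append(sig, msg...), nil), WrappedKey: map[string][]byte{}}
	for name, pub := range rcpts {
		if env.WrappedKey[name], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err != nil {
			return nil, err
		}
	}
	return env, nil
}

// OpenAndVerify is the recipient side: unwrap the traffic key, decrypt (GCM rejects any change made in transit), split off the signature and check it against the claimed sender's public key.
func OpenAndVerify(env *Envelope, me string, priv *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey[me], nil)
	if err != nil {
		return nil, err // no copy of the traffic key for this recipient, or the wrong private key
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, env.Nonce, env.Body, nil)
	if err != nil {
		return nil, err
	}
	sig, body := plain[:sender.Size()], plain[sender.Size():]
	h := sha256.Sum256(body)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, err
	}
	return body, nil
}
```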

8 / 43 Securing Transit

■ Many pieces — but we can usually use TLS
■ POP, IMAP, connection to submission server: all are by prearrangement
■ Protect content; more important, protect passwords
■ Problem area: road warriors vs. firewalls and anti-spam

9 / 43 Mail Steps

1. Normal process: user composes mail on MUA; submits it to local submission server.
2. Optional internal hops
3. Outbound MTA contacts recipient’s MTA — interorganizational hop
4. Optional internal hops to recipient’s mail server (IMAP or POP)
5. IMAP or POP retrieval
6. How do we protect Step 3?

10 / 43 MTA to MTA Security

■ Do we need to protect it at all?
■ These are hard-to-tap links: phone company fiber, ISP backbones, etc.
■ What about government wiretaps?
■ Can use TLS — but what is the other side’s key? No PKI for Internet email!
■ One answer: don’t worry; it’s still better than cleartext against passive eavesdroppers
■ But — what about routing attacks?

11 / 43 Traffic Analysis

■ Another reason to secure transit: traffic analysis
■ Protect against traffic analysis — who is talking to whom
■ Also: length, timing
■ In practice, extremely valuable for law enforcement and intelligence agencies
■ Less protected by US law

12 / 43 PGP and S/MIME

Secure Email

PGP and S/MIME
■ Approaches to Protecting Content
■ Certificate Style
■ Web of Trust
■ Does the Web of Trust Work?
■ Finding Public Keys
■ Which Style is Better?

Spam

Phishing

13 / 43 Approaches to Protecting Content

■ Two major standards, PGP and S/MIME
■ Many minor syntactic differences
■ Major split by audience: computer scientists like PGP; mainstream users use S/MIME
■ Biggest technical difference: how certificates are signed

14 / 43 Certificate Style

■ S/MIME uses standard X.509 certificate format
■ More important, X.509 certificates form a traditional PKI, with a root and a hierarchical structure
■ Works well within an organization
■ Between organizations, can work if it’s easy to find that organization’s root
■ CU has no PKI — what is the PKI under which you’d find my cert? Why should you trust its root?

15 / 43 Web of Trust

■ PGP uses a “web of trust” — rather than a tree, certificates form an arbitrary graph
■ Anyone can sign a certificate
■ Most people have more than one signature — I have 65 signatures on my primary PGP key
■ Do you know and trust any of my signers?
■ See my key at http://www.cs.columbia.edu/~smb/smbpgp.txt

16 / 43 Does the Web of Trust Work?

■ Number of signatures alone is meaningless; I can create lots of identities if I want
■ I can even forge names — is the “Angelos Keromytis” who signed my key the same one who’s a professor here? How do you know?
■ There are at least six PGP keys purporting to belong to “George W. Bush”. One is signed by “Yes, it’s really Bush!”
■ You have to define your own set of trust anchors, as well as policies on how long a signature chain is too long

17 / 43 Finding Public Keys

■ Many mailers cache received certificates
■ Some organizations list people’s certificates in an LDAP database
■ Some people have them on their web site
■ For PGP, there are public key servers — anyone can upload keys
■ Is that safe? Sure — the security of a certificate derives from the signature, not from where you found it

18 / 43 Which Style is Better?

■ PGP was easier to start — it doesn’t need an infrastructure
■ Many security and network conferences have “PGP key-signing parties”
■ S/MIME is better for official use — it makes it clearer when someone is speaking in an organizational role, since the organization issued the certificate.
■ Both have usability issues, though PGP is probably worse

19 / 43 Spam

Secure Email

PGP and S/MIME

Spam
■ Spam
■ Originating Machines
■ Effective Defenses
■ Today’s Defenses
■ Blacklisting
■ Port 25 Blocks
■ Origin Authentication
■ SPF Records
■ DKIM Authentication
■ The Real Issue with Origin Authentication
■ Semantic and Keyword Filters
■ Charging for Email

Phishing

20 / 43 Spam

■ We all know what it is. . .
■ Defending against it is very hard
■ It is unlikely that the problem will ever go away

21 / 43 Originating Machines

■ Originally from the spammer’s own machines — those were blacklisted
■ Next: open relays — those have mostly been closed down
■ Now: hacked home machines
■ Occasionally: routing attacks to hide source

22 / 43 Effective Defenses

?

23 / 43 Today’s Defenses

■ Blacklisting
■ Especially blacklisting of “non-mail” machines: dial-ups, home machines, etc.
■ Port 25 blocks
■ Origin authentication: digital signatures, SPF, DKIM
■ Semantic and keyword filters

24 / 43 Blacklisting

■ Mostly works, but. . .
■ False positives
■ Often, lack of responsiveness by blacklisting sites
■ Some are trying to dodge lawsuits by spammers
■ Others are trying to dodge denial-of-service attacks. . .
■ Affects legitimate but unusual users — home users who run their own MTA, some travelers, etc.

25 / 43 Port 25 Blocks

■ Many ISPs block outbound port 25
■ Force all email to go through ISP’s servers
■ Monitor for “too much”
■ Demand password (but steals passwords anyway)

26 / 43 Origin Authentication

■ Concept: prevent spam from forged addresses
■ But — most spam isn’t “joe job” spam
■ Causes problems with mailing lists
■ Causes problems for portable addresses
■ SPF — not a standard — especially bad in this respect
■ Origin authentication better used for whitelists

27 / 43 SPF Records

■ Columbia’s SPF record (in the DNS):
    v=spf1 ip4:128.59.28.0/24 ip4:128.59.29.0/24 ip4:128.59.59.0/24
    ip4:128.59.62.0/24 ip4:128.59.28.160/27 ip4:128.59.29.0/28
    ip4:128.59.31.0/24 ip4:128.59.39.0/24 ~all
■ Those IP addresses, and no others, are allowed to send mail claiming to be from @columbia.edu addresses
■ What if you use your Gmail account with a CU return address?
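An added evaluator for the record above, written for this page rather than taken from the lecture: it implements only the ip4 and all mechanisms the record uses, testing terms left to right. It also answers the last bullet: a message relayed by a Gmail server with a columbia.edu return address matches no ip4 term and reaches ~all, which is softfail (the receiver should accept but may mark it), not a hard fail; 203.0.113.25 is a documentation address standing in for that Gmail server.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ColumbiaSPF is the record from the slide, joined onto one line.
const ColumbiaSPF = "v=spf1 ip4:128.59.28.0/24 ip4:128.59.29.0/24 ip4:128.59.59.0/24 ip4:128.59.62.0/24 " +
	"ip4:128.59.28.160/27 ip4:128.59.29.0/28 ip4:128.59.31.0/24 ip4:128.59.39.0/24 ~all"

var qualifierResult = map[string]string{"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

// CheckSPF evaluates the subset of SPF this record needs (ip4 and all) for a message
// whose envelope sender is in the record's domain and whose MTA connected from sourceIP.
// Terms are tested left to right and the first match decides. include, a, mx, redirect
// and the other mechanisms of a full evaluator are reported as permerror here.
func CheckSPF(record, sourceIP string) string {
	ip := net.ParseIP(sourceIP)
	fields := strings.Fields(record)
	if ip == nil || len(fields) == 0 || fields[0] != "v=spf1" {
		return "permerror"
	}
	for _, term := range fields[1:] {
		qual, mech := "+", term // an unqualified mechanism means "+"
		if strings.ContainsAny(term[:1], "+-~?") {
			qual, mech = term[:1], term[1:]
		}
		switch {
		case mech == "all":
			return qualifierResult[qual]
		case strings.HasPrefix(mech, "ip4:"):
			cidr := strings.TrimPrefix(mech, "ip4:")
			if !strings.Contains(cidr, "/") {
				cidr += "/32" // a bare address is a single-host network
			}
			_, network, err := net.ParseCIDR(cidr)
			if err != nil {
				return "permerror"
			}
			if network.Contains(ip) {
				return qualifierResult[qual]
			}
		default:
			return "permerror"
		}
	}
	return "neutral" // ran off the end with no "all" term
}

func main() {
	// Constructed senders: a Columbia MTA, and a documentation-space address standing
	// in for a Gmail server relaying a message with a columbia.edu return address.
	for _, ip := range []string{"128.59.59.10", "203.0.113.25"} {
		fmt.Printf("%s -> %s\n", ip, CheckSPF(ColumbiaSPF, ip))
	}
}
```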

28 / 43 DKIM Authentication

■ Digital signature of (some) mail headers and message body
■ Being standardized by the IETF
■ Generally done at the originating gateway
■ Granularity is generally per-site, but per-user keys are supported (e.g., for laptops for road warriors)
■ Public keys are in the DNS, rather than in separate certificates
■ Doesn’t change the mail body the way that S/MIME does
■ Intended to be lighter-weight

29 / 43 The Real Issue with Origin Authentication

■ Most people want to permit email from unknown parties
■ Knowing that the message really is from [email protected] doesn’t tell me if it’s spam or not
■ It prevents “joe jobs”, and it’s good for whitelisting
■ It doesn’t block spam
■ We’re seeing the difference between authentication and

30 / 43 Semantic and Keyword Filters

■ Look for keywords, improbable text, etc.
■ But — spammers include real text excerpts
■ Some spam is in attachments, especially image attachments
■ Other spam changes words slightly: Viagra → V1agra or V*i*a*g*r*a
■ Who has a better polymorphic engine?

31 / 43 Charging for Email

■ Some people suggest charging for email — email “postage”
■ Goal: increase the cost to the spammer
■ Lots of reasons it doesn’t work well — the main one is that the spammers are using hacked machines to send their email.
■ Requiring postage would mean they’d steal money, too. . .

32 / 43 Phishing

Secure Email

PGP and S/MIME

Spam

Phishing
■ What is Phishing?
■ A Phish
■ What’s Wrong?
■ The Login Box
■ The URL Bar
■ They Want Data. . .
■ Some Mail Headers
■ Other Issues
■ Tricks with URLs
■ Final Thoughts on Phishing

33 / 43 What is Phishing?

■ Spoofed emails, purportedly from a financial institution
■ Ask you to login to “reset” or “revalidate” your account
■ Often claim that your account has been suspended

34 / 43 A Phish

From: [email protected]
To: undisclosed-recipients:;
Subject: YOUR ACCOUNT HAS BEEN SUSPENDED !!!
Date: Fri, 29 Sep 2006 09:29:25 -0500
...

If you fail to provide information about your account you’ll discover that your account has been automatically deleted from Flagstar Bank database.

Please click on the link below to start the update process:

https://www.flagstar.com/Signon.cgi?update

Flagstar Bank

35 / 43 What’s Wrong?

■ The URL is a booby trap:
■ When I clicked on it, I was actually redirected to a site in Colombia, via yet another indirection. . .
■ The login page appears identical to the real one
■ (One of the web sites I visited seemed to have several variant “bank” pages)

36 / 43 The Login Box


37 / 43 The URL Bar


38 / 43 They Want Data. . .


39 / 43 Some Mail Headers

Received: from plesk.salesforcefoundation.org ([198.87.81.9])
        by cs.columbia.edu (8.12.10/8.12.10)
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for
Received: from adsl-68-20-44-198.dsl.chcgil.ameritech.net (68.20.44.198)
        by 198.87.81.11

Where does plesk.salesforcefoundation.org come from? It is asserted by the far side. The 198.87.81.9 is derived from the IP header, and is hard to forge (but stay tuned for routing attacks, in a few weeks). A DNS lookup on 198.87.81.9 isn’t very helpful; the mapping is controlled by the address owner, not the name owner.

40 / 43 Other Issues

■ Why is the email from flagstarbanking2.com?
■ The domain for the bank is flagstar.com — no “ing” and no “2”.
■ That’s legit! — the real web site for their online service is flagstarbanking2.com
■ We have trained users to accept weird, seemingly gratuitous differences; it can make life easier for the phisher

41 / 43 Tricks with URLs

■ http://[email protected]/foo
  cnn.com is a userid
■ http://2151288839/foo
  2151288839 is 128.58.16.7, cluster.cs.columbia.edu
■ http://rds.yahoo.com/_ylt=A0g...http%3a//www.freebsd.o
  So the search engine knows what you clicked on
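An added Go inspector for the three tricks above (mine, not from the lecture): it reports a userid before @, decodes a decimal host back to dotted form (2151288839 to 128.58.16.7) and pulls a second URL out of the path or query the way a redirector carries it. The sample links are constructed; 203.0.113.9 is a documentation address standing in for the phisher’s host, and the Yahoo link is filled in with made-up token text.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strconv"
)

// embeddedURL finds a second URL hidden inside the decoded path or query of a link.
var embeddedURL = regexp.MustCompile(`(?i)https?://[^\s?&"'<>]+`)

// InspectURL applies the slide's three tricks to one link and returns the host the
// browser would really connect to (a decimal host converted to dotted form) plus a
// note for each trick found. No findings means none of these three tricks is present.
func InspectURL(raw string) (host string, findings []string) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", []string{"unparseable URL: " + err.Error()}
	}
	host = u.Hostname()
	// Trick 1: everything before '@' is userinfo, so "cnn.com@..." never reaches cnn.com.
	if u.User != nil {
		findings = append(findings, "'"+u.User.Username()+"' is a userid; the host is "+host)
	}
	// Trick 2: a bare decimal number is accepted as an IPv4 host by most browsers.
	if n, err := strconv.ParseUint(host, 10, 32); err == nil {
		host = net.IPv4(byte(n>>24), byte(n>>16), byte(n>>8), byte(n)).String()
		findings = append(findings, "decimal host decodes to "+host)
	}
	// Trick 3: a redirector carries the real destination (often %-encoded) after its own host.
	query, _ := url.QueryUnescape(u.RawQuery)
	if m := embeddedURL.FindString(u.Path + "?" + query); m != "" {
		findings = append(findings, "redirects to embedded URL "+m)
	}
	return host, findings
}

func main() {
	for _, link := range []string{"http://2151288839/foo", "http://cnn.com@203.0.113.9/foo"} {
		host, notes := InspectURL(link)
		fmt.Println(link, "->", host, notes)
	}
}
```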

42 / 43 Final Thoughts on Phishing

■ We have the basic technical mechanisms to authenticate email and web sites
■ Human interaction with these mechanisms remains a very challenging problem
■ Security is a systems problem

43 / 43