
Page 1: Email Security...So with an SSL connection, if I'm accessing my Gmail account over SSL, I tell the server: I need a secure connection with you. And the server goes: Okay. And they

Email Security

Table of Contents

Messaging Security Email ............................................................................................................... 2

Email Security .................................................................................................................................. 3

SSL/TLS -1 ........................................................................................................................................ 5

SSL/TLS -2 ........................................................................................................................................ 6

SSL/TLS -3 ........................................................................................................................................ 8

SSL/TLS -4 ........................................................................................................................................ 9

S/MIME ......................................................................................................................................... 10

Exchange ActiveSync -1 ................................................................................................................. 12

Exchange ActiveSync -2 ................................................................................................................. 14

Notices .......................................................................................................................................... 15

Page 1 of 15


Slide 29: Messaging Security Email

**029 So let's talk about Messaging Security Email.


Slide 30: Email Security

When discussing e-mail security the following features may be used to secure e-mail stored and/or sent from a device:

• Passwords
• Encryption
  — SSL/TLS
  — Full Disk Encryption
  — S/MIME
• Policies (Exchange ActiveSync)
• Information Rights Management
• Certificates
• Remote Wipe

**030 Email Security. When we discuss email security, the following features may be used to secure email stored and/or sent from a device: passwords; different kinds of encryption. SSL/TLS is used on some devices when you're accessing webmail to protect the webmail access. Full disk encryption would be used to protect the data at rest. S/MIME is an alternate method you can use to encrypt the email. And with S/MIME, unlike with SSL/TLS-- SSL/TLS only encrypts the message while it's being transmitted. So once one side receives the message-- so I send it to Google; once Google receives the message, SSL or TLS do not provide any more security. It only encrypts or protects the message en route. Once it's on one side or the other, it's no longer protected. Full disk encryption of course protects your device, if your device has full disk encryption on it. S/MIME-- and we'll talk about it in depth-- can be used to encrypt the message, and it will stay encrypted even while it's at rest, unless the person has the proper certificate to decode the message. And if they ever lose the certificate, or if it's revoked for some reason, they will not be able to access the contents of that message anymore. Exchange policies or Domino policies or other email client-- Lotus Notes policies. You can have policies that provide email security. Information Rights Management, certificates and remote wipe.


Slide 31: SSL/TLS -1

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that secure communication over the Internet.

SSL 3.0 was released in 1996 and has been replaced by TLS (current version 1.2); however, most devices allow the user to specify whether SSL, TLS, or neither is used for communication.

SSL and TLS are designed to encrypt network connections above the Transport Layer.

**031 So what exactly is SSL and TLS? SSL is Secure Sockets Layer and TLS is Transport Layer Security. They're cryptographic protocols that secure communication over the internet. SSL version 3 was released in '96 and has been replaced by TLS, which is currently version 1.2. However, most devices allow the user to specify whether SSL, TLS or neither is used for communication. They are designed to encrypt network connections above the Transport layer. So if you know your network layers, there's different layers. And SSL and TLS work at the Transport layer. They're considered roughly equivalent in terms of security. So even though TLS has replaced SSL, SSL is still used in a lot of Web traffic because it still provides roughly equivalent security.

Slide 32: SSL/TLS -2

SSL and TLS are considered roughly equivalent in terms of security. The primary difference is that SSL connections begin with security, whereas TLS connections switch to secured communication once the handshake between the client and server has succeeded.

The main benefits of TLS are:

• TLS is an open standard.
• TLS is backward compatible with SSL.
• TLS allows secure and insecure connections over the same port, while SSL requires a secure-only port.

**032 The primary difference being that SSL connections begin with security. TLS connections switch to a secured communication once the handshake between the client and server is successful. So with an SSL connection, if I'm accessing my Gmail account over SSL, I tell the server: I need a secure connection with you. And the server goes: Okay. And they go through the process of securing that connection. And once it's secured, then the rest of the information is secured from that point on. With TLS, the connection isn't secured until after the handshake occurs. So with SSL, as soon as I send the request to the server, the whole traffic is encrypted. With TLS, it doesn't start encrypting it until after the server and client agree to the session; and at that point it becomes encrypted. There are three main benefits of TLS. TLS is an open standard, and due to it being an open standard there's no royalties associated with using TLS. It's backwards compatible with SSL. So if you're using TLS and the other side only supports SSL, it will still be able to accept a connection. TLS also allows secure and insecure connections over the same port. SSL requires a secure-only port. So if I'm trying to log into a server over a certain port, if I'm trying to use SSL and the server suddenly requests a different port, it has to re-initiate the connection over the new port. Whereas TLS doesn't really care. It can do both secure and insecure over that same port.

Slide 33: SSL/TLS -3

SSL and TLS only secure the communications channel; they do not provide protection for the e-mail message or for data at rest. Furthermore, SSL and TLS CANNOT be enforced for all SMTP hosts that might transmit messages.

http://technet.microsoft.com/en-us/library/cc781476(WS.10).aspx

**033 Like I mentioned, SSL and TLS only secure the communication channel. They do not provide protection for the email message or data at rest. Furthermore, SSL and TLS cannot be enforced for all SMTP hosts that might transmit the messages. So this diagram shows the protocol layers for SSL and TLS. SSL and TLS are working across the record layer and the handshake layer.
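The "secure and insecure connections over the same port" point from slide 32 is the SMTP STARTTLS upgrade (RFC 3207), and the "cannot be enforced for all SMTP hosts" point from slide 33 is why a mail client has to decide for itself what to do when a server does not offer it. The following client-side policy is an added example, not code from the SEI course: the EHLO replies are constructed sample data, and the host, port and credential arguments are placeholders.

```python
import smtplib
import ssl

# Constructed EHLO replies (sample data, not captured from a real server).
# smtplib returns the reply body as bytes; the first line is the server's
# domain/greeting and every following line names one ESMTP extension.
EHLO_WITH_STARTTLS = (b"mail.example.test Hello client\n"
                      b"SIZE 35882577\nSTARTTLS\nAUTH PLAIN LOGIN\n8BITMIME")
EHLO_CLEARTEXT_ONLY = (b"mail.example.test Hello client\n"
                       b"SIZE 35882577\nAUTH PLAIN LOGIN\n8BITMIME")


def parse_ehlo(reply: bytes) -> set:
    """Extract the extension keywords advertised in an EHLO reply."""
    lines = reply.decode("ascii", "replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.split()}


def submission_decision(reply: bytes) -> str:
    """Fail-closed policy: authenticate only after TLS has been negotiated.

    'starttls' means upgrade the cleartext session before AUTH; 'refuse'
    means the server did not offer TLS on this port, so credentials and
    message content must not be sent. An on-path party that strips the
    STARTTLS keyword is treated exactly like a server that lacks it.
    """
    return "starttls" if "STARTTLS" in parse_ehlo(reply) else "refuse"


def tls_client_context() -> ssl.SSLContext:
    """Verifying context: CA trust, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def submit_with_starttls(host, port, user, password, sender, rcpts, msg_bytes):
    """Submit a message over a STARTTLS-upgraded session (placeholder args)."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        _code, reply = smtp.ehlo()
        if submission_decision(reply) != "starttls":
            raise RuntimeError("no STARTTLS offered; refusing cleartext AUTH")
        smtp.starttls(context=tls_client_context())
        smtp.ehlo()  # extensions can differ inside TLS; re-read them
        smtp.login(user, password)
        smtp.sendmail(sender, rcpts, msg_bytes)


if __name__ == "__main__":
    print(submission_decision(EHLO_WITH_STARTTLS))   # starttls
    print(submission_decision(EHLO_CLEARTEXT_ONLY))  # refuse
```

The secure-only-port model the slide attributes to SSL is implicit TLS (smtplib.SMTP_SSL on a dedicated port); the policy above covers the shared-port case, which is the one that can silently fall back to cleartext.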


Slide 34: SSL/TLS -4

Handshake

• Used to negotiate session information between the client and the server
• Composed of:
  — Session ID
  — Peer certificates
  — Cipher spec to be used
  — Compression algorithm
  — Shared secret used to generate keys

**034 So what is a handshake? The handshake is used to negotiate session information between the client and the server. These things are used to initiate the session: first of all, a session ID. The server and the client have to agree: what is the session ID for this request? Then their certificates: do both of us have a valid certificate to use this type of connection, yes or no? What cipher is going to be used? What type of encryption are we going to actually use in here? What type of compression algorithm are we going to use? How do we compress the data so that it more readily transmits over the network? And what is the shared secret used to generate the keys? So they have to agree on each of these components in order to have a successful handshake.
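The fields listed on the slide are offered by the client in the first handshake message, the ClientHello. The parser below is an added example, not part of the SEI course material: it constructs a sample ClientHello record, extracts the version, session ID, cipher suites and compression methods, and flags what a monitoring point would want to know (a legacy version or non-null compression on offer). It goes a step beyond the slide by rejecting truncated records instead of reading past the end.

```python
import struct

class _Reader:
    """Bounds-checked cursor over the handshake body."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

def build_client_hello(version=0x0303, session_id=b"", suites=(0x1301, 0xC02F), compression=(0,)):
    """Build a sample ClientHello record (constructed data: zero random, no extensions)."""
    body = struct.pack("!H", version) + bytes(32)  # client_version + 32-byte random
    body += bytes([len(session_id)]) + session_id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs
    body += bytes([len(compression)]) + bytes(compression)
    body += struct.pack("!H", 0)  # empty extensions vector
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type handshake(22)

def parse_client_hello(record: bytes) -> dict:
    """Extract the negotiable fields: version, session ID, cipher suites, compression.
    Extensions are not parsed, so a TLS 1.3 hello shows its legacy_version 0x0303."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = _Reader(hs[4:4 + int.from_bytes(hs[1:4], "big")])
    version = body.u16()
    client_random = body.take(32)  # client's contribution to the shared secret
    session_id = body.take(body.take(1)[0])
    cs_len = body.u16()
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    suites = [body.u16() for _ in range(cs_len // 2)]
    compression = list(body.take(body.take(1)[0]))
    return {"version": version, "random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression}

def assess(hello: dict) -> list:
    """Findings a defender's TLS monitoring point would raise for this hello."""
    findings = []
    if hello["version"] < 0x0303:
        findings.append("legacy protocol version offered")
    if any(m != 0 for m in hello["compression"]):
        findings.append("non-null compression offered")
    return findings
```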

Slide 35: S/MIME

Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and the signing of MIME data.

S/MIME can be used to:

• Digitally “sign” messages
  — Proving authenticity
• Encrypt messages
  — Requires that certificates be shared between the sender and receiver

http://www.ghacks.net/2007/04/26/encrypt-and-sign-all-your-email-traffic/

**035 So S/MIME, what is it? S/MIME is Secure/Multipurpose Internet Mail Extensions. It is a standard for public key encryption and for the signing of MIME data. So MIME is just Multipurpose Internet Mail Extensions. It's the default. S/MIME is how we go about securing MIME. It can be used to do one of two things. It can digitally sign messages-- and digital signing is used to prove that the message actually came from somebody; a lot of times when companies send out messages. So Company X, you'll see at the bottom of their message: Signed by-- and then you'll see the digital signature for them. That digital signature proves-- or is supposed to prove-- that the person that owns that certificate actually sent that message. Now if for some reason somebody got access to their key, then you can't necessarily prove it because they could sign whatever they want. But then there was a key leak and you have to worry about that anyway. Or it can be used to encrypt the message. So if I don't want anybody else to be able to read the message except the person I'm explicitly sending it to, I can require-- or to encrypt it, it requires that certificates be shared between the sender and receiver. Same with PGP; pretty much the same principle as PGP. The people have to share the certificate prior to the encrypted message being sent. Because if they don't, there's no way to decrypt the message. And of course you don't want to send the decryption key with the message you're sending because that doesn't do any good. So both sides already have to have a way to decrypt or encrypt the message.

Slide 36: Exchange ActiveSync -1

Organizations using Microsoft Exchange for organizational email management can use Exchange ActiveSync to define smartphone policies.

Policies can be set to:

• A user
• A group

http://technet.microsoft.com/en-us/library/bb123484.aspx

**036 Exchange ActiveSync. Organizations using Microsoft Exchange-- and we're going to focus on Exchange; other software suites can do the same thing, but we're just going to focus on Microsoft's Exchange ActiveSync program. Organizations using Microsoft Exchange for email management can use Exchange ActiveSync to set smartphone policies. The policies can be set at either a user or a group level. And it's up to the administrator to decide what policies we are going to put into place. And it's up to the device whether those policies are enforceable on that device. So as we mentioned, Windows Phone 7.5: encryption is not supported. Well, as an Exchange administrator, I can't force Windows Phone 7.5 to use encryption since it's not supported in the first place. So the operating system has to support it, and the system administrator for the Exchange server has to enable it. Those are the two things that need to happen for ActiveSync to work.


Slide 37: Exchange ActiveSync -2

Exchange ActiveSync support is dependent on the version of ActiveSync the phone is capable of running and on the features implemented by the OS developer.

iOS 5.0
• Supports 28 policies

Microsoft 7.5
• Supports 31 policies

Android 4.0
• Supports 25 policies

Blackberry
• Requires a third-party application to support ActiveSync

**037 Exchange ActiveSync support is dependent on the version of ActiveSync the phone is capable of running, and on the features implemented by the OS developer; which is what I just said. So iOS 5 supports 28 different policies. Microsoft 7.5 supports 31 policies. Android 4.0 supports 25 policies. BlackBerry, by default, does not support any ActiveSync policies. There are third-party applications out there that allow ActiveSync to work with BlackBerry devices. Normally with BlackBerry, if there's a lot of BlackBerries in the environment, normally they'll be handled by the BlackBerry Enterprise Server or the BES.


Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below. This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

NO WARRANTY. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT® is a registered mark of Carnegie Mellon University.
