S/MIME:
S/MIME functionality and inter-operate between them.
Cryptographic services provided by S/MIME:
To utilize S/MIME, an individual key/certificate is required to be generated by a local, internal or external CA (certificate authority) or from numerous public CAs. The best practices standard method to improve security of the private keys and certificates requires escrow of the encryption key to prevent possible disclosure of the signature key and thereby invalidate non-repudiation. Generating an email or document and encrypting requires the author to encrypt using the public certificate of the recipient. Normally a user sends out his/her public certificate attached to emails when using S/MIME to facilitate encryption. Thunderbird Claws is one example of email software which supports the standard.
There are 2 levels or classes of user certificates to obtain for certification of a user (Class 1 or 2) and are dependent upon the level of validation required of the user. Businesses require validation of a user with more thorough investigation of the user's identity (Class 2 CA validated user) whereas the Class 1 certificates can be self-generated and validated using a web-of-trust method often used during key-signing parties (often held at Linux conferences). Most home users requiring or wanting to use encryption for email will use PKI instead of using the more complicated CA methods and can use the web-of-trust to provide validation of the sender to the recipient.
This method of encryption is problematic with webmail clients (browsers primarily) as the private key must be kept accessible to the user but not the webmail server. This issue is resolved by GnuPGP or PGP Desktop applications whereby the clipboard is used for signing the message and passing the data back to the browser or webmail client. This method is utilized by Android apps such as Enigmail and K-9 to provide end-to-end encryption of email.
Speaking of end-to-end encryption, S/MIME encryption encapsulation of message bodies includes any attachments which could contain malware targeted at the end users' machine. Given that inspection software must evaluate all data arriving at a system, true end-to-end encryption must be technically broken; This is used throughout most business situations to open and inspect the content of the message(s) and attachment(s).
Common methods:
Proper key storage of the private key must be maintained for future decryption of messages encrypted for S/MIME. Attention to this issue should be provided for proper future access to emails.
Cryptographic services provided by S/MIME:
- Authentication
- Message integrity
- Non-repudiation (signatures)
- Privacy
- Data security (encryption)
To utilize S/MIME, an individual key/certificate is required to be generated by a local, internal or external CA (certificate authority) or from numerous public CAs. The best practices standard method to improve security of the private keys and certificates requires escrow of the encryption key to prevent possible disclosure of the signature key and thereby invalidate non-repudiation. Generating an email or document and encrypting requires the author to encrypt using the public certificate of the recipient. Normally a user sends out his/her public certificate attached to emails when using S/MIME to facilitate encryption. Thunderbird Claws is one example of email software which supports the standard.
There are 2 levels or classes of user certificates to obtain for certification of a user (Class 1 or 2) and are dependent upon the level of validation required of the user. Businesses require validation of a user with more thorough investigation of the user's identity (Class 2 CA validated user) whereas the Class 1 certificates can be self-generated and validated using a web-of-trust method often used during key-signing parties (often held at Linux conferences). Most home users requiring or wanting to use encryption for email will use PKI instead of using the more complicated CA methods and can use the web-of-trust to provide validation of the sender to the recipient.
This method of encryption is problematic with webmail clients (browsers primarily) as the private key must be kept accessible to the user but not the webmail server. This issue is resolved by GnuPGP or PGP Desktop applications whereby the clipboard is used for signing the message and passing the data back to the browser or webmail client. This method is utilized by Android apps such as Enigmail and K-9 to provide end-to-end encryption of email.
Speaking of end-to-end encryption, S/MIME encryption encapsulation of message bodies includes any attachments which could contain malware targeted at the end users' machine. Given that inspection software must evaluate all data arriving at a system, true end-to-end encryption must be technically broken; This is used throughout most business situations to open and inspect the content of the message(s) and attachment(s).
Common methods:
- Store private keys on the gateway server to allow decryption prior to a the gateway malware scan.
- Store private keys in malware scanners to inspect messages and relay the message or a message with infected/blocked status to the user.
Proper key storage of the private key must be maintained for future decryption of messages encrypted for S/MIME. Attention to this issue should be provided for proper future access to emails.
This is an especially important issue home users should consider when using any encryption of their data should they or their families require access in the future. Often this can be resolved by storing the private key on a CD or USB media locked in a vault, safety deposit box or other secured location.
More to come in part 4:
IPSEC, & SSH
(1) - https://en.wikipedia.org/wiki/S/MIME
More to come in part 4:
IPSEC, & SSH
(1) - https://en.wikipedia.org/wiki/S/MIME
No comments:
Post a Comment