
Electronic Authentication Technologies: E-mail Security and Digital Certificates

Working Through the Maze of Options and Opportunities

by George W. Wilson

CPA

May 2000

Many of us communicate with our clients, customers, colleagues and co-workers on a daily basis using e-mail... unsecured e-mail. Unfortunately, sending an e-mail without any regard to security issues may prove disastrous for many. Imagine the effects if mail, especially mail that is private, confidential and, in some cases, a privileged communication, winds up in the wrong hands!

We talk about the cause and effect of the Internet all the time, but an often-overlooked arena is the growth of e-mail traffic. Worldwide, it is estimated that we will send over 5 trillion messages this year, and most of these will be sent without any regard to security. All communications over the Internet are inherently open and unsecured unless steps are taken to protect them.

We have all heard this before. Most CPAs in firms and those who work for companies, the government and even in academia have Internet usage policies in place that deal with this issue. It probably reads like this: "Confidential information is not to be transmitted over the Internet without proper encryption." This is great in theory, but seldom used in practice, because e-mail is so easy to use that we don't typically think about the security aspects. And besides, who would want to read your mail anyway? With the advances we have experienced in e-mail technologies and related groupware products, the increase in productivity has allowed us to become very complacent with regard to security.

E-mail Problems
There are four inherent problems when using e-mail: authenticity of origin, data integrity, non-repudiation and access control/confidentiality.

With authenticity of origin, we are concerned with who sent the message. Just because the "From" field in a message has a name that is recognizable does not necessarily mean that it is from that person. "Spoofing" is a technique that makes an impostor's message appear as if it came from the real sender.

Data integrity is concerned with the contents of the message as it travels from the sender to the recipient. Messages can be intercepted en-route and changed.

Non-repudiation is related to the authenticity of the message's origin. The sender may try to argue that the message was not the one he/she sent, or that they never sent the message at all.

With access control/confidentiality, we are concerned with who can see the message. A "sniffer" is a device (either software or hardware) placed on the network that captures and reads all of the mail that passes by it; it can be used to perform legitimate network analysis or to steal information that travels over the network.

There are a number of ways to overcome these problems. Some solutions deal with only one aspect, while others deal with all four. If you look at the issues, it becomes apparent that the only way to deal with all four is to have some kind of writer-to-reader security.

Securing Your Mail
Today, there are many common methods of protection in use. The most common of these are implemented at layers 2 through 4 of the ISO 7-Layer Reference Model: the data link, network and transport layers. They include such technologies as SSL (Secure Sockets Layer) and VPNs (Virtual Private Networks). These methods are session-oriented; after the session is started, a secure pipe is created between the parties. As long as the session is in progress, the access control/confidentiality issue is dealt with by the encryption that occurs. If a digital signature is used, authenticity and non-repudiation can be established. There is no way that these methods can address the data integrity issue.

Another common method is to encrypt the information in a file attached to the e-mail message. The e-mail message is then nothing more than a transport mechanism for the attached file. Saving a file with a password in Word or Excel, or in a tool like WinZip, will encrypt the file.

Still, there are a couple of problems with this method. The first is that the recipient needs to know the password to open the file. How does he or she get it? (I have seen them sent in the body of the e-mail!) And what about the password itself? Passwords are a notorious weak link. Another problem is that there are commercially available programs to recover these files when passwords are forgotten. As you can see, this method can only deal with access control/confidentiality, and is very susceptible to tampering.

The last method takes place at the Application Layer (level 7) of the ISO 7-Layer Reference Model. Some of these technologies include S/MIME, PGP, PEM, X.400 and MOSS. In their application, these protocols use public key cryptographic technology to secure the entire message prior to being sent to the recipient, so the message is protected from the time it leaves the sender until the recipient opens it. All four issues are dealt with using this method.

Of all of these methods to secure e-mail, it becomes quite obvious that public key cryptographic technology is the preferred method because it provides writer-to-reader security. So which technology should you choose? Much of this decision is already made for you by the e-mail application software you are using. Some applications may use one of the standards mentioned above, or they may be using some proprietary technology.

The Technologies: S/MIME is Preferred
PGP, or Pretty Good Privacy, is a popular standard for e-mail encryption on the Internet, and is the simplest one. PGP is packaged as a single program that performs both encryption and decryption, provides a digital signature, performs the verification process and does its own key management. It is an effective tool when used in a small community of users.

Problems arise in how the keys are managed. PGP uses a trust model: you authenticate keys through someone who is trusted by you. The problem surfaces when you inherit all of their trusts, or when all of your own trusts are inherited by them. If there is a bad apple somewhere in the chain, your security has been breached! This is why PGP is used primarily in small groups.

PEM (Privacy Enhanced Mail), X.400, and MOSS (MIME Object Security Services) all have interoperability problems and thus have not had much vendor support.

S/MIME seems to be the standard many vendors are adopting. Products from Microsoft, Netscape, Lotus and Novell have adopted its use. Developed in 1995 by a group of software vendors led by RSA Data Security, Inc., this technology defines how digital signatures and encryption are used to secure e-mail, and effectively deals with the four issues outlined above.

So what exactly is S/MIME? S/MIME stands for Secure MIME, and MIME is short for Multipurpose Internet Mail Extensions, a set of specifications that deal with formatting non-ASCII messages (graphics, audio, video and others) so they can be delivered over the Internet. This technology also provides support for interchanging text in languages that use different character sets. S/MIME additionally applies two Public-Key Cryptography Standards (PKCS) and makes use of X.509 certificates, a standard that defines digital certificates.

A side note: S/MIME can be used with any transport protocol that transmits MIME objects, including HTML. S/MIME is also being used for EDI transactions over the Internet (www.verisign.com/server/prod/edi/index.html). In order for you to start securing your e-mail, you must have an S/MIME certificate or "Digital Certificate."

Digital Certificates
A Digital Certificate is the representation of a Digital ID. In plain terms, it is the electronic equivalent of a driver's license. Certificates reside in your Internet browser and e-mail software, and are used to prove your identity, gain access to information and encrypt e-mail. This ID binds your identity to a pair of electronic keys. A Digital ID is issued by a Certification Authority (CA) and is signed with the CA's private key. Verisign, Inc., a CA, is the leading provider of these services (www.verisign.com), and another well-known CA is Thawte Consulting (www.thawte.com).

The Certificate will contain the owner's public key, the owner's name, the expiration date of the public key, the CA's name, the serial number of the Digital ID and the digital signature of the CA. Digital IDs use two related keys (a key pair): a public key and a private key. Through the CA, the public key is made available to anyone wanting to correspond with the owner; it is used to verify signatures the owner makes with his or her private key, and to encrypt messages to the owner that can only be decrypted using that private key. When a Digital ID is installed in an Internet browser, it can function as your credentials when you enter a site. Using the Digital ID in this fashion can eliminate the need for entering passwords to gain access to certain sites.

Digital IDs also provide a digital signature that cannot be altered or forged, but the legal status of these signatures is still not well defined. The Federal government has indicated that it will support the legal authority of these signatures, and there are efforts in various states to legislate the legality of these signatures.

Getting a certificate is an easy process. At the Verisign Web site, www.verisign.com/client/enrollment/index.html, for example, you can buy a certificate valid for one year for $9.95, or get a 60-day trial certificate. Users simply complete an application, and an e-mail is sent to you with a PIN, directing you to Verisign's secure Digital ID Center at digitalid.verisign.com/enrollment/mspickup.htm to retrieve your Digital ID. Once you enter the PIN and press submit, you will be instructed to install the Digital ID by pressing the install button. After you have completed this step, you are ready to send and receive secure e-mail!

Sending and Receiving Secure Mail
After the Digital ID has been installed, using it is very easy. In the following example, Outlook Express v5.0 will be used. Let's first check the installation of the Digital ID. Open Outlook Express and go to "Tools, Options, Security." Click on the button that says "Digital IDs"; your Digital ID should be listed in the box.

Now we will create a new message that is digitally signed and send it to ourselves. Once you have created the message, you can click on the button on the toolbar that says "Sign" or go to "Tools" and click on the option that says "Digitally Sign." Once this is done, you will see a red ribbon at the end of the "From" box. Press send. The retrieved message looks like a normal message, with the red ribbon at the end of the "From" box that you can now click on to read the certificate information.

Now create another message. Click on the button to digitally sign the message and also click on the button to encrypt the message or go to "Tools" and click on "Encrypt." Send the message. Once you have retrieved the message and try to open it, a box will appear that says "Using your private exchange key to decrypt." Press OK.

The next screen that appears tells you that the message has been digitally signed and encrypted (this can be turned off for all future occurrences). You will notice in the header there is a new line labeled "Security" that says the message has been digitally signed, verified and encrypted. Pressing the "Continue" button at the bottom will take you to the body of the message.

You do not need another person's Digital ID to send a digitally signed message; however, when you want to send encrypted messages, you will need to have the recipient's Digital ID. The easiest way to get this is to have the recipient(s) send you a signed message and add the information to your address book. To do this, open the message, choose "File, Properties" and then select the Security tab. Choose "Add Digital ID to Address Book." In addition, you can retrieve someone's Digital ID from a Directory Service such as Four11, import it from a file or retrieve it from the CA's repository.
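The same sign, verify, encrypt and decrypt sequence as the Outlook Express walk-through above, done from the command line with the openssl tool so that each of the four e-mail problems can be seen being addressed. This is an added example, not part of the original article; it assumes the openssl binary is installed, and the user "Alice", her self-signed certificate (standing in for a CA-issued Digital ID) and the invoice message are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: exercise the four e-mail properties with S/MIME via the openssl CLI.
# Assumes the openssl binary is installed; "Alice" and her self-signed certificate are
# constructed here and stand in for a CA-issued Digital ID.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Constructed sample message body (the plain, unsecured e-mail).
printf 'Subject: Q2 invoice\n\nPlease wire 1,000 USD to account 12345.\n' > msg.txt
# A certificate binds Alice's identity (name, e-mail) to a key pair. A CA would
# normally sign it; here it is self-signed and used directly as the trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Alice/emailAddress=alice@example.com" \
  -keyout alice-key.pem -out alice-cert.pem 2>/dev/null
# Sign: only Alice's private key can produce this signature (authenticity of
# origin, non-repudiation). Output is a multipart/signed MIME message.
sign_message() {
  openssl smime -sign -in msg.txt -signer alice-cert.pem \
    -inkey alice-key.pem -out signed.eml
}
# Verify against the trusted certificate: prints "ok" if signature and content
# check out, "tampered" otherwise (data integrity).
verify_message() {
  if openssl smime -verify -in "$1" -CAfile alice-cert.pem \
       -out /dev/null 2>/dev/null; then
    echo ok
  else
    echo tampered
  fi
}
# Encrypt to the recipient's public key (access control/confidentiality); only
# the matching private key can decrypt, so a sniffer sees ciphertext only.
encrypt_message() {
  openssl smime -encrypt -aes256 -in msg.txt -out encrypted.eml alice-cert.pem
}
decrypt_message() {
  openssl smime -decrypt -in encrypted.eml -inkey alice-key.pem -recip alice-cert.pem
}
sign_message
verify_message signed.eml                            # ok
# Change one digit in the signed body, as an en-route modification would.
sed 's/1,000 USD/9,000 USD/' signed.eml > altered.eml
verify_message altered.eml                           # tampered
encrypt_message
grep -q 'account 12345' encrypted.eml || echo "account number not visible in transit"
decrypt_message | grep 'account 12345'
```

Note that Alice's certificate serves as both signer and recipient here only to keep the example self-contained; in practice you sign with your own key and encrypt to the recipient's certificate obtained as described above.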

Final Thoughts
The information contained in this article is somewhat complex and fraught with acronyms. To keep it simple enough to gain a basic understanding, brushing over or omitting details is unavoidable unless you want to read a book.

Hopefully you will read this article, go out and get your Digital ID and be on your way to "safe" e-mailing. Don't be surprised when someone responds to your mail "I can't read your message." They are just a little behind the times! Lastly, let me know that you have signed up by sending me a digitally signed message to gww@onesourcepsg.com (maybe we can trash my server with the volume of mail!).
