Date post: 18-Mar-2018
E-mail Clients and Security

BIT-301

IT Methodologies

Inderjeet Singh

BIT-301, Inderjeet Singh Email Clients and Security


E-mail Clients

• An email client, email reader or, more formally, mail user agent (MUA) is a computer program used to access and manage a user's email.

• A web application that provides message management, composition, and reception functions is sometimes also considered an email client, but is more commonly referred to as webmail.


Setup Netscape Messenger

• Start Netscape Messenger from the Start menu or the icon on the desktop or hard drive.

• Click on the Edit pull-down menu.

• Select Preferences.

• Click on the + or > in front of Mail & Newsgroups to show the sub-categories.

• Click on Identity. Fill in:

– Your name

– Internet E-mail Address

– Organization (RIT), as shown on screen


Setup Netscape Messenger

• Create a signature file by clicking on the Edit Card button, or use one already present on your system by clicking Choose and selecting that file.

• Fill in your First Name, Last Name, Organization, Title, E-mail address, Phone No, Fax No, etc.

• Note: [email protected], where abc1234 would be replaced by your RIT username, and the same with first name and last name.

• Optional: Click the Contact tab and fill in additional information if you choose.

• Click OK.

Optional: Check off "Attach my personal card to messages." if you wish to have your contact information always automatically attached to all your messages.


Setup Netscape Messenger

• Click on Mail Server (under Identity) and click Add.

• Fill in Server Name based on the system where you read your e-mail. See the table below this image.

• In Server Type choose IMAP from the options. This will keep your e-mail organized if you read e-mail from more than one computer (i.e. lab, office, home).

• In User Name fill in your DCE user name (same as grace or vax username), i.e. abc1234.

• Important: If you use the grace/OSF settings, click Advanced and set your IMAP server directory: mail

• Click OK.


Setup Netscape Messenger

• Now fill in the Outgoing Mail (SMTP) server based on the system where you read your e-mail.

• In Outgoing mail server user name type your DCE username, i.e. abc1234.

• Select the radio button for "If Possible" for the Use SSL option.

• Don't hit OK yet. If you already did, open Preferences again from the Edit menu.

• Click the Messages sub-category and check off "Wrap incoming plain text messages to window width".

• Click Formatting (in the Mail and Newsgroups sub-category). Select the radio button for "Ask me what to do if the message has HTML formatting, otherwise send plain text."

• Click OK.


Microsoft Outlook - Features

• Office Fluent "ribbon" user interface (though not for the main window)

• Changed calendar views

• Send your calendar information with calendar snapshots

• Ability to publish calendars in Internet Calendar format

• Send text and picture messages from Outlook with Outlook Mobile Service to a mobile phone.

• Integrated RSS aggregator

• 'Instant Search' through a context indexer based search engine with Windows Desktop Search

• Enhanced integration with Microsoft Office SharePoint Portal Server


Setting up Microsoft Outlook (2007)

• Start Outlook.

• On the Tools menu, click Account Settings.

• Click New.

• Click Microsoft Exchange, POP3, IMAP, or HTTP, and then click Next.

• In the Auto Account Setup dialog box, click to select the Manually configure server settings or additional server types check box, and then click Next.

• Click Internet E-Mail, and then click Next.

• In the Server Information section, select IMAP for Account Type.


Setting up Microsoft Outlook (2007)

• In the Your Name box, enter your name exactly as you want it to appear to recipients.

• In the E-mail Address box, type your e-mail address.

• In the User Name box, type your account name.

• In the Password box, type your password.

• In the Incoming mail server box, type the name of your IMAP4 server.

• In the Outgoing mail server (SMTP) box, type the name of your SMTP server.

Note: IMAP4 is a retrieval protocol. You must have SMTP to send your messages.

• Click Next after you have completed entering this configuration information, and then click Finish.


Security Services for E-mail

• privacy

• authentication

• integrity

• non-repudiation

• anonymity

• proof of submission

• proof of delivery

• message flow confidentiality, etc.


Key Management

• A per-message symmetric key is used for message encryption,

• which is conveyed in the mail, encrypted under a long-term key (typically a public key)

• Long-term keys can be established,

– offline

– online, with help from a trusted third party

– online, through a webpage (for public keys)


Multiple Recipients

• The message key S will be encrypted under each recipient's long-term key in the message header; the message m is encrypted once under S.

– Bob's ID, K_Bob{S}

– Carol's ID, K_Carol{S}

– Ted's ID, K_Ted{S}

– S{m}

• E.g.:

To: Bob, Carol, Ted
From: Alice
Key-info: Bob-4276724736874376
Key-info: Carol-78657438676783457
Key-info: Ted-12873486743009
Msg-info: UHGuiy77t65fhj87oi.....
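The Key-info/Msg-info layout above, as an added example that is not part of the original slides: the body is encrypted once under S and S is wrapped once per recipient. It assumes pre-shared symmetric long-term keys, and `seal`/`unseal` are a hypothetical stand-in cipher built from HMAC-SHA256, used only because the Python standard library has no block or public-key cipher.

```python
import hashlib, hmac, os

def _sub(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 keystream); it is not what PEM or PGP use.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += _sub(key, nonce + ctr.to_bytes(4, "big"))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, data: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC, separate subkeys)."""
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, data)
    return nonce + ct + _sub(_sub(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _sub(_sub(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def encrypt_mail(message: bytes, long_term_keys: dict) -> dict:
    s = os.urandom(32)  # per-message key S, fresh for every mail
    return {
        # One Key-info entry per recipient: ID -> K_recipient{S}
        "key_info": {rid: seal(k, s) for rid, k in long_term_keys.items()},
        # Msg-info: S{m}, stored once no matter how many recipients
        "msg_info": seal(s, message),
    }

def decrypt_mail(rid: str, long_term_key: bytes, mail: dict) -> bytes:
    s = unseal(long_term_key, mail["key_info"][rid])  # recover S from own entry
    return unseal(s, mail["msg_info"])

# Constructed long-term keys for the three recipients named on the slide.
KEYS = {name: os.urandom(32) for name in ("Bob", "Carol", "Ted")}
```

Because each Key-info entry carries its own integrity tag, a recipient who unwraps a modified or foreign entry gets an error instead of a wrong S.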


Text Format Issues

• Mail gateways/forwarders may modify the format of the message (wrapping long lines, end-of-line character, high order bits, etc.), causing the integrity check to fail

• Encode messages in a format supported by all mailers. 6-bit representation, no long lines, etc. (similar to uuencode)


Text Format Issues (cont’d)

• Problem: Non-supporting clients should be able to read authenticated (but not encrypted) messages, which they no longer can once the message is encoded.

• Two options:

– MAC without encoding (subject to corruption by mail routers)

– Encode & MAC/encrypt (may not be readable at the other end)
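The trade-off between the two options, as an added example that is not part of the original slides. The `gateway` function is a constructed model of a relay that rewrites line ends, clears the high-order bit and wraps long lines; the key and the message body are constructed sample values.

```python
import base64, hashlib, hmac

MAC_KEY = b"constructed-demo-key"  # constructed sample key shared by both ends

def mac(data: bytes) -> bytes:
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()

def gateway(body: bytes, width: int = 78) -> bytes:
    """Constructed relay model: CRLF line ends, 7-bit clean, long lines wrapped."""
    out = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = bytes(b & 0x7F for b in line)   # high-order bit cleared
        while len(line) > width:               # long line wrapped
            out.append(line[:width])
            line = line[width:]
        out.append(line)
    return b"\r\n".join(out)

def send_plain(body: bytes):
    """Option 1: MAC without encoding; any client can still read the body."""
    return body, mac(body)

def send_encoded(body: bytes):
    """Option 2: MAC the body, then ship it in a 6-bit, short-line encoding."""
    return base64.encodebytes(body), mac(body)

def verify_plain(received: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(received), tag)

def verify_encoded(received: bytes, tag: bytes) -> bool:
    # b64decode discards CR/LF, so rewritten line ends do not change the result.
    return hmac.compare_digest(mac(base64.b64decode(received)), tag)

# Constructed message: LF line ends, one 8-bit byte (0xE9), one line over 78 chars.
BODY = b"Caf\xe9 invoice\n" + b"item " * 20 + b"\nTotal: 42\n"
```

After the relay, option 1 fails verification although nobody tampered with the message, while option 2 verifies but its wire form is unreadable to a client that does not know the encoding.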


Providing Different Services

• confidentiality: by encryption

• auth./integrity: by signature or MAC

• non-repudiation: by signature

• some eccentric services,

– anonymity

– message flow confidentiality

– non-repudiation with secret keys

can be provided by TTP support.


PEM & S/MIME

• Privacy Enhanced Mail (PEM)

– Developed by IETF, to add encryption, source authentication & integrity protection to e-mail

– Allows both public & secret long-term keys; the message key is always symmetric

– Specifies a detailed certification hierarchy

• Secure/MIME (S/MIME)

– PEM never took off; CA hierarchy difficult to realize

– S/MIME: PEM design incorporated into MIME


PEM Key Exchange & Encryption

• “Interchange keys”: Users’ long-term PEM keys

– public (a detailed PKI is defined)

– secret (pre-shared symmetric keys)

• Encryption

– A symmetric per-message key is sent encrypted under the interchange key.

– The message is encrypted under the per-message key (typically with DES in CBC mode)

• Authentication

– Message is authenticated by a “MIC” (Q: Any authentication for the per-message key?)


PEM Certificate Hierarchy

• The root CA: “Internet Policy Registration Authority” (IPRA)

• “Policy Certification Authorities”: Second-level, CA-certifying CAs, each with a different policy:

– High Assurance (HA): super-secure

• implemented on secure platforms

• regulates that the child CAs (also HACAs) enforce the same rules

– Discretionary Assurance (DA): secure

• requires that the child CAs own their names

– No Assurance (NA): no constraints

• can be used to certify Internet personas (pseudonyms)

• Lower-level CAs, certifying individuals or other CAs


S/MIME vs. PEM

• Incorporated into MIME; no other encoding

• Any sequence of sign & encrypt is supported (each as a recursive MIME encapsulation)

• Has more options than PEM

• ASN.1 header encoding

• No prescribed certification hierarchy

• Has a good prospect of deployment for commercial & organizational usage


Pretty Good Privacy (PGP)

• Popular mail & file encryption tool

• Developed by Phil Zimmermann, 1991

• Based on RSA, IDEA, MD5 (later DSS, ElGamal (DH), 3DES, SHA1)

• Many different versions have emerged (from PGP, from GNU (GPG), from IETF (OpenPGP))


PGP Operation

• All long-term user keys are public

• Signature: Message & timestamp are hashed (MD5 or SHA1) and signed (RSA or DSS)

• Compression (ZIP)

• Encryption:

– Message is encrypted with a per-message symmetric key (typically with IDEA in CFB mode)

– which is encrypted with the recipient’s public key (RSA or DH (ElGamal))

• Radix-64 (6-bit) encoding


Trust Model & Key Management

• Any user can certify any other (anarchy model)

• Each user decides whom to trust and how much

• “Key Ring”: Data structure to store public keys held by a user, with their levels of trust

• Public keys can be obtained,

– offline (in person, over the phone, etc.)

– through personal webpages

– through a trusted friend (“web of trust”)

– through a trusted CA


DKIM – DomainKeys Identified Mail

• An effort to stop spam with forged domain addresses (e.g. phishing attacks).

• Standardized by RFC 4871; supported by Yahoo, Gmail, FastMail etc.

• Each domain has an email signature key. Public keys will be retrieved over DNS.

• If signature verification fails, mail will be dropped.
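How a verifier locates the domain's key in DNS and checks the body-hash part of a signature, as an added example that is not part of the original slides. It goes beyond the bullets by covering only the `bh=` step with "simple" body canonicalization; the RSA check of `b=` is out of scope, and the header, selector `sel1`, domain `example.com` and body are constructed sample values.

```python
import base64, hashlib, re

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (whitespace in values dropped)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_query_name(tags: dict) -> str:
    """DNS name of the TXT record that holds the signing domain's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def simple_body(body: bytes) -> bytes:
    """'simple' body canonicalization: trailing empty lines reduce to one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(simple_body(body)).digest()).decode()

def check_body(tags: dict, body: bytes) -> str:
    """Return 'pass', 'fail' or 'unsupported' for the bh= step only."""
    if any(t not in tags for t in ("v", "a", "b", "bh", "d", "h", "s")):
        return "fail"                       # a required tag is missing
    body_canon = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    if tags["a"] != "rsa-sha256" or body_canon != "simple" or "l" in tags:
        return "unsupported"                # outside what this example handles
    return "pass" if tags["bh"] == body_hash(body) else "fail"

# Constructed sample body and header; b= is a placeholder, not a real signature.
BODY = b"Your statement is ready.\r\n\r\n"
HEADER = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel1;\r\n"
          "\th=from:to:subject; bh=" + body_hash(BODY) + "; b=PLACEHOLDER")
```

Extra blank lines appended by a relay do not change the result, while any change to the body text does.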


DKIM

• Once deployed, it will significantly limit phishing attacks with forged domain addresses.

• Deployment is increasing rapidly.

• Example: Gmail’s collaboration with PayPal & eBay

