
Internet Security: Enhanced Security Services for S/MIME



  1. Internet Security: Enhanced Security Services for S/MIME. Thomas Göttlicher, April 20, 2004

  2. Agenda
      • Basics
      • Technical
      • Signed receipts
      • Security labels
      • Secure mailing lists
      • Signed certificates

  3. 1 Basics

  4. Basics
      • S/MIME = Secure MIME
      • protect MIME e-mail

  5. Basics
      • S/MIME = Secure MIME
      • protect MIME e-mail
      [diagram: MIME e-mail (text, text, Excel sheet, Word document)]

  6. Basics
      • S/MIME = Secure MIME
      • protect MIME e-mail
      [diagram: signed S/MIME e-mail (text, text, Excel sheet, Word document) with S/MIME digital signature]

  7. Basics
      • S/MIME = Secure MIME
      • protect MIME e-mail
      [diagram: encrypted S/MIME e-mail (text, text, Excel sheet, Word document) with S/MIME encrypted envelope]

  8. 2 Technical
      • Internet Layer
      • Compatibility
      • Triple Wrapping

  9. Internet Layer [diagram: layer stack with S/MIME at the application layer: application layer, transport layer, network layer, link layer, physical layer]

  10. Compatibility
      • S/MIME v3 can read messages from S/MIME v2
      • BUT: S/MIME v3 messages are unreadable by S/MIME v2

  11. Triple Wrapping
      • Message has been signed, encrypted and signed again
      • Inside signature: content integrity
      • Encrypted body: confidentiality
      • Outside signature: integrity for information produced hop-by-hop

  12. Triple Wrapping (continued)

      Content-type: multipart/signed;
         protocol="application/pkcs7-signature";
         boundary=outerboundary

      --outerboundary
      Content-type: application/pkcs7-mime;
         smime-type=enveloped-data

      Content-type: multipart/signed;
         protocol="application/pkcs7-signature";
         boundary=innerboundary

      --innerboundary
      Content-type: text/plain

      Original content

      --innerboundary
      Content-type: application/pkcs7-signature

      inner SignedData block (eContent is missing)

      --innerboundary--

      --outerboundary
      Content-type: application/pkcs7-signature

      outer SignedData block (eContent is missing)

      --outerboundary--

  13. Triple Wrapping (continued) [same message structure as slide 12, with three regions marked: "inner signature computed over", "encrypted data", "outer signature computed over"]

  14. 3 Signed Receipts

  15. Signed Receipts
      • Proof of delivery of a message
      • Before processing a receipt-request: the receiving agent must verify the signature => no receipt if signature is invalid
      • Receiving user agent software should automatically create a signed receipt when requested

  16-18. Signed Receipts (Example) [diagram: A, B]

  19. Signed Receipts (continued)
      • Receipts can be requested from
          – all recipients

  20-22. Signed Receipts (Example) [diagram: A, B, C, D]

  23. Signed Receipts (continued)
      • Receipts can be requested from
          – all recipients
          – a specific list of recipients

  24-26. Signed Receipts (Example) [diagram: A, B, C, D]

  27. Signed Receipts (continued)
      • Receipts can be requested from
          – all recipients
          – a specific list of recipients
          – first tier (= recipients that did not receive the message as members of a mailing list)

  28-30. Signed Receipts (Example) [diagram: A, B, C, Mail List]

  31. Signed Receipts (continued)
      • Receipts can be requested from
          – all recipients
          – a specific list of recipients
          – first tier (= recipients that did not receive the message as members of a mailing list)
      • Sender can indicate that receipts be sent to many places
          – receipt not just to the sender

  32-34. Signed Receipts (Example) [diagram: A, B]

  35. Signed Receipts (continued)
      • Receipts can be requested from
          – all recipients
          – a specific list of recipients
          – first tier (= recipients that did not receive the message as members of a mailing list)
      • Sender can indicate that receipts be sent to many places
          – receipt not just to the sender
          – not even to the sender

  36-38. Signed Receipts (Example) [diagram: A, B]

  39. Signed Receipts (continued)
      • Receipts can be requested from
          – all recipients
          – a specific list of recipients
          – first tier (= recipients that did not receive the message as members of a mailing list)
      • Sender can indicate that receipts be sent to many places
          – receipt not just to the sender
          – not even to the sender
      • Multiple Receipt Requests: Each recipient should only return one receipt
      • No signed receipt for a signed receipt
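The receipt rules from slides 15 to 39, written as the decision a receiving agent makes before it builds a receipt. This is an added example, not code from the presentation; the dictionary fields, the `request_id` used to enforce "only one receipt", and the addresses are constructed for illustration, and signature verification is assumed to have happened elsewhere.

```python
def receipt_destinations(msg, me, already_sent):
    """Addresses this recipient should send a signed receipt to ([] = send none)."""
    if not msg["signature_valid"]:
        return []                      # verify before processing the request
    if msg.get("is_receipt"):
        return []                      # no signed receipt for a signed receipt
    req = msg.get("receipt_request")
    if req is None:
        return []                      # nothing was requested
    who = req["receipts_from"]         # "all", "first-tier" or an explicit list
    if who == "all":
        wanted = True
    elif who == "first-tier":
        wanted = not msg.get("via_mailing_list", False)
    else:
        wanted = me in who
    key = (req["request_id"], me)      # hypothetical id for de-duplication
    if not wanted or key in already_sent:
        return []                      # not asked, or one receipt already returned
    already_sent.add(key)
    return list(req["receipts_to"])    # may name many places, or omit the sender


def demo():
    """Constructed messages covering each rule once."""
    sent = set()
    base = {"signature_valid": True,
            "receipt_request": {"request_id": "msg-1",
                                "receipts_from": "first-tier",
                                "receipts_to": ["auditor@example.org"]}}
    return {
        "direct": receipt_destinations(base, "b@example.org", sent),
        "repeat": receipt_destinations(base, "b@example.org", sent),
        "via_list": receipt_destinations(
            {**base, "via_mailing_list": True}, "c@example.org", sent),
        "bad_sig": receipt_destinations(
            {**base, "signature_valid": False}, "d@example.org", sent),
        "receipt": receipt_destinations(
            {**base, "is_receipt": True}, "d@example.org", sent),
    }
```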

  40. 4 Security Labels

  41. Security Labels
      • Set of security information regarding the sensitivity of the content that is protected by S/MIME encapsulation
      • Access control: receiving agent examines the security labels and determines whether or not the recipient is allowed to see the contents
      • Security Labels must be signed attributes
      • Signature must be verified and valid, before processing a security label
      • Classification: unmarked, unclassified, restricted, confidential, secret, top-secret; other values can be defined by any organization

  42-45. Security Labels (Example) [diagram: A, B]

  46. Equivalent Security Labels
      • Organizations are allowed to define their own security policies, so many different security policies will exist => equivalences between the security policies of different organizations
      • Receiving agents have the option to process EquivalentLabels attributes
      • Receiving agent processes equivalent labels only if it trusts the signer
      • If the receiving agent understands the security label, it must ignore all equivalent labels

  47-48. Security Labels (Example) [diagram: A, B]

  49. Security Labels (Example) [diagram: A, B; equivalence: "unmarked" ⇒ "anyone"]

  50-51. Security Labels (Example) [diagram: A, B]
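The order of checks from slides 41 and 46, as a receiving agent would apply it: verify the signature, prefer a label it understands, and fall back to equivalent labels only for a trusted signer. This is an added example, not code from the presentation; the policy names `org-a` and `org-b`, the `org-b` levels, the message fields and the "classification must not exceed clearance" rule are assumptions made for illustration.

```python
# Classification order per security policy, lowest first. "org-a" uses the
# values listed on slide 41; "org-b" is a constructed local policy.
LEVELS = {
    "org-a": ["unmarked", "unclassified", "restricted",
              "confidential", "secret", "top-secret"],
    "org-b": ["anyone", "staff", "board"],
}


def effective_label(msg, understood, trusted_signers):
    """Return the (policy, classification) to enforce, or None to refuse."""
    if not msg["signature_valid"]:
        return None                    # labels are signed attributes: verify first
    policy, classification = msg["label"]
    if policy in understood:
        return policy, classification  # understood label: ignore equivalent labels
    if msg["signer"] not in trusted_signers:
        return None                    # equivalences count only from a trusted signer
    for eq_policy, eq_classification in msg.get("equivalent_labels", []):
        if eq_policy in understood:
            return eq_policy, eq_classification
    return None


def may_display(msg, clearance, trusted_signers):
    """Access decision; clearance maps each policy the agent understands to a level."""
    label = effective_label(msg, set(clearance), trusted_signers)
    if label is None:
        return False
    policy, classification = label
    order = LEVELS[policy]
    if classification not in order:
        return False                   # unknown value: fail closed
    # Assumed rule: show the content only up to the recipient's clearance.
    return order.index(classification) <= order.index(clearance[policy])


# Constructed sample: org-a labels the mail "unmarked" and states the
# equivalence "unmarked" => "anyone" for org-b, as on slide 49.
SAMPLE = {"signature_valid": True, "signer": "a@org-a.example",
          "label": ("org-a", "unmarked"),
          "equivalent_labels": [("org-b", "anyone")]}
```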

  52. 5 Secure Mailing Lists
      • Mail List Management
      • Mail Loops
      • Receipts

  53. Mail List Management
      • Sending agents must create recipient-specific data structures for each recipient of an encrypted message.
      • Large number of recipients => resource needs
      • Mail List Agents (MLA) can take a single message and perform the recipient-specific encryption

  54. Mail List Management - Mail Loops
      • One mailing list is a member of a second and the second is a member of the first.
      • MLAs have to prevent mail loops
          – Each time an MLA expands a message it adds its own identifier to the history
          – If its own unique identifier is in the history => mail loop
              • Don't send the message to the list again
              • Warning to a human mail list administrator

  55. Mail List Management - Mail Loops (Example) [diagram: A, MLA1, MLA2]

  56. Mail List Management - Mail Loops (Example) [diagram: A, MLA1, MLA2; history: expanded by MLA1]

  57-58. Mail List Management - Mail Loops (Example) [diagram: A, MLA1, MLA2; history: expanded by MLA1, expanded by MLA2]

  59. Mail List Management - Mail Loops (Example) [diagram: A, MLA1, MLA2, Admin]

  60. Mail List Management - Receipts
      • Mail List Agent Signed Receipt Policy Processing
          – An MLA often needs to propagate forward the receipt policy
          – Any MLA adds "insteadOf", "inAdditionTo" or "none" to the history
          – Only last recipient needs to process
      • No receipt, if originator has not requested
      • If originator has requested, but MLA supersedes request: MLA may inform the originator

  61. Mail List Management - Receipts (Example) [diagram: A, X, B; receipts to: X]

  62. Mail List Management - Receipts (Example) [diagram: A, X, B; receipts to: X; A's Policy: insteadOf: A]

  63. Mail List Management - Receipts (Example) [diagram: A, X, B; receipts to: X; A's Policy: insteadOf: A; receipts to: A]

  64. Mail List Management - Receipts (Example) [diagram: A, X, B; receipts to: X; A's Policy: insteadOf: A; receipts to: A; B's Policy: none]

  65-66. Mail List Management - Receipts (Example) [diagram: A, X, B; receipts to: X; A's Policy: insteadOf: A; receipts to: A; B's Policy: none; receipts to: -]
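The expansion history carries both mechanisms of this section: loop detection (slide 54) and receipt-policy propagation (slide 60). The sketch below replays the two slide walk-throughs. It is an added example, not code from the presentation; the dictionary layout is constructed, A and B are read as the expanding list agents in slides 61 to 66, and treating "none" as final for all later entries is an assumption of this sketch.

```python
class MailLoop(Exception):
    """Raised when an MLA finds its own identifier in the expansion history."""


def expand(message, mla_id, policy=None, addresses=()):
    """One MLA expansion: refuse on a loop, otherwise append our history entry."""
    if any(entry["mla"] == mla_id for entry in message["history"]):
        # Do not send to the list again; the text goes to the human list admin.
        raise MailLoop(f"{mla_id} already expanded this message")
    entry = {"mla": mla_id, "policy": policy, "addresses": list(addresses)}
    return {**message, "history": message["history"] + [entry]}


def receipt_targets(message):
    """Where the final recipient sends receipts once every MLA policy is applied."""
    targets = list(message["receipts_to"])
    if not targets:
        return []                       # originator requested nothing: no receipt
    for entry in message["history"]:
        if entry["policy"] == "none":
            return []                   # assumption: "none" is final
        if entry["policy"] == "insteadOf":
            targets = list(entry["addresses"])
        elif entry["policy"] == "inAdditionTo":
            targets += [a for a in entry["addresses"] if a not in targets]
    return targets


def receipts_walkthrough():
    """Slides 61-66: request names X, A answers insteadOf A, B answers none."""
    sent = {"receipts_to": ["X"], "history": []}
    after_a = expand(sent, "A", "insteadOf", ["A"])
    after_b = expand(after_a, "B", "none")
    return [receipt_targets(m) for m in (sent, after_a, after_b)]


def loop_walkthrough():
    """Slides 55-59: MLA1 and MLA2 are members of each other."""
    msg = expand({"receipts_to": [], "history": []}, "MLA1")
    msg = expand(msg, "MLA2")
    try:
        expand(msg, "MLA1")             # the message comes back to MLA1
    except MailLoop as warning:
        return str(warning)
    return None
```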

  67. 6 Signed Certificates
      • Attacks
      • Responses
