is dane the future of secure mail
play

Is DANE the Future of Secure Mail? Evaluation of DNS-based - PowerPoint PPT Presentation

Dec 20, 2023 •403 likes •987 views

Chair for Network Architectures and Services Technische Universit at M unchen Is DANE the Future of Secure Mail? Evaluation of DNS-based Authentication of Named Entities in the Context of Electronic Mail Security Stefan Fochler April 7,

  1. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Is DANE the Future of Secure Mail? Evaluation of DNS-based Authentication of Named Entities in the Context of Electronic Mail Security Stefan Fochler April 7, 2016 Chair for Network Architectures and Services Department of Informatics Technische Universit¨ at M¨ unchen Stefan Fochler – Is DANE the Future of Secure Mail? 1

  2. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Motivation for Enhancing Email Transport Security Background on Security Goals & Email Lifecycle Analysis of Methods for Email Security Improving Email Transport Security with DANE Evaluation of DANE Conclusion Stefan Fochler – Is DANE the Future of Secure Mail? 2

  3. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Motivation for Enhancing Email Transport Security Stefan Fochler – Is DANE the Future of Secure Mail? 3

  4. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Motivation for Enhancing Email Transport Security ◮ Email is used for a lot of sensitive information ◮ Email Transport over SMTP uses optimistic encryption ◮ Can be intervened easily during handshake ◮ Large portions of email get transported unencrypted ◮ What mechanisms can be introduced to secure Email transport? Stefan Fochler – Is DANE the Future of Secure Mail? 4

  5. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Background on Security Goals & Email Lifecycle Stefan Fochler – Is DANE the Future of Secure Mail? 5

  6. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Security Goals Confidentiality ◮ Protect data from being visible to unauthorized parties ◮ Assumes passive attacker model ◮ Differenciate between contents and meta-data Stefan Fochler – Is DANE the Future of Secure Mail? 6

  7. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Security Goals Confidentiality ◮ Protect data from being visible to unauthorized parties ◮ Assumes passive attacker model ◮ Differenciate between contents and meta-data Integrity & Authenticity ◮ Data read by receiver equal to data sent? ◮ Modifications to message have to be detected or prevented ◮ Usage of digital signature schemes can provide both integrity and authenticity Stefan Fochler – Is DANE the Future of Secure Mail? 6

  8. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Security Goals Availability ◮ Mail infrastructure is critical ◮ Profitable target to Denial-of-Service attacks ◮ Unsolicited Commercial Email poses challenges to availability ◮ (Typically) only little application-layer protection Stefan Fochler – Is DANE the Future of Secure Mail? 7

  9. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA Internet Stefan Fochler – Is DANE the Future of Secure Mail? 8

  10. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA Internet Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  11. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA creation Internet Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  12. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA submission Internet Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  13. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA submission Internet processing & storage Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  14. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA submission Internet transfer Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  15. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA submission Internet processing & storage Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  16. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA submission retrieval Internet Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  17. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Analysis of Methods for Email Security Stefan Fochler – Is DANE the Future of Secure Mail? 9

  18. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Security Measures End-to-End Encryption ◮ Secure/Multipurpose Internet Mail Extensions (RFC 5751) ◮ Signatures and encryption based on certificates ◮ OpenPGP (RFC 4880) ◮ Cross-signed keys instead of certificate authorities Stefan Fochler – Is DANE the Future of Secure Mail? 10

  19. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Security Measures End-to-End Encryption ◮ Secure/Multipurpose Internet Mail Extensions (RFC 5751) ◮ Signatures and encryption based on certificates ◮ OpenPGP (RFC 4880) ◮ Cross-signed keys instead of certificate authorities Mail Origin Safeguarding ◮ Sender Policy Framework (SPF) & DMARC (RFC 7208 & 7489) ◮ Whitelist hosts for sending mail ◮ Request reports for unsolicited email ◮ DomainKeys Identified Mail (DKIM) (RFC 6376) ◮ Email signatures ◮ Domain’s public key in DNS Stefan Fochler – Is DANE the Future of Secure Mail? 10

  20. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Active Attacks on Email Transport Security STARTTLS Stripping ◮ SMTP negotiates encryption using the STARTTLS command (optimistic encryption) ◮ ISPs or network security hardware remove or invalidate this command ◮ No integrity protection availabile to detect this attack ◮ [6] found up to 96,13 % stripping in Tunesia in 2015 Stefan Fochler – Is DANE the Future of Secure Mail? 11

  21. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Active Attacks on Email Transport Security STARTTLS Stripping ◮ SMTP negotiates encryption using the STARTTLS command (optimistic encryption) ◮ ISPs or network security hardware remove or invalidate this command ◮ No integrity protection availabile to detect this attack ◮ [6] found up to 96,13 % stripping in Tunesia in 2015 DNS Hijacking ◮ Public DNS servers or integrated DNS servers ◮ Deliver fraudulent IP addresses for MX records ◮ Third-party mail servers can man-in-the-middle the intended connection ◮ 2 % of public DNS servers affected [6] Stefan Fochler – Is DANE the Future of Secure Mail? 11

  22. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Improving Email Transport Security with DANE Stefan Fochler – Is DANE the Future of Secure Mail? 12

  23. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Idea DNS-based Authentication of Named Entities (DANE) [5] ◮ Mechanism to make TLS connections more secure ◮ Use DNS to express Certificate Assertions using entries of type TSLA ◮ Use DNSSEC for security and specific behaviour to avoid downgrading Stefan Fochler – Is DANE the Future of Secure Mail? 13

  24. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen DNS Setup Requirements (1) [2] 1. DANE must support multiple services differenciated by port and transport mechanism on one host Stefan Fochler – Is DANE the Future of Secure Mail? 14

  25. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen DNS Setup Requirements (1) [2] 1. DANE must support multiple services differenciated by port and transport mechanism on one host Solutions (1) 1. Introduce scheme for DNS record expressing Certificate Assertions: Prefix with port and transport 443. tcp.example.com. ... ◮ 25. tcp.mail.example.com ... ◮ Stefan Fochler – Is DANE the Future of Secure Mail? 14

  26. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Certificate Assertions Requirements (2) [2] 2. DANE must support asserting the specific certificate authority for this domain 3. DANE must support asserting the use of a specific certificate for this domain 4. DANE must support presenting a self-signed certificate that does not come from a well-known CA 1 1 Note the security implications of this [2, p. 8] Stefan Fochler – Is DANE the Future of Secure Mail? 15

Recommend

DANE Secured E-Mail Demonstration Wes Hardaker Parsons <wes.hardaker@parsons.com>

DANE Secured E-Mail Demonstration Wes Hardaker Parsons <wes.hardaker@parsons.com>

DANE Secured E-Mail Demonstration Wes Hardaker Parsons <wes.hardaker@parsons.com> Overview My Background In scope topics Securing E-Mail Requirements Implementing Each Requirement 2 wes.hardaker@parsons.com My Background

910 views • 25 slides
Enterprise 2.0 Secure Cloud Mail and Content Collaboration

Enterprise 2.0 Secure Cloud Mail and Content Collaboration

Use Case Sharing: Enterprise 2.0 Secure Cloud Mail and Content Collaboration Market Development Director / Andy Lin Secure Mail & Collaboration Solution Provider 4 5 On-Premise Cloud OEM Cloud

657 views • 32 slides
DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant,

DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant,

DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant, Opportunistic Security for Server To Server E-Mail Delivery Overview Server-to-Server E-Mail background SMTP Vulnerabilities DANE/SMTP to

360 views • 16 slides
Sending E-Mail Today MX Priority #1 SMTP Exchange

Sending E-Mail Today MX Priority #1 SMTP Exchange

DANE and SMTP: TLS Protec4on for SMTP Using DANE and DNSSEC Russ Mundy & Wes Hardaker Parsons <Russ.Mundy@parsons.com> <mundy@4slabs.com> 7/17/13

481 views • 9 slides
DANE COUNTY JAIL UPDATE STUDY GOING FROM THIS: TO THIS: Presentation to The Dane County Public

DANE COUNTY JAIL UPDATE STUDY GOING FROM THIS: TO THIS: Presentation to The Dane County Public

DANE COUNTY JAIL UPDATE STUDY GOING FROM THIS: TO THIS: Presentation to The Dane County Public Protection & Judiciary Committee INTRODUCTIONS David Way Curtiss Pulitzer Patrick Jablonski Eric Lawson Jan Horsfall OVERVIEW OF THE REPORT

583 views • 57 slides
Dane Bank Consultation 8 th November 2018 The Aim of the Meeting To find out more about Dane

Dane Bank Consultation 8 th November 2018 The Aim of the Meeting To find out more about Dane

Dane Bank Consultation 8 th November 2018 The Aim of the Meeting To find out more about Dane Bank s reasons for considering conversion to Academy Status Opportunity for governors to find out more about how parents and carers feel

562 views • 35 slides
DANE COUNTY JAIL UPDATE STUDY Presentation to the Dane County Board June 15, 2017 INTROD

DANE COUNTY JAIL UPDATE STUDY Presentation to the Dane County Board June 15, 2017 INTROD

DANE COUNTY JAIL UPDATE STUDY Presentation to the Dane County Board June 15, 2017 INTROD ODUCTION ONS Curtiss Pulitzer Patrick David Way Jan Horsfall Project Justice Jablonski, PhD Architect Manager Specialist Statistician

856 views • 57 slides
DANE COUNTY JAIL UPDATE STUDY- OPTION 3 Presen entation t n to Dane e Coun unty P Publ blic

DANE COUNTY JAIL UPDATE STUDY- OPTION 3 Presen entation t n to Dane e Coun unty P Publ blic

DANE COUNTY JAIL UPDATE STUDY- OPTION 3 Presen entation t n to Dane e Coun unty P Publ blic c Protect ection & Judici ciary Committee ee June 13, 2017 INTROD ODUCTION ONS Curtiss Pulitzer Cheryl Gallant David Way Jan Horsfall

440 views • 41 slides
Dane County Council on Climate Change Buildings Working Group recommendation May 8, 2018 Dane

Dane County Council on Climate Change Buildings Working Group recommendation May 8, 2018 Dane

Dane County Council on Climate Change Buildings Working Group recommendation May 8, 2018 Dane County OECC Buildings Working Group National talent local commitment to place Technical rigor Market alignment Deeply

442 views • 23 slides
Secure SDN Authentication (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee

Secure SDN Authentication (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee

IETF93 22 July 2015 Prague SDNRG WG Secure SDN Authentication (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Summary Problem: No flexibly for PKI model Solution: Combination of DANE, DNSSEC and

341 views • 13 slides
Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de>

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de>

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de> Wed Apr 18, 2012 University of the German Federal Armed Forces, Munich Slide 1 Outline History Design Goals SSL/TLS Stack

439 views • 15 slides
Security DevOps staying secure in agile projects Christian Schneider @cschneider4711 mail@

Security DevOps staying secure in agile projects Christian Schneider @cschneider4711 mail@

Security DevOps staying secure in agile projects Christian Schneider @cschneider4711 mail@ www. `whoami` Christian-Schneider.net Software Developer, Whitehat Hacker & Trainer Freelancer since 1997 Focus on JavaEE &

773 views • 59 slides
Research Project 1: Implementing DANE Pieter Lexis System and Network Engineering Wed, Feb 8

Research Project 1: Implementing DANE Pieter Lexis System and Network Engineering Wed, Feb 8

Research Project 1: Implementing DANE Pieter Lexis System and Network Engineering Wed, Feb 8 2012 1 of 21 Table of contents Basics DNS and DNSSEC PKIX and trust DANE Research Swede Features Reactions Tests and results Conclusion 2 of

841 views • 24 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
Extremely Sensitive Communication Secure, Secret, and Private e-mail Loek Sangers UvA KPMG

Extremely Sensitive Communication Secure, Secret, and Private e-mail Loek Sangers UvA KPMG

Introduction Requirements Available Systems Solutions Proposed System Conclusion Summary Summary Extremely Sensitive Communication Secure, Secret, and Private e-mail Loek Sangers UvA KPMG June 30, 2016 Loek Sangers UvA KPMG Research

636 views • 18 slides
A Policy Framework for a Secure Future Internet Future Internet Jad Naous (Stanford University)

A Policy Framework for a Secure Future Internet Future Internet Jad Naous (Stanford University)

A Policy Framework for a Secure Future Internet Future Internet Jad Naous (Stanford University) Arun Seehra (UT Austin) Michael Walfish (UT Austin) David Mazires (Stanford University) Antonio Nicolosi (Stevens Institute of Tech) Scott

1.14k views • 99 slides
Entropy and sustainable investment beliefs: A simple metric for analysing belief organisation Dane

Entropy and sustainable investment beliefs: A simple metric for analysing belief organisation Dane

Entropy and sustainable investment beliefs: A simple metric for analysing belief organisation Dane Rook University of Oxford D.Phil. Researcher, Geography & the Environment dane.p.rook@ouce.ox.ac.uk [How] can investors make long term

419 views • 16 slides
A A secure future for farmers and our neighbors Wh Who we e are Farmer-led, not-for-profit

A A secure future for farmers and our neighbors Wh Who we e are Farmer-led, not-for-profit

A A secure future for farmers and our neighbors Wh Who we e are Farmer-led, not-for-profit organization in Kewaunee and southern Door counties Farmers, businesses, agencies focused on improving surface and ground water quality

418 views • 22 slides
The future of Messaging is integrated Secure and GDPR-ready video-, voice and chat solution

The future of Messaging is integrated Secure and GDPR-ready video-, voice and chat solution

Grape Chat Presentation 2019 The future of Messaging is integrated Secure and GDPR-ready video-, voice and chat solution that lives inside your favourite tools. The secure Autobahn of communication Integrate Grape with market leading

568 views • 25 slides
Social Security www.socialsecurity.gov Save for a Secure Future Social Security is the

Social Security www.socialsecurity.gov Save for a Secure Future Social Security is the

Social Security www.socialsecurity.gov Save for a Secure Future Social Security is the foundation for a secure retirement, but you also will need other savings and investments. If you want to learn more about how and why to save, visit

352 views • 33 slides
Secure your future its never too late to start HR presentation Retirees Workshop

Secure your future its never too late to start HR presentation Retirees Workshop

Secure your future its never too late to start HR presentation Retirees Workshop Presentation Rowina Nefdt Benefits & Exits Officer UCT Human Resources Department 26 September 2019 Agenda Explain the Retirement process

568 views • 12 slides
Dane County Parks and Open Space Plan 2018-2023 Connect People to the Land and Water Resources

Dane County Parks and Open Space Plan 2018-2023 Connect People to the Land and Water Resources

Dane County Parks and Open Space Plan 2018-2023 Connect People to the Land and Water Resources of Dane County 2012 2017 Dane County Parks and Open Space Plan Vision Statement March 30 th , 2017 Public Information Meeting 3 2017

655 views • 52 slides
Towards Towards Secure Secure and and Relia liable Io IoT Applica Applicatio ions Gang Gang Tan,

Towards Towards Secure Secure and and Relia liable Io IoT Applica Applicatio ions Gang Gang Tan,

Towards Towards Secure Secure and and Relia liable Io IoT Applica Applicatio ions Gang Gang Tan, Tan, CSE, CSE, Penn Penn State State Nov 15th, 2019 @ 2 nd IoT Security and Privacy Workshop Internet of Things (IoT) enables the future Power

686 views • 51 slides
Opportunistic SMTP Security Wes Hardaker Parsons <wes.hardaker@parsons.com> Overview

Opportunistic SMTP Security Wes Hardaker Parsons <wes.hardaker@parsons.com> Overview

Opportunistic SMTP Security Wes Hardaker Parsons <wes.hardaker@parsons.com> Overview E-Mail Overview Where E-Mail Can Go Wrong Securing E-Mail Requires DNSSEC Securing SMTP Using DNSSEC and DANE 2 wes.hardaker@parsons.com

678 views • 31 slides

More recommend