is dane the future of secure mail
play

Is DANE the Future of Secure Mail? Evaluation of DNS-based - PowerPoint PPT Presentation

Dec 20, 2023 •403 likes •987 views

Chair for Network Architectures and Services Technische Universit at M unchen Is DANE the Future of Secure Mail? Evaluation of DNS-based Authentication of Named Entities in the Context of Electronic Mail Security Stefan Fochler April 7,

  1. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Is DANE the Future of Secure Mail? Evaluation of DNS-based Authentication of Named Entities in the Context of Electronic Mail Security Stefan Fochler April 7, 2016 Chair for Network Architectures and Services Department of Informatics Technische Universit¨ at M¨ unchen Stefan Fochler – Is DANE the Future of Secure Mail? 1

  2. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Motivation for Enhancing Email Transport Security Background on Security Goals & Email Lifecycle Analysis of Methods for Email Security Improving Email Transport Security with DANE Evaluation of DANE Conclusion Stefan Fochler – Is DANE the Future of Secure Mail? 2

  3. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Motivation for Enhancing Email Transport Security Stefan Fochler – Is DANE the Future of Secure Mail? 3

  4. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Motivation for Enhancing Email Transport Security ◮ Email is used for a lot of sensitive information ◮ Email Transport over SMTP uses optimistic encryption ◮ Can be intervened easily during handshake ◮ Large portions of email get transported unencrypted ◮ What mechanisms can be introduced to secure Email transport? Stefan Fochler – Is DANE the Future of Secure Mail? 4

  5. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Background on Security Goals & Email Lifecycle Stefan Fochler – Is DANE the Future of Secure Mail? 5

  6. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Security Goals Confidentiality ◮ Protect data from being visible to unauthorized parties ◮ Assumes passive attacker model ◮ Differenciate between contents and meta-data Stefan Fochler – Is DANE the Future of Secure Mail? 6

  7. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Security Goals Confidentiality ◮ Protect data from being visible to unauthorized parties ◮ Assumes passive attacker model ◮ Differenciate between contents and meta-data Integrity & Authenticity ◮ Data read by receiver equal to data sent? ◮ Modifications to message have to be detected or prevented ◮ Usage of digital signature schemes can provide both integrity and authenticity Stefan Fochler – Is DANE the Future of Secure Mail? 6

  8. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Security Goals Availability ◮ Mail infrastructure is critical ◮ Profitable target to Denial-of-Service attacks ◮ Unsolicited Commercial Email poses challenges to availability ◮ (Typically) only little application-layer protection Stefan Fochler – Is DANE the Future of Secure Mail? 7

  9. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA Internet Stefan Fochler – Is DANE the Future of Secure Mail? 8

  10. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA Internet Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  11. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA creation Internet Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  12. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA submission Internet Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  13. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA submission Internet processing & storage Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  14. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA submission Internet transfer Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  15. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA submission Internet processing & storage Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  16. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Lifecycle Origin MUA Destination MUA submission retrieval Internet Origin MSA/MTA Destination MRA/MDA Stefan Fochler – Is DANE the Future of Secure Mail? 8

  17. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Analysis of Methods for Email Security Stefan Fochler – Is DANE the Future of Secure Mail? 9

  18. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Security Measures End-to-End Encryption ◮ Secure/Multipurpose Internet Mail Extensions (RFC 5751) ◮ Signatures and encryption based on certificates ◮ OpenPGP (RFC 4880) ◮ Cross-signed keys instead of certificate authorities Stefan Fochler – Is DANE the Future of Secure Mail? 10

  19. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Email Security Measures End-to-End Encryption ◮ Secure/Multipurpose Internet Mail Extensions (RFC 5751) ◮ Signatures and encryption based on certificates ◮ OpenPGP (RFC 4880) ◮ Cross-signed keys instead of certificate authorities Mail Origin Safeguarding ◮ Sender Policy Framework (SPF) & DMARC (RFC 7208 & 7489) ◮ Whitelist hosts for sending mail ◮ Request reports for unsolicited email ◮ DomainKeys Identified Mail (DKIM) (RFC 6376) ◮ Email signatures ◮ Domain’s public key in DNS Stefan Fochler – Is DANE the Future of Secure Mail? 10

  20. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Active Attacks on Email Transport Security STARTTLS Stripping ◮ SMTP negotiates encryption using the STARTTLS command (optimistic encryption) ◮ ISPs or network security hardware remove or invalidate this command ◮ No integrity protection availabile to detect this attack ◮ [6] found up to 96,13 % stripping in Tunesia in 2015 Stefan Fochler – Is DANE the Future of Secure Mail? 11

  21. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Active Attacks on Email Transport Security STARTTLS Stripping ◮ SMTP negotiates encryption using the STARTTLS command (optimistic encryption) ◮ ISPs or network security hardware remove or invalidate this command ◮ No integrity protection availabile to detect this attack ◮ [6] found up to 96,13 % stripping in Tunesia in 2015 DNS Hijacking ◮ Public DNS servers or integrated DNS servers ◮ Deliver fraudulent IP addresses for MX records ◮ Third-party mail servers can man-in-the-middle the intended connection ◮ 2 % of public DNS servers affected [6] Stefan Fochler – Is DANE the Future of Secure Mail? 11

  22. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Improving Email Transport Security with DANE Stefan Fochler – Is DANE the Future of Secure Mail? 12

  23. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Idea DNS-based Authentication of Named Entities (DANE) [5] ◮ Mechanism to make TLS connections more secure ◮ Use DNS to express Certificate Assertions using entries of type TSLA ◮ Use DNSSEC for security and specific behaviour to avoid downgrading Stefan Fochler – Is DANE the Future of Secure Mail? 13

  24. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen DNS Setup Requirements (1) [2] 1. DANE must support multiple services differenciated by port and transport mechanism on one host Stefan Fochler – Is DANE the Future of Secure Mail? 14

  25. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen DNS Setup Requirements (1) [2] 1. DANE must support multiple services differenciated by port and transport mechanism on one host Solutions (1) 1. Introduce scheme for DNS record expressing Certificate Assertions: Prefix with port and transport 443. tcp.example.com. ... ◮ 25. tcp.mail.example.com ... ◮ Stefan Fochler – Is DANE the Future of Secure Mail? 14

  26. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Certificate Assertions Requirements (2) [2] 2. DANE must support asserting the specific certificate authority for this domain 3. DANE must support asserting the use of a specific certificate for this domain 4. DANE must support presenting a self-signed certificate that does not come from a well-known CA 1 1 Note the security implications of this [2, p. 8] Stefan Fochler – Is DANE the Future of Secure Mail? 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DANE Secured E-Mail Demonstration Wes Hardaker Parsons <wes.hardaker@parsons.com>

DANE Secured E-Mail Demonstration Wes Hardaker Parsons <wes.hardaker@parsons.com>

DANE Secured E-Mail Demonstration Wes Hardaker Parsons <wes.hardaker@parsons.com> Overview My Background In scope topics Securing E-Mail Requirements Implementing Each Requirement 2 wes.hardaker@parsons.com My Background

910 views • 25 slides
Enterprise 2.0 Secure Cloud Mail and Content Collaboration

Enterprise 2.0 Secure Cloud Mail and Content Collaboration

Use Case Sharing: Enterprise 2.0 Secure Cloud Mail and Content Collaboration Market Development Director / Andy Lin Secure Mail & Collaboration Solution Provider 4 5 On-Premise Cloud OEM Cloud

657 views • 32 slides
DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant,

DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant,

DNSSEC, DANE and SMTP Security A Mid-level Overview Wes Hardaker Parsons Downgrade Resistant, Opportunistic Security for Server To Server E-Mail Delivery Overview Server-to-Server E-Mail background SMTP Vulnerabilities DANE/SMTP to

360 views • 16 slides
Sending E-Mail Today MX Priority #1 SMTP Exchange

Sending E-Mail Today MX Priority #1 SMTP Exchange

DANE and SMTP: TLS Protec4on for SMTP Using DANE and DNSSEC Russ Mundy & Wes Hardaker Parsons <Russ.Mundy@parsons.com> <mundy@4slabs.com> 7/17/13

481 views • 9 slides
DANE COUNTY JAIL UPDATE STUDY GOING FROM THIS: TO THIS: Presentation to The Dane County Public

DANE COUNTY JAIL UPDATE STUDY GOING FROM THIS: TO THIS: Presentation to The Dane County Public

DANE COUNTY JAIL UPDATE STUDY GOING FROM THIS: TO THIS: Presentation to The Dane County Public Protection & Judiciary Committee INTRODUCTIONS David Way Curtiss Pulitzer Patrick Jablonski Eric Lawson Jan Horsfall OVERVIEW OF THE REPORT

583 views • 57 slides
Dane Bank Consultation 8 th November 2018 The Aim of the Meeting To find out more about Dane

Dane Bank Consultation 8 th November 2018 The Aim of the Meeting To find out more about Dane

Dane Bank Consultation 8 th November 2018 The Aim of the Meeting To find out more about Dane Bank s reasons for considering conversion to Academy Status Opportunity for governors to find out more about how parents and carers feel

562 views • 35 slides
DANE COUNTY JAIL UPDATE STUDY Presentation to the Dane County Board June 15, 2017 INTROD

DANE COUNTY JAIL UPDATE STUDY Presentation to the Dane County Board June 15, 2017 INTROD

DANE COUNTY JAIL UPDATE STUDY Presentation to the Dane County Board June 15, 2017 INTROD ODUCTION ONS Curtiss Pulitzer Patrick David Way Jan Horsfall Project Justice Jablonski, PhD Architect Manager Specialist Statistician

856 views • 57 slides
DANE COUNTY JAIL UPDATE STUDY- OPTION 3 Presen entation t n to Dane e Coun unty P Publ blic

DANE COUNTY JAIL UPDATE STUDY- OPTION 3 Presen entation t n to Dane e Coun unty P Publ blic

DANE COUNTY JAIL UPDATE STUDY- OPTION 3 Presen entation t n to Dane e Coun unty P Publ blic c Protect ection & Judici ciary Committee ee June 13, 2017 INTROD ODUCTION ONS Curtiss Pulitzer Cheryl Gallant David Way Jan Horsfall

440 views • 41 slides
Dane County Council on Climate Change Buildings Working Group recommendation May 8, 2018 Dane

Dane County Council on Climate Change Buildings Working Group recommendation May 8, 2018 Dane

Dane County Council on Climate Change Buildings Working Group recommendation May 8, 2018 Dane County OECC Buildings Working Group National talent local commitment to place Technical rigor Market alignment Deeply

442 views • 23 slides
Secure SDN Authentication (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee

Secure SDN Authentication (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee

IETF93 22 July 2015 Prague SDNRG WG Secure SDN Authentication (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Summary Problem: No flexibly for PKI model Solution: Combination of DANE, DNSSEC and

341 views • 13 slides
Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de>

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de>

Secure Sockets Layer Transport Layer Security BEAST Attack Dan Luedtke <mail@danrl.de> Wed Apr 18, 2012 University of the German Federal Armed Forces, Munich Slide 1 Outline History Design Goals SSL/TLS Stack

439 views • 15 slides
Security DevOps staying secure in agile projects Christian Schneider @cschneider4711 mail@

Security DevOps staying secure in agile projects Christian Schneider @cschneider4711 mail@

Security DevOps staying secure in agile projects Christian Schneider @cschneider4711 mail@ www. `whoami` Christian-Schneider.net Software Developer, Whitehat Hacker & Trainer Freelancer since 1997 Focus on JavaEE &

773 views • 59 slides
Research Project 1: Implementing DANE Pieter Lexis System and Network Engineering Wed, Feb 8

Research Project 1: Implementing DANE Pieter Lexis System and Network Engineering Wed, Feb 8

Research Project 1: Implementing DANE Pieter Lexis System and Network Engineering Wed, Feb 8 2012 1 of 21 Table of contents Basics DNS and DNSSEC PKIX and trust DANE Research Swede Features Reactions Tests and results Conclusion 2 of

841 views • 24 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
Extremely Sensitive Communication Secure, Secret, and Private e-mail Loek Sangers UvA KPMG

Extremely Sensitive Communication Secure, Secret, and Private e-mail Loek Sangers UvA KPMG

Introduction Requirements Available Systems Solutions Proposed System Conclusion Summary Summary Extremely Sensitive Communication Secure, Secret, and Private e-mail Loek Sangers UvA KPMG June 30, 2016 Loek Sangers UvA KPMG Research

636 views • 18 slides
A Policy Framework for a Secure Future Internet Future Internet Jad Naous (Stanford University)

A Policy Framework for a Secure Future Internet Future Internet Jad Naous (Stanford University)

A Policy Framework for a Secure Future Internet Future Internet Jad Naous (Stanford University) Arun Seehra (UT Austin) Michael Walfish (UT Austin) David Mazires (Stanford University) Antonio Nicolosi (Stevens Institute of Tech) Scott

1.14k views • 99 slides
CSE202: Design and Analysis of Algorithms Ragesh Jaiswal, CSE, UCSD Ragesh Jaiswal, CSE, UCSD

CSE202: Design and Analysis of Algorithms Ragesh Jaiswal, CSE, UCSD Ragesh Jaiswal, CSE, UCSD

CSE202: Design and Analysis of Algorithms Ragesh Jaiswal, CSE, UCSD Ragesh Jaiswal, CSE, UCSD CSE202: Design and Analysis of Algorithms Greedy Algorithms: One more example Ragesh Jaiswal, CSE, UCSD CSE202: Design and Analysis of Algorithms

811 views • 42 slides
RDF & SPARQL 320302 Databases & WebApplications (P. Baumann) The Semantic Web Stack

RDF & SPARQL 320302 Databases & WebApplications (P. Baumann) The Semantic Web Stack

RDF & SPARQL 320302 Databases & WebApplications (P. Baumann) The Semantic Web Stack research / vapourware solid implementations RDF + RDFS WSDL + UDDI URI Unicode SOAP HTTP / SMTP / TCP 320302 Databases & WebServices (P.

640 views • 26 slides
DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #4: SYSTEM

DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #4: SYSTEM

DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #4: SYSTEM CATALOGS & DATABASE COMPRESSION 2 OFFICE HOURS Prashanth Dintyala Office Hours: Mon, 1:30-2:30 PM Location: Near KACB 3324 Email:

2.27k views • 86 slides
QueryCompletion/Expansion COMP90042 LECTURE 4, THE UNIVERSITY OF MELBOURNE by Matthias Petri

QueryCompletion/Expansion COMP90042 LECTURE 4, THE UNIVERSITY OF MELBOURNE by Matthias Petri

QueryCompletion/Expansion COMP90042 LECTURE 4, THE UNIVERSITY OF MELBOURNE by Matthias Petri Wed 13/3/2019 What is a query? 1/26 Whatisaquery? What is a query? What is a query? 2/26 1. Obviously the stufg I type into the search box! 2.

645 views • 27 slides
Optimizing Cost and Performance in Online Service Provider Networks Ming Zhang Microsoft

Optimizing Cost and Performance in Online Service Provider Networks Ming Zhang Microsoft

Optimizing Cost and Performance in Online Service Provider Networks Ming Zhang Microsoft Research Joint work with Zheng Zhang (Purdue), Albert Greenberg (MSR), Y. Charlie Hu (Purdue), Ratul Mahajan (MSR), and Blaine Christian (Microsoft) 1

455 views • 17 slides
Background Review Read Appendix Hao Zheng Department of Computer Science and Engineering

Background Review Read Appendix Hao Zheng Department of Computer Science and Engineering

Background Review Read Appendix Hao Zheng Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: zheng@cse.usf.edu Phone: (813)974-4757 Fax: (813)974-5456 Hao Zheng ( Department of Computer Science

849 views • 36 slides
DNS and BGP CS642: Computer Security Professor Ristenpart

DNS and BGP CS642: Computer Security Professor Ristenpart

DNS and BGP CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642

808 views • 43 slides
IXP Route Server Prefix Validation at LINX Progress & Challenges Mo Shivji, LINX

IXP Route Server Prefix Validation at LINX Progress & Challenges Mo Shivji, LINX

IXP Route Server Prefix Validation at LINX Progress & Challenges Mo Shivji, LINX Contents LINX Route-Server History Prefix Validation & Criteria Challenges Collecting the data Prefix Validation Test Results

734 views • 21 slides

More recommend