Question
One of the concerns for the network project is ensuring secure e-mail and any documents sent through e-mail. Prepare a paper that explains how e-mail messages can be securely sent. The paper should include the features of secure e-mail and how secure e-mail works. Include a discussion of vulnerabilities involved in e-mail and how they can be countered. The paper should include the following:
• The 4 main features of secure e-mail
• Discussion of the 5-step process for handling secure e-mail with PGP and S/MIME
• Discussion of the vulnerabilities of e-mail
• Discussion of countermeasures that address the vulnerabilities
Explanation / Answer
How e-mail messages can be securely sent
First, we'll secure the connection between your email provider and your computer. You need to set up Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption.
If you use the internet to check your email, check that SSL/TLS encryption is active. If it is, the website address (URL) will begin with https instead of http. If you don't see an 'https' address, type an s at the end of the 'http' and press Enter. This will usually prompt your email provider to encrypt your connection.
Features of secure e-mail and how secure e-mail works
Features of secure e-mail
• Group mailbox
• Distribution list
• Alerts
• Anti-virus
How secure e-mail works
Simply put, encryption creates secure email by scrambling the data so only someone with the right password or other authentication can decrypt the message. In many cases, this process of encryption and decryption takes place without users ever knowing.
Discussion of vulnerabilities involved in e-mail and how they can be countered
Protecting Your Email Client against Vulnerabilities
Your computer's operating system is the platform on which your email client runs. Regardless of which client you use, such as Microsoft Outlook, Outlook Express, Eudora, or another, there are steps you can take to protect your email client against vulnerabilities.
The 4 main features of secure e-mail
• Algorithms
• Message formats
• Certificates
• Trust management
Discussion of the 5-step process for handling secure e-mail with PGP
1. Create a private and public key pair. Before you can begin using PGP, you need to generate a key pair. A PGP key pair is composed of a private key to which only you have access and a public key that you can copy and make freely available to everyone with whom you exchange information. You have the option of creating a new key pair immediately after you have finished the PGP installation procedure, or you can do so at any time by opening the PGPkeys application.
2. Exchange public keys with others. After you have created a key pair, you can begin corresponding with other PGP users. You will need a copy of their public key and they will need yours. Your public key is just a block of text, so it’s quite easy to trade keys with someone. You can include your public key in an email message, copy it to a file, or post it on a public or corporate key server where anyone can get a copy when they need it.
3. Validate public keys. Once you have a copy of someone’s public key, you can add it to your public keyring. You should then check to make sure that the key has not been tampered with and that it really belongs to the purported owner. You do this by comparing the unique fingerprint on your copy of someone’s public key to the fingerprint on that person’s original key. When you are sure that you have a valid public key, you sign it to indicate that you feel the key is safe to use. In addition, you can grant the owner of the key a level of trust indicating how much confidence you have in that person to vouch for the authenticity of someone else’s public key.
4. Encrypt and sign your email and files. After you have generated your key pair and have exchanged public keys, you can begin encrypting and signing email messages and files. PGP works on the data generated by other applications. Therefore the appropriate PGP functions are designed to be immediately available to you based on the task you are performing at any given moment. There are several ways to encrypt and sign with PGP:
5. Decrypt and verify your email and files. When someone sends you encrypted data, you can unscramble the contents and verify any appended signature to make sure that the data originated with the alleged sender and that it has not been altered.
• If you are using an email application that is supported by the plug-ins, you can decrypt and verify your messages by selecting the appropriate options from your application’s tool bar.
• If your email application is not supported by the plug-ins, you can copy the message to the clipboard and perform the appropriate functions from there. If you want to decrypt and verify files, you can do so from the Clipboard, Windows Explorer, or by using PGPtools. You can also decrypt encrypted files stored on your computer, and verify signed files to ensure that they have not been tampered with.
S/MIME: Discussion of the vulnerabilities of e-mail and of countermeasures that address the vulnerabilities
The vulnerability comes in two parts. The first is an HTML exfiltration attack, in which a snoop sends the target an email with specially crafted web mark-up language. The HTML code would then trick the victim's email client into fetching a URL with the unencrypted message contained in plain text in the request. The attacker would then simply need to find the URL request in their web server logs to see the decoded message.
The second component, referred to as CBC/CFB gadget attack, potentially allows an attacker to send malformed data blocks that, when read by the target, would fool the email client into sending to the attacker's server the unencrypted contents of the message.
To mitigate the chance of a successful attack, users who rely on PGP or S/MIME for email encryption should disable the viewing of HTML emails, the eggheads stressed. That won't fully close the flaw, but it will cut off the primary way of exploiting it.
"The EFAIL attacks abuse active content, mostly in the form of HTML images, styles, etc," the researchers – Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk – wrote.
"Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking EFAIL."
There are also limitations to these attacks. The researchers said the gadget exploit technique is more effective for S/MIME than for PGP, where it only works about one third of the time.
The researchers also noted that an attacker needs full access to the target's email account, i.e., the spy has to be able to log into your inbox. Unfortunately, guarding messages from an attacker with full access to your data is one of the primary use cases for both encryption formats.
So, basically, your email account needs to be hijacked first. For a well-protected inbox, using strong passwords and two-factor authentication using hardware tokens, this should be quite a challenge.
So, how bad is it? Hacker House cofounder and Brit infosec pro Matthew Hickey told The Register that while we're unlikely to see widespread abuse of EFAIL, the potential for targeted attacks against journalists, corporations, activists, and academics makes it worth taking seriously.
"It's a serious risk if you rely on PGP and S/MIME for email security which most organisations use. It is not as severe as code execution and requires HTML emails to exploit so it may not be as widespread for attacks," Hickey explained.
"It's still a concern, and our advice is to disable email plugins until a fix is supplied and disable HTML emails to prevent additional attack vectors."
Indeed, El Reg recommends opening PGP-encrypted emails in a text editor on a secured virtual machine, host, or container, depending on your level of paranoia, rather than allow encrypted HTML messages to be parsed and rendered.
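The countermeasure described above (do not render HTML in decrypted mail; read it as text) can be enforced in code. The following is an added example, not part of the original answer: it takes an already-decrypted MIME message, returns only plain text for display, and lists the remote URLs an HTML renderer would have fetched without ever loading them. The names `safe_view`, `TextOnly` and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample: an already-decrypted message with plain and HTML alternatives.
SAMPLE = """\
From: alice@example.org
To: bob@example.org
Subject: Q3 figures
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Figures attached. Call me.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Figures attached. <b>Call me.</b></p>
<img src="http://tracker.example/p.png"><link rel="stylesheet" href="https://cdn.example/s.css">
</body></html>
--b1--
"""

class TextOnly(HTMLParser):
    """Collects text nodes and records remote URLs instead of loading them."""
    def __init__(self):
        super().__init__()
        self.text, self.remote = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Absolute and protocol-relative URLs both trigger a network request.
            if name in ("src", "href", "background") and re.match(r"(https?:)?//", value or "", re.I):
                self.remote.append(value)

    def handle_data(self, data):
        self.text.append(data)

def safe_view(raw):
    """Return (text, blocked_urls) for display; the HTML part is never rendered."""
    msg = message_from_string(raw, policy=policy.default)
    parser = TextOnly()
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser.feed(html_part.get_content())
        parser.close()
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:  # prefer the sender's own plain-text alternative
        return plain.get_content().strip(), parser.remote
    return " ".join(" ".join(parser.text).split()), parser.remote
```

A non-empty `blocked_urls` list on an encrypted message is worth logging, since it shows the message would have caused outbound requests had it been rendered.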