Trustworthy Email
DomainKeys and MDaemon 8.0
About this Presentation
•   Summarizes major security issues of email.
•   Defines the needs both senders and recipients
    have for email integrity.
•   Highlights client and server methods of email
    identity and message content authentication.
•   Presents a high-level view of DomainKeys.
•   Surveys the MDaemon implementation of
    DomainKeys.
Security Issues for Email
•   Spam: Unwanted and inappropriate email.
•   Viruses: Content designed to harm computer
    systems and spread themselves.
•   Spoofing: Masquerading by using an email
    address without authorization.
•   Phishing: Spoofing to steal sensitive
    information—IDs, passwords, credit card
    numbers—through email and the web.
Elements of Email Integrity
 •   Senders need reasonable confidence that no
     one is spoofing their email addresses and that
     each message arrives unaltered in content.
 •   Recipients want to know that each email is
     from the claimed sender and that the message
     is unaltered.
 •   These needs require both sender and content
     authentication.
Email Authentication Today
 •   With current technology, authentication is
     lacking for most email transactions.
 •   Spoofing, the foundation of email security
     problems, is very easy to do.
 •   Proving your email identity is difficult.
 •   Preventing others from misusing your email
     identity is almost impossible.
Authentication Goals
•   Provide reasonable assurance of the email
    identity of a sender.
•   Give credible protection against altering the
    content of an email message in transit.
•   Authentication does not encrypt email,
    because encryption is excessive effort for most
    messages.
Authentication Technologies
 •   Personal encryption and signing is available
     with programs such as PGP.
     Private key/public key encryption.
     Workable, implemented by users, but a nuisance to use for senders
     and recipients.

 •   Domain identification and message signatures
     are available through SPF, DomainKeys…
     Implemented on the server, maintained by the administrator and
     transparent to users.
DomainKeys Overview
•   An email security protocol.
•   Authenticates the sending domain of each
    email.
•   Authenticates the integrity of each message.
•   Allows email service providers and users to
    know if messages are forgeries or legitimate,
    and if they have been altered in transit.
Signing and Authenticating
 •   DomainKeys uses public/private key
     technology to sign and authenticate messages.
 •   Public keys reside in the sending domain’s DNS
     record for use by recipient servers.
 •   Private keys live in the network of the sending
     email server for signing messages.
 •   The use of “selectors” allows each domain to
     have multiple key pairs.
DomainKeys Selectors
•   Selectors are labels for enabling multiple
    private/public key pairs within one domain.
    Selectors might identify different servers within a domain or different
    secondary domains within a server, as examples.

•   Selector names can be almost any combination
    of letters and numbers, such as london,
    chicago986 and 2005_acc in these
    examples of DomainKeys DNS information:
    london._domainkey.poboxes.shacknet.nu
    chicago986._domainkey.poboxes.shacknet.nu
    2005_acc._domainkey.poboxes.shacknet.nu
DomainKeys Block Diagram
The system administrator creates a private / public key pair for the server and publishes the public key in
the DNS record of the domain.
DomainKeys Block Diagram
Using the private key, the sending server creates a signature for each outgoing message. Each signature
is a value derived from the content of the message: created with openssl, it is computed over an SHA1
digest of the message.
DomainKeys Block Diagram
The receiving server obtains the signature and the claimed sender domain from the email. It acquires the
public key from the claimed sender DNS. Using the public key, it determines (1) if the signature was created
by the private key and (2) if the SHA1 digest reconciles with the message content.
Authentication Success
•   Authentication success occurs when:
    The message signature is determined to have been created by using
    the private key from the claimed domain.
    The signature (SHA1 digest of the email) reconciles with the content of
    the message.

•   When this happens, the receiving server can:
    Further process the message.
    Then deliver it, if it passes other security tests.
Authentication Failures
•   Authentication failure occurs when:
    The message from a domain using DomainKeys is not signed.
    The key processing of the email does not produce a match for the
    domain, the message content or both.

•   When this happens, the receiving server:
    Obtains mail disposition preferences from the claimed sender DNS.
    Applies local rules to the message.
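The three block-diagram steps (publish the public key under the selector in DNS, sign with the private key, verify at the receiving server) and the success/failure rules above, as an added example that is not part of the presentation or of MDaemon's code. The DNS zone is a constructed in-memory map, the domain example.com and selector names are constructed sample data, and the signing scheme is assumed to be RSA over SHA1 in the PKCS#1 v1.5 form used by DomainKeys:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"strings"
)

// dnsTXT stands in for DNS (constructed data): one TXT record per <selector>._domainkey.<domain>.
var dnsTXT = map[string]string{}

// newKeyPair is the administrator's step: generate the pair, publish the public half
// as "k=rsa; p=<base64>" under the selector, and keep the private half for signing.
func newKeyPair(selector, domain string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
	dnsTXT[selector+"._domainkey."+domain] = "k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	return priv, nil
}

// sign is the sending server's step: an RSA signature over the SHA1 digest of the message.
func sign(priv *rsa.PrivateKey, msg string) (string, error) {
	h := sha1.Sum([]byte(msg))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, h[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// verify is the receiving server's step: fetch the claimed domain's key for the selector
// and check (1) the signature came from that key and (2) the digest matches the content.
func verify(selector, domain, msg, sigB64 string) bool {
	_, pubB64, found := strings.Cut(dnsTXT[selector+"._domainkey."+domain], "p=")
	der, err1 := base64.StdEncoding.DecodeString(pubB64)
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	key, err3 := x509.ParsePKIXPublicKey(der)
	pub, isRSA := key.(*rsa.PublicKey)
	if !found || err1 != nil || err2 != nil || err3 != nil || !isRSA {
		return false // no key published under this selector, or a malformed record/signature
	}
	h := sha1.Sum([]byte(msg))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, h[:], sig) == nil
}
```

A failed verify is only the "authentication failure" signal; what happens next (reject, close the session, or do nothing) is the local policy the later slides describe, not part of this check.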
DomainKeys in MDaemon
•   Implemented in MDaemon 8.0 and later.
•   First Windows-based deployment.
•   Joins Internet giants such as Yahoo!, Google
    and Earthlink in deploying DomainKeys.
•   Signs outbound messages.
•   Authenticates inbound messages.
DomainKeys Access

Access to DomainKeys setup is through the SPF/DomainKeys command in the Security menu.
DomainKeys Verification

The DomainKeys Verification
tab contains options for setting up
authentication.
 These settings determine the policies for
 handling messages failing the DomainKeys
 authentication tests.

 Options vary from doing nothing to closing
 the SMTP session.

 White lists are available for exempting
 specified domains from verification.
DomainKeys Signing

The DomainKeys Signing tab
contains options for setting up
outgoing message signatures.
 Signing can apply to all messages or to
 mailing lists or to both.

 If messages to mailing lists are included in
 the DomainKeys processing, MDaemon
 signs each outgoing message to each list
 member.

 Creating private/public key pairs with
 MDaemon involves…
Creating Private/Public Keys

Creating private/public key
pairs with MDaemon involves:
 Entering a selector name.

 Pressing the button named Create
 new public and private keys.

 Doing this creates the key pair and
 displays example information to enter
 into the DNS record for your domain.
Specify Signing Addresses

MDaemon requires source
addresses to be specified
before messages can be
signed. Editing the addresses
involves:
 Pressing the button named Define
 which messages are eligible for
 signing.

 Doing this opens a file containing the
 addresses. By default, MDaemon sets
 up your local domain for signing.
Using DomainKeys Selectors

By default, MDaemon uses one
selector for signing all messages.

To accommodate multiple
selectors, MDaemon uses its
Content Filter to sign messages
by using the private keys of
selectors other than the default.

This provides flexibility in
implementing DomainKeys within
MDaemon.
DomainKeys Summary
•   DomainKeys provides a method for
    authenticating email identities and content.
•   MDaemon offers the first Windows-based
    deployment of DomainKeys, for both signing
    and verifying.
•   MDaemon supports multiple DomainKeys
    selectors.
•   DomainKeys in MDaemon is easy to use.