A security analysis of email communications

The objective of this report is to analyse the security and privacy risks of email communications and identify technical countermeasures capable of mitigating them effectively. In order to do so, the report analyses from a technical point of view the core set of communication protocols and standards that support email communications in order to identify and understand the existing security and privacy vulnerabilities. On the basis of this analysis, the report identifies and analyses technical countermeasures, in the form of newer standards, protocols and tools, aimed at ensuring a better protection of the security and privacy of email communications. The practical implementation of each countermeasure is evaluated in order to understand its limitations and identify potential technical and organisational constrains that could limit its effectiveness in practice. The outcome of the above mentioned analysis is a set of recommendations regarding technical and organisational measures that when combined properly have the potential of more effectively mitigating the privacy and security risks of today's email communications.JRC.G.6-Digital Citizen Securit

A Practical Study of E-mail Communication through SMTP

Simple Mail Transfer Protocol (SMTP) is an application layer protocol for e-mail communication. It has been adopted as a standard by Internet Engineering Task Force (IETF). SMTP has set conversational and grammatical rules for exchanging messages between connected computers. It has evolved through several revisions and extensions since its formation by Jon Postel in 1981. In SMTP, the sender establishes a full-duplex transmission channel with a receiver. The receiver may be either the ultimate destination or an intermediate forwarding agent. SMTP commands are issued by the sender and are sent to the receiver, which responds to these commands through codes. Each SMTP session between the sender and the receiver consists of three phases namely: connection establishment, mail transactions and connection termination. This paper describes and illustrates the process of e-mail communication through SMTP by issuing the individual SMTP commands directly to transmit e-mail messages. It also describes individual SMTP commands and extensions with practical implementation using a Telnet client

Collaborative intelligent email ranking system

Email has become one of the most powerful communication tools today. It is has widely proliferated in both business and personal use. It allows for fast communication between multiple parties that can be easily understood by even the most novice user, and allows for advanced transfer of data for power users. Even with that, it is one of the most abused systems on the Internet. Email systems have allowed for widespread distribution of the worst viruses on the Internet, causing billions of dollars in damage. Most of the technologies that have been deployed to prevent these types of attacks have been thwarted; A new email protocol is required to implement accreditation, authentication and reputation to overcome these issues. This new system is a combination of currently accepted systems, along with additions to make them more effective as a whole. This new system is called Collaborative Intelligent Email Ranking System (CIERS)

EXPLORATION OF THE DESIGN OF A COMPLEX E-MAIL SYSTEM

The management of an Internet service involves a variety of aspects, ranging from the economic to the technical and organizational. Cost reduction, management simplification and improvement of service quality are the fundamental targets of every Internet service project. In geographically widespread organizations where numerous servers are used in order to implement distributed network services, both costs and human labor for maintenance and management are greatly multiplied. We believe that security and maintenance problems, and thus cost, could be reduced by transferring from a distributed to a centralized service. However, this choice would undermine the flexibility needed by local administrators in order to be able to administer their own services. This paper describes a hybrid service management model (partly centralized, partly distributed) and outlines the results we obtained by applying this model to the e-mail service of our organization

IPv6 Network Mobility

Network Authentication, Authorization, and Accounting has been used since before the days of the Internet as we know it today. Authentication asks the question, “Who or what are you?” Authorization asks, “What are you allowed to do?” And fi nally, accounting wants to know, “What did you do?” These fundamental security building blocks are being used in expanded ways today. The fi rst part of this two-part series focused on the overall concepts of AAA, the elements involved in AAA communications, and highlevel approaches to achieving specifi c AAA goals. It was published in IPJ Volume 10, No. 1[0]. This second part of the series discusses the protocols involved, specifi c applications of AAA, and considerations for the future of AAA

Hybrid Session Verification through Endpoint API Generation

© Springer-Verlag Berlin Heidelberg 2016.This paper proposes a new hybrid session verification methodology for applying session types directly to mainstream languages, based on generating protocol-specific endpoint APIs from multiparty session types. The API generation promotes static type checking of the behavioural aspect of the source protocol by mapping the state space of an endpoint in the protocol to a family of channel types in the target language. This is supplemented by very light run-time checks in the generated API that enforce a linear usage discipline on instances of the channel types. The resulting hybrid verification guarantees the absence of protocol violation errors during the execution of the session. We implement our methodology for Java as an extension to the Scribble framework, and use it to specify and implement compliant clients and servers for real-world protocols such as HTTP and SMTP

An Internet-Wide Analysis of Diffie-Hellman Key Exchange and X.509 Certificates in TLS

Transport Layer Security (TLS) is a mature cryptographic protocol, but has flexibility during implementation which can introduce exploitable flaws. New vulnerabilities are routinely discovered that affect the security of TLS implementations. We discovered that discrete logarithm implementations have poor parameter validation, and we mathematically constructed a deniable backdoor to exploit this flaw in the finite field Diffie-Hellman key exchange. We described attack vectors an attacker could use to position this backdoor, and outlined a man-in-the-middle attack that exploits the backdoor to force Diffie-Hellman use during the TLS connection. We conducted an Internet-wide survey of ephemeral finite field Diffie-Hellman (DHE) across TLS and STARTTLS, finding hundreds of potentially backdoored DHE parameters and partially recovering the private DHE key in some cases. Disclosures were made to companies using these parameters, resulting in a public security advisory and discussions with the CTO of a billion-dollar company. We conducted a second Internet-wide survey investigating X.509 certificate name mismatch errors, finding approximately 70 million websites invalidated by these errors and additionally discovering over 1000 websites made inaccessible due to a combination of forced HTTPS and mismatch errors. We determined that name mismatch errors occur largely due to certificate mismanagement by web hosting and content delivery network companies. Further research into TLS implementations is necessary to encourage the use of more secure parameters