
Email Authentication

Robert Ian Hawdon

A Critical Evaluation Of Current Research Aimed At Improving Email Authentication.


Robert Ian Hawdon
Faculty of Applied Sciences, University of Sunderland, United Kingdom

Abstract
Phishing is an issue that is still causing a problem for large firms, their customers, and their credit card companies. I look into the various forms of email authentication systems, and how they could be better implemented to allow users to easily spot potential threats and avoid having their identity stolen. My research highlights the issues faced using the current systems, and suggests ways these can be improved to cater for casual internet users who lack the expertise to set up and use the current methods.

Introduction
Phishing is a technique where criminals craft a convincing-looking spoof email purporting to come from a legitimate business or bank, with the intent of luring the user to a fake website which, again, looks legitimate, and of getting them to submit enough of their personal information to allow the criminals to use their details for illegal activities (Vishwanath et al., 2011; Herzberg, 2009). Phishing cost the US public roughly $3.2 billion in 2007 (Chen et al., 2011), which clearly shows that not enough is being done to flag possible phishing emails and create general awareness of the problem (R., 2011). Research has already been done into why people fall for the tricks pulled by these scam artists; after phishing the details of university students via the internal email system, Vishwanath et al. conclude: "The results show individuals' levels of attention to urgency cues and email subject-lines are significantly more likely to trigger a response to phishing email, while their levels of attention to the email source and grammar and spellings used in the email are significantly less likely to trigger a response." (Vishwanath et al., 2011) But what can be done to ensure that people are notified that an email they receive is genuine, when common sense may be lacking, still has room for improvement. The issue faced today, regarding anything sent in an email, is trust. "Standard communication systems, like electronic mail (e-mail), have a poor evidential quality. They can be compared to sending a postcard, which lacks confidentiality, authenticity, integrity and non-repudiation services." (Tauber, 2011) Methods which sign emails, such as PGP (Pretty Good Privacy) or DKIM, can be used to generate an electronic signature which protects users from man-in-the-middle attacks as well as spoofing (Herzberg, 2009), but the traditional ways of using these applications can be tricky for the average computer user. Also, banks and large companies tend not to sign their emails, making authenticity checking difficult.

EBIA
Most companies today still tend to identify users using Email-Based Identification and Authentication (EBIA for short). This technique relies on the user keeping their email address and password secure, and on the email address being the identifier of the person. It assumes that the user can still receive email at this address, and that personal data can be sent to it (Garfinkel, 2003). The downfall of this is that email intercepted by man-in-the-middle attacks (Herzberg, 2009), or addresses that are phished, can then easily be used to access other services linked to that account through a simple password reset request. The benefit of this system, though, is its ease of use, as the user only needs to remember their email address rather than a completely separate username or other form of identification: "Arguably, email addresses are even easier to remember than [social security numbers]" (Garfinkel, 2003). Another advantage is that no specialised software is needed; all the user needs is the ability to receive an email at the address provided. A downfall of using EBIA is that anyone can register an email address under any name, so an email address alone isn't enough to identify a specific person.

What has been done already
The main issue regarding phishing is that it's hard for people to tell the difference between a legitimate email and a fake, especially when they are receiving a large volume of emails on a daily basis. The more emails someone receives, the more likely they are to quickly do what an email says to get it out of the way, without first checking whether it's legitimate (Vishwanath et al., 2011). Some email providers (such as Google's Gmail and Microsoft's Hotmail) will display a message when they think they've spotted a suspicious message, but these aren't totally accurate. The process of detecting spoof emails usually comes down to looking at the headers of an email. Email headers are set out in a specific way to allow email clients and providers to identify elements of the message, such as who the email is intended for (To), who it's from (From), and a Message-ID to identify a specific message (Resnick, 2008). As a lot of the header fields can be spoofed, a few header-based authentication mechanisms such as SPF and DKIM have been created to allow email providers to detect spoofed messages (Herzberg, 2009).

Figure 1: GMail's Authentication "Lab"

Figure 2: An example of a genuine message from eBay

In-Body Authentication
S/MIME (Secure/Multipurpose Internet Mail Extensions) is an in-body approach that allows for encryption and signing of messages. It was developed by RSA Laboratories and is based on PKIX (Internet X.509 Public Key Infrastructure). Using PKI (Public Key Infrastructure) standards introduces a new level of trust, as the keys are unique to that person (Ullah et al., 2010) and are verified by a 3rd party, who usually verifies the user by using other forms of identification, such as social security numbers. Other services will ensure the person is who they say they are by only allowing the user to download their certificate after entering, on their website, a password sent to their email address, from the same computer, operating system and browser. Phil Zimmermann also created an email encryption system, again based on the RSA encryption algorithm, and called it 'Pretty Good Privacy' (PGP). It was designed as asymmetric encryption, meaning that two keys need to be created, one to encrypt a message and the other to decrypt it again (Garfinkel, 2003). These in-body systems can not only be used to encrypt whole messages, but also to create a digital signature which verifies both the sender of the message and the contents of the message itself; the email client will warn the user if the signature attached to a message is invalid. Possible reasons a signature may be invalid include:
- Error in configuration
- Email went via a 3rd party
- The message was edited or tampered with between parties
- The message was damaged in transit between parties
- The message was spoofed
- Keys aren't verified (S/MIME)
- A new key has been issued and it's not in your keychain

In any of the above situations, the recipient should be cautious about anything written in that message, as there is no verification that the information in the message is valid. The two in-body systems both aim to achieve the same goal, but there are some differences between them. S/MIME, for example, relies on a 3rd party to generate a certificate to validate who you are before your keys are fully trusted (clients will keep throwing warnings if certificates are self-signed), whereas OpenPGP certificates are created by the user and validated by individuals who personally know them (Levi and Güder, 2009). This means that, although PGP can potentially be less secure, it's easier to implement than S/MIME, and, by using a web of trust model, the more trusted people who sign your key, the more trust your key will have. There are a few problems with using PKI in-body authentication to secure emails. Currently, these systems need to be used offline, where the user has the encryption system and keys stored on their computer. This means it needs to be integrated with an email client, which is a bit difficult for the average user to set up. As mentioned, with a PKI system used for in-body authentication and/or encryption, the user who wants to verify the authenticity of the email will need a copy of the sender's public key. This is obtained either by having the user send their public key as an attachment, by hosting it on a website, or via a public name server. Finally, keys may need to be revoked with a PKI; this could be when a key has been compromised (Ullah et al., 2010), expires, or the user forgets their password/passphrase. In some cases, the user might have generated a revocation key to allow the key to be flagged as no longer in use. As a key can't be removed from a key server, only updated, people may end up with a collection of keys that are no longer of any value.

Header Based Authentication
SPF (Sender Policy Framework) is a technique used to check whether an email, based on its domain name, is allowed to be sent from the IP address the message originated from. This technique won't stop a scammer faking an email address, but if set up correctly, email providers should be able to check with the server on the correct domain whether the message received originated from an authorised server (Wong and Schlitt, 2006). An extended version of SPF, SIDF (Sender ID Framework), was also proposed, which would attempt to also authenticate the recipient's address. But some say it is considered harmful and doesn't provide any true benefit over the SPF system (Herzberg, 2009). DKIM (DomainKeys Identified Mail) is a system that allows messages to be signed by a server (hosted under the domain name the email is supposed to have originated from), with the signature included in the header of the email. This differs from other solutions such as OpenPGP, which include the signature in the body of the text or as an attachment, which could confuse the recipient of the email (Allman et al., 2007). Some email providers, like GMail, use DKIM not only to identify spoof messages, but also to identify trusted emails from some companies. A service can be enabled to allow recipients to identify a genuine email from eBay and PayPal (Taylor, 2009).
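The SPF check described under Header Based Authentication, worked through as an added example (this code is not from Hawdon's paper): a receiving server fetches the sender domain's SPF record and tests the connecting IP against its mechanisms. The DNS TXT lookup is replaced by a constructed in-memory table of made-up domains so that it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# These domains and records are made up for illustration only.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
    "broken.example": "v=spf1 ip4:not-an-address -all",
}

# Qualifier prefixes defined by RFC 4408 and the result each yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookup=FAKE_TXT.get, depth=0):
    """Evaluate the SPF record of the envelope-sender domain against the
    connecting IP, returning pass, fail, softfail, neutral, none or permerror.
    Only ip4, ip6, include and all are modelled; a, mx, ptr and exists need
    live DNS and are rejected here.  The depth counter approximates the
    RFC 4408 limit of 10 DNS-querying mechanisms per check."""
    if depth > 10:
        return "permerror"
    record = lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if "=" in term:          # modifiers (exp=, redirect=) are not modelled
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":        # catch-all; its qualifier decides the verdict
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"   # unparsable address in the published record
            if ip in network:        # an IPv4/IPv6 version mismatch simply does not match
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = check_spf(arg, sender_ip, lookup, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):  # errors in the included record propagate
                return "permerror"
        else:
            raise NotImplementedError(f"mechanism {name!r} needs live DNS")
    return "neutral"             # nothing matched and no "all" term was present


if __name__ == "__main__":
    for dom, addr in [("example.com", "192.0.2.77"), ("example.com", "2001:db8::1"),
                      ("example.com", "203.0.113.5"), ("loop.example", "192.0.2.1")]:
        print(dom, addr, "->", check_spf(dom, addr))
```

A "fail" or "softfail" here is the signal a provider uses to flag the message; a "none" result is the case the paper notes where the sender publishes no SPF at all, which a cautious provider may also treat as suspicious.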

Focusing on header authentication, SPF and DKIM can, and should, be used together, as either of these signatures can be damaged during transit, and some email providers may only support one of the authentication systems, so covering all possible configurations will help reduce the chance of a false positive detection. Bear in mind, though, that not all senders use either SPF or DKIM; for this reason, some email providers that use these methods to authenticate messages may still flag such messages as threats by mistake (Herzberg, 2009). As both forms of header authentication can be used, there's no real need to discuss the pros and cons of either, as the limitations of one can be solved by using the other too. In terms of in-body authentication, though, the research shows that both S/MIME and OpenPGP offer the same type of service, so it would be impractical to use both. OpenPGP allows for self-generated keys which can be verified by anyone who knows the recipient. Sadly, this form of authentication can be flawed, as anyone can generate a key and trick users into trusting this rogue key pair. S/MIME, on the other hand, requires a 3rd party to generate the keys. The disadvantage here is that not all services do a great job of validating the user signing up for a key. For convenience of key generation, though, OpenPGP is a nicer system which is more readily available for the average home user. S/MIME has an advantage in that it's included with most popular email client programs, whereas OpenPGP requires the user to install some software to be able to use it on their system. The limitation of the in-body authentication systems themselves is that the headers of the message aren't included in the signature check, which could mean a potential hacker could set up a man-in-the-middle attack to trick the user into thinking an important message isn't important (by modifying the subject field, for example), causing the recipient to ignore what could be an important email.
Another reason why in-body authentication systems could be a challenge to implement at the moment is that the user is required to use an email client, as no webmail providers support in-body authentication systems like PGP or S/MIME. This could potentially be inconvenient for the less experienced computer user, who would feel uncomfortable installing the software themselves. Mobile devices are becoming more popular (Marketing Charts, 2010) and the number of in-body authentication solutions for these platforms is lacking, which means that for users who travel a lot, checking the authenticity of a message based on its in-body signature while on the move could be more of a challenge.

Comparing authentication techniques


Looking at the different techniques discussed in this article, we can see that there are two clear techniques, header authentication, and in-body encryption.


Finally, in-body authentication such as S/MIME and OpenPGP requires an offline copy of the user's key pair. This would need to be stored on every machine that the user was going to use to authenticate. This could be potentially dangerous if used on a public computer, where software such as key loggers could be used and their passphrase compromised. This means portability is also an issue when using this method. Also, the more computers the key is used on, the more chance there is of a copy being stolen. As the password/passphrase is the weakest point of any authentication system, the user must use a strong password to ensure the key can't be easily cracked. Because PGP is an end-user solution, it would theoretically be possible for a company, or bank, to store a copy of a user's public key and use it to send personal information, such as bank details, usernames, passwords, etc., securely by encrypting these details in an email and sending them directly to their inbox, safe in the knowledge that only the intended recipient can open the message. This would not only make it easier for the user to receive their data, but could potentially save the company money by allowing details like PIN numbers to be sent out digitally rather than in paper form. By utilising the encryption side of S/MIME or OpenPGP, messages sent to the recipient remain secure: even if an attacker managed to gain access to their email account, they would still be unable to access those specific messages due to the high level of encryption used. If the systems discussed in this article were all implemented, it would become a lot easier for a user to detect a potential threat such as phishing, as the message would either be flagged as a possible threat, as having an invalid signature, or as having no signature at all. Only trusted emails would show a valid signature, which allows the recipient to fully trust the message.

Evaluation
Overall, if no other option is available, the best way to avoid a phishing email is to use common sense, remain vigilant, and presume each email could be untrusted. By spotting the vital signs, such as strange links or requests for unusual data such as PIN numbers or passwords, users should be able to identify a potentially dangerous email. Sadly, common sense can tend to be lacking in some cases, and occasionally a user will fall for a phishing scam and not realise until it's too late. This research has shown that better email authentication is needed, which will notify users, in an obvious way, whether the message they have received is genuine or not. The current solutions are great if they're set up by someone who's competent with what they're doing and is either familiar with the solutions out there or quick to learn, but for casual internet users these solutions could be too complicated to set up and use, and might deter them from using them at all. Ideally, companies would start implementing the in-body signature technique to assure the recipient that the email is legitimate. Webmail providers should also look into ways of allowing their users to generate PGP keys on their system, or to provide one, over an SSL connection. This would bring in-body authentication to the masses and, hopefully, make it much harder for criminals to set up a phishing attack.

Works Cited
Allman, E., Callas, J., Delany, M., Libbey, M., Fenton, J. and Thomas, M. (2007) DomainKeys Identified Mail (DKIM) Signatures, May, [Online], Available: http://www.ietf.org/rfc/rfc4871.txt [8 November 2011].
Chen, X., Bose, I., Leung, A.C.M. and Guo, C. (2011) 'Assessing the severity of phishing attacks: A hybrid data mining approach', Decision Support Systems, no. 50, pp. 662-672.
Garfinkel, S.L. (2003) 'Email-Based Identification', IEEE Security & Privacy, vol. 1, no. 6, pp. 20-26.
Garfinkel, S. (2003) 'Pretty Good Privacy', in Reilly, E.D. (ed.) Encyclopedia of Computer Science, 4th edition, Chichester: John Wiley and Sons Ltd.
Herzberg, A. (2009) 'DNS-based email sender authentication mechanisms: A critical review', Computers & Security, vol. 28, no. 8, pp. 731-742.
Levi, A. and Güder, C.B. (2009) 'Understanding the limitations of S/MIME digital signatures for emails: A GUI based approach', Computers & Security, vol. 28, no. 3-4, pp. 105-120.
Marketing Charts (2010) Mobile Device Popularity Surges, 19 February, [Online], Available: http://www.marketingcharts.com/interactive/mobile-device-popularity-surges-12020/ [16 November 2011].
R., A. (2011) Who's After Your Information: Understanding Phishing Data, [Online], Available: http://www.brighthub.com/internet/security-privacy/articles/99607.aspx [26 Oct 2011].
Resnick, P. (2008) Internet Message Format, October, [Online], Available: http://www.ietf.org/rfc/rfc5322.txt [10 November 2011].
Tauber, A. (2011) 'A survey of certified mail systems provided on the Internet', Computers & Security, no. 30, pp. 464-485.
Taylor, B. (2009) New in Labs: The super-trustworthy, anti-phishing key, 13 July, [Online], Available: http://gmailblog.blogspot.com/2009/07/new-inlabs-super-trustworthy-anti.html#!/2009/07/new-inlabs-super-trustworthy-anti.html [8 November 2011].
Ullah, S., Shirazi, S.N.-U.-H., Nadeem, M.A. and Ikram, N. (2010) 'Secure messaging and real time media streaming using enterprise PKI and ECC based certificates', Computational Technologies in Electrical and Electronics Engineering (SIBIRCON), 2010 IEEE Region 8 International Conference, Irkutsk Listvyanka, Russia, pp. 159-161.
Vishwanath, A., Herath, T., Chen, R., Wang, J. and Rao, H.R. (2011) 'Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model', Decision Support Systems, no. 51, pp. 576-586.
Wong, M. and Schlitt, W. (2006) Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1, April, [Online], Available: http://www.ietf.org/rfc/rfc4408.txt [10 November 2011].
