Electronic mail is the most convenient way of exchanging business information over the internet or any computer network. An electronic mail system is divided into mail servers and mail clients. Both are equally targeted by attackers because of the networking technology and the computing fundamentals associated with email. Mail servers are also targets of attack because they communicate with untrusted third parties, which leaves weak points. Examples of email security issues include:
- Denial of service
- Flaws in the mail server application that may be exploited for network attacks
- Sensitive information relayed to unauthorized persons in an unauthorized manner
- Alteration of information within the mail servers or under transmission between the sender and the receiver
- Malicious attacks from external attackers on a mail server host
- Misconfigurations of the mail server that allow it to send spam messages
Organizations should carefully plan and implement appropriate security management practices. The implementation of cryptographic technologies protects user authentication and email data.
The National Institute of Standards and Technology has developed guidelines that define the minimum requirements for the provision of excellent information security for all agency resources and assets. The Guidelines on Electronic Mail Security serve as the recommended security practice for designing, implementing and operating email systems on corporate and government networks. Mail servers are becoming frequent sites of attacks, and this is exacerbated by the variety of mail types and attachment contents, which introduce viruses and malware into networks. The establishment of mail transport standards and SMTP ensures reliability and interoperability in mail applications and transport.
Pretty Good Privacy (PGP) is a program used to encrypt and decrypt e-mail over the internet. It is also used to send digital signatures that allow the receiver to verify the identity of the sender. This guards against attempts to alter messages en route. The program is used by corporations that require a high level of security and sensitivity. The program is considered a de facto standard in email security. PGP works using the public key system. Each user is accorded an encryption key and a private key that is known to that user alone. A message is encrypted using a public key. Upon receipt, the message is decrypted using the private key. PGP is available in two versions: RSA and Diffie-Hellman. RSA uses the IDEA algorithm to generate short keys for the entire message. Diffie-Hellman uses the CAST algorithm for the short key and Diffie-Hellman to encrypt the short key.
DomainKeys Identified Mail (DKIM) Signatures is a standard that defines a domain-level authentication framework for e-mail. It uses public key cryptography and key server technology to allow verification of the origin and contents of messages by either mail transfer agents or mail user agents. The objective of this framework is to allow a signing domain to assert responsibility for a message, thereby protecting the message signer's identity and the integrity of the messages it conveys. Spam and phishing are controlled through the implementation of DKIM. DKIM makes an organization responsible for the messages it sends and for those messages in transit.
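An added example (not from the guidelines or from any DKIM implementation) of the content-integrity half of DKIM verification: it recomputes the body hash carried in the signature's `bh=` tag using the simple and relaxed canonicalizations of RFC 6376. The message bodies, the `example.com` domain, the `sel1` selector and the `sign_stub` helper are constructed for illustration, and the RSA check of `b=` against the key published in DNS is left out.

```python
import base64
import hashlib
import re

HASHES = {"rsa-sha256": hashlib.sha256, "rsa-sha1": hashlib.sha1}

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature value ("k=v; k=v; ...") into a tag dict."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {key.strip(): val.strip() for key, val in pairs}

def canonicalize_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization, 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of space/tab and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                       # empty lines at the end are ignored
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, algo: str, mode: str, length=None) -> str:
    """Base64 digest of the canonicalized body, as carried in bh=."""
    canon = canonicalize_body(body, mode)
    if length is not None:
        canon = canon[:length]            # l= tag: only these bytes are covered
    return base64.b64encode(HASHES[algo](canon).digest()).decode()

def body_hash_ok(sig_value: str, body: bytes) -> bool:
    """Verifier side: recompute the body hash and compare it with bh=."""
    tags = parse_tags(sig_value)
    # c= is "header/body"; a missing body part means simple.
    mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    length = int(tags["l"]) if "l" in tags else None
    claimed = re.sub(r"\s+", "", tags["bh"])      # bh= may be folded
    return body_hash(body, tags["a"], mode, length) == claimed

def sign_stub(body: bytes, mode: str) -> str:
    """Constructed signer: real bh=, placeholder b= (no RSA here)."""
    return ("v=1; a=rsa-sha256; c=relaxed/%s; d=example.com; s=sel1; "
            "h=from:to:subject; bh=%s; b=PLACEHOLDER"
            % (mode, body_hash(body, "rsa-sha256", mode)))

# Constructed sample message bodies, not taken from real traffic.
BODY = b"Quarterly report attached.\r\nRegards,\r\nAlice\r\n"
REFLOWED = b"Quarterly report attached.  \r\nRegards,\r\nAlice\r\n\r\n"
ALTERED = b"Quarterly report attached.\r\nRegards,\r\nMallory\r\n"
```

With a relaxed body signature, `REFLOWED` (whitespace added by a relay) still verifies while `ALTERED` does not; with a simple body signature, both fail.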
The growth of the internet and the need to control access to network resources have necessitated the development of means to represent, discover and exchange the policies that control access to these resources. IP security protocols such as RFC 2401-2412 and 2104 exchange keying material using IKE (RFC 2409) and protect the flow of data using AH (RFC 2402). IKE is limited to the authenticated exchange of keying material and related policy information between the end-points of a security association. However, there are administrative entities that impose constraints on gateways and router files. This calls for end-point security associations that can securely discover and negotiate access control information. The IPSP addresses this problem by specifying a repository-independent information model to support IP security policies.
IP Encapsulating Security Payload (ESP) is a document that defines an internet standards track protocol for the internet community. ESP is designed to give a mix of security services for IPv4 and IPv6 and can be applied alone, in combination with AH, or in a hybrid version. Implementing ESP supports confidentiality and integrity of data as well as authentication and protection against data tampering.
Internet key exchange is the establishment of security agreements between the computers exchanging data. The process involved is known as security association. SA is a process whereby both computers agree on a mechanism to exchange and protect data. The IETF has established a set of standards and methods for security association and key exchange resolution. The standard is named Internet Key Exchange (IKE).
An SA combines key negotiation, a security protocol and a security parameters index (SPI), which together protect communication from the sender to the receiver. Successful and secure communication is achieved through a two-phase operation. The first phase involves the establishment of a secure and authenticated channel of communication. IKE automatically works out the required identity protection during the exchange. Phase one involves the following processes.
- Policy negotiation
- Diffie-Hellman exchange of public keys
The second phase, known as quick mode negotiation, involves the following steps.
- Policy negotiation
- Exchange of session key material
- Session key material exchange
- Transfer of SAs and keys with SPI to the IPSec driver
IPSec, IKE, and IKEv2 rely on security algorithms to provide authentication between the sender and the receiver. There are numerous algorithms available, but two IPSec systems cannot interoperate if they use different algorithms. Therefore, there should be optional suites of algorithms that can be used to simplify IPSec administration. These are the cryptographic suites for IPSec and are referred to as User Interface Suites. The suites include VPN-A and VPN-B. VPN-A is commonly used in IKEv1 while VPN-B is expected to be used in the future.
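An added illustration, not taken from any IPsec implementation, of why peers with different algorithm sets fail at policy negotiation and how a shared suite avoids that. The suite contents come from RFC 4308 (the text above names the suites only); the model assumes one algorithm per transform type in each proposal, and the function names and the `MIXED` policy are hypothetical.

```python
# Suite contents as defined in RFC 4308.
SUITES = {
    "VPN-A": {
        "ike": {"encr": "3DES-CBC", "prf": "HMAC-SHA1",
                "integ": "HMAC-SHA1-96", "dh": "MODP-1024"},
        "esp": {"encr": "3DES-CBC", "integ": "HMAC-SHA1-96"},
    },
    "VPN-B": {
        "ike": {"encr": "AES-128-CBC", "prf": "AES-XCBC-PRF-128",
                "integ": "AES-XCBC-MAC-96", "dh": "MODP-2048"},
        "esp": {"encr": "AES-128-CBC", "integ": "AES-XCBC-MAC-96"},
    },
}

def select(offered, acceptable):
    """Responder side: first offered proposal that matches an acceptable
    one in every transform; algorithms are never mixed across proposals."""
    return next((p for p in offered if p in acceptable), None)

def differences(offer, local):
    """Transforms on which two proposals disagree (for troubleshooting)."""
    return {k: (v, local.get(k)) for k, v in offer.items() if v != local.get(k)}

def negotiate(initiator, responder):
    """Run policy negotiation for phase 1 (IKE SA), then phase 2 (ESP SA).
    Both arguments are ordered lists of {"ike": {...}, "esp": {...}}."""
    agreed = {}
    for phase in ("ike", "esp"):
        offered = [peer[phase] for peer in initiator]
        acceptable = [peer[phase] for peer in responder]
        agreed[phase] = select(offered, acceptable)
        if agreed[phase] is None:
            return {"status": "NO_PROPOSAL_CHOSEN", "phase": phase,
                    "diff": differences(offered[0], acceptable[0])}
    return {"status": "ESTABLISHED", **agreed}

# Constructed policy: every algorithm appears in some suite, but the
# combination is not a suite, so no whole proposal matches.
MIXED = {"ike": {"encr": "AES-128-CBC", "prf": "HMAC-SHA1",
                 "integ": "HMAC-SHA1-96", "dh": "MODP-1024"},
         "esp": {"encr": "AES-128-CBC", "integ": "HMAC-SHA1-96"}}

if __name__ == "__main__":
    a, b = SUITES["VPN-A"], SUITES["VPN-B"]
    print(negotiate([b, a], [a]))      # falls back to VPN-A
    print(negotiate([b], [a]))         # fails in phase 1
    print(negotiate([MIXED], [a, b]))  # fails: mixed set matches neither
```

The `diff` field in a failed result names the transforms on which the first proposals of the two peers disagree, which is the detail to compare across both configurations when a tunnel does not come up.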