Introduction to Secure Messaging Issues
Russ Chung, American Eagle Group
The Open Group Messaging Forum
July 24, 2003

Agenda
Overview of Encryption Technology
Implementation Issues
Secure Messaging Models

Encryption Overview
Encryption
Symmetrical keys
Asymmetrical keys
Encryption algorithms
Digital Signatures
Hash functions
Certificate
Optional Devices
Smart Cards
Biometric Devices
And more…

Implementation
Successful secure messaging implementation requires consideration of:
Technical aspects
Organizational aspects
Inter-Organizational aspects

Implementation Roles
Technical Aspects of Secure Messaging
Established and controlled by technical managers
Organizational Aspects of Secure Messaging
Internal Policies, Practices, Procedures
Established and controlled by Company management
Inter-Organizational Aspects of Secure Messaging
External Policies, Practices, Procedures
Established by agreements between organizations
Often involves senior management, boards, legal counsel

Technical Aspects
Key generation
Key management
Distribution and exchange of certificate and private key
Key separation
Archiving of the certificate, and if necessary, the private key
Change and validation of certificate and if necessary, the private key
Manage the access to and representative use of the certificate and private key
Freezing and destruction of certificates

Non-Technical Aspects
The non-technical aspects are often overlooked or underestimated
Organizational
Usage Policies, Procedures and Standards
Training
Inter-Organizational
Certificate Policy
Certification Practice Statement
Relying Party Agreement

Secure Messaging Models
Transport Layer Encryption
-or-
Message Encryption
-or-
Both

Secure Messaging Models
Model #1 - End to end encryption
Model #2 - Gateway to gateway encryption
Model #3 - Secure web mail

Secure Messaging Models
Model #1 - End to end encryption
Examples: S/MIME, PGP
Asymmetrical key pairs generated for each user
Pro
• Message is encrypted at all times
• Nearly impossible for anyone except the intended recipient to read the message
Con
• Nearly impossible to check for viruses, check content of the encrypted message
• Key management is an administrative burden

Secure Messaging Models
Model #2 - Gateway to gateway encryption
Example: Domsec
One asymmetrical key pair generated per domain
Pro
• Fewer keys to manage
• Permits scanning for viruses, content
Con
• Messages are not encrypted when in transit between the user and the gateway (unless transport layer encryption is used)
• Messages are not encrypted in storage

Secure Messaging Models
Model #3 - Secure Web Mail
Examples: Authentica Net Recall, Tumbleweed IME
Keys may be generated per user or per message
Pro
• Recipient does not require special software - only needs a web browser
Con
• Must prevent unauthorized personnel from obtaining the key

Secure Messaging Models
Model #4 - Hybrid model
Some or all of the above
How do we interoperate?

Conclusion
Successful secure messaging implementation involves
Technical Activities
Organizational Activities
Inter-Organizational Activities
The organizational and inter-organizational activities are the larger and the more critical part.
There are multiple secure messaging models