EPIC/PIRG "Cryptoparty" email security presentation by Michael Carbone (Access), 10/25/13
7/27/2019 EPIC/PIRG "Cryptoparty" email security presentation by Michael Carbone (Access), 10/25/13
Email Security
The base protocol for email (SMTP) was never designed with security in mind
You are effectively sending postcards!
Security mechanisms can be added
Confidentiality of email communications can be improved through the use of PGP/GPG tools
Protecting metadata (contacts, locations) is even more difficult
-
Anonymity or Confidentiality?
Are you known already as a person of interest to adversaries with some control over the network infrastructure? And is your account associated with you? Anonymity already lost
Will the use of strong cryptography (PGP) itself identify you as a person of interest?
Use HTTPS, as HTTPS traffic is common
PGP encrypted email is for confidentiality
Tor is a tool for anonymity: torproject.org
-
Email Security Features
-
Different Encryption Systems
-
TECHNOLOGY USED | SECURITY OF MESSAGES | ANONYMITY
SMTP | Headers + Content unencrypted ("in the clear") in network | None (sender + recipient known)
Webmail (HTTP) | Headers + Content sent through network, stored by provider unencrypted | None (sender + recipient known)
Webmail + SSL/TLS (HTTPS) | All encrypted, but cryptosystem relies on trust of provider and provider stores content unencrypted. Recipient may leak message unencrypted depending on their provider | Some (sender known, Recipient to provider issues)
Webmail + SSL/TLS (HTTPS) + Tor | All encrypted, but webmail provider stores content unencrypted | Full anonymity (unless provider/recipient compromised)
SMTP + PGP/GPG | Headers unencrypted. Content encrypted/decrypted locally | None (sender + recipient known)
SMTP + IMAP/TLS + PGP/GPG | All encrypted with TLS, but relies on trust of provider. Content encrypted locally | Some (sender known)
SMTP + IMAP/TLS + PGP/GPG + Tor | All encrypted. Headers stored with provider unencrypted. Content encrypted locally | Full anonymity (unless provider compromised)
-
PGP encrypted email over SSL/TLS
-
Weakest Link Issues - End Recipient
-
Server-to-server encryption of webmail providers
Modified from: @ashk4n
-
Providers and Trust
Do you trust your email provider? Google? Microsoft? Yahoo?
Should you trust them with your email content?
Should you trust them with your contact and location data (metadata)?
What legal jurisdiction are they under?
-
Alternative email providers
Nonprofit email providers
  Riseup.net
  Autistici.org (Associazione Investici)
Commercial providers based outside the US
  Fastmail.fm
MLATs can still provide access to user data: Hushmail
  "Encrypted E-Mail Company Hushmail Spills to Feds" (Wired)
-
Weakest Link Issues - Physical Security
-
Data at Rest issues
PGP protects the content of your emails if:
Your email account is compromised
Your computer is stolen or confiscated, your disk is copied, you are stopped at a border crossing, etc. and your data is forensically examined
-
PGP Gotchas
Never give away sensitive information in the subject line of the email
Saving of draft emails to provider
Ensure you mark your message to be encrypted BEFORE you start typing the content of the email
-
Digital Signatures and Email
Content is verifiable from the Sender
Identity of the Sender is not guaranteed!
Always sign emails that contain links
Always sign attachments
Content has not been modified in transit
Non-repudiation: Sender cannot redact the email and its content
-
Attachments
METHOD | PROPERTIES
PGP the file + Sign the file + Create the email + Attach file + Attach the signature file | Headers + Email Content in the clear. Attachment encrypted and Attachment signed
PGP the file + Sign the file + Create the email + Set email to PGP + Attach file + Attach the signature file | Headers in the clear. Email Content and Attachment encrypted and signed. Attachment name in the clear
Create the email + Set email to PGP/MIME + PGP Sign + Attach file | Headers in the clear. Email Content and Attachment encrypted and signed
-
Gotchas
Never give away sensitive information in the name of an attachment
Only PGP/MIME protects the name of attachments
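Added example, not part of the original slides: a Python sketch that builds two of the message layouts from the Attachments table, with a constructed placeholder in place of real PGP output, and lists what stays readable without any key. The addresses, subject, file name and function names are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed placeholder standing in for real OpenPGP output (gpg is not invoked).
FAKE_CIPHERTEXT = (b"-----BEGIN PGP MESSAGE-----\n"
                   b"(constructed placeholder)\n"
                   b"-----END PGP MESSAGE-----\n")

def add_envelope(msg, subject):
    # Hypothetical addresses; these headers are never covered by PGP.
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = subject
    return msg

def encrypted_attachment_mail(subject, filename):
    """First table row: the file is encrypted on its own, then attached."""
    msg = add_envelope(EmailMessage(), subject)
    msg.set_content("See attached.")  # body travels in the clear
    msg.add_attachment(FAKE_CIPHERTEXT, maintype="application",
                       subtype="octet-stream", filename=filename + ".gpg")
    return msg

def pgp_mime_mail(subject):
    """PGP/MIME (RFC 3156): body, attachments and their names sit inside one encrypted part."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg = add_envelope(outer, subject)
    msg.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    msg.attach(MIMEApplication(FAKE_CIPHERTEXT, "octet-stream"))
    return msg

def visible_metadata(msg):
    """Return what a provider or network observer can read without a key."""
    seen = {h: str(msg[h]) for h in ("From", "To", "Subject") if msg[h]}
    seen["filenames"] = [p.get_filename() for p in msg.walk() if p.get_filename()]
    seen["cleartext_body"] = any(
        p.get_content_type() == "text/plain" and not p.get_filename()
        for p in msg.walk())
    return seen

if __name__ == "__main__":
    for build in (lambda: encrypted_attachment_mail("Source documents", "witness-list.pdf"),
                  lambda: pgp_mime_mail("Source documents")):
        print(visible_metadata(build()))
```

In both layouts the Subject, From and To headers remain visible; only the PGP/MIME layout hides the attachment name.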
-
The Risk / Security Equation
Attaining an appropriate level of security in a near-infinite space of vulnerability
Expending the minimum amount of energy and resources to raise the bar beyond the level of energy and resources your adversaries would be willing to commit
-
Further resources
Security in a Box
  step-by-step instructions for installing programs
  https://securityinabox.org
  by Tactical Tech and Frontline Defenders
Encryption Works
  more context on different programs
  https://pressfreedomfoundation.org/encryption-works
  by the Freedom of the Press Foundation
-
Thanks!
Michael Carbone
michael@accessnow.org
Brian Duggan
duggan@newamerica.net
Joe Hall
joe@cdt.org
Libby Reinish
libby@fsf.org
-
Hands-on!
First make sure you have network!
Second install GnuPG, Thunderbird, Enigmail. Hoping you've done this already!
https://www.enigmail.net/documentation/quickstart.php
Generating a key, sending to keyserver
Send first signed email, encrypted email
Obtain key (securely) from others