New technologies make it possible to monitor all types of information that one individual might send to another. Carnivore is one example of such a technology. This controversial program was developed by the Federal Bureau of Investigation (FBI) to give the U.S. government the ability to monitor the Internet and email activities of suspected criminals.
Some Internet applications have little or no built-in security. Instant messaging (IM) is a good example. Many corporations allow or use IM, but it was built for chatting, not security. Most IM applications lack encryption capabilities, have insecure password management, and have features that actively work to bypass firewalls. IM can be vulnerable to sniffing attacks, can be used to spread viruses and worms, and can be targeted for buffer overflow attacks.
Standard email is also very insecure. Sending an email message is much like sending a postcard to Mom through the U.S. Mail. Anyone who happens to see the card during transit can read the message you sent her from your trip to Niagara Falls. If you need a little privacy, you must use encryption. Using encryption is the equivalent of sending a letter: The sealed envelope will prevent the casual snoop from learning about your trip to Niagara Falls. Email protection mechanisms include Pretty Good Privacy (PGP), Secure Multipurpose Internet Mail Extensions (S/MIME), and Privacy Enhanced Mail (PEM).
PGP
Phil Zimmermann initially developed Pretty Good Privacy (PGP) in 1991 as a free email security application. It gives private individuals strong, well-analyzed encryption and works well at securing email. PGP uses public-key cryptography just as a public key infrastructure (PKI) does, but its trust model is different: instead of a certificate authority vouching for keys, PGP relies on a web of trust. Users generate, distribute, and sign their own public keys, and each user decides how much to trust the keys (and the signatures) of the parties they exchange keys with. PGP is a hybrid cryptosystem, in that it uses both symmetric and asymmetric encryption: the message body is encrypted with a fast symmetric cipher under a random one-time session key, and only that session key is encrypted with the recipient's public key. Some of the algorithms PGP can use include Triple DES and Twofish (and, in later versions, AES) for symmetric encryption, and Diffie-Hellman (ElGamal-style encryption), the Digital Signature Standard (DSS), and RSA for asymmetric encryption and signing.
S/MIME
Secure Multipurpose Internet Mail Extensions (S/MIME) secures email by using X.509 certificates, issued by a certificate authority, to bind public keys to senders and recipients. Message formatting follows the Public Key Cryptography Standards (PKCS #7, later the Cryptographic Message Syntax, CMS). S/MIME can protect a message in one of two modes: signed and enveloped. Signed mode provides integrity, sender authentication, and non-repudiation, but the message itself is still readable in transit. Enveloped mode provides confidentiality: the body is encrypted under a one-time symmetric session key, and that key is encrypted to each recipient's public key. A message that needs confidentiality as well as authentication and integrity is signed first and the signed message is then enveloped.
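Both PGP and S/MIME are hybrid cryptosystems built from the two operations described above: a symmetric cipher under a fresh session key for the message body, and an asymmetric operation that either wraps that key for the recipient (enveloped mode) or signs a hash of the message (signed mode). The following Go program is an added example written for this page; it is not code from PGP, S/MIME, or the book. It uses only Go's standard library, and the algorithm choices (RSA-OAEP for key wrapping, RSA-PSS for signatures, AES-256-GCM for the body), the `Envelope` structure, the `GenerateKey` helper, the parties `alice` and `bob`, and the sample message are all assumptions made for the demo rather than real OpenPGP or CMS formats.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Envelope is what crosses the wire in enveloped mode: the one-time session
// key wrapped under the recipient's public key, plus the body encrypted under
// that session key. A sniffer on the path sees only this, never the plaintext.
// (Constructed demo structure, not an OpenPGP packet or a CMS EnvelopedData.)
type Envelope struct {
	WrappedKey []byte // session key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce, unique per message
	Body       []byte // AES-GCM ciphertext followed by its 16-byte tag
}

// GenerateKey makes a 2048-bit RSA key pair for one party. Hypothetical helper
// for the demo; real PGP or S/MIME keys come from a keyring or a certificate.
func GenerateKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal implements enveloped mode (confidentiality). The hybrid pattern: bulk
// data goes through a fast symmetric cipher under a random session key, and
// only that short key is encrypted with the slow asymmetric algorithm.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // AES-256 key, used for this message only
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := aead.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: body}, nil
}

// Open is the recipient side: unwrap the session key with the private key,
// then decrypt the body. Only the holder of the matching private key can
// unwrap, and GCM's tag check rejects a body that was modified in transit.
func Open(recipient *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Body, nil)
}

// Sign implements signed mode (integrity and sender authentication): a
// detached RSA-PSS signature over the SHA-256 hash of the message. The
// message itself stays readable, like the postcard; only tampering is caught.
func Sign(sender *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
}

// Verify checks a detached signature against the claimed sender's public key.
func Verify(sender *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	alice, err := GenerateKey()
	if err != nil {
		log.Fatal(err)
	}
	bob, err := GenerateKey()
	if err != nil {
		log.Fatal(err)
	}
	msg := []byte("Postcard from Niagara Falls: wish you were here.") // constructed sample

	// Signed mode: Alice signs, anyone with Alice's public key verifies.
	sig, _ := Sign(alice, msg)
	fmt.Println("signature valid:", Verify(&alice.PublicKey, msg, sig))
	tampered := append([]byte(nil), msg...)
	tampered[0] ^= 1
	fmt.Println("tampered message verifies:", Verify(&alice.PublicKey, tampered, sig))

	// Enveloped mode: sealed to Bob's public key; only Bob's private key opens it.
	env, _ := Seal(&bob.PublicKey, msg)
	fmt.Printf("on the wire: %d-byte wrapped key, %d-byte body\n", len(env.WrappedKey), len(env.Body))
	plain, err := Open(bob, env)
	fmt.Println("bob reads:", string(plain), err)
	_, err = Open(alice, env) // wrong private key: the OAEP unwrap fails
	fmt.Println("alice opening bob's mail:", err)
}
```

To get all three properties at once, the sender calls `Sign` on the message, then `Seal` on the message together with its signature, which is the sign-then-envelope order S/MIME uses. The same two operations are what a PGP client performs; what differs between PGP and S/MIME is how the recipient decides to trust the public key it is sealing to (web of trust versus a CA-issued X.509 certificate), not the hybrid construction itself.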
Privacy Enhanced Mail (PEM)
PEM is an older email security standard, defined in RFCs 1421 through 1424. It provides encryption, sender authentication, message integrity, and X.509 certificate-based key management, but it saw little deployment and has been superseded in practice by PGP and S/MIME.