Why do we want secure E-mail?
There are three questions that need to be answered here:
- What is the situation that needs to be changed?
- How will security functions in E-mail change this?
- What are the other effects of using these functions?
Some common answers seem to be:
- Today faking mail is simple. If we want to use it for
purposes that may cause real cost or real damage, it should be difficult.
- Today anyone with access to the physical network can read any
mail message. If we want to use it for passing information that
should not be revealed, it should be difficult.
The security functions that people have at one time or another
requested include (terms in parentheses come from the X.400 standard;
the X.400 standard contains even more such terms)
- Verifying that the sender is who he says he is ("message origin
authentication")
- Verifying that the message was not changed after the sender
sent it ("content integrity")
- Making certain that only the intended recipient reads the message
("content confidentiality")
- Making certain that the message was delivered ("proof of
delivery")
- Making certain that all messages were delivered ("message
sequence integrity")
- Being able to prove that a sender sent a message, even though
he might want to deny it ("non-repudiation of origin")
- Being able to prove that a recipient got a message, even though
he might want to deny it ("non-repudiation of delivery")
- Labelling a message with handling instructions ("message
security labelling")
- Making certain nobody knows who you exchange mail with
("message flow confidentiality")
- Making certain nobody uses YOUR mail system without being
authorized ("secure access management")
Some of these are easy to achieve; some are almost impossible.
Some are directly relevant to the goals above; some are "nice to
have".
The cost of security
There's always a cost. For security, the cost may include:
- Cost of software and hardware to achieve security functions.
With laws like US export licensing, the hassle may cost more
than the hardware. Also, the time vendors spend on security
features is obviously not spent on other features; you may have
to choose between functionality in other areas and security
functions.
- Maintenance costs. Keys, whether public/private or shared, must
be managed. If trust is to be
achieved, it must be worked on, documented and publicized.
For instance, when someone leaves a trusted position, you have
to take explicit action to revoke that trust.
- Irritation costs. Sometimes, quite legitimate, or at least
harmless operations like linebreak changes will cause security
alarms to ring when nothing has really happened.
At other times, people will yell at your
signed-but-not-encrypted messages because they are "full of
cybercrud" that they don't need, not being able to check the
signature anyway.
These issues are common to all security mechanisms, in all security
contexts. They are not in themselves arguments about security, but
form part of the framework that one has to think about in order to
ensure that one deploys adequate security.
Harald.T.Alvestrand@uninett.no
Last modified: Fri Nov 3 10:40:38 1995