Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Email Security Trail Map - A World beyond DMARC -

Email Security Trail Map - A World beyond DMARC -

There are too many technology about email security. So it is very difficult to understand what is really necessary, what is the goal.
In this slide, I explain about the summary of each technology to understand what you really need.

HIRANO Yoshitaka

December 11, 2019
Tweet

More Decks by HIRANO Yoshitaka

Other Decks in Technology

Transcript

  1. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Email Security
    Trail Map
    ~A World beyond DMARC~
    QUALITIA CO., LTD
    HIRANO Yoshitaka

    View full-size slide

  2. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Our Company
    Name Qualitia CO., LTD
    HQ 3-11-10 Nihombashi-Kayabacho Chuo-ku Tokyo
    Capital 85M yen
    Since Oct. 1993
    CEO Ken Matsuda
    ⚫ Development and Sales of Messaging Related Solutions
    ⚫ Supporting Efficient Communication and Security Enhancement
    ⚫ Providing the Messaging Related Cloud Services and Software
    Create the Future of “Communication” and “Security” with our Customers and Partners
    Q U A L I T Y M A K E S F U T U R E

    View full-size slide

  3. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Self Introduction
    Name HIRANO Yoshitaka
    Belongs to QUALITIA Co., Ltd
    Chief Engineer
    Cert. Licensed Scrum Master
    Certified Scrum Developer
    Activities M3AAWG
    JPAAWG
    IA Japan 迷惑Mail対策委員会
    Anti-Spam mail Promotion Council (ASPC)
    Message Research Institute
    Audax Randonneurs Nihonbashi

    View full-size slide

  4. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Our Team
    We are researching
    and developing
    New Feature
    Be our
    Friend!
    Twitter Account →

    View full-size slide

  5. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Email Security?
    Where is the goal?

    View full-size slide

  6. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Technologies for Email Security
    SPF
    DKIM
    誤送信
    防止
    Sanitize
    Password
    ZIP
    Anti
    Phishing Anti
    SPAM
    DNS
    SEC
    SMTP
    AUTH
    DANE
    MTA-
    STS
    START
    TLS
    BIMI
    ARC
    DMARC
    TLS-
    RPT
    Anti
    Virus
    Virus
    Filter
    Sandb
    ox
    Anshin
    Mark
    So many things!!
    I cannot understand

    View full-size slide

  7. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    What do you want to protect
    from What?

    View full-size slide

  8. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    What we protect from
    クオリティア
    Mail
    Server
    Mail
    Server
    spoofing
    hijacking
    eavesdropping
    tampering
    stealing
    leakage
    Malware
    Mail
    Server
    phishing

    View full-size slide

  9. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    What you want to protect from
    •Spoofing, Tampering
    •Account Hijacking, Springboard
    •Eavesdropping
    •Spam, Malware, Phishing
    •Leakage

    View full-size slide

  10. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Spoofing, Tampering
    Protect from

    View full-size slide

  11. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Protect from Spoofing, Tampering
    クオリティア
    Mail
    Server
    Mail
    Server
    Mail
    Server
    Spoofing
    Tampering

    View full-size slide

  12. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Protect from Spoofing・Tampering
    •SPF
    •DKIM
    •DMARC
    •ARC
    •BIMI

    View full-size slide

  13. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    When there is no SPF
    192.0.2.1
    203.0.113.1
    Env From: [email protected]
    From: [email protected]
    Subject: Please transfer money
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    OK I transfer! Click! ×
    クオリティア
    Spoofing・Tampering

    View full-size slide

  14. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    When there is SPF
    192.0.2.1
    Env From: [email protected]
    From: [email protected]
    Subject: Please transfer money
    AR: spf=pass
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    qualitia.co.jp txt “v=spf1 ip4:192.0.2.1 –all”
    Check Source IP using Envelope From

    OK, This is right. Transfer!
    クオリティア
    Spoofing・Tampering

    View full-size slide

  15. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    When there is SPF
    192.0.2.1
    203.0.113.1
    Env From: [email protected]
    From: [email protected]
    Subject: Please transfer money
    AR: spf=fail
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    qualitia.co.jp txt “v=spf1 ip4:192.0.2.1 –all”
    Hmm, it looks fake
    ×
    クオリティア
    Spoofing・Tampering

    View full-size slide

  16. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    But!
    Spoofing・Tampering

    View full-size slide

  17. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Even if there is SPF
    192.0.2.1
    203.0.113.1
    Env From: [email protected]
    From: [email protected]
    Subject: Please transfer money
    AR: spf=none
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    qualitia.co.jp txt “v=spf1 ip4:192.0.2.1 –all”
    クオリティア
    Spoofing・Tampering
    OK I transfer! Click!
    Use badgroup domain

    View full-size slide

  18. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    OK I transfer! Click!
    badgroupのSPFで認証
    192.0.2.1
    203.0.113.1
    Env From: [email protected]
    From: [email protected]
    Subject: Please transfer money
    AR: spf=pass
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    badgroup.example txt “v=spf1 ip4:203.0.113.1 –all”
    qualitia.co.jp txt “v=spf1 ip4:192.0.2.1 –all”
    クオリティア
    Spoofing・Tampering

    View full-size slide

  19. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    SPF
    •Verify if the pair of Envelope From and IP
    Address is correct or not
    •RFC4408 (2006/04)
    Source IP = Envelope From = Header From
    ?
    Spoofing・Tampering

    View full-size slide

  20. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DKIM
    Spoofing・Tampering

    View full-size slide

  21. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    When there is no DKIM
    From: [email protected]
    Subject: Please transfer money
    AR: dkim=none
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    クオリティア
    Spoofing・Tampering
    OK I transfer! Click!

    View full-size slide

  22. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DKIM-Signature: v=1;
    d=qualitia.co.jp; s=s1;
    h=From:Subject;
    b=abcdef・・・・
    From: [email protected]
    Subject: Please transfer money
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    When there is DKIM
    Send with signature
    s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...”
    Encryption
    Public Key
    Private Key
    hash
    クオリティア
    Spoofing・Tampering

    View full-size slide

  23. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DKIM-Signature: v=1;
    d=qualitia.co.jp; s=s1;
    h=From:Subject;
    b=abcdef・・・・
    From: [email protected]
    Subject: Please transfer money
    AR: dkim=pass
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    When there is DKIM
    OK, it’s trustable. Transfer, click!
    s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...”
    Decryption
    Public Key
    Private Key
    hash

    クオリティア
    Spoofing・Tampering

    View full-size slide

  24. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DKIM-Signature: v=1;
    d=qualitia.co.jp;
    h=From:Subject;
    b=abcdef・・・・
    From: [email protected]
    Subject: Please transfer money
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    When there is DKIM
    Cannot sign
    without a private key!
    encryption
    Private Key
    hash
    ×
    クオリティア
    Spoofing・Tampering

    View full-size slide

  25. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DKIM-Signature: v=1;
    d=qualitia.co.jp; s=s1;
    h=From:Subject;
    b=abcdef・・・・
    From: [email protected]
    Subject: Please transfer money to thief
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    When there is DKIM
    Tamper
    the signed
    message
    s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...”
    Public Key
    Private Key
    クオリティア
    Spoofing・Tampering

    View full-size slide

  26. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DKIM-Signature: v=1;
    d=qualitia.co.jp; s=s1;
    h=From:Subject;
    b=abcdef・・・・
    From: [email protected]
    Subject: 泥棒にPlease transfer money
    AR: dkim=fail
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    When there is DKIM
    Hmm, this might be tampered?
    s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...”
    decryption
    Public Key
    Private Key
    hash
    ×
    クオリティア
    Spoofing・Tampering

    View full-size slide

  27. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    But!
    Spoofing・Tampering

    View full-size slide

  28. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Even if there is DKIM
    From: [email protected]
    Subject: Please transfer money
    AR: dkim=none
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    Ok, Transfer! Click!
    s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...”
    Private Key
    Same as
    when there is not DKIM
    クオリティア
    Spoofing・Tampering
    Send without signature

    View full-size slide

  29. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    By Any Chance?
    From: [email protected]
    Subject: Please transfer money
    AR: dkim=none
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    Ehh? QUALITIA usually
    sign DKIM signature, right?
    s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...”
    Private Key
    クオリティア
    Spoofing・Tampering
    Same as
    when there is not DKIM

    View full-size slide

  30. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DKIM-Signature: v=1;
    d=badgroup.example; s=aku;
    h=From:Subject;
    b=abcdef・・・・
    From: [email protected]
    Subject: Please transfer money
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    Even if there is DKIM
    Sign as badgroup!
    aku._domainkey.badgroup.example txt “v=dkim1;p=ABCDEF...”
    encryption
    Private Key
    of badgroup
    Private Key
    hash
    クオリティア
    Spoofing・Tampering

    View full-size slide

  31. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DKIM-Signature: v=1;
    d=badgroup.example; s=aku;
    h=From:Subject;
    b=abcdef・・・・
    From: [email protected]
    Subject: Please transfer money
    AR: dkim=pass
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    Even if there is DKIM
    Ok, transfer!
    decryption
    badgroupの
    Public Key
    Private Key
    hash

    aku._domainkey.badgroup.example txt “v=dkim1;p=ABCDEF...”
    badgroupの
    Private Key
    クオリティア
    Spoofing・Tampering

    View full-size slide

  32. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DKIM
    •Sign headers and body
    to protect from tampering
    Spoofing・Tampering

    View full-size slide

  33. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Problem of SPF, DKIM
    •SPF: Even if the third party spoofed the
    Envelope From, still spf will be a “pass”
    •DKIM: Even if the third party signed,still
    dkim will be a “pass”
    Spoofing・Tampering

    View full-size slide

  34. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DMARC
    Spoofing・Tampering

    View full-size slide

  35. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DMARC
    •Verify based on Header From
    •Header From
    •Envelope From Verify all domains match
    •DKIM signer
    Spoofing・Tampering

    View full-size slide

  36. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    SPF for badgroup (dmarc p=none)
    192.0.2.1
    203.0.113.1
    Env From: [email protected]
    From: [email protected]
    Subject: Please transfer money
    AR: spf=pass, dmarc=Fail
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    badgroup.example txt “v=spf1 ip4:203.0.113.1 –all”
    _dmarc.qualitia.co.jp txt “v=DMARC1; p=none”
    Oh, dmarc is fail.
    ×
    クオリティア
    Spoofing・Tampering

    View full-size slide

  37. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    SPF for badgroup (dmarc p=reject)
    192.0.2.1
    203.0.113.1
    Env From: [email protected]
    From: [email protected]
    Subject: Please transfer money
    AR: spf=pass, dmarc=Fail
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    badgroup.example txt “v=spf1 ip4:203.0.113.1 –all”
    × Reject!
    _dmarc.qualitia.co.jp txt “v=DMARC1; p=reject”
    ×
    クオリティア
    Spoofing・Tampering

    View full-size slide

  38. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DKIM-Signature: v=1;
    d=badgroup.example; s=aku;
    h=From:Subject;
    b=abcdef・・・・
    From: [email protected]
    Subject: Please transfer money
    AR: dkim=pass, dmarc=fail
    Hi! I'm Taro @ QUALITIA.
    ・・・・
    DKIM signature for badgroup
    Public Key
    of badgroup
    aku._domainkey.badgroup.example txt “v=dkim1;p=ABCDEF...”
    Private Key
    of badgroup
    ×
    _dmarc.qualitia.co.jp txt “v=DMARC1; p=reject”
    ×Reject!
    クオリティア
    Spoofing・Tampering

    View full-size slide

  39. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    But!
    Spoofing・Tampering

    View full-size slide

  40. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DKIM-Signature: v=1;
    d=qualitia.co.jp; s=s1;
    h=From:Subject;
    b=abcdef・・・・
    From: [email protected]
    Subject: [○○ML:1234] Hi! All
    AR: dkim=fail
    Hi! Long time no see!
    ・・・・
    DKIM + Mailing List
    Hmm, can I trust?
    s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...”
    decryption
    Public Key
    Private Key
    hash
    ×
    クオリティア
    Spoofing・Tampering

    View full-size slide

  41. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    ARC
    Spoofing・Tampering

    View full-size slide

  42. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    ARCがあれば
    Ok, arc=pass
    Private Key
    クオリティア
    Mailing List
    Server
    ml.example.jp
    ARC-Seal: i=1; cv=none; d=ml.example.jp;...
    ARC-Message-Signature: i=1; d=ml.example.jp;
    h=from:subject:dkim-signature:...
    ARC-Authentication-Result: i=1; ml.example.jp;
    dkim=pass; spf=pass; dmarc=pass
    DKIM-Signature: v=1; d=qualitia.co.jp; b=abcdef・・・・
    From: [email protected]
    Subject: [○○ML:1234] Hi! All
    AR: dkim=fail, arc=pass
    Hi! Long time no see!
    ・・・・
    Spoofing・Tampering

    View full-size slide

  43. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    ARC
    •The Authenticated Received Chain Protocol
    •RFC8617 (2019年7月)
    •Mailing List Server will write ARC signature
    with sequence number,
    if DKIM=pass, ARC=pass when it received.
    Spoofing・Tampering

    View full-size slide

  44. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Operation
    Spoofing・Tampering

    View full-size slide

  45. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Recent DKIM Circumstances
    •RFC8301: Cryptographic Algorithm and Key Usage Update to
    DomainKeys Identified Mail (DKIM) (Jan. 2018)
    ・Both signer and verifier MUST use rsa-sha256
    ・Both MUST NOT use rsa-sha1
    ・Sign: 1024bit~(MUST)、2048bit~(SHOULD)
    ・Verify: 1024bit~4096bit(MUST)
    ※ But 2048bit is longer than the size 255bytes which DNS can handle
    Spoofing・Tampering

    View full-size slide

  46. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Recent DKIM Circumstances
    •RFC8463: A New Cryptographic Signature Method for DomainKeys
    Identified Mail (DKIM) (Sep. 2018)
    ・Signer SHOULD implement this
    ・Verifier MUST implement this
    ・Write two signatures, Ed25519-SHA256 and
    RSA-SHA256(1024bit~) for backward compatibility
    Use Ed25519-SHA256
    BASE64 encoded size is just 44 bytes, so this can be fit into DNS
    Spoofing・Tampering

    View full-size slide

  47. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DKIM Key Rotation
    •DKIM Key has
    to be rotated
    Spoofing・Tampering
    https://www.m3aawg.org/sites/default/files/m3aawg-dkim-key-rotation-bp-2019-03.pdf

    View full-size slide

  48. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Operation for DKIM
    •Follow the latest cryptography
    •Key rotation
    Too much hassle!!!
    We are creating a service
    to DKIM-sign automatically!
    Coming Soon!
    注目
    Spoofing・Tampering

    View full-size slide

  49. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    BIMI
    Spoofing・Tampering

    View full-size slide

  50. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    BIMI
    •Show the logo
    specified by the
    sender,
    if the DMARC
    is “pass”.
    Show the logo
    注目
    Spoofing・Tampering

    View full-size slide

  51. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Protect from Spoofing, Tampering (Summary)
    •SPF
    •DKIM
    •DMARC
    •ARC
    •BIMI
    Spoofing・Tampering

    View full-size slide

  52. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    What you want to protect from
    •Spoofing・Tampering
    •Hijacking・Springboard
    •Eavesdropping
    •Spam・Malware・Phishing
    •Leakage
    Hijacking・Springboard

    View full-size slide

  53. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Hijacking・Springboard
    Hijacking・Springboard
    Protect from

    View full-size slide

  54. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Protect from Hijacking・
    Springboard
    クオリティア
    Mail
    Server
    Mail
    Server
    Hijacking
    Hijacking・Springboard

    View full-size slide

  55. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    POP before SMTP
    Hijacking・Springboard

    View full-size slide

  56. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    POP before SMTP
    If you pass the POP3 authentication,
    you can send email.
    Mail Server
    Hijacking・Springboard

    View full-size slide

  57. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    SMTP AUTH
    Hijacking・Springboard

    View full-size slide

  58. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    SMTP AUTH
    If you passed the ID/Password authentication
    on SMTP, you can send email.
    Mail Server
    RFC2554 (1999) → RFC4954 (2007)
    Hijacking・Springboard

    View full-size slide

  59. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    OP25B
    Hijacking・Springboard

    View full-size slide

  60. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    OP25B
    •If you passed the ID/Password authentication on
    SMTP(Port 587 ), you can send email.
    •ISP blocks Port 25 from customer.
    Mail Server
    Hijacking・Springboard

    View full-size slide

  61. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Multi Factor Authentication
    Hijacking・Springboard

    View full-size slide

  62. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Multi Factor Authentication
    If the multiple combinations of authentication, such
    as SMTP AUTH, device auth, biometric auth, are
    passed, you can send an email.
    Mail Server
    Device auth
    + Face auth
    OK
    Hijacking・Springboard

    View full-size slide

  63. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    デモ
    We made it!
    注目
    Hijacking・Springboard

    View full-size slide

  64. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Demo
    Mail Server
    Device Auth
    + Face Auth
    OK
    Hijacking・Springboard

    View full-size slide

  65. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Device + Face authentication
    Sender
    MUA
    Packet
    Hijacking・Springboard

    View full-size slide

  66. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    多要素認証
    SMTP Biometric Auth Service
    Looking for β users!
    注目
    Spoofing・Tampering

    View full-size slide

  67. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Protect from Hijacking・Springboard
    (Summary)
    •POP before SMTP
    •SMTP AUTH
    •OP25B
    •Multi Factor Authentication
    Hijacking・Springboard

    View full-size slide

  68. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    What you want to protect from
    •Spoofing・Tampering
    •Hijacking・Springboard
    •Eavesdropping
    •Spam・Malware・Phishing
    •Leakage
    Eavesdroppin

    View full-size slide

  69. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Eavesdropping
    Protect From
    Eavesdroppin

    View full-size slide

  70. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Protect from Eavesdropping
    クオリティア
    Mail
    Server
    Mail
    Server
    Eavesdropping
    Tampering
    Stealing
    Eavesdroppin

    View full-size slide

  71. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Encrypted ZIP
    Eavesdroppin

    View full-size slide

  72. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Encrypted ZIP
    クオリティア
    Mail
    Server
    Mail
    Server
    Eavesdropping
    Tampering
    Stealing
    Password
    Eavesdroppin

    View full-size slide

  73. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    STARTTLS
    Eavesdroppin

    View full-size slide

  74. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    STARTTLS
    クオリティア
    Mail
    Server
    Mail
    Server
    Eavesdropping
    Tampering
    Encrypt the line between mail servers
    Eavesdroppin

    View full-size slide

  75. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    But!
    Eavesdroppin

    View full-size slide

  76. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Unsupported STARTTLS
    クオリティア
    Mail
    Server
    Mail
    Server2
    Eavesdropping
    Tampering
    If the server or client does not
    support STARTTLS, the client will
    send emails by plain text
    opportunistically.
    Mail
    Server1
    Eavesdroppin

    View full-size slide

  77. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    When the network routing is hijacked
    クオリティア
    Mail
    Server
    Mail
    Server
    Encryption is meaningless.
    Mail
    Server
    ARP
    BGP
    ・・・
    Eavesdroppin

    View full-size slide

  78. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    MTA-STS
    Eavesdroppin

    View full-size slide

  79. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    MTA-STS
    •Force to use STARTTLS
    •Force to use TLS1.2 or more
    •Enforce that server has a valid certification
    •RFC8461 (Sep. 2018)
    Eavesdroppin

    View full-size slide

  80. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    When there is MTA-STS
    クオリティア
    Mail
    Server
    Mail
    Server
    Client does not send,
    if encryption is not supported
    _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;"
    version: STSv1
    mode: enforce
    mx: mx1.qualitia.co.jp
    max_age: 1296000
    https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt
    =Not Stealed
    Eavesdroppin
    Policy

    View full-size slide

  81. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    But!
    If the client did not send it
    we want to know it
    Eavesdroppin

    View full-size slide

  82. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    TLS-RPT
    Eavesdroppin

    View full-size slide

  83. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    When there is TLS-RPT
    クオリティア
    Mail
    Server
    Mail
    Server
    Send a report,
    if the encryption is not supported
    RFC8460 (Sep. 2018)
    _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;"
    version: STSv1
    mode: enforce
    mx: mx1.qualitia.co.jp
    max_age: 1296000
    https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt
    _smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=mailto:[email protected]"
    Eavesdroppin

    View full-size slide

  84. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Be careful!
    クオリティア
    Mail
    Server
    Mail
    Server
    _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;"
    version: STSv1
    mode: enforce
    mx: mx1.qualitia.co.jp
    max_age: 1296000
    https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt
    _smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=mailto:[email protected]"
    Server does not support TLS,
    so that client cannot send a report
    encryption
    Eavesdroppin

    View full-size slide

  85. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Report Using HTTPS
    クオリティア
    Mail
    Server
    Mail
    Server
    _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;"
    version: STSv1
    mode: enforce
    mx: mx1.qualitia.co.jp
    max_age: 1296000
    https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt
    _smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=https://api.qualitia.co.jp/v1/tlsrpt"
    HTTPS is also available
    https://api.qualitia.co.jp.jp/v1/tlsrpt
    POST
    Eavesdroppin

    View full-size slide

  86. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    But!
    Eavesdroppin

    View full-size slide

  87. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DNS Hijacking
    クオリティア
    Mail
    Server
    Mail
    Server
    Disable MTA-STS
    Mail
    Server
    DNS
    Eavesdroppin

    View full-size slide

  88. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Compromised CA
    クオリティア
    Mail
    Server
    Mail
    Server
    Mail
    Server
    ARP
    BGP
    ・・・
    Certificate Authority (CA)
    署名
    qualitia.co.jp
    qualitia.co.jp
    Sign
    Compromised CA
    Everything seems fine
    for sender
    Trust
    Eavesdroppin

    View full-size slide

  89. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DANE
    Eavesdroppin

    View full-size slide

  90. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DANE
    •Do not use Certificate authority(CA)
    •You can use if you want
    •Self-signed certificate is available
    •Use DNSSEC
    •RFC7672 (Oct. 2015)
    Eavesdroppin

    View full-size slide

  91. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    DANE
    クオリティア
    Mail
    Server
    Mail
    Server
    Use DNS Trust chain instead of CA
    DNSSEC
    Certificate Authority(CA)
    No Need
    ルートDNS
    DNSSEC
    Trust
    Eavesdroppin
    _25._tcp.mx1.qualitia.co.jp. IN TLSA 3 0 1 2B73BB905F…"
    mx1.qualitia.co.jp

    View full-size slide

  92. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    But!
    Settings and Operations are not easy
    Eavesdroppin

    View full-size slide

  93. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Operation of MTA-STS, TLS-RPT, DANE
    •Operating DNSSEC is not easy
    •We cannot use DNSSEC easily (in Japan)
    •Do not want to Key-Rotate
    •Do not want to analyze the report
    Authoritative DNSSEC Service
    for Mail User
    We are now developing!
    注目
    Eavesdroppin

    View full-size slide

  94. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Protect from Eavesdropping (Summary)
    •Encrypted ZIP
    •STARTTLS
    •MTA-STS
    •TLS-RPT
    •DANE-TLS
    •DNSSEC
    •DANE-S/MIME
    Eavesdroppin

    View full-size slide

  95. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    What you want to protect from
    •Spoofing・Tampering
    •Hijacking・Springboard
    •Eavesdropping
    •Spam・Malware・Phishing
    •Leakage
    Spam・Malware・Phishing

    View full-size slide

  96. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Spam, Malware, Phishing
    Protect from
    Spam・Malware・Phishing

    View full-size slide

  97. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Protect from Spam, Malware
    Mail
    Server
    Mail
    Server
    Spoofing
    Spam
    Malware
    Phishing
    Spam・Malware・Phishing

    View full-size slide

  98. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Security for received emails
    •Spam Filtering
    •Virus Filtering
    Spam・Malware・Phishing

    View full-size slide

  99. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    But!
    Virus file is also encrypted!
    Spam・Malware・Phishing
    Virus scanners cannot detect the virus!

    View full-size slide

  100. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Decode by Password to Detect Virus
    Decode by Password
    Virus Check
    Check in Sandbox
    You can download
    if the file is safe
    注目
    Spam・Malware・Phishing

    View full-size slide

  101. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    What you want to protect from
    •Spoofing・Tampering
    •Hijacking・Springboard
    •Eavesdropping
    •Spam・Malware・Phishing
    •Leakage
    Leakage

    View full-size slide

  102. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Leakage
    Protect from
    Leakage

    View full-size slide

  103. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Mail Missending Prevention
    •Holding Email for a while
    •To, Cc → Bcc Transformation
    •Password protected ZIP
    Leakage

    View full-size slide

  104. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Web Downloading
    クオリティア
    Mail
    Server
    Mail
    Server
    Separate
    Attachment
    File
    注目
    Leakage

    View full-size slide

  105. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    EMAILを守るための技術
    •Spoofing・Tampering
    •Hijacking・Springboard
    •Eavesdropping
    •Spam・Malware・Phishing
    •Leakage
    SPF DKIM DMARC ARC BIMI
    POP before SMTP SMTP AUTH MFA
    STARTTLS MTA-STS TLS-RPT DANE DNSSEC
    AntiSPAM AntiVirus SandBox Active! zone
    Holding Passworded ZIP Web Downloading Active! gate

    View full-size slide

  106. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Introduced Products, Services
    •Web Mail for BIMI
    •DKIM signing Service
    •SMTP Bio Auth Product, Service
    •Authoritative DNSSEC + Mail Setting Service
    •TLS Report Analysis Service
    •Virus Checking for Passworded Files Product
    •Attachment Separation for Mail Missending Prevention
    βユーザ募集!

    View full-size slide

  107. Copyright© QUALITIA CO., LTD. All Rights Reserved.
    Thank you
    Thank you

    View full-size slide