Slide 1

Email Security Trail Map ~A World beyond DMARC~
QUALITIA CO., LTD
HIRANO Yoshitaka
Copyright© QUALITIA CO., LTD. All Rights Reserved.

Slide 2

Our Company
Name: Qualitia CO., LTD
HQ: 3-11-10 Nihombashi-Kayabacho, Chuo-ku, Tokyo
Capital: 85M yen
Since: Oct. 1993
CEO: Ken Matsuda
⚫ Development and Sales of Messaging Related Solutions
⚫ Supporting Efficient Communication and Security Enhancement
⚫ Providing Messaging Related Cloud Services and Software
Create the Future of "Communication" and "Security" with our Customers and Partners
QUALITY MAKES FUTURE

Slide 3

Self Introduction
Name: HIRANO Yoshitaka
Belongs to: QUALITIA Co., Ltd, Chief Engineer
Cert.: Licensed Scrum Master, Certified Scrum Developer
Activities: M3AAWG, JPAAWG, IA Japan Anti-Spam Mail Countermeasures Committee (迷惑Mail対策委員会), Anti-Spam mail Promotion Council (ASPC), Message Research Institute, Audax Randonneurs Nihonbashi

Slide 4

Our Team
We are researching and developing new features.
Be our friend! Twitter account →

Slide 5

Email Security? Where is the goal?

Slide 6

Technologies for Email Security
SPF, DKIM, Misdelivery Prevention, Sanitize, Password ZIP, Anti Phishing, Anti SPAM, DNSSEC, SMTP AUTH, DANE, MTA-STS, STARTTLS, BIMI, ARC, DMARC, TLS-RPT, Anti Virus, Virus Filter, Sandbox, Anshin Mark
So many things!! I cannot understand.

Slide 7

What do you want to protect, from what?

Slide 8

What we protect from
(figure: QUALITIA mail server and other mail servers)
Threats: spoofing, hijacking, eavesdropping, tampering, stealing, leakage, malware, phishing

Slide 9

What you want to protect from
• Spoofing, Tampering
• Account Hijacking, Springboard (a hijacked account or server used as a relay for further attacks)
• Eavesdropping
• Spam, Malware, Phishing
• Leakage

Slide 10

Protect from Spoofing, Tampering

Slide 11

Protect from Spoofing, Tampering
(figure: QUALITIA mail server and other mail servers; spoofing, tampering)

Slide 12

Protect from Spoofing・Tampering
• SPF
• DKIM
• DMARC
• ARC
• BIMI

Slide 13

When there is no SPF
Legitimate server: 192.0.2.1 (QUALITIA). Attacker's server: 203.0.113.1.
Mail sent from 203.0.113.1:
Env From: [email protected]
From: [email protected]
Subject: Please transfer money
Hi! I'm Taro @ QUALITIA. ・・・・
Recipient: "OK, I transfer! Click!" ×
Spoofing・Tampering

Slide 14

When there is SPF
Mail sent from 192.0.2.1 (QUALITIA's server):
Env From: [email protected]
From: [email protected]
Subject: Please transfer money
AR (Authentication-Results): spf=pass
Hi! I'm Taro @ QUALITIA. ・・・・
qualitia.co.jp TXT "v=spf1 ip4:192.0.2.1 -all"
The receiver checks the source IP against the SPF record of the Envelope From domain.
Recipient: "○ OK, this is right. Transfer!"
Spoofing・Tampering

Slide 15

When there is SPF
Mail sent from 203.0.113.1 (attacker's server):
Env From: [email protected]
From: [email protected]
Subject: Please transfer money
AR: spf=fail
Hi! I'm Taro @ QUALITIA. ・・・・
qualitia.co.jp TXT "v=spf1 ip4:192.0.2.1 -all"
Recipient: "Hmm, it looks fake" ×
Spoofing・Tampering

Slide 16

But!
Spoofing・Tampering

Slide 17

Even if there is SPF
Mail sent from 203.0.113.1, with the Envelope From set to the attacker's own badgroup domain:
Env From: [email protected]
From: [email protected]
Subject: Please transfer money
AR: spf=none (badgroup.example publishes no SPF record)
Hi! I'm Taro @ QUALITIA. ・・・・
qualitia.co.jp TXT "v=spf1 ip4:192.0.2.1 -all" (never consulted: SPF looks at the Envelope From domain, not the Header From)
Recipient: "OK, I transfer! Click!"
Spoofing・Tampering

Slide 18

Even if there is SPF: authenticated by badgroup's own SPF
Mail sent from 203.0.113.1:
Env From: [email protected] (badgroup.example)
From: [email protected] (qualitia.co.jp)
Subject: Please transfer money
AR: spf=pass
Hi! I'm Taro @ QUALITIA. ・・・・
badgroup.example TXT "v=spf1 ip4:203.0.113.1 -all"
qualitia.co.jp TXT "v=spf1 ip4:192.0.2.1 -all"
Recipient: "OK, I transfer! Click!"
Spoofing・Tampering

Slide 19

SPF
• Verifies whether the pair (Envelope From domain, source IP address) is allowed by the record the domain publishes
• RFC4408 (2006/04), since replaced by RFC7208 (2014/04)
• Source IP ↔ Envelope From is verified, but Envelope From = Header From? SPF never checks that.
Spoofing・Tampering

Slide 20

DKIM
Spoofing・Tampering

Slide 21

When there is no DKIM
From: [email protected]
Subject: Please transfer money
AR: dkim=none
Hi! I'm Taro @ QUALITIA. ・・・・
Recipient: "OK, I transfer! Click!"
Spoofing・Tampering

Slide 22

When there is DKIM: send with signature
DKIM-Signature: v=1; d=qualitia.co.jp; s=s1; h=From:Subject; b=abcdef・・・・
From: [email protected]
Subject: Please transfer money
Hi! I'm Taro @ QUALITIA. ・・・・
The sender hashes the signed headers and the body and signs the hash with its private key.
The public key is published in DNS: s1._domainkey.qualitia.co.jp TXT "v=DKIM1; p=ABCDEF..."
Spoofing・Tampering

Slide 23

When there is DKIM: verify
DKIM-Signature: v=1; d=qualitia.co.jp; s=s1; h=From:Subject; b=abcdef・・・・
From: [email protected]
Subject: Please transfer money
AR: dkim=pass
Hi! I'm Taro @ QUALITIA. ・・・・
The receiver fetches the public key from s1._domainkey.qualitia.co.jp TXT "v=DKIM1; p=ABCDEF...", recomputes the hash and verifies the signature with it. ○
Recipient: "OK, it's trustworthy. Transfer, click!"
Spoofing・Tampering

Slide 24

When there is DKIM: the attacker cannot sign without the private key!
DKIM-Signature: v=1; d=qualitia.co.jp; h=From:Subject; b=abcdef・・・・
From: [email protected]
Subject: Please transfer money
Hi! I'm Taro @ QUALITIA. ・・・・
A signature for d=qualitia.co.jp can only be produced with QUALITIA's private key. ×
Spoofing・Tampering

Slide 25

When there is DKIM: tamper with the signed message
DKIM-Signature: v=1; d=qualitia.co.jp; s=s1; h=From:Subject; b=abcdef・・・・
From: [email protected]
Subject: Please transfer money to thief
Hi! I'm Taro @ QUALITIA. ・・・・
The Subject is changed in transit; the signature (which covers From and Subject) is left as it was.
Public key: s1._domainkey.qualitia.co.jp TXT "v=DKIM1; p=ABCDEF..."
Spoofing・Tampering

Slide 26

When there is DKIM: tampering is detected
DKIM-Signature: v=1; d=qualitia.co.jp; s=s1; h=From:Subject; b=abcdef・・・・
From: [email protected]
Subject: Please transfer money to thief
AR: dkim=fail
Hi! I'm Taro @ QUALITIA. ・・・・
The receiver recomputes the hash over the modified headers and the signature no longer verifies with the public key from s1._domainkey.qualitia.co.jp. ×
Recipient: "Hmm, this might be tampered with?"
Spoofing・Tampering

Slide 27

But!
Spoofing・Tampering

Slide 28

Even if there is DKIM: send without a signature
From: [email protected]
Subject: Please transfer money
AR: dkim=none
Hi! I'm Taro @ QUALITIA. ・・・・
The attacker simply omits the DKIM-Signature. The public key at s1._domainkey.qualitia.co.jp is never consulted, so this is the same as when there is no DKIM.
Recipient: "OK, transfer! Click!"
Spoofing・Tampering

Slide 29

By any chance?
From: [email protected]
Subject: Please transfer money
AR: dkim=none
Hi! I'm Taro @ QUALITIA. ・・・・
Recipient: "Ehh? QUALITIA usually signs with DKIM, right?"
Without a published policy, the receiver has no way to know that a signature was expected; this is the same as when there is no DKIM.
Spoofing・Tampering

Slide 30

Even if there is DKIM: sign as badgroup!
DKIM-Signature: v=1; d=badgroup.example; s=aku; h=From:Subject; b=abcdef・・・・
From: [email protected]
Subject: Please transfer money
Hi! I'm Taro @ QUALITIA. ・・・・
The attacker signs the hash with badgroup's own private key and publishes the matching public key at aku._domainkey.badgroup.example TXT "v=DKIM1; p=ABCDEF..."
Spoofing・Tampering

Slide 31

Even if there is DKIM: the badgroup signature verifies
DKIM-Signature: v=1; d=badgroup.example; s=aku; h=From:Subject; b=abcdef・・・・
From: [email protected]
Subject: Please transfer money
AR: dkim=pass
Hi! I'm Taro @ QUALITIA. ・・・・
The receiver verifies the signature with badgroup's public key from aku._domainkey.badgroup.example TXT "v=DKIM1; p=ABCDEF..." ○ (the signing domain d= is badgroup.example, not the Header From domain)
Recipient: "OK, transfer!"
Spoofing・Tampering

Slide 32

DKIM
• Signs selected headers and the body so that tampering can be detected
• RFC6376 (Sep. 2011)
Spoofing・Tampering

Slide 33

Problem of SPF, DKIM
• SPF: a third party can put its own domain in the Envelope From; SPF then passes even though the Header From is spoofed
• DKIM: a third party can sign with its own domain (d=); DKIM then passes even though the Header From is spoofed
Neither SPF nor DKIM ties the verified domain to the Header From that the user actually sees.
Spoofing・Tampering

Slide 34

DMARC
Spoofing・Tampering

Slide 35

DMARC
• Verifies based on the Header From domain
• The Envelope From domain (SPF) and the DKIM signer domain (d=) are compared with the Header From domain ("identifier alignment")
• DMARC passes if at least one of them is aligned and its check passes; the domain owner publishes the policy (p=none / quarantine / reject) at _dmarc.<domain>
• RFC7489 (Mar. 2015)
Spoofing・Tampering

Slide 36

SPF for badgroup (DMARC p=none)
Mail sent from 203.0.113.1:
Env From: [email protected] (badgroup.example)
From: [email protected] (qualitia.co.jp)
Subject: Please transfer money
AR: spf=pass, dmarc=fail
Hi! I'm Taro @ QUALITIA. ・・・・
badgroup.example TXT "v=spf1 ip4:203.0.113.1 -all"
_dmarc.qualitia.co.jp TXT "v=DMARC1; p=none"
Receiver: "Oh, DMARC fails." SPF passed only for badgroup.example, which is not aligned with the Header From domain. With p=none the message is still delivered; the failure is only reported to the domain owner. ×
Spoofing・Tampering

Slide 37

SPF for badgroup (DMARC p=reject)
Mail sent from 203.0.113.1:
Env From: [email protected] (badgroup.example)
From: [email protected] (qualitia.co.jp)
Subject: Please transfer money
AR: spf=pass, dmarc=fail
Hi! I'm Taro @ QUALITIA. ・・・・
badgroup.example TXT "v=spf1 ip4:203.0.113.1 -all"
_dmarc.qualitia.co.jp TXT "v=DMARC1; p=reject"
Receiver: × Reject! (SPF is not aligned, there is no aligned DKIM signature, and the policy says reject)
Spoofing・Tampering

Slide 38

DKIM signature for badgroup (DMARC p=reject)
DKIM-Signature: v=1; d=badgroup.example; s=aku; h=From:Subject; b=abcdef・・・・
From: [email protected]
Subject: Please transfer money
AR: dkim=pass, dmarc=fail
Hi! I'm Taro @ QUALITIA. ・・・・
The signature verifies with badgroup's public key from aku._domainkey.badgroup.example TXT "v=DKIM1; p=ABCDEF...", but d=badgroup.example is not aligned with the Header From domain. ×
_dmarc.qualitia.co.jp TXT "v=DMARC1; p=reject"
Receiver: × Reject!
Spoofing・Tampering
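The SPF and DMARC scenarios on the slides above (slides 13 to 19 and 35 to 38), as an added example that is not part of the original deck: a simplified SPF evaluator (only the ip4 and all mechanisms) plus DMARC identifier alignment and policy lookup. The DNS records are the ones printed on the slides, embedded in an in-memory table so that the code runs offline; the organizational-domain rule is a deliberately simplified stand-in for the Public Suffix List, and the monitored.example p=none record is a constructed addition to show the p=none case of slide 36.

```python
"""Added example: simplified SPF check + DMARC alignment (RFC 7208 / RFC 7489).
Only 'ip4' and 'all' SPF mechanisms are implemented; other mechanisms are ignored."""
import ipaddress

# Constructed in-memory DNS table standing in for real TXT lookups.
# The qualitia.co.jp / badgroup.example records are the ones on the slides;
# monitored.example is an added p=none domain for illustration.
DNS_TXT = {
    "qualitia.co.jp": "v=spf1 ip4:192.0.2.1 -all",
    "badgroup.example": "v=spf1 ip4:203.0.113.1 -all",
    "_dmarc.qualitia.co.jp": "v=DMARC1; p=reject",
    "_dmarc.monitored.example": "v=DMARC1; p=none",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(source_ip, envelope_from_domain, dns=DNS_TXT):
    """Return an SPF result: 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    record = dns.get(envelope_from_domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                      # no SPF record published
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qual]
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"                       # no mechanism matched, no 'all'


def org_domain(domain):
    """Simplified organizational domain (assumption: last two labels, or three
    for second-level suffixes such as co.jp). Real code must use the PSL."""
    labels = domain.lower().split(".")
    second_level = len(labels) >= 3 and labels[-2] in ("co", "ne", "or", "ac") and len(labels[-1]) == 2
    return ".".join(labels[-3:] if second_level else labels[-2:])


def aligned(header_from_domain, auth_domain, mode="r"):
    """DMARC identifier alignment: strict ('s') = exact, relaxed ('r') = same org domain."""
    if mode == "s":
        return header_from_domain.lower() == auth_domain.lower()
    return org_domain(header_from_domain) == org_domain(auth_domain)


def dmarc_evaluate(header_from_domain, spf_result, envelope_from_domain, dkim_results, dns=DNS_TXT):
    """dkim_results: list of (d= domain, dkim result). Returns (dmarc_result, disposition)."""
    policy = dns.get("_dmarc." + header_from_domain.lower()) or dns.get("_dmarc." + org_domain(header_from_domain))
    if policy is None:
        return "none", "deliver"           # no DMARC policy: nothing to enforce
    tags = dict(t.strip().split("=", 1) for t in policy.split(";") if "=" in t)
    spf_ok = spf_result == "pass" and aligned(header_from_domain, envelope_from_domain, tags.get("aspf", "r"))
    dkim_ok = any(r == "pass" and aligned(header_from_domain, d, tags.get("adkim", "r")) for d, r in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "deliver"           # one aligned passing identifier is enough
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p", "none"), "deliver")
    return "fail", disposition


if __name__ == "__main__":
    # Slide 18: SPF passes for the attacker's own domain ...
    print(spf_check("203.0.113.1", "badgroup.example"))
    # ... but DMARC for the Header From domain rejects it (slide 37).
    print(dmarc_evaluate("qualitia.co.jp", "pass", "badgroup.example", []))
```

The disposition for p=none is "deliver": the receiver only reports the failure, which is exactly the gap between slide 36 and slide 37.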

Slide 39

But!
Spoofing・Tampering

Slide 40

DKIM + Mailing List
DKIM-Signature: v=1; d=qualitia.co.jp; s=s1; h=From:Subject; b=abcdef・・・・
From: [email protected]
Subject: [○○ML:1234] Hi! All
AR: dkim=fail
Hi! Long time no see! ・・・・
The mailing list rewrote the Subject (it added the [○○ML:1234] tag), and Subject is covered by the signature, so verification with the public key from s1._domainkey.qualitia.co.jp fails. ×
Recipient: "Hmm, can I trust this?"
Spoofing・Tampering

Slide 41

ARC
Spoofing・Tampering

Slide 42

When there is ARC
The mailing list server ml.example.jp verifies the message on arrival and records what it saw, then seals it with its own key:
ARC-Seal: i=1; cv=none; d=ml.example.jp; ...
ARC-Message-Signature: i=1; d=ml.example.jp; h=from:subject:dkim-signature:...
ARC-Authentication-Results: i=1; ml.example.jp; dkim=pass; spf=pass; dmarc=pass
Original headers:
DKIM-Signature: v=1; d=qualitia.co.jp; b=abcdef・・・・
From: [email protected]
Subject: [○○ML:1234] Hi! All
Hi! Long time no see! ・・・・
Final receiver: AR: dkim=fail, arc=pass
"OK, arc=pass" (provided the receiver trusts ml.example.jp as a sealer)
Spoofing・Tampering

Slide 43

ARC
• The Authenticated Received Chain Protocol
• RFC8617 (July 2019)
• An intermediary such as a mailing list server records the authentication results it saw on arrival (e.g. dkim=pass) in an ARC set numbered with an instance (i=1, i=2, ...) and seals it with its own signature. The final receiver can then accept arc=pass even though the original DKIM signature is broken, as long as it trusts the sealing domain.
Spoofing・Tampering
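The chain structure described on the two slides above, as an added example that is not part of the original deck: a structural validator for ARC sets (instance numbers must run 1..N without gaps, the first seal carries cv=none, every later seal carries cv=pass, and each instance needs all three headers). The cryptographic verification of each ARC-Seal and ARC-Message-Signature is deliberately left out; the headers are constructed to match the ml.example.jp hop on the slide, with an added second hop (forwarder.example) to show a longer chain.

```python
"""Added example: structural checks on an ARC chain (RFC 8617), no crypto."""
import re

# Constructed headers: the single hop shown on the slide.
ARC_HEADERS_OK = [
    "ARC-Seal: i=1; cv=none; d=ml.example.jp; s=arc; b=AAAA",
    "ARC-Message-Signature: i=1; d=ml.example.jp; s=arc; h=from:subject:dkim-signature; b=BBBB",
    "ARC-Authentication-Results: i=1; ml.example.jp; dkim=pass; spf=pass; dmarc=pass",
]

# Constructed second hop (forwarder.example is an assumed name) prepended to the first.
ARC_HEADERS_TWO_HOPS = [
    "ARC-Seal: i=2; cv=pass; d=forwarder.example; s=arc; b=CCCC",
    "ARC-Message-Signature: i=2; d=forwarder.example; s=arc; h=from:subject; b=DDDD",
    "ARC-Authentication-Results: i=2; forwarder.example; arc=pass; dkim=fail; spf=pass",
] + ARC_HEADERS_OK

ARC_NAMES = ("arc-seal", "arc-message-signature", "arc-authentication-results")
MAX_ARC_SETS = 50   # RFC 8617: chains longer than 50 instances are invalid


def parse_tags(value):
    """Parse 'tag=value; tag=value' into a dict (first '=' splits tag and value)."""
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)


def arc_sets(headers):
    """Group ARC headers by instance number: {i: {header_name: tags}}."""
    sets = {}
    for h in headers:
        name, _, value = h.partition(":")
        name = name.strip().lower()
        if name not in ARC_NAMES:
            continue
        if name == "arc-authentication-results":
            # Form is 'i=N; authserv-id; result; result...' so only i= and the
            # authserv-id are extracted; the results are kept verbatim.
            m = re.match(r"\s*i=(\d+)\s*;\s*([^;]+)", value)
            if not m:
                raise ValueError("malformed ARC-Authentication-Results: %r" % h)
            i, tags = int(m.group(1)), {"authserv": m.group(2).strip(), "results": value.strip()}
        else:
            tags = parse_tags(value)
            i = int(tags["i"])
        sets.setdefault(i, {})[name] = tags
    return sets


def arc_chain_status(headers):
    """Return ('none' | 'pass' | 'fail', reason) from the chain structure alone."""
    sets = arc_sets(headers)
    if not sets:
        return "none", "no ARC sets"
    if len(sets) > MAX_ARC_SETS:
        return "fail", "more than %d ARC sets" % MAX_ARC_SETS
    for n in range(1, len(sets) + 1):
        s = sets.get(n)
        if s is None or len(s) != 3:
            return "fail", "instance %d missing or incomplete" % n
        cv = s["arc-seal"].get("cv")
        expected = "none" if n == 1 else "pass"   # cv=fail anywhere invalidates the chain
        if cv != expected:
            return "fail", "instance %d: cv=%s, expected %s" % (n, cv, expected)
    return "pass", "%d sealed hop(s)" % len(sets)


if __name__ == "__main__":
    print(arc_chain_status(ARC_HEADERS_OK))
    print(arc_chain_status(ARC_HEADERS_TWO_HOPS))
```

A "pass" here only means the chain is well-formed; a real verifier must additionally validate every seal's signature and apply a local list of trusted sealers before it overrides a failing DMARC result.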

Slide 44

Operation
Spoofing・Tampering

Slide 45

Recent DKIM Circumstances
• RFC8301: Cryptographic Algorithm and Key Usage Update to DomainKeys Identified Mail (DKIM) (Jan. 2018)
  ・Both signer and verifier MUST use rsa-sha256
  ・Both MUST NOT use rsa-sha1
  ・Sign: 1024 bit or more (MUST), 2048 bit or more (SHOULD)
  ・Verify: 1024 bit to 4096 bit (MUST)
※ But a 2048-bit RSA public key base64-encodes to about 392 characters, longer than the 255 bytes a single TXT character-string can hold, so the record has to be split into several quoted strings (which not every DNS provider's interface allows).
Spoofing・Tampering

Slide 46

Recent DKIM Circumstances
• RFC8463: A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM) (Sep. 2018)
  ・Signer SHOULD implement this
  ・Verifier MUST implement this
  ・Write two signatures, Ed25519-SHA256 and RSA-SHA256 (1024 bit or more), for backward compatibility
Use Ed25519-SHA256: the public key is 32 bytes, so its BASE64 encoding is just 44 characters and fits easily into one DNS TXT string.
Spoofing・Tampering
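The key-size problem from the two slides above, as an added example that is not part of the original deck: building a DKIM key record for DNS (splitting the text into 255-byte quoted strings when it does not fit), parsing such a record back the way a verifier must (concatenating the strings first), and deriving the TXT name to query from a DKIM-Signature header. The key bytes are deterministic stand-ins of the right length (294 bytes, the DER size of a 2048-bit RSA SubjectPublicKeyInfo, and 32 bytes for Ed25519), not real keys.

```python
"""Added example: DKIM key records in DNS TXT (RFC 6376, RFC 8301, RFC 8463)."""
import base64
import re

# Constructed stand-ins with realistic lengths; NOT real keys.
RSA2048_SPKI_STANDIN = bytes(range(256)) + bytes(38)   # 294 bytes like a real 2048-bit SPKI
ED25519_PUBKEY_STANDIN = bytes(range(32))               # 32 raw bytes (RFC 8463 p= form)

TXT_STRING_MAX = 255   # RFC 1035 character-string limit inside one TXT RR


def parse_tags(value):
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)


def dkim_dns_name(dkim_signature_value):
    """Selector and domain from a DKIM-Signature value -> '<s>._domainkey.<d>'."""
    tags = parse_tags(dkim_signature_value)
    return "%s._domainkey.%s" % (tags["s"].strip(), tags["d"].strip())


def build_key_record(public_key_bytes, key_type="rsa"):
    """Zone-file rdata for the key record, split into <=255-byte quoted strings."""
    text = "v=DKIM1; k=%s; p=%s" % (key_type, base64.b64encode(public_key_bytes).decode())
    chunks = [text[i:i + TXT_STRING_MAX] for i in range(0, len(text), TXT_STRING_MAX)]
    return " ".join('"%s"' % c for c in chunks)


def txt_strings(zone_rdata):
    """The individual quoted strings of a TXT rdata."""
    return re.findall(r'"([^"]*)"', zone_rdata)


def parse_key_record(zone_rdata):
    """Concatenate the strings (as verifiers must), then parse the DKIM tags."""
    joined = "".join(txt_strings(zone_rdata))
    tags = parse_tags(joined)
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional but must be DKIM1 if present
        raise ValueError("not a DKIM1 key record")
    if "p" not in tags:
        raise ValueError("missing p= tag")
    key = base64.b64decode(tags["p"]) if tags["p"] else b""   # empty p= means key revoked
    return {
        "k": tags.get("k", "rsa"),
        "key_bytes": len(key),
        "p_len": len(tags["p"]),
        "strings": len(txt_strings(zone_rdata)),
        "revoked": tags["p"] == "",
    }


if __name__ == "__main__":
    print(dkim_dns_name("v=1; d=qualitia.co.jp; s=s1; h=From:Subject; b=abcdef"))
    print(build_key_record(RSA2048_SPKI_STANDIN))
    print(build_key_record(ED25519_PUBKEY_STANDIN, "ed25519"))
```

The RSA record needs two strings; the Ed25519 record fits in one, which is the operational point of the RFC 8463 slide. Publishing a record with an empty p= is the standard way to revoke a selector during key rotation.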

Slide 47

DKIM Key Rotation
• DKIM keys have to be rotated periodically
M3AAWG best practice: https://www.m3aawg.org/sites/default/files/m3aawg-dkim-key-rotation-bp-2019-03.pdf
Spoofing・Tampering

Slide 48

Operation for DKIM
• Follow the latest cryptography
• Key rotation
Too much hassle!!! We are creating a service that DKIM-signs automatically! Coming soon! [Highlight]
Spoofing・Tampering

Slide 49

BIMI
Spoofing・Tampering

Slide 50

BIMI
• Shows the logo specified by the sender in the mailbox, if DMARC passes (the sending domain must have an enforcing DMARC policy, p=quarantine or p=reject, and publish the logo location in a BIMI DNS record)
Show the logo [Highlight]
Spoofing・Tampering

Slide 51

Protect from Spoofing, Tampering (Summary)
• SPF
• DKIM
• DMARC
• ARC
• BIMI
Spoofing・Tampering

Slide 52

What you want to protect from
• Spoofing・Tampering
• Hijacking・Springboard
• Eavesdropping
• Spam・Malware・Phishing
• Leakage
Hijacking・Springboard

Slide 53

Protect from Hijacking・Springboard
Hijacking・Springboard

Slide 54

Protect from Hijacking・Springboard
(figure: QUALITIA mail server and other mail servers; hijacking)
Hijacking・Springboard

Slide 55

POP before SMTP
Hijacking・Springboard

Slide 56

POP before SMTP
After a successful POP3 login, the mail server temporarily allows SMTP relay from the client's IP address. (A legacy method: the permission is tied to an IP address rather than to a session, so anyone sharing that address can relay during the window.)
Hijacking・Springboard

Slide 57

SMTP AUTH
Hijacking・Springboard

Slide 58

SMTP AUTH
If you pass ID/password authentication on the SMTP connection itself, you can send email.
RFC2554 (1999) → RFC4954 (2007)
Hijacking・Springboard

Slide 59

OP25B
Hijacking・Springboard

Slide 60

OP25B (Outbound Port 25 Blocking)
• Customers submit mail on port 587 (submission) and can send only after passing ID/password authentication (SMTP AUTH)
• The ISP blocks outbound port 25 from customer networks, so an infected PC cannot deliver directly to other domains' mail servers
Hijacking・Springboard

Slide 61

Multi Factor Authentication
Hijacking・Springboard

Slide 62

Multi Factor Authentication
You can send an email only if a combination of several authentication factors is passed, such as SMTP AUTH plus device authentication plus biometric authentication.
(figure: Mail Server; Device auth + Face auth OK)
Hijacking・Springboard

Slide 63

Demo
We made it! [Highlight]
Hijacking・Springboard

Slide 64

Demo
(figure: Mail Server; Device Auth + Face Auth OK)
Hijacking・Springboard

Slide 65

Device + Face authentication
(figure: Sender MUA, Packet)
Hijacking・Springboard

Slide 66

Multi-Factor Authentication: SMTP Biometric Auth Service
Looking for β users! [Highlight]
Hijacking・Springboard

Slide 67

Protect from Hijacking・Springboard (Summary)
• POP before SMTP
• SMTP AUTH
• OP25B
• Multi Factor Authentication
Hijacking・Springboard

Slide 68

What you want to protect from
• Spoofing・Tampering
• Hijacking・Springboard
• Eavesdropping
• Spam・Malware・Phishing
• Leakage
Eavesdropping

Slide 69

Protect from Eavesdropping
Eavesdropping

Slide 70

Protect from Eavesdropping
(figure: QUALITIA mail server and other mail servers; eavesdropping, tampering, stealing)
Eavesdropping

Slide 71

Encrypted ZIP
Eavesdropping

Slide 72

Encrypted ZIP
(figure: QUALITIA mail server and other mail servers; eavesdropping, tampering, stealing; password)
The attachment is protected with a password; the headers and the message body still travel unprotected.
Eavesdropping

Slide 73

STARTTLS
Eavesdropping

Slide 74

STARTTLS
(figure: QUALITIA mail server and other mail servers; eavesdropping, tampering)
Encrypts the connection between mail servers, hop by hop (RFC3207, Feb. 2002).
Eavesdropping

Slide 75

But!
Eavesdropping

Slide 76

Unsupported STARTTLS
(figure: QUALITIA mail server, Mail Server 1, Mail Server 2; eavesdropping, tampering)
STARTTLS is opportunistic: if the server or the client does not support it, the client falls back to sending in plain text. An active attacker on the path can also strip the STARTTLS capability from the EHLO response and force that fallback.
Eavesdropping

Slide 77

When the network routing is hijacked
(figure: QUALITIA mail server, attacker's mail server in the path; ARP, BGP, ...)
If the route is hijacked (ARP spoofing, BGP hijack, ...), the attacker can terminate the TLS session with its own certificate, because opportunistic STARTTLS does not validate the server certificate against the MX name. Encryption alone is meaningless here.
Eavesdropping

Slide 78

MTA-STS
Eavesdropping

Slide 79

MTA-STS
• Forces the use of STARTTLS
• Forces TLS 1.2 or later
• Requires that the server presents a valid certificate for the MX host
• RFC8461 (Sep. 2018)
Eavesdropping

Slide 80

When there is MTA-STS
(figure: QUALITIA mail server and sending mail server)
The client does not send if encryption is not available = not stolen.
DNS: _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;"
Policy fetched over HTTPS from https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
mx: mx1.qualitia.co.jp
max_age: 1296000
Eavesdropping
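The records on the slide above, handled the way a sending MTA handles them, as an added example that is not part of the original deck: parsing the _mta-sts TXT record and the policy file, matching a candidate MX host against the policy (including the wildcard form), and turning the result of a connection attempt into a delivery decision. The DNS TXT and policy text are the slide's, embedded as constants; the testing-mode wildcard policy is a constructed addition, and no DNS or HTTPS is performed.

```python
"""Added example: MTA-STS policy parsing and MX matching (RFC 8461)."""

STS_TXT = "v=STSv1; id=20191114123000Z;"          # from the slide
STS_POLICY = """version: STSv1
mode: enforce
mx: mx1.qualitia.co.jp
max_age: 1296000
"""                                                 # from the slide


def parse_sts_txt(txt):
    """Return the policy id, or None if this is not a valid STSv1 record."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        return None
    return tags["id"]


def parse_sts_policy(text):
    """Parse the 'key: value' policy file; 'mx' may repeat. Raises ValueError if invalid."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid version/mode")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy without any mx entry")
    policy["max_age"] = int(policy.get("max_age", 0))   # seconds the sender may cache it
    return policy


def mx_matches(policy, mx_host):
    """Exact match, or '*.example' matching exactly one extra left-most label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                     # ".qualitia.co.jp"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, tls_ok, cert_valid_for_mx):
    """'send', 'send-and-report' (testing) or 'refuse' (enforce) for one attempt."""
    if mx_matches(policy, mx_host) and tls_ok and cert_valid_for_mx:
        return "send"
    if policy["mode"] == "enforce":
        return "refuse"            # never fall back to cleartext or an unlisted MX
    return "send-and-report"       # testing/none: deliver anyway, report via TLS-RPT


if __name__ == "__main__":
    policy = parse_sts_policy(STS_POLICY)
    print(parse_sts_txt(STS_TXT), policy)
    print(delivery_decision(policy, "mx1.qualitia.co.jp", tls_ok=False, cert_valid_for_mx=False))
```

A sender compares the id in the TXT record with the id of its cached policy and only re-fetches the HTTPS policy when it changes; the cached copy stays valid for max_age seconds, which is what limits the damage of the DNS hijacking scenario later in the deck.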

Slide 81

But! If the client did not send, we want to know about it.
Eavesdropping

Slide 82

TLS-RPT
Eavesdropping

Slide 83

When there is TLS-RPT
(figure: QUALITIA mail server and sending mail server)
The sender sends a report if encryption could not be established. RFC8460 (Sep. 2018)
DNS: _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;"
Policy at https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
mx: mx1.qualitia.co.jp
max_age: 1296000
Reporting address: _smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=mailto:[email protected]"
Eavesdropping

Slide 84

Be careful!
(figure: QUALITIA mail server and sending mail server)
DNS: _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;"
Policy at https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
mx: mx1.qualitia.co.jp
max_age: 1296000
_smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=mailto:[email protected]"
If the report goes by mail to the same domain and that domain's server does not support TLS, the client cannot deliver the report about the failed encryption either.
Eavesdropping

Slide 85

Report Using HTTPS
(figure: QUALITIA mail server and sending mail server)
DNS: _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;"
Policy at https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
mx: mx1.qualitia.co.jp
max_age: 1296000
_smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=https://api.qualitia.co.jp/v1/tlsrpt"
HTTPS is also available: the sender POSTs the report to https://api.qualitia.co.jp/v1/tlsrpt, independently of mail delivery.
Eavesdropping
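What arrives at the rua= address on the three slides above, as an added example that is not part of the original deck: a summariser for a TLS-RPT aggregate report in the RFC 8460 JSON format, grouping failures by result-type, cross-checking the per-failure counts against the summary, and flagging policies whose failure ratio is worth a look. The report below is constructed for illustration; the organization name, contact address and counts are made up.

```python
"""Added example: summarising a TLS-RPT aggregate report (RFC 8460 JSON)."""
import json
from collections import Counter

# Constructed sample report about the slide's domain; values are illustrative.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Sender Example Inc.",
    "date-range": {"start-datetime": "2019-11-14T00:00:00Z", "end-datetime": "2019-11-15T00:00:00Z"},
    "contact-info": "tlsrpt@sender.example",
    "report-id": "2019-11-14T00:00:00Z_qualitia.co.jp",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-string": ["version: STSv1", "mode: enforce", "mx: mx1.qualitia.co.jp", "max_age: 1296000"],
            "policy-domain": "qualitia.co.jp",
            "mx-host": ["mx1.qualitia.co.jp"],
        },
        "summary": {"total-successful-session-count": 5320, "total-failure-session-count": 12},
        "failure-details": [
            {"result-type": "starttls-not-supported", "sending-mta-ip": "198.51.100.7",
             "receiving-mx-hostname": "mx1.qualitia.co.jp", "failed-session-count": 9},
            {"result-type": "certificate-expired", "sending-mta-ip": "198.51.100.8",
             "receiving-mx-hostname": "mx1.qualitia.co.jp", "failed-session-count": 3},
        ],
    }],
})


def summarize_tlsrpt(report_json):
    """Per-policy totals plus failure counts grouped by result-type."""
    report = json.loads(report_json)
    out = {"report_id": report["report-id"], "reporter": report["organization-name"], "policies": []}
    for entry in report["policies"]:
        pol, summ = entry["policy"], entry["summary"]
        by_type = Counter()
        for f in entry.get("failure-details", []):
            by_type[f["result-type"]] += int(f.get("failed-session-count", 0))
        failed = int(summ["total-failure-session-count"])
        out["policies"].append({
            "domain": pol["policy-domain"],
            "type": pol["policy-type"],              # 'sts', 'tlsa' or 'no-policy-found'
            "ok": int(summ["total-successful-session-count"]),
            "failed": failed,
            "by_type": dict(by_type),
            # detail rows should add up to the summary; a mismatch means a broken reporter
            "consistent": sum(by_type.values()) == failed,
        })
    return out


def needs_attention(summary, threshold=0.0):
    """(domain, failure ratio, failures by type) for policies above the threshold, worst first."""
    flagged = []
    for p in summary["policies"]:
        total = p["ok"] + p["failed"]
        ratio = p["failed"] / total if total else 0.0
        if ratio > threshold:
            flagged.append((p["domain"], round(ratio, 4), p["by_type"]))
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    s = summarize_tlsrpt(SAMPLE_REPORT)
    print(s["reporter"], s["policies"])
    print(needs_attention(s))
```

In a real deployment the report body is gzip-compressed (and base64-encoded when it travels by mail); decompress it first, then feed the JSON to summarize_tlsrpt. A starttls-not-supported count against your own MX is the first thing to investigate, since under mode: enforce those sessions were refused rather than delivered.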

Slide 86

But!
Eavesdropping

Slide 87

DNS Hijacking
(figure: QUALITIA mail server, sending mail server, attacker's mail server, DNS)
If the attacker controls the DNS answers the sender sees, it can hide the _mta-sts record and so disable MTA-STS for any sender that has not yet cached the policy. A sender that already holds a cached policy keeps enforcing it until max_age expires.
Eavesdropping

Slide 88

Compromised CA
(figure: QUALITIA mail server, sending mail server, attacker's mail server in the path; ARP, BGP, ...)
An attacker who hijacks the route and holds a certificate for qualitia.co.jp signed by a compromised Certificate Authority (CA) presents a certificate that validates normally. The sender trusts the CA, so everything seems fine to the sender.
Eavesdropping

Slide 89

DANE
Eavesdropping

Slide 90

DANE
• Does not depend on a Certificate Authority (CA)
• You can still use a CA-issued certificate if you want
• Self-signed certificates can be used (the TLSA record pins the certificate or its public key)
• Requires DNSSEC: the TLSA record is only trusted when it is DNSSEC-validated
• RFC7672 (Oct. 2015)
Eavesdropping

Slide 91

DANE
(figure: QUALITIA mail server and sending mail server; root DNS, DNSSEC trust chain)
Uses the DNSSEC trust chain, from the root DNS down to the zone, instead of a CA. Certificate Authority (CA): no need.
_25._tcp.mx1.qualitia.co.jp. IN TLSA 3 0 1 2B73BB905F…
(usage 3 = DANE-EE, selector 0 = full certificate, matching type 1 = SHA-256) for mx1.qualitia.co.jp
Eavesdropping
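The TLSA record on the slide above, generated and checked in code, as an added example that is not part of the original deck: computing the certificate association data for the usage/selector/matching-type combinations, printing the record in the presentation format the slide uses, and matching a presented certificate against a DANE-EE (usage 3) record. The certificate bytes are a constructed stand-in; with a real certificate you would pass its DER encoding (selector 0) or the DER of its SubjectPublicKeyInfo (selector 1).

```python
"""Added example: building and matching TLSA records (RFC 6698 / RFC 7672)."""
import hashlib

# Constructed stand-in for a DER-encoded certificate; NOT a real certificate.
FAKE_CERT_DER = b"\x30\x82" + bytes(range(256)) * 2
# Constructed stand-in for the certificate's SubjectPublicKeyInfo DER.
FAKE_SPKI_DER = b"\x30\x59" + bytes(range(89))


def tlsa_association(selector, matching_type, cert_der, spki_der=None):
    """Certificate association data: selector picks cert (0) or SPKI (1),
    matching type picks raw (0), SHA-256 (1) or SHA-512 (2)."""
    data = cert_der if selector == 0 else spki_der
    if selector not in (0, 1) or data is None:
        raise ValueError("selector 1 needs the SubjectPublicKeyInfo bytes")
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % matching_type)


def tlsa_record(owner_host, usage, selector, mtype, cert_der, spki_der=None, port=25):
    """Zone-file line such as '_25._tcp.mx1.qualitia.co.jp. IN TLSA 3 0 1 <hex>'."""
    assoc = tlsa_association(selector, mtype, cert_der, spki_der)
    return "_%d._tcp.%s. IN TLSA %d %d %d %s" % (port, owner_host, usage, selector, mtype, assoc.hex().upper())


def parse_tlsa(rdata):
    """Parse '3 0 1 ABCD...' into (usage, selector, mtype, association bytes)."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))


def tlsa_matches(rdata, presented_cert_der, presented_spki_der=None):
    """True if the presented end-entity certificate satisfies a DANE-EE (usage 3) record.
    Usage 2 (DANE-TA) would require walking the presented chain; it is not handled here."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is handled in this example")
    return tlsa_association(selector, mtype, presented_cert_der, presented_spki_der) == assoc


if __name__ == "__main__":
    print(tlsa_record("mx1.qualitia.co.jp", 3, 0, 1, FAKE_CERT_DER))
    print(tlsa_record("mx1.qualitia.co.jp", 3, 1, 1, FAKE_CERT_DER, FAKE_SPKI_DER))
```

A "3 1 1" record (SPKI, SHA-256) survives certificate renewal as long as the key pair is kept, which is why it is the usual choice for SMTP; a "3 0 1" record like the slide's must be re-published every time the certificate changes, and the old and new records should overlap during the DNS TTL.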

Slide 92

But! Settings and operations are not easy.
Eavesdropping

Slide 93

Operation of MTA-STS, TLS-RPT, DANE
• Operating DNSSEC is not easy
• We cannot use DNSSEC easily (in Japan)
• Nobody wants to rotate keys
• Nobody wants to analyze the reports
Authoritative DNSSEC Service for Mail Users: we are now developing it! [Highlight]
Eavesdropping

Slide 94

Protect from Eavesdropping (Summary)
• Encrypted ZIP
• STARTTLS
• MTA-STS
• TLS-RPT
• DANE-TLS
• DNSSEC
• DANE-S/MIME
Eavesdropping

Slide 95

What you want to protect from
• Spoofing・Tampering
• Hijacking・Springboard
• Eavesdropping
• Spam・Malware・Phishing
• Leakage
Spam・Malware・Phishing

Slide 96

Protect from Spam, Malware, Phishing
Spam・Malware・Phishing

Slide 97

Protect from Spam, Malware
(figure: mail servers; spoofing, spam, malware, phishing)
Spam・Malware・Phishing

Slide 98

Security for received emails
• Spam Filtering
• Virus Filtering
Spam・Malware・Phishing

Slide 99

But! The virus file is also inside the password-encrypted ZIP!
Virus scanners cannot detect the virus without the password.
Spam・Malware・Phishing

Slide 100

Decrypt with the Password to Detect the Virus
Decrypt with the password → virus check → check in a sandbox → you can download the file if it is safe. [Highlight]
Spam・Malware・Phishing

Slide 101

What you want to protect from
• Spoofing・Tampering
• Hijacking・Springboard
• Eavesdropping
• Spam・Malware・Phishing
• Leakage
Leakage

Slide 102

Protect from Leakage
Leakage

Slide 103

Mail Missending Prevention
• Holding email for a while before it leaves
• To, Cc → Bcc transformation
• Password protected ZIP
Leakage

Slide 104

Web Downloading
(figure: QUALITIA mail server and other mail servers)
The attachment is separated from the mail and fetched by the recipient over the web instead. [Highlight]
Leakage

Slide 105

Technologies for Protecting Email
• Spoofing・Tampering: SPF, DKIM, DMARC, ARC, BIMI
• Hijacking・Springboard: POP before SMTP, SMTP AUTH, MFA
• Eavesdropping: STARTTLS, MTA-STS, TLS-RPT, DANE, DNSSEC
• Spam・Malware・Phishing: AntiSPAM, AntiVirus, SandBox (Active! zone)
• Leakage: Holding, Passworded ZIP, Web Downloading (Active! gate)

Slide 106

Introduced Products, Services
• Web Mail for BIMI
• DKIM signing Service
• SMTP Bio Auth Product, Service
• Authoritative DNSSEC + Mail Setting Service
• TLS Report Analysis Service
• Virus Checking for Passworded Files Product
• Attachment Separation for Mail Missending Prevention
Looking for β users!

Slide 107

Thank you