Chapter 8


Domain Name System (DNS)

a directory lookup service that provides a mapping between the name of a host on the Internet and its numerical address.

Message Handling Services (MHS)

Accepts the message from one user and delivers it to one or more other users, creating a virtual MUA-to-MUA exchange environment.

Administrative Management Domain (ADMD)

an Internet e-mail provider

Message Store (MS)

can be located on a remote server or the same machine as the MUA

base64

encodes data by mapping 6-bit blocks of input to 8-bit blocks of output all of which are printable ASCII characters

DomainKeys Identified Mail (DKIM)

A specification for cryptographically signing e-mail messages, permitting a signing domain to claim responsibility for a message in the mail stream. Message recipients can verify the signature by querying the signer's domain directly to retrieve the appropriate public key, and can thereby confirm that the message was attested to by a party in possession of the private key for the signing domain. Proposed Internet Standard RFC 6376. Has been widely adopted by a range of e-mail providers and Internet Service Providers (ISPs).

Pretty Good Privacy (PGP)

An alternative e-mail security protocol. Has essentially the same functionality as S/MIME. Created by Phil Zimmermann and implemented as a product first released in 1991. It was made available free of charge and became quite popular for personal use. The initial PGP protocol was proprietary and used some encryption algorithms with intellectual property restrictions. There are two significant differences between S/MIME and OpenPGP: key certification and key distribution. SP 800-177 recommends the use of S/MIME rather than PGP because of the greater confidence in the CA system of verifying public keys.

DNS-Based Authentication of Named Entities (DANE)

DANE is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using DNSSEC. It is proposed in RFC 6698 as a way to authenticate TLS client and server entities without a certificate authority (CA). The purpose of DANE is to replace reliance on the security of the CA system with reliance on the security provided by DNSSEC. DANE defines a new DNS record type, TLSA, that can be used for a secure method of authenticating SSL/TLS certificates.

Domain-Based Message Authentication, Reporting, and Conformance (DMARC)

DMARC allows e-mail senders to specify policy on how their mail should be handled, the types of reports that receivers can send back, and the frequency at which those reports should be sent. Is defined in RFC 7489, Domain-based Message Authentication, Reporting, and Conformance, March 2015. Works with SPF and DKIM. DMARC standardizes how e-mail receivers perform e-mail authentication using SPF and DKIM mechanisms. DMARC authentication deals with the From domain in the message header, as defined in RFC 5322. DMARC requires that the From address match (be aligned with) an Authenticated Identifier from DKIM or SPF.

Simple Mail Transfer Protocol (SMTP)

Encapsulates an e-mail message in an envelope and is used to relay the encapsulated messages from source to destination through multiple MTAs. Was originally specified in 1982 as RFC 821. Has undergone several revisions, the most current being RFC 5321 (October 2008). Is a text-based client-server protocol where the client (e-mail sender) contacts the server (next-hop recipient) and issues a set of commands to tell the server about the message to be sent, then sends the message itself. The majority of these commands are ASCII text messages sent by the client and a resulting return code returned by the server.

Multipurpose Internet Mail Extensions (MIME)

Extension to the RFC 5322 framework. RFCs 2045 through 2049 define MIME. The MIME specification includes the following elements:
• Five new message header fields are defined, which may be included in an RFC 5322 header, providing information about the body of the message
• A number of content formats are defined, thus standardizing representations that support multimedia electronic mail
• Transfer encodings are defined that enable the conversion of any content format into a form that is protected from alteration by the mail system

DNS Security Extension (DNSSEC)

Provides end-to-end protection through the use of digital signatures that are created by responding zone administrators and verified by a recipient's resolver software. Avoids the need to trust intermediate name servers and resolvers that cache or route the DNS records originating from the responding zone administrator before they reach the source of the query. Consists of a set of new resource record types and modifications to the existing DNS protocol.

Sender Policy Framework (SPF)

SPF is the standardized way for a sending domain to identify and assert the mail senders for a given domain. Addresses the problem of any host being able to use any domain name for each of the various identifiers in the mail header, not just the domain name where the host is located. Defined in RFC 7208. SPF works by checking a sender's IP address against the policy encoded in any SPF record found at the sending domain.

Session Key

A logical connection that is established when two end systems wish to communicate

STARTTLS

An SMTP security extension that provides authentication, integrity, non-repudiation (via digital signatures) and confidentiality (via encryption) for the entire SMTP message by running SMTP over TLS.

Mail Submission Agent (MSA)

Accepts the message submitted by an MUA and enforces the policies of the hosting domain and the requirements of Internet standards.

S/MIME

Is a security enhancement to the MIME Internet e-mail format standard based on technology from RSA Data Security. A complex capability that is defined in a number of documents.

Message User Agents (MUA)

Operates on behalf of user actors and user applications. Referred to as a client e-mail program or a local network e-mail server.

Message Transfer Agents (MTA)

Relays mail for one application-level hop.

Mail Delivery Agent (MDA)

Responsible for transferring the message from the MHS to the MS.

detached signature

type of digital signature that is kept separate from its signed data, as opposed to bundled together into a single file.

Cryptographic Message Syntax (CMS)

used to provide encryption and digital signature capabilities to any form of digital data.

Post Office Protocol (POP3)

• Allows an e-mail client (user agent) to download an e-mail from an e-mail server (MTA)
• POP3 user agents connect via TCP to the server (usually port 110)
• The user agent enters a username and password
• After authorization, the UA can issue POP3 commands to retrieve and delete mail

Internet Mail Access Protocol (IMAP)

• Enables an e-mail client to access mail on an e-mail server
• Uses TCP, with server TCP port 143
• Is more complex than POP3
• Provides stronger authentication than POP3 and provides other functions not supported by POP3

