Opportunistic encryption: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Sandy Harris
imported>Sandy Harris
Line 49: Line 49:
| date = February 2002
| date = February 2002
}}</ref> instead relies on [[TLS]]. This does not provide all of the benefits of end-to-end mail encryption systems such as [[PGP]]; in particular it provides no protection against an enemy with privileged access to one of the mail servers involved, or against someone monitoring the connection between the user and the mail server. However, it does prevent attacks at routers between the mail servers. It provides partial protection against wholesale mail monitoring, forcing a government that wants to do large-scale monitoring either to subvert mail servers or to get the server owners to co-operate.
}}</ref> instead relies on [[TLS]]. This does not provide all of the benefits of end-to-end mail encryption systems such as [[PGP]]; in particular it provides no protection against an enemy with privileged access to one of the mail servers involved, or against someone monitoring the connection between the user and the mail server. However, it does prevent attacks at routers between the mail servers. It provides partial protection against wholesale mail monitoring, forcing a government that wants to do large-scale monitoring either to subvert mail servers or to get the server owners to co-operate.
There are also TLS-based systems for encrypting the link between user and mail server. <ref>{{citation
| id = RFC2595
| title = Using TLS with IMAP, POP3 and ACAP
| author = C. Newman
| date = June 1999
| url = http://tools.ietf.org/html/rfc2595
}}</ref> <ref>{{citation
| id = RFC4616
| title = The PLAIN Simple Authentication and Security Layer (SASL) Mechanism
| author = K. Zeilenga, Ed.
| date = August 2006
| url = http://tools.ietf.org/html/rfc4616
}}</ref>


There are also systems which apply OE to [[TCP]] connections, Google's [http://code.google.com/p/obstcp/ obfuscated TCP] and the later [http://tcpcrypt.org/index.php TCP crypt]. These are secure against passive attacks but vulnerable to [[man-in-the-middle attack]]s.
There are also systems which apply OE to [[TCP]] connections, Google's [http://code.google.com/p/obstcp/ obfuscated TCP] and the later [http://tcpcrypt.org/index.php TCP crypt]. These are secure against passive attacks but vulnerable to [[man-in-the-middle attack]]s.

Revision as of 00:18, 31 August 2010

This article is developed but not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable, developed Main Article is subject to a disclaimer.

Opportunistic encryption, often abbreviated OE is the attempt to arrange network communication systems so that any two nodes can encrypt their communication, without any connection-specific setup by the system administrators. Once two machines are set up for OE, they can set up secure connections automatically.

One large benefit is a reduction in administrative workload. If the administrators must set up every connection, the effort required for a fully connected network of N machines scales by N2. There are several ways to avoid this disaster on large networks, including using a centralised authentication system such as Kerberos, or putting in hardware to encrypt at link level, or using IPsec to encrypt at network level. Any of these can reduce the workload to something manageable. OE, however, cuts the Gordian knot. For OE, the effort scales linearly; the work to set up N machines for OE is just N.

Another benefit is that more connections may be encrypted. Once OE is set up, any two OE-capable machines can secure their connections. If OE is sufficiently widespread, secure connections can be the default.

Like any encryption scheme, an OE system must rely on some form of source authentication. It does no good at all to encrypt messages so that only the recipient can read them unless the recipient is who you think it is. Different OE designs rely on different authentication mechanisms; see individual articles for details.

Opportunistic encryption for IP

The term "opportunistic encryption" comes from the FreeS/WAN project, who built OE into a Linux implementation of IPsec and wrote an RFC[1] documenting the design. They relied on DNS to manage authentication data. Used alone, this would be secure against passive attacks; add DNS security to protect the authentication data and it is also secure against active attacks.

Another way to use IPsec with reduced administrative overheads is better-than-nothing security or BTNS[2], IPsec done without authentication. This gives the same security level as OE done without DNS security.

Normal IPsec, FreeS/WAN-style OE and BTNS are all secure against passive eavesdroppers who only try to listen in; encrypting the connection stops them. Normal IPsec, or OE with secure DNS, are also secure against active attackers who try to trick systems into communicating with them instead of legitimate partners. BTNS, or OE without secure DNS, are not; you need authentication to block those attacks.

The Planete project are building OE for IPv6. They claim "Unlike existing schemes (e.g. FreeS/WAN), our proposal does not rely on any global Third Trusted Party (such as DNSSEC or a PKI). Hence, we claim it is more secure, easier to deploy and more robust."

OE done at the IP layer of the protocol stack protects everything above that layer, and does so without any assistance from higher-layer protocols and generally entirely transparently to the users.

Opportunistic encryption of other protocols

The most widely deployed OE system encrypts server-to-server SMTP mail transfers. The original implementation was ssmail or Secure Sendmail [3], which built encryption into the mail server code. The current standard[4] instead relies on TLS. This does not provide all of the benefits of end-to-end mail encryption systems such as PGP; in particular it provides no protection against an enemy with privileged access to one of the mail servers involved, or against someone monitoring the connection between the user and the mail server. However, it does prevent attacks at routers between the mail servers. It provides partial protection against wholesale mail monitoring, forcing a government that wants to do large-scale monitoring either to subvert mail servers or to get the server owners to co-operate.

There are also TLS-based systems for encrypting the link between user and mail server. [5] [6]


There are also systems which apply OE to TCP connections, Google's obfuscated TCP and the later TCP crypt. These are secure against passive attacks but vulnerable to man-in-the-middle attacks.

References

  1. M. Richardson & D.H. Redelmeier (December 2005), Opportunistic Encryption using the Internet Key Exchange (IKE), RFC4322
  2. N. Williams, M. Richardson, ed. (November 2008), Better-Than-Nothing Security: An Unauthenticated Mode of IPsec, RFC5386
  3. Damian Bentley, Greg Rose, Tara Whalen (1999), ssmail: Opportunistic Encryption in sendmail
  4. P. Hoffman (February 2002), SMTP Service Extension for Secure SMTP over Transport Layer Security, RFC3027
  5. C. Newman (June 1999), Using TLS with IMAP, POP3 and ACAP, RFC2595
  6. K. Zeilenga, Ed. (August 2006), The PLAIN Simple Authentication and Security Layer (SASL) Mechanism, RFC4616