The Register® — Biting the hand that feeds IT

Feeds

Military industrial complex aims to revamp email

Trust but verify

By John Leyden, 15th January 2008
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

A consortium of British and US military agencies and defense and aerospace firms have agreed a new standard for secure email. Security experts are watching the developments closely, but are unsure how much of the specification will make it into public use or commercial email security products.

The secure email specification from the The Transglobal Secure Collaboration Program (TSCP) aims to address email's inherent identity and data transmission security flaws. The specification covers a method for authenticating users that creates a Public Key Infrastucture system that could act as the backbone for other forms of electronic collaboration.

The requirements were defined and endorsed by the members of the TSCP: the US Department of Defense (DoD), UK Ministry of Defence (MoD), BAE Systems, Boeing, EADS, Lockheed Martin, Northrop Grumman, Raytheon, and Rolls-Royce.

The US Defence Department intends to use the specification to protect "controlled but unclassified information". The MoD also expects to deploy the capability enterprise-wide in 2008 for classifications up to "UK Restricted".

The TSCP implementation is based on TSCP-defined publicly available specifications which organisations must follow to assign vetted identity information to all email senders and recipients. The current implementation was constructed with commercial-off-the-shelf (COTS) products, open source software, and a commercial trusted third-party service, CertiPath. The resulting digital certificate-based system ensures that information only travels to and from trusted parties. The framework plugs into either Lotus Notes or Outlook clients.

PKI has long been touted as the next big thing in information security. But the difficulty of putting in such systems and integrating them with other platfors has made the technology complicated and costly. Even though most aspects of the TSCP approach are public, it's unclear how much impact the approach will have in the wider world outside military organisations and their contractors.

"I don't know how much of this will end up public. Certainly I'm interested. And certainly email could use a major security overhaul," security guru Bruce Schneier told El Reg. "People are abandoning the medium in favour of others that are less spam-filled." ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (24)
Latest Comments
Rich

@Rich

The solution you propose, involving the "bob" server giving "alice" his public key, is vulnerable to man in the middle attacks (as are all variants of it).

That's why SSL needs the server owner to obtain a certificate from a CA (at a cost of $$$) to protect against this. Which is basically back to the PKI problem - to use crypto email, you need to be vouched by a central authority.

0
0
Aubry Thonon

PGP/GPG in SMTP

Here's a thought:

When a domain is registered, a public key must be associated with that domain.

When mail is sent out, a signature is created by the mailing system of the sender WHICH MUST INCLUDE the sender's e-mail address and the date/time of the e-mail.

On the receiving end, the mail server receives the mail, queries its DNS for the public key and checks the mail is what it purports to be and by the person who supposedly sent it.

Advantages: It does not require individual users to create their own key (they still can, for security purposes, but they don't *have* to in order to be authenticated). Also, it allows spam e-mail to be traced back to their source of origin (assuming the signature algorithm has been written properly).

Disadvantage: You are still susceptible to xDNS attacks, where the DNS information you require (including public key) has been compromised or replaced by a new set.

0
0
Stephen Jones

*cough*

PGP/GPG?

Can anyone tell me what all this PKI nonsense does that it doesn't? Digital Signatures, check. Encryption, check. You just have to add a public key fingerprint to your business card next to the email address and you're all done. And it works fine over the existing infrastructure.

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
135
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
Internet fraud still stings suckers
Australians twice as gullible as Americans
36
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17