PGP Corp. delivers practical PKI deployment for securing e-mail with PGP Universal.
BY FRED AVOLIO
Cleartext e-mails are open to the world. Decades-old PKI technology can secure e-mail with encryption, digital signatures and authentication, but it’s notoriously problematic to administer and deploy.
PGP Corp., the company that now owns the Pretty Good Privacy technology, designed its PGP Universal with policy and self-management in mind. It provides automated key generation, encryption/decryption, and digital signatures for inbound and outbound e-mails. PGP Universal acts as an e-mail proxy that learns about users as their e-mails pass through. As it processes e-mails, it checks them against a policy that defines which e-mails to secure with public/private keys and what to do when a recipient lacks a public key. Its ability to automatically create public and private key pairs for e-mail recipients is quite impressive, as is its capacity to transparently protect e-mails.
Security managers can use PGP Universal’s SSL-secured administration interface to set e-mail policies to automatically create public and private key pairs for recipients.
The PGP Universal CD reformats and installs a hardened, specialized Red Hat Linux 7.3 system on the hard drive. Users shouldn’t be alarmed when the system automatically reboots.
Strong Administration, Weak Authentication
With PGP Universal running in internal mode, we defined the required parameters, and our box rebooted with its new identity. Configuring PGP Universal in internal mode places the proxy between users and their POP (or IMAP) and SMTP servers.
It secures all e-mail to and from the Internet, as well as e-mail remaining “inside” the network.
In external mode, PGP Universal sits outside of the POP and SMTP servers, processing all Internet-based SMTP traffic. This allows the configuration to match the existing enterprise security and e-mail policy. The difference is transparent to users and security managers — both modes allow similar administration and use.
We found that PGP Universal requires but doesn’t support all SMTPAUTH options. It uses SMTPAUTH to establish a higher level of user and server authentication, just as many ISPs use it to authenticate a connection before relaying e-mail. Our system uses the slightly more secure CRAM-MD5 — not supported in this release. The lack of support prevented PGP Universal from allowing connections until we reverted to the LOGIN mechanism. The current version only supports PLAIN and LOGIN authentication. It doesn’t support GSSAPI, KERBEROS_V4, DIGEST-MD5, and CRAM-MD5 mechanisms. This means it won’t easily talk to your SMTP server unless you’re using one of the two less secure options. PGP Corp. plans to support CRAM-MD5 in a future release.
Enterprises also use the admin interface to import existing public keys, and additional decryption keys, which the admin/installer can read from a file. PGP Universal supports only PGP keys, but PGP Corp. plans to add support for X.509 certificates. To test both features, we imported existing keys for individuals and let PGP Universal generate a new key pair for our organization.
We entered our proof of ownership, and PGP Corp. provided us a license via the Internet. Without a license, PGP Universal operates in “Learn Mode.” The documentation recommends leaving it in this mode initially. In Learn Mode, the system proxies the e-mail and logs what it would have done according to the policy, but takes no action. Examining the logs show how the e-mail security policies would behave when activated. It also gives the server an opportunity to build its self-managing security architecture.
We defined our default e-mail security policies (you can select encrypt, sign, either, both or neither), and assigned the “missing key” policy for when there’s no recipient public key.
We tested the four possible “missing key” policies: Don’t Encrypt, Bounce, Smart Trailer and Web Messenger. “Don’t encrypt” means send the digitally signed cleartext message to the intended recipient. “Bounce” means return the message to the sender as undeliverable. We checked for correct policy enforcement by examining the e-mail messages, and reading the logs through the administrative interface.
We devised situations to test the remaining “Smart Trailer” and “Web Messenger” policies. We set our user’s pop.my.domain and smtp.my.domain, pointed to our PGP Universal system, to proxy e-mail to and from our POP3 and SMTP servers. We designated our default e-mail security policy to encrypt and sign, and the “missing key” policy as “Web Messenger.” We set the same default policy, except changed the “missing key” policy to “Smart Trailer” for the second setup.
In the first scenario, our user — firstname.lastname@example.org — sent an e-mail message to a teleworkers — email@example.com. As anticipated, Lisa received Bob’s e-mail with the Smart Trailer notice of a secure message. Clicking the provided URL launched an SSL-secured connection to the PGP Universal server, which required the creation of a passphrase. Options were available for downloading a PGP Satellite proxy (a small Windows application) using an existing PGP Desktop and PGP Key, or continuing with unencrypted e-mail. After creating a required passphrase, PGP Universal Satellite proxy was downloaded, and the system generated a public key. Lisa was added to the server’s user database for receiving encrypted messages, and the Satellite program remained on her system grabbing all POP3 and SMTP traffic destined for my.domain, signing and encrypting the messages, and decrypting and verifying as they arrived.
In the second scenario, Bob, sent a cleartext message with a URL to firstname.lastname@example.org. Clicking on the URL took Dave to the server’s login page where he used his PGP Desktop client. PGP Universal displayed the e-mail in a PGP Web Messenger format, and allowed Dave to read, reply and log out. The reply to Bob traveled back through the PGP Universal system, and was digitally signed and encrypted with Dave’s public key.
Doing PKI-enabled e-mail isn’t a new idea, though it has typically been used by technically savvy users. Despite its lacking support for all SMTPAUTH options, PGP Universal proved it can take the burden and support costs out of doing a PKI secure e-mail. Users can receive decrypted and verified messages, without the need to add software or make any changes to their e-mail environment or PC settings, extending the potential use of PKI and PGP as an e-mail security option. This makes PGP Universal more than just pretty good.
FRED AVOLIO is president and founder of Avolio Consulting, a Maryland-based security consulting firm, and is an Information Security columnist.