Abstract
Securing e-mail with cryptography and PKI is an effective countermeasure against common threats like spam, malware, or industrial espionage. Compared to the troublesome handling of PKI-enabled applications by end-users, the idea of a centralized gateway managing all cryptographic tasks seems very attractive.
However, such a gateway represents a single point of attack, as it stores a lot of keys. We show how to address this issue by means of threshold cryptography and describe the SecMGW concept, which integrates easily into existing environments. SecMGW was implemented solely using open-source products, making it a cost-effective solution that is well suited for small and medium enterprises.
The author's work was supported by the German National Research Foundation (DFG) as part of the PhD program “Enabling Technologies for Electronic Commerce” at Technische Universität Darmstadt.
© 2004 Friedr. Vieweg & Sohn Verlagsgesellschaft/GWV Fachverlage GmbH, Wiesbaden
About this chapter
Cite this chapter
Straub, T., Fleck, M., Grewe, R., Lenze, O. (2004). SecMGW — An Open-Source Enterprise Gateway for Secure E-Mail. In: ISSE 2004 — Securing Electronic Business Processes. Vieweg+Teubner Verlag. https://doi.org/10.1007/978-3-322-84984-7_24
DOI: https://doi.org/10.1007/978-3-322-84984-7_24
Publisher Name: Vieweg+Teubner Verlag
Print ISBN: 978-3-528-05910-1
Online ISBN: 978-3-322-84984-7
eBook Packages: Springer Book Archive