Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Email Security Trail Map - A World beyond DMARC -

HIRANO Yoshitaka
December 11, 2019
Technology
3
130

Email Security Trail Map - A World beyond DMARC -

There are too many technology about email security. So it is very difficult to understand what is really necessary, what is the goal.
In this slide, I explain about the summary of each technology to understand what you really need.

HIRANO Yoshitaka

December 11, 2019
Tweet

More Decks by HIRANO Yoshitaka

See All by HIRANO Yoshitaka
メールとAIシリーズ:プライバシー保護のための次世代技術~NLPの未来と大規模言語モデル活用術
hirachan
2
17
Whoisの闇
hirachan
3
110
メール暗号化はSTART TLSで安心?!見落としがちな脆弱性と今すぐ取るべき対策
hirachan
1
51
自由自在にカスタマイズ!Go言語で作る あなただけのメールサーバー
hirachan
1
61
Gmail の「メール送信者のガイドライン」強化から 1 ヵ月、今後予想されるメールセキュリティの変化とは
hirachan
1
500
RM8回完走でもPBPはツライ
hirachan
1
73
LEL2017の思い出とLEL2025最新情報
hirachan
1
130
TLS1.0/1.1廃止に向けて JPAAWG 6th Open Round Table議事録
hirachan
2
65
進化し続けるフィッシングと機械学習との戦い ~ ChatGPT vs ChatGPTの世界へ ~
hirachan
2
220

Other Decks in Technology

See All in Technology
Lambdaと地方とコミュニティ
miu_crescent
2
270
プロポーザルのつくり方
〜個人技編〜 / How to come up with proposals
ohbarye
4
310
隣接領域をBeyondするFinatextのエンジニア組織設計 / beyond-engineering-areas
stajima
1
230
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
280
Microsoft MVPになる前、なってから/Fukuoka_Tech_Women_Community_1_baba
nina01
0
180
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
190
AIチャットボット開発への生成AI活用
ryomrt
0
140
Engineering at LY Corporation
lycorp_recruit_jp
0
340
AWS⼊社という選択肢、⾒えていますか
iwamot
2
1.1k
徹底比較!HA Kubernetes ClusterにおけるControl Plane LoadBalancerの選択肢
logica0419
2
140
マルチモーダルデータ基盤の課題と観点
neonankiti
1
110
Windows Autopilot Deployment by OSD Guy
tamaiyutaro
0
310

Featured

See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
YesSQL, Process and Tooling at Scale
rocio
168
14k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
GraphQLとの向き合い方2022年版
quramy
43
13k
Unsuck your backbone
ammeep
668
57k
RailsConf 2023
tenderlove
29
890
Adopting Sorbet at Scale
ufuk
73
9.1k

Transcript

  1. Copyright© QUALITIA CO., LTD. All Rights Reserved. Email Security Trail

    Map ~A World beyond DMARC~ QUALITIA CO., LTD HIRANO Yoshitaka <[email protected]>

  2. Copyright© QUALITIA CO., LTD. All Rights Reserved. Our Company Name

    Qualitia CO., LTD HQ 3-11-10 Nihombashi-Kayabacho Chuo-ku Tokyo Capital 85M yen Since Oct. 1993 CEO Ken Matsuda ⚫ Development and Sales of Messaging Related Solutions ⚫ Supporting Efficient Communication and Security Enhancement ⚫ Providing the Messaging Related Cloud Services and Software Create the Future of “Communication” and “Security” with our Customers and Partners Q U A L I T Y M A K E S F U T U R E

  3. Copyright© QUALITIA CO., LTD. All Rights Reserved. Self Introduction Name

    HIRANO Yoshitaka Belongs to QUALITIA Co., Ltd Chief Engineer Cert. Licensed Scrum Master Certified Scrum Developer Activities M3AAWG JPAAWG IA Japan 迷惑Mail対策委員会 Anti-Spam mail Promotion Council (ASPC) Message Research Institute Audax Randonneurs Nihonbashi

  4. Copyright© QUALITIA CO., LTD. All Rights Reserved. Our Team We

    are researching and developing New Feature Be our Friend! Twitter Account →

  5. Copyright© QUALITIA CO., LTD. All Rights Reserved. Email Security? Where

    is the goal?

  6. Copyright© QUALITIA CO., LTD. All Rights Reserved. Technologies for Email

    Security SPF DKIM 誤送信 防止 Sanitize Password ZIP Anti Phishing Anti SPAM DNS SEC SMTP AUTH DANE MTA- STS START TLS BIMI ARC DMARC TLS- RPT Anti Virus Virus Filter Sandb ox Anshin Mark So many things!! I cannot understand

  7. Copyright© QUALITIA CO., LTD. All Rights Reserved. What do you

    want to protect from What?

  8. Copyright© QUALITIA CO., LTD. All Rights Reserved. What we protect

    from クオリティア Mail Server Mail Server spoofing hijacking eavesdropping tampering stealing leakage Malware Mail Server phishing

  9. Copyright© QUALITIA CO., LTD. All Rights Reserved. What you want

    to protect from •Spoofing, Tampering •Account Hijacking, Springboard •Eavesdropping •Spam, Malware, Phishing •Leakage

  10. Copyright© QUALITIA CO., LTD. All Rights Reserved. Spoofing, Tampering Protect

    from

  11. Copyright© QUALITIA CO., LTD. All Rights Reserved. Protect from Spoofing,

    Tampering クオリティア Mail Server Mail Server Mail Server Spoofing Tampering

  12. Copyright© QUALITIA CO., LTD. All Rights Reserved. Protect from Spoofing・Tampering

    •SPF •DKIM •DMARC •ARC •BIMI

  13. Copyright© QUALITIA CO., LTD. All Rights Reserved. When there is

    no SPF 192.0.2.1 203.0.113.1 Env From: [email protected] From: [email protected] Subject: Please transfer money Hi! I'm Taro @ QUALITIA. ・・・・ OK I transfer! Click! × クオリティア Spoofing・Tampering

  14. Copyright© QUALITIA CO., LTD. All Rights Reserved. When there is

    SPF 192.0.2.1 Env From: [email protected] From: [email protected] Subject: Please transfer money AR: spf=pass Hi! I'm Taro @ QUALITIA. ・・・・ qualitia.co.jp txt “v=spf1 ip4:192.0.2.1 –all” Check Source IP using Envelope From ◦ OK, This is right. Transfer! クオリティア Spoofing・Tampering

  15. Copyright© QUALITIA CO., LTD. All Rights Reserved. When there is

    SPF 192.0.2.1 203.0.113.1 Env From: [email protected] From: [email protected] Subject: Please transfer money AR: spf=fail Hi! I'm Taro @ QUALITIA. ・・・・ qualitia.co.jp txt “v=spf1 ip4:192.0.2.1 –all” Hmm, it looks fake × クオリティア Spoofing・Tampering

  16. Copyright© QUALITIA CO., LTD. All Rights Reserved. But! Spoofing・Tampering

  17. Copyright© QUALITIA CO., LTD. All Rights Reserved. Even if there

    is SPF 192.0.2.1 203.0.113.1 Env From: [email protected] From: [email protected] Subject: Please transfer money AR: spf=none Hi! I'm Taro @ QUALITIA. ・・・・ qualitia.co.jp txt “v=spf1 ip4:192.0.2.1 –all” クオリティア Spoofing・Tampering OK I transfer! Click! Use badgroup domain

  18. Copyright© QUALITIA CO., LTD. All Rights Reserved. OK I transfer!

    Click! badgroupのSPFで認証 192.0.2.1 203.0.113.1 Env From: [email protected] From: [email protected] Subject: Please transfer money AR: spf=pass Hi! I'm Taro @ QUALITIA. ・・・・ badgroup.example txt “v=spf1 ip4:203.0.113.1 –all” qualitia.co.jp txt “v=spf1 ip4:192.0.2.1 –all” クオリティア Spoofing・Tampering

  19. Copyright© QUALITIA CO., LTD. All Rights Reserved. SPF •Verify if

    the pair of Envelope From and IP Address is correct or not •RFC4408 (2006/04) Source IP = Envelope From = Header From ? Spoofing・Tampering

  20. Copyright© QUALITIA CO., LTD. All Rights Reserved. DKIM Spoofing・Tampering

  21. Copyright© QUALITIA CO., LTD. All Rights Reserved. When there is

    no DKIM From: [email protected] Subject: Please transfer money AR: dkim=none Hi! I'm Taro @ QUALITIA. ・・・・ クオリティア Spoofing・Tampering OK I transfer! Click!

  22. Copyright© QUALITIA CO., LTD. All Rights Reserved. DKIM-Signature: v=1; d=qualitia.co.jp;

    s=s1; h=From:Subject; b=abcdef・・・・ From: [email protected] Subject: Please transfer money Hi! I'm Taro @ QUALITIA. ・・・・ When there is DKIM Send with signature s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...” Encryption Public Key Private Key hash クオリティア Spoofing・Tampering

  23. Copyright© QUALITIA CO., LTD. All Rights Reserved. DKIM-Signature: v=1; d=qualitia.co.jp;

    s=s1; h=From:Subject; b=abcdef・・・・ From: [email protected] Subject: Please transfer money AR: dkim=pass Hi! I'm Taro @ QUALITIA. ・・・・ When there is DKIM OK, it’s trustable. Transfer, click! s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...” Decryption Public Key Private Key hash ◦ クオリティア Spoofing・Tampering

  24. Copyright© QUALITIA CO., LTD. All Rights Reserved. DKIM-Signature: v=1; d=qualitia.co.jp;

    h=From:Subject; b=abcdef・・・・ From: [email protected] Subject: Please transfer money Hi! I'm Taro @ QUALITIA. ・・・・ When there is DKIM Cannot sign without a private key! encryption Private Key hash × クオリティア Spoofing・Tampering

  25. Copyright© QUALITIA CO., LTD. All Rights Reserved. DKIM-Signature: v=1; d=qualitia.co.jp;

    s=s1; h=From:Subject; b=abcdef・・・・ From: [email protected] Subject: Please transfer money to thief Hi! I'm Taro @ QUALITIA. ・・・・ When there is DKIM Tamper the signed message s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...” Public Key Private Key クオリティア Spoofing・Tampering

  26. Copyright© QUALITIA CO., LTD. All Rights Reserved. DKIM-Signature: v=1; d=qualitia.co.jp;

    s=s1; h=From:Subject; b=abcdef・・・・ From: [email protected] Subject: 泥棒にPlease transfer money AR: dkim=fail Hi! I'm Taro @ QUALITIA. ・・・・ When there is DKIM Hmm, this might be tampered? s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...” decryption Public Key Private Key hash × クオリティア Spoofing・Tampering

  27. Copyright© QUALITIA CO., LTD. All Rights Reserved. But! Spoofing・Tampering

  28. Copyright© QUALITIA CO., LTD. All Rights Reserved. Even if there

    is DKIM From: [email protected] Subject: Please transfer money AR: dkim=none Hi! I'm Taro @ QUALITIA. ・・・・ Ok, Transfer! Click! s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...” Private Key Same as when there is not DKIM クオリティア Spoofing・Tampering Send without signature

  29. Copyright© QUALITIA CO., LTD. All Rights Reserved. By Any Chance?

    From: [email protected] Subject: Please transfer money AR: dkim=none Hi! I'm Taro @ QUALITIA. ・・・・ Ehh? QUALITIA usually sign DKIM signature, right? s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...” Private Key クオリティア Spoofing・Tampering Same as when there is not DKIM

  30. Copyright© QUALITIA CO., LTD. All Rights Reserved. DKIM-Signature: v=1; d=badgroup.example;

    s=aku; h=From:Subject; b=abcdef・・・・ From: [email protected] Subject: Please transfer money Hi! I'm Taro @ QUALITIA. ・・・・ Even if there is DKIM Sign as badgroup! aku._domainkey.badgroup.example txt “v=dkim1;p=ABCDEF...” encryption Private Key of badgroup Private Key hash クオリティア Spoofing・Tampering

  31. Copyright© QUALITIA CO., LTD. All Rights Reserved. DKIM-Signature: v=1; d=badgroup.example;

    s=aku; h=From:Subject; b=abcdef・・・・ From: [email protected] Subject: Please transfer money AR: dkim=pass Hi! I'm Taro @ QUALITIA. ・・・・ Even if there is DKIM Ok, transfer! decryption badgroupの Public Key Private Key hash ◦ aku._domainkey.badgroup.example txt “v=dkim1;p=ABCDEF...” badgroupの Private Key クオリティア Spoofing・Tampering

  32. Copyright© QUALITIA CO., LTD. All Rights Reserved. DKIM •Sign headers

    and body to protect from tampering Spoofing・Tampering

  33. Copyright© QUALITIA CO., LTD. All Rights Reserved. Problem of SPF,

    DKIM •SPF: Even if the third party spoofed the Envelope From, still spf will be a “pass” •DKIM: Even if the third party signed,still dkim will be a “pass” Spoofing・Tampering

  34. Copyright© QUALITIA CO., LTD. All Rights Reserved. DMARC Spoofing・Tampering

  35. Copyright© QUALITIA CO., LTD. All Rights Reserved. DMARC •Verify based

    on Header From •Header From •Envelope From Verify all domains match •DKIM signer Spoofing・Tampering

  36. Copyright© QUALITIA CO., LTD. All Rights Reserved. SPF for badgroup

    (dmarc p=none) 192.0.2.1 203.0.113.1 Env From: [email protected] From: [email protected] Subject: Please transfer money AR: spf=pass, dmarc=Fail Hi! I'm Taro @ QUALITIA. ・・・・ badgroup.example txt “v=spf1 ip4:203.0.113.1 –all” _dmarc.qualitia.co.jp txt “v=DMARC1; p=none” Oh, dmarc is fail. × クオリティア Spoofing・Tampering

  37. Copyright© QUALITIA CO., LTD. All Rights Reserved. SPF for badgroup

    (dmarc p=reject) 192.0.2.1 203.0.113.1 Env From: [email protected] From: [email protected] Subject: Please transfer money AR: spf=pass, dmarc=Fail Hi! I'm Taro @ QUALITIA. ・・・・ badgroup.example txt “v=spf1 ip4:203.0.113.1 –all” × Reject! _dmarc.qualitia.co.jp txt “v=DMARC1; p=reject” × クオリティア Spoofing・Tampering

  38. Copyright© QUALITIA CO., LTD. All Rights Reserved. DKIM-Signature: v=1; d=badgroup.example;

    s=aku; h=From:Subject; b=abcdef・・・・ From: [email protected] Subject: Please transfer money AR: dkim=pass, dmarc=fail Hi! I'm Taro @ QUALITIA. ・・・・ DKIM signature for badgroup Public Key of badgroup aku._domainkey.badgroup.example txt “v=dkim1;p=ABCDEF...” Private Key of badgroup × _dmarc.qualitia.co.jp txt “v=DMARC1; p=reject” ×Reject! クオリティア Spoofing・Tampering

  39. Copyright© QUALITIA CO., LTD. All Rights Reserved. But! Spoofing・Tampering

  40. Copyright© QUALITIA CO., LTD. All Rights Reserved. DKIM-Signature: v=1; d=qualitia.co.jp;

    s=s1; h=From:Subject; b=abcdef・・・・ From: [email protected] Subject: [◦◦ML:1234] Hi! All AR: dkim=fail Hi! Long time no see! ・・・・ DKIM + Mailing List Hmm, can I trust? s1._domainkey.qualitia.co.jp txt “v=dkim1;p=ABCDEF...” decryption Public Key Private Key hash × クオリティア Spoofing・Tampering

  41. Copyright© QUALITIA CO., LTD. All Rights Reserved. ARC Spoofing・Tampering

  42. Copyright© QUALITIA CO., LTD. All Rights Reserved. ARCがあれば Ok, arc=pass

    Private Key クオリティア Mailing List Server ml.example.jp ARC-Seal: i=1; cv=none; d=ml.example.jp;... ARC-Message-Signature: i=1; d=ml.example.jp; h=from:subject:dkim-signature:... ARC-Authentication-Result: i=1; ml.example.jp; dkim=pass; spf=pass; dmarc=pass DKIM-Signature: v=1; d=qualitia.co.jp; b=abcdef・・・・ From: [email protected] Subject: [◦◦ML:1234] Hi! All AR: dkim=fail, arc=pass Hi! Long time no see! ・・・・ Spoofing・Tampering

  43. Copyright© QUALITIA CO., LTD. All Rights Reserved. ARC •The Authenticated

    Received Chain Protocol •RFC8617 (2019年7月) •Mailing List Server will write ARC signature with sequence number, if DKIM=pass, ARC=pass when it received. Spoofing・Tampering

  44. Copyright© QUALITIA CO., LTD. All Rights Reserved. Operation Spoofing・Tampering

  45. Copyright© QUALITIA CO., LTD. All Rights Reserved. Recent DKIM Circumstances

    •RFC8301: Cryptographic Algorithm and Key Usage Update to DomainKeys Identified Mail (DKIM) (Jan. 2018) ・Both signer and verifier MUST use rsa-sha256 ・Both MUST NOT use rsa-sha1 ・Sign: 1024bit~(MUST)、2048bit~(SHOULD) ・Verify: 1024bit~4096bit(MUST) ※ But 2048bit is longer than the size 255bytes which DNS can handle Spoofing・Tampering

  46. Copyright© QUALITIA CO., LTD. All Rights Reserved. Recent DKIM Circumstances

    •RFC8463: A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM) (Sep. 2018) ・Signer SHOULD implement this ・Verifier MUST implement this ・Write two signatures, Ed25519-SHA256 and RSA-SHA256(1024bit~) for backward compatibility Use Ed25519-SHA256 BASE64 encoded size is just 44 bytes, so this can be fit into DNS Spoofing・Tampering

  47. Copyright© QUALITIA CO., LTD. All Rights Reserved. DKIM Key Rotation

    •DKIM Key has to be rotated Spoofing・Tampering https://www.m3aawg.org/sites/default/files/m3aawg-dkim-key-rotation-bp-2019-03.pdf

  48. Copyright© QUALITIA CO., LTD. All Rights Reserved. Operation for DKIM

    •Follow the latest cryptography •Key rotation Too much hassle!!! We are creating a service to DKIM-sign automatically! Coming Soon! 注目 Spoofing・Tampering

  49. Copyright© QUALITIA CO., LTD. All Rights Reserved. BIMI Spoofing・Tampering

  50. Copyright© QUALITIA CO., LTD. All Rights Reserved. BIMI •Show the

    logo specified by the sender, if the DMARC is “pass”. Show the logo 注目 Spoofing・Tampering

  51. Copyright© QUALITIA CO., LTD. All Rights Reserved. Protect from Spoofing,

    Tampering (Summary) •SPF •DKIM •DMARC •ARC •BIMI Spoofing・Tampering

  52. Copyright© QUALITIA CO., LTD. All Rights Reserved. What you want

    to protect from •Spoofing・Tampering •Hijacking・Springboard •Eavesdropping •Spam・Malware・Phishing •Leakage Hijacking・Springboard

  53. Copyright© QUALITIA CO., LTD. All Rights Reserved. Hijacking・Springboard Hijacking・Springboard Protect

    from

  54. Copyright© QUALITIA CO., LTD. All Rights Reserved. Protect from Hijacking・

    Springboard クオリティア Mail Server Mail Server Hijacking Hijacking・Springboard

  55. Copyright© QUALITIA CO., LTD. All Rights Reserved. POP before SMTP

    Hijacking・Springboard

  56. Copyright© QUALITIA CO., LTD. All Rights Reserved. POP before SMTP

    If you pass the POP3 authentication, you can send email. Mail Server Hijacking・Springboard

  57. Copyright© QUALITIA CO., LTD. All Rights Reserved. SMTP AUTH Hijacking・Springboard

  58. Copyright© QUALITIA CO., LTD. All Rights Reserved. SMTP AUTH If

    you passed the ID/Password authentication on SMTP, you can send email. Mail Server RFC2554 (1999) → RFC4954 (2007) Hijacking・Springboard

  59. Copyright© QUALITIA CO., LTD. All Rights Reserved. OP25B Hijacking・Springboard

  60. Copyright© QUALITIA CO., LTD. All Rights Reserved. OP25B •If you

    passed the ID/Password authentication on SMTP(Port 587 ), you can send email. •ISP blocks Port 25 from customer. Mail Server Hijacking・Springboard

  61. Copyright© QUALITIA CO., LTD. All Rights Reserved. Multi Factor Authentication

    Hijacking・Springboard

  62. Copyright© QUALITIA CO., LTD. All Rights Reserved. Multi Factor Authentication

    If the multiple combinations of authentication, such as SMTP AUTH, device auth, biometric auth, are passed, you can send an email. Mail Server Device auth + Face auth OK Hijacking・Springboard

  63. Copyright© QUALITIA CO., LTD. All Rights Reserved. デモ We made

    it! 注目 Hijacking・Springboard

  64. Copyright© QUALITIA CO., LTD. All Rights Reserved. Demo Mail Server

    Device Auth + Face Auth OK Hijacking・Springboard

  65. Copyright© QUALITIA CO., LTD. All Rights Reserved. Device + Face

    authentication Sender MUA Packet Hijacking・Springboard

  66. Copyright© QUALITIA CO., LTD. All Rights Reserved. 多要素認証 SMTP Biometric

    Auth Service Looking for β users! 注目 Spoofing・Tampering

  67. Copyright© QUALITIA CO., LTD. All Rights Reserved. Protect from Hijacking・Springboard

    (Summary) •POP before SMTP •SMTP AUTH •OP25B •Multi Factor Authentication Hijacking・Springboard

  68. Copyright© QUALITIA CO., LTD. All Rights Reserved. What you want

    to protect from •Spoofing・Tampering •Hijacking・Springboard •Eavesdropping •Spam・Malware・Phishing •Leakage Eavesdroppin

  69. Copyright© QUALITIA CO., LTD. All Rights Reserved. Eavesdropping Protect From

    Eavesdroppin

  70. Copyright© QUALITIA CO., LTD. All Rights Reserved. Protect from Eavesdropping

    クオリティア Mail Server Mail Server Eavesdropping Tampering Stealing Eavesdroppin

  71. Copyright© QUALITIA CO., LTD. All Rights Reserved. Encrypted ZIP Eavesdroppin

  72. Copyright© QUALITIA CO., LTD. All Rights Reserved. Encrypted ZIP クオリティア

    Mail Server Mail Server Eavesdropping Tampering Stealing Password Eavesdroppin

  73. Copyright© QUALITIA CO., LTD. All Rights Reserved. STARTTLS Eavesdroppin

  74. Copyright© QUALITIA CO., LTD. All Rights Reserved. STARTTLS クオリティア Mail

    Server Mail Server Eavesdropping Tampering Encrypt the line between mail servers Eavesdroppin

  75. Copyright© QUALITIA CO., LTD. All Rights Reserved. But! Eavesdroppin

  76. Copyright© QUALITIA CO., LTD. All Rights Reserved. Unsupported STARTTLS クオリティア

    Mail Server Mail Server2 Eavesdropping Tampering If the server or client does not support STARTTLS, the client will send emails by plain text opportunistically. Mail Server1 Eavesdroppin

  77. Copyright© QUALITIA CO., LTD. All Rights Reserved. When the network

    routing is hijacked クオリティア Mail Server Mail Server Encryption is meaningless. Mail Server ARP BGP ・・・ Eavesdroppin

  78. Copyright© QUALITIA CO., LTD. All Rights Reserved. MTA-STS Eavesdroppin

  79. Copyright© QUALITIA CO., LTD. All Rights Reserved. MTA-STS •Force to

    use STARTTLS •Force to use TLS1.2 or more •Enforce that server has a valid certification •RFC8461 (Sep. 2018) Eavesdroppin

  80. Copyright© QUALITIA CO., LTD. All Rights Reserved. When there is

    MTA-STS クオリティア Mail Server Mail Server Client does not send, if encryption is not supported _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;" version: STSv1 mode: enforce mx: mx1.qualitia.co.jp max_age: 1296000 https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt =Not Stealed Eavesdroppin Policy

  81. Copyright© QUALITIA CO., LTD. All Rights Reserved. But! If the

    client did not send it we want to know it Eavesdroppin

  82. Copyright© QUALITIA CO., LTD. All Rights Reserved. TLS-RPT Eavesdroppin

  83. Copyright© QUALITIA CO., LTD. All Rights Reserved. When there is

    TLS-RPT クオリティア Mail Server Mail Server Send a report, if the encryption is not supported RFC8460 (Sep. 2018) _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;" version: STSv1 mode: enforce mx: mx1.qualitia.co.jp max_age: 1296000 https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt _smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=mailto:[email protected]" Eavesdroppin

  84. Copyright© QUALITIA CO., LTD. All Rights Reserved. Be careful! クオリティア

    Mail Server Mail Server _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;" version: STSv1 mode: enforce mx: mx1.qualitia.co.jp max_age: 1296000 https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt _smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=mailto:[email protected]" Server does not support TLS, so that client cannot send a report encryption Eavesdroppin

  85. Copyright© QUALITIA CO., LTD. All Rights Reserved. Report Using HTTPS

    クオリティア Mail Server Mail Server _mta-sts.qualitia.co.jp. IN TXT "v=STSv1; id=20191114123000Z;" version: STSv1 mode: enforce mx: mx1.qualitia.co.jp max_age: 1296000 https://mta-sts.qualitia.co.jp/.well-known/mta-sts.txt _smtp._tls.qualitia.co.jp. IN TXT "v=TLSRPTv1;rua=https://api.qualitia.co.jp/v1/tlsrpt" HTTPS is also available https://api.qualitia.co.jp.jp/v1/tlsrpt POST Eavesdroppin

  86. Copyright© QUALITIA CO., LTD. All Rights Reserved. But! Eavesdroppin

  87. Copyright© QUALITIA CO., LTD. All Rights Reserved. DNS Hijacking クオリティア

    Mail Server Mail Server Disable MTA-STS Mail Server DNS Eavesdroppin

  88. Copyright© QUALITIA CO., LTD. All Rights Reserved. Compromised CA クオリティア

    Mail Server Mail Server Mail Server ARP BGP ・・・ Certificate Authority (CA) 署名 qualitia.co.jp qualitia.co.jp Sign Compromised CA Everything seems fine for sender Trust Eavesdroppin

  89. Copyright© QUALITIA CO., LTD. All Rights Reserved. DANE Eavesdroppin

  90. Copyright© QUALITIA CO., LTD. All Rights Reserved. DANE •Do not

    use Certificate authority(CA) •You can use if you want •Self-signed certificate is available •Use DNSSEC •RFC7672 (Oct. 2015) Eavesdroppin

  91. Copyright© QUALITIA CO., LTD. All Rights Reserved. DANE クオリティア Mail

    Server Mail Server Use DNS Trust chain instead of CA DNSSEC Certificate Authority(CA) No Need ルートDNS DNSSEC Trust Eavesdroppin _25._tcp.mx1.qualitia.co.jp. IN TLSA 3 0 1 2B73BB905F…" mx1.qualitia.co.jp

  92. Copyright© QUALITIA CO., LTD. All Rights Reserved. But! Settings and

    Operations are not easy Eavesdroppin

  93. Copyright© QUALITIA CO., LTD. All Rights Reserved. Operation of MTA-STS,

    TLS-RPT, DANE •Operating DNSSEC is not easy •We cannot use DNSSEC easily (in Japan) •Do not want to Key-Rotate •Do not want to analyze the report Authoritative DNSSEC Service for Mail User We are now developing! 注目 Eavesdroppin

  94. Copyright© QUALITIA CO., LTD. All Rights Reserved. Protect from Eavesdropping

    (Summary) •Encrypted ZIP •STARTTLS •MTA-STS •TLS-RPT •DANE-TLS •DNSSEC •DANE-S/MIME Eavesdroppin

  95. Copyright© QUALITIA CO., LTD. All Rights Reserved. What you want

    to protect from •Spoofing・Tampering •Hijacking・Springboard •Eavesdropping •Spam・Malware・Phishing •Leakage Spam・Malware・Phishing

  96. Copyright© QUALITIA CO., LTD. All Rights Reserved. Spam, Malware, Phishing

    Protect from Spam・Malware・Phishing

  97. Copyright© QUALITIA CO., LTD. All Rights Reserved. Protect from Spam,

    Malware Mail Server Mail Server Spoofing Spam Malware Phishing Spam・Malware・Phishing

  98. Copyright© QUALITIA CO., LTD. All Rights Reserved. Security for received

    emails •Spam Filtering •Virus Filtering Spam・Malware・Phishing

  99. Copyright© QUALITIA CO., LTD. All Rights Reserved. But! Virus file

    is also encrypted! Spam・Malware・Phishing Virus scanners cannot detect the virus!

  100. Copyright© QUALITIA CO., LTD. All Rights Reserved. Decode by Password

    to Detect Virus Decode by Password Virus Check Check in Sandbox You can download if the file is safe 注目 Spam・Malware・Phishing

  101. Copyright© QUALITIA CO., LTD. All Rights Reserved. What you want

    to protect from •Spoofing・Tampering •Hijacking・Springboard •Eavesdropping •Spam・Malware・Phishing •Leakage Leakage

  102. Copyright© QUALITIA CO., LTD. All Rights Reserved. Leakage Protect from

    Leakage

  103. Copyright© QUALITIA CO., LTD. All Rights Reserved. Mail Missending Prevention

    •Holding Email for a while •To, Cc → Bcc Transformation •Password protected ZIP Leakage

  104. Copyright© QUALITIA CO., LTD. All Rights Reserved. Web Downloading クオリティア

    Mail Server Mail Server Separate Attachment File 注目 Leakage

  105. Copyright© QUALITIA CO., LTD. All Rights Reserved. EMAILを守るための技術 •Spoofing・Tampering •Hijacking・Springboard

    •Eavesdropping •Spam・Malware・Phishing •Leakage SPF DKIM DMARC ARC BIMI POP before SMTP SMTP AUTH MFA STARTTLS MTA-STS TLS-RPT DANE DNSSEC AntiSPAM AntiVirus SandBox Active! zone Holding Passworded ZIP Web Downloading Active! gate

  106. Copyright© QUALITIA CO., LTD. All Rights Reserved. Introduced Products, Services

    •Web Mail for BIMI •DKIM signing Service •SMTP Bio Auth Product, Service •Authoritative DNSSEC + Mail Setting Service •TLS Report Analysis Service •Virus Checking for Passworded Files Product •Attachment Separation for Mail Missending Prevention βユーザ募集!

  107. Copyright© QUALITIA CO., LTD. All Rights Reserved. Thank you Thank

    you