Identity Based Encryption
In practice this means we have a way to enforce encryption profiles based on the user (recipient). It allows full encryption of the body of the email message and/or its attachment(s).
What this means;
- we can control the securing of the email content
- based on sender and destination (IP address or email address)
- enforce strict enterprise security policies between sender and recipient
- unlike TLS between MTAs, the message is fully encrypted in transit and at rest
- and without the sender's or recipient's knowledge or involvement (we don't need any local mail encryption programs like PGP, nor have to worry about the user forgetting to encrypt his mail)
Profile > Security > IBE
These levels of encryption should satisfy most security policies and any requirements your network might demand. The cipher choices should meet most enterprise and government requirements. AES is highly recommended imho and should be used at minimum.
The name of the IBE profile should be simple, fit its purpose and be easy to remember. Once again, this is my opinion.
Here I'm naming this profile IBE-3des for the triple-DES cipher.
After you have defined your IBE profile(s), you must set up the delivery rules under your access controls.
AccessControls > Delivery
The above is a snippet of my delivery access rules, showing the "from who", "to what" and the level of encryption. As you can see, I have a few profiles built for 3des and even aes192.
At this point you should either 1) select your encryption profile, or 2) create a new one, and add any comments within the profile (optional).
In the example below, I've created an encryption profile for any email from <anyuser>@socpuppets.com to <anyuser>@gmail.com and selected aes192. You can use wildcards or specific matches for either the user's email address or IP address.
Okay, now that the ordering is correct, we will draft a mail message from the appliance, or use any mail that is relayed through the unit. All of it would undergo encryption with the profile attached for that sender/receiver pairing.
I'll send an email to someone on gmail and let's watch what happens. Here's the mail message;
Unknown to the sender, his email will be encrypted and a link pushed to the recipient. The recipient can download the email attachment (the secured data), but it would be encrypted by the cipher we used. So good luck to anybody that intercepts our data: they would not be able to decrypt the ciphertext.
A message will appear in the recipient's inbox similar to the below. This message is just a <notification> for mail sent securely to the recipient.
And if he/she wants to read the message, they need to follow the link and set a password. All of the above is done via TLS, through the redirection link given in the mail message. Registering the user is simple and straightforward and takes about 1-2 mins depending on how fast you can type :)
After you have completed the registration and created the new user, you can view the email.
The FortiMail will monitor the user status and display information about the user under user > ibe-user. You can display information about the user's logins and when they complete the pre-registration process.
See how simple this setup is and just how effective the IBE encryption process is.
As with all email messages, you can download the message, but it would be encrypted with the cipher you enabled under that profile. So if a man in the middle or big brother was watching, they would have only ciphertext. The only information not encrypted would be our HTML formatting and other non-message-body data.
I hope this post has been helpful. IBE is easy to craft and set up. Key points to remember;
- determine the level of encryption that you need
- determine the sender/recipient pairs that need encryption
- build your profile
- attach it via the ACL for the sender/recipient pairing
- evaluate the ordering of the ACL and adjust if required
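As an added example (not FortiMail's own code or configuration), the following Python models the ordered, first-match delivery ACL from the steps above, so that the sender/recipient pairing and the rule ordering can be checked before the profile it picks is trusted; the glob syntax for addresses and the CIDR handling for IP-based senders are assumptions of this model.

```python
import fnmatch
import ipaddress

# Constructed model of an ordered delivery access-control list. This is not
# FortiMail code, only a way to reason about first-match rule ordering.
# A rule pairs a sender pattern and a recipient pattern with the IBE profile
# to enforce. Patterns are case-insensitive globs on an email address
# ("*@socpuppets.com") or, by assumption, a CIDR block for a relaying IP.
def _is_cidr(pattern):
    return "/" in pattern

def _matches(pattern, value):
    """Match one ACL field against a concrete sender or recipient value."""
    if _is_cidr(pattern):
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False  # value is an email address, so a CIDR rule cannot match it
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def select_profile(acl, sender, recipient):
    """Walk the ACL top-down; the first rule matching both ends decides the
    IBE profile. None means nothing matched and IBE is not enforced."""
    for rule in acl:
        if _matches(rule["from"], sender) and _matches(rule["to"], recipient):
            return rule["profile"]
    return None

def _covers(earlier, later):
    """True when everything 'later' could match is already caught by 'earlier'."""
    if _is_cidr(earlier) and _is_cidr(later):
        return ipaddress.ip_network(later, strict=False).subnet_of(
            ipaddress.ip_network(earlier, strict=False))
    if _is_cidr(earlier) or _is_cidr(later):
        return False
    # Heuristic for globs: treat the later pattern as a literal and ask whether
    # the earlier glob swallows it ("*@gmail.com" is covered by "*", not vice versa).
    return fnmatch.fnmatchcase(later.lower(), earlier.lower())

def shadowed_rules(acl):
    """Indexes of rules that can never fire because an earlier rule covers them.
    Use it to evaluate the ordering of the ACL before trusting the profile it picks."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if _covers(earlier["from"], later["from"]) and _covers(earlier["to"], later["to"]):
                shadowed.append(j)
                break
    return shadowed
```

A rule that is reported as shadowed never applies its profile, which is exactly the silent failure the ordering check in the key points is meant to catch.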
Freelance Security/Network Engineer
kfelix ----at--- hyperfeed --dot---com
= ( * * )=