For email security, we are faced with two common methods. I will provide a one-on-one comparison of some of the differences between the two.
| S/MIME | PGP (GnuPG) |
|---|---|
| chain of trust via CA (the trusted-body approach) | not centralized to any one CA or root authority |
| easier to integrate into most mail systems (Windows, for example) | not as easy to implement in most mail systems |
| if any part of the CA chain is compromised, the whole chain is compromised | not an issue with PGP |
| certificates based on X.509 | not X.509 compliant |
| lifetime is based on certificate expiration (you will have to buy and renew certificates) | in earlier PGP implementations, keys had a lifetime of forever |
| no such thing as certificate distribution; it uses the CA root model (hierarchical) | public-key distribution via manual distribution or keyservers |
| costs money (MTA server, certificates, etc.) | with GPG it's 100% free |
| secure | more secure, due to being decentralized (<-- my opinion) |
| supports MIME attachments only | does mail encryption and much more (e.g. disk encryption) |
| RSA public key | supports RSA, DH, Elgamal, etc. |
| cipher support is less than GPG's | cipher support is slightly more than what S/MIME clients support |
Both methods provide the end user with security and close the gap within the SSL/TLS island, as mentioned before in some of my earlier postings. How secure one is over the other really depends on whether you believe in the CA model or the web of trust. Since the CA model builds reputation and trust via a selected authority, it places all security risk within that authority and its delegation.
Past history has seen problems within central CA root authorities (look at past incidents with Google, Comodo and DigiNotar, for example).
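To make the difference in blast radius concrete, here is a small Python model of the two trust structures. This is an added example, not code from the original post and not GnuPG or any S/MIME implementation: the certificate subjects, key IDs and the "Intermediate CA" are all constructed names, it performs no real X.509 or OpenPGP processing, and the web-of-trust rule is a deliberately simplified version of the GnuPG validity calculation (one full certification needed, marginal trust ignored). It shows that one compromised link in a CA chain invalidates every certificate beneath it, while in a web of trust only the keys whose certification path runs through the compromised key lose validity.

```python
"""Toy model of the two trust models compared above: a hierarchical CA chain
(S/MIME) versus a web of trust (PGP).  Constructed example with made-up names;
it does no real X.509 or OpenPGP processing."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # issuer == subject marks a self-signed root


@dataclass(frozen=True)
class PgpKey:
    uid: str
    certified_by: frozenset  # uids of the keys that signed this key's user ID


# --- hierarchical CA model (constructed chain) -----------------------------
CERTS = {
    "Root CA": Cert("Root CA", "Root CA"),
    "Intermediate CA": Cert("Intermediate CA", "Root CA"),
    "alice": Cert("alice", "Intermediate CA"),
    "bob": Cert("bob", "Intermediate CA"),
    "carol": Cert("carol", "Root CA"),
}
ROOTS = {"Root CA"}
CA_USERS = ["alice", "bob", "carol"]


def smime_valid(leaf, certs, trusted_roots, compromised):
    """Walk issuer links from the leaf up to a root.  Every link must exist,
    none may be compromised, and the walk must end at a trusted root."""
    seen = set()
    name = leaf
    while True:
        cert = certs.get(name)
        if cert is None or name in compromised or name in seen:
            return False
        seen.add(name)
        if cert.issuer == cert.subject:
            return cert.subject in trusted_roots
        name = cert.issuer


# --- web of trust (constructed keyring) ------------------------------------
KEYS = {
    "me": PgpKey("me", frozenset()),
    "alice": PgpKey("alice", frozenset({"me"})),
    "bob": PgpKey("bob", frozenset({"alice"})),
    "carol": PgpKey("carol", frozenset({"alice", "me"})),
    "dave": PgpKey("dave", frozenset({"bob"})),
}
FULL_TRUST = {"me", "alice", "bob"}  # owners whose certifications I accept
WOT_USERS = ["alice", "bob", "carol", "dave"]


def wot_valid(target, keys, own, full_trust, compromised, max_depth=5):
    """Simplified GnuPG-style rule: a key is valid if it is my own, or if it
    carries a certification from a valid key whose owner I fully trust.
    Compromised keys count as revoked: they are not valid and their
    certifications carry no weight."""
    valid = {own} - compromised
    for _ in range(max_depth):
        grew = False
        for uid, key in keys.items():
            if uid in valid or uid in compromised:
                continue
            if any(c in valid and c in full_trust for c in key.certified_by):
                valid.add(uid)
                grew = True
        if not grew:
            break
    return target in valid


def smime_report(compromised):
    """Validity of each constructed S/MIME user given a set of compromised names."""
    return {u: smime_valid(u, CERTS, ROOTS, compromised) for u in CA_USERS}


def wot_report(compromised):
    """Validity of each constructed PGP key given a set of compromised key IDs."""
    return {u: wot_valid(u, KEYS, "me", FULL_TRUST, compromised) for u in WOT_USERS}


if __name__ == "__main__":
    print("S/MIME, Intermediate CA compromised:", smime_report({"Intermediate CA"}))
    print("S/MIME, Root CA compromised:        ", smime_report({"Root CA"}))
    print("PGP, alice's key compromised:       ", wot_report({"alice"}))
```

Compromising the intermediate CA takes alice and bob down together, and compromising the root takes everyone; compromising alice's PGP key takes bob and dave down because their only certification path runs through her, while carol, who was also certified directly by me, stays valid. The web of trust contains the damage rather than removing it, which is the caveat behind "not an issue with PGP".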
In conclusion:
Mail security should not be taken lightly. With email still being a main method for the delivery of information and data, we should always think of security within our daily email practices.
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( ^ ^ )=
o
/ \
| |