Short Message Service (SMS) and Electronic Mail (Email) are the most popular means of electronic communication today because of their ease of use and convenience. Their use keeps growing with the spread of mobile phones [1] and the ubiquity of the internet. Unfortunately, like many electronic services, SMS and email have suffered several abuses, one of which is the forging of the sender identity. This poses a serious threat to the reliability of these services, because the identity of the sender is important in any communication.
Email in particular is much more prone to this abuse than its SMS counterpart because of inherent design issues. Email was built on the Simple Mail Transfer Protocol (SMTP) with the aims of transferring mail reliably and efficiently [2]. Like many of the early internet services, there were no security considerations, which meant that it had no means of guaranteeing confidentiality, integrity, privacy and authentication. A typical email message consists of an Envelope, a Header and a Body.
The Envelope typically contains the HELO identity, which is the Mail Transfer Agent (MTA) sending the message, and the MAIL FROM identity, the email address responsible for sending the email and acting as the delivery address for error responses. The Header contains other details of the message, including the Subject, the sending date and other identities. Other important header information includes the From identity, which contains the address of the author of the message.
The Sender identity is used if the author of the message is not the actual sender of the message. The To identity serves as the address of the intended recipient. These header identities are not required for message delivery but for the recipient to identify the author of the message. Because the email protocol does not provide for the verification of the author and sender information saved in the headers, they can be changed to reflect another email address, thereby misleading the recipient.
Besides, the messages are transmitted through many intermediate servers in the clear, which makes it easy for a malicious user to intercept and manipulate these header identities.

SMS Sender Authentication Mechanism

Unlike email, security was built into the Global System for Mobile Communications (GSM) protocol, on which SMS rides, from the outset. It was intended to provide anonymity, authentication, and confidentiality of user data and signalling information [3]. The authentication ensures that it is almost certain that the user is the one s/he claims to be.
To accomplish this, subscriber authentication is performed at each registration and before any service is performed [4][5]. The mobile station (MS) consists of the Mobile Equipment (ME) and the SIM (Subscriber Identification Module) card. The SIM is a smart card that contains a unique identifier, the IMSI, and a Ki, an individual subscriber authentication key. The Ki is a 128-bit random number which is the root cryptographic key used for generating session keys and for user authentication. It is stored in the SIM and in the Authentication Centre (AuC).
The authentication process works through a challenge/response procedure involving the MS, the AuC, the HLR (Home Location Register) and the MSC (Mobile Switching Centre)/VLR (Visitor Location Register). The AuC fetches the Ki from the HLR using the IMSI of the MS and, using the A3 algorithm, the Ki and a random number R (the RAND), the AuC calculates the signed response, SResp, it expects from the MS. Secondly, using the A8 algorithm, the Ki and R, it calculates another key, Kc. The Kc, SResp and R are then delivered to the MSC/VLR.
The MSC/VLR then sends the RAND to the MS. Since the MS has the Ki and can execute the A3 and A8 algorithms, it calculates the Kc and the SResp. The MS then sends the SResp to the MSC/VLR, which compares the value with the one it got from the AuC. If they match, the user is authenticated; otherwise access is denied [6]. All subsequent messages from the MS are recorded against the IMSI. This authentication mechanism makes it very hard to forge the identity of another subscriber.
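The challenge/response exchange described above, simulated end to end as an added example (this is not code from the original essay). The real A3 and A8 algorithms are operator-specific and are not given on the page, so HMAC-SHA256 stand-ins with the same (Ki, RAND) inputs are assumed; the HLR table, the IMSI values and the Ki values are constructed, and only the SRES comparison decides whether the station is admitted.

```python
import hmac
import hashlib
import secrets

# A3/A8 are operator-specific and not published here; these HMAC-SHA256
# functions are stand-ins (an assumption of this example) with the same
# interface: (Ki, RAND) -> 32-bit SRES and (Ki, RAND) -> 64-bit Kc.
def a3(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in: signed response SRES derived from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """A8 stand-in: session cipher key Kc derived from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class HLR:
    """Home Location Register: subscriber Ki records keyed by IMSI (constructed data)."""
    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def ki_for(self, imsi: str) -> bytes:
        return self._ki_by_imsi[imsi]

class AuC:
    """Authentication Centre: produces the (RAND, SRES, Kc) triplet for an IMSI."""
    def __init__(self, hlr: HLR):
        self._hlr = hlr

    def triplet(self, imsi: str):
        ki = self._hlr.ki_for(imsi)        # Ki never leaves the AuC/HLR side
        rand = secrets.token_bytes(16)      # fresh 128-bit challenge each time
        return rand, a3(ki, rand), a8(ki, rand)

class SIM:
    """SIM card side: holds IMSI and Ki and answers a RAND challenge."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)

class MSC_VLR:
    """MSC/VLR: relays RAND to the MS and compares the returned SRES with the AuC's."""
    def __init__(self, auc: AuC):
        self._auc = auc
        self.session_keys = {}   # IMSI -> Kc for authenticated stations

    def authenticate(self, claimed_imsi: str, ms: SIM) -> bool:
        rand, expected_sres, kc = self._auc.triplet(claimed_imsi)
        sres, _kc_ms = ms.respond(rand)     # Kc is derived on both ends, never sent
        if hmac.compare_digest(sres, expected_sres):
            self.session_keys[claimed_imsi] = kc
            return True
        return False

def demo():
    """Genuine SIM is admitted; a SIM claiming the same IMSI without the Ki is denied."""
    hlr = HLR()
    ki_alice = secrets.token_bytes(16)                    # 128-bit Ki, constructed
    hlr.provision("IMSI-001", ki_alice)
    network = MSC_VLR(AuC(hlr))
    genuine = SIM("IMSI-001", ki_alice)
    impostor = SIM("IMSI-001", secrets.token_bytes(16))   # right IMSI, wrong Ki
    return (network.authenticate("IMSI-001", genuine),
            network.authenticate("IMSI-001", impostor))

if __name__ == "__main__":
    print(demo())   # (True, False)
```

The point the simulation makes is the one the paragraph makes: knowing the IMSI is not enough, because the SRES can only be produced by a party holding the Ki, which is stored only in the SIM and the AuC.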
Some Proposed Solutions to Email Sender Authentication

Various solutions have been proposed to address the problem of email sender authentication. Some of the approaches attempt to verify the address of the purported sending server, while others provide a more end-to-end authentication mechanism, or a combination of both.

Sender Policy Framework (SPF) and Sender ID

These protocols are designed to protect against the forgery of email sender identities either in the envelope or in the header. They verify that the sending mail server given in the envelope is actually authorised to send mail on behalf of the domain.
In SPF [7], the HELO and MAIL FROM identities are authenticated by comparing the sending mail server's IP address with the list of authorised sending IP addresses published by the sender domain's owner in a DNS record beginning "v=spf1". Sender ID [8], proposed by Microsoft, works like SPF except that it authenticates one of the header addresses using an algorithm called the Purported Responsible Address, PRA [9]. SPF and Sender ID require that every mail server publish the list of IP addresses that are authorised to send email on behalf of its domain.
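An added example of the SPF check on the receiving side (not code from the original essay): it takes the domain out of the envelope MAIL FROM identity, looks up that domain's "v=spf1" record and compares the connecting server's IP address with the authorised list. The DNS records, domains and IP addresses are constructed; real DNS lookups are assumed to be replaced by the dictionary, and of the SPF mechanisms only ip4, ip6, include and all are implemented.

```python
import ipaddress
import re

# Constructed DNS TXT records standing in for real lookups (assumption: a
# receiving server would query DNS for each domain).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-querying mechanisms at 10 per check

def check_spf(domain: str, client_ip: str, dns=DNS_TXT, depth: int = 0) -> str:
    """Evaluate the domain's SPF record against the connecting client's IP.

    Supports ip4/ip6 (with optional CIDR), include and all; the a, mx and
    exists mechanisms are not implemented in this example and are skipped.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or record.split()[0] != "v=spf1":
        return "none"                      # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result                  # catch-all decides everything unmatched
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # an IPv4 network never contains an IPv6 address, and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            if check_spf(arg, client_ip, dns, depth + 1) == "pass":
                return result
    return "neutral"                       # nothing matched and no 'all' term

def check_mail_from(mail_from: str, client_ip: str, dns=DNS_TXT) -> str:
    """Apply SPF to the envelope identity, e.g. 'MAIL FROM:<alice@example.com>'."""
    m = re.search(r"<[^>@]+@([^>]+)>", mail_from)
    if not m:
        return "permerror"
    return check_spf(m.group(1), client_ip, dns)

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip, check_mail_from("MAIL FROM:<alice@example.com>", ip))
```

The "none" result is the practical weakness the essay goes on to describe: a receiver can only reject a forged envelope for domains that have actually published a record, and a "~all" (softfail) policy like the relay's leaves the decision to the receiver.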
The main disadvantage of this is that it will take a long time before all mail servers adopt these approaches. Statistics [10] show that these methods have not been widely accepted. It also causes problems for users who legitimately want to use another domain to send email without changing their addresses. S/MIME [11] works by signing and optionally encrypting the body of the message. It relies on public key certificates for the identification of senders, using the X.509 public key infrastructure (PKI).
It is supported by most of the popular mail clients available. The issue with this solution is that every user has to buy a certificate from a certificate authority (CA), though this is a lot cheaper than the one required for a web server. The signature on the mail serves as an assurance to the recipient that the person holding the signing certificate most likely authored the message content. PGP [12] has been adopted by the IETF as the de-facto standard for signing and encrypting text or any block of data.
Under the name OpenPGP [13], it is flexible enough to be used even with mail clients that do not have the capability to sign and encrypt messages. OpenPGP has been adapted as PGP/MIME to multi-part MIME messages in a similar manner to S/MIME. The difference is in the management of keys, in that PGP/MIME works with a public key web of trust instead of relying on a central CA. The implication here is that recipients cannot really verify the sender and simply have to trust the key. The trust is normally established through personal contacts and public key verification.
DomainKeys Identified Mail (DKIM)

DKIM provides a cryptographic signature over multiple Internet Message Format header fields and the body of a message. A domain that implements this protocol must publish the public (domain) key corresponding to its private key in a DNS record. This means that, in order for a message to be considered valid, its signature must be verified successfully and the domain of the sender in the header must also match that of the signing key.
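An added example (not code from the original essay) that walks through the DKIM flow just described: the sending domain publishes a key under a selector in DNS, signs chosen header fields plus a hash of the body, and the receiver recomputes the body hash, checks the signature with the published key and then checks that the From domain matches the d= tag. To keep it self-contained the example assumes a toy textbook RSA key built from two Mersenne primes and a dictionary in place of DNS; real DKIM uses padded RSA or Ed25519 keys published as base64 DER, and the canonicalisation here is the "simple" body form only.

```python
import base64
import hashlib
import re

# Toy textbook RSA over two Mersenne primes, an assumption of this example so
# it runs without a crypto library; such a key offers no real security. Real
# DKIM signs with padded RSA (or Ed25519) and publishes base64 DER keys in DNS.
P = (1 << 521) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

SIGNED_HEADERS = ("from", "to", "subject")
DNS_TXT = {}   # "selector._domainkey.domain" -> public key (stand-in for DNS)

def publish_key(domain: str, selector: str) -> None:
    DNS_TXT[f"{selector}._domainkey.{domain}"] = {"n": N, "e": E}

def canonical_body(body: str) -> str:
    """DKIM 'simple' body canonicalisation: drop trailing empty lines, end with CRLF."""
    return body.rstrip("\r\n") + "\r\n"

def body_hash(body: str) -> str:
    return base64.b64encode(hashlib.sha256(canonical_body(body).encode()).digest()).decode()

def header_hash(headers: dict, sig_without_b: str) -> int:
    """Hash the signed header fields plus the DKIM-Signature field with an empty b=."""
    h = hashlib.sha256()
    for name in SIGNED_HEADERS:
        h.update(f"{name}:{headers.get(name, '').strip()}\r\n".encode())
    h.update(f"dkim-signature:{sig_without_b}".encode())
    return int.from_bytes(h.digest(), "big")   # < 2**256 < N, so no reduction needed

def sign(headers: dict, body: str, domain: str, selector: str) -> str:
    """Produce the DKIM-Signature header value for the message."""
    tags = (f"v=1; a=rsa-sha256; d={domain}; s={selector}; "
            f"h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b=")
    sig = pow(header_hash(headers, tags), D, N)
    return tags + base64.b64encode(sig.to_bytes((N.bit_length() + 7) // 8, "big")).decode()

def parse_tags(sig_header: str) -> dict:
    return {k.strip(): v.strip() for k, _, v in
            (t.partition("=") for t in sig_header.split(";") if t.strip())}

def from_domain(headers: dict) -> str:
    m = re.search(r"@([^>\s]+)", headers.get("from", ""))
    return m.group(1).lower() if m else ""

def verify(headers: dict, body: str, sig_header: str, dns=DNS_TXT) -> str:
    """Receiver side: body hash, signature against the DNS key, then From/d= alignment."""
    tags = parse_tags(sig_header)
    if tags.get("v") != "1":
        return "permfail: unsupported version"
    if tags.get("bh") != body_hash(body):
        return "permfail: body hash mismatch"
    key = dns.get(f"{tags.get('s')}._domainkey.{tags.get('d')}")
    if key is None:
        return "permfail: no public key in DNS"
    without_b = sig_header[: sig_header.index("; b=") + 4]
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    if pow(sig, key["e"], key["n"]) != header_hash(headers, without_b):
        return "permfail: signature does not verify"
    if from_domain(headers) != tags["d"].lower():
        return f"permfail: From domain {from_domain(headers)} does not match d={tags['d']}"
    return "pass"

def demo():
    """Valid message, altered body, altered header, and a valid signature from another domain."""
    publish_key("example.com", "s1")
    publish_key("other.example", "s1")
    hdrs = {"from": "Alice <alice@example.com>", "to": "bob@example.net", "subject": "Hello"}
    body = "Hi Bob, the meeting moved to 3pm.\r\n\r\n"       # constructed message
    sig = sign(hdrs, body, "example.com", "s1")
    sig_other = sign(hdrs, body, "other.example", "s1")     # key of a different domain
    return (verify(hdrs, body, sig),
            verify(hdrs, "Hi Bob, the meeting moved to 4pm.\r\n", sig),
            verify(dict(hdrs, subject="Urgent"), body, sig),
            verify(hdrs, body, sig_other))

if __name__ == "__main__":
    for r in demo():
        print(r)
```

The last case is why the alignment rule in the paragraph matters: a signature can be perfectly valid for the domain that made it and still say nothing about the From address the recipient sees, so the receiver must compare the two rather than stop at "signature verified".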
Mail recipients can then use that key to check the authenticity of the message header and body against the header sender identity. Though S/MIME, PGP and DKIM are more effective than SPF and Sender ID, they are still not as widely adopted as they should be, due to usability and other practical issues. There are issues around acquiring a certificate through a CA or a web of trust. Besides, many ordinary users may not create strong keys for use, which may undermine the security.
They are also CPU intensive and require the whole message to be received before its validity is determined and action taken.

Trusted Email System

Another proposal is the use of the hardware-based cryptographic functionality of a Trusted Platform Module (TPM) together with the Ephemerizer concept [15]. The TPM addresses the exposure of software-based keys, to which PGP and S/MIME are prone, by storing the keys in a tamper-resistant hardware module, while the Ephemerizer issues ephemeral keys which are used to encrypt emails and which expire after a period of time. The disadvantage of this is that new TPM hardware has to be acquired to do this.
Conclusions

Due to the lack of security in the email protocol, it is very easy to forge the email sender. This is a lot more difficult with SMS due to the strong security design built into GSM. Only end-to-end solutions such as PGP, S/MIME and DKIM can provide adequate authentication. However, due to the complexity of creating certificates and the usability problems, the adoption of these protocols is still rather low. A TPM-based solution would be ideal for solving these problems, but it will take a while before enough personal computers have the module, and there are cost implications.