Page 1 of 4 123 ... LastLast
Results 1 to 10 of 40

Thread: Zimbra Encryption Services

  1. #1
    JoshuaPrismon is offline Zimlet Guru & Moderator
    Join Date
    Nov 2005
    Posts
    477
    Rep Power
    9

    Default Encryption Services for Zimbra

    One of the interesting pieces of functionality that I think Zimbra is missing is support for verified and secure communication.

    In particular there is very similar functionality needed for bugs: 9046 - S/MIME Support, 6158 - PGP Support, and 13108-Domain Key Supports and finally 17147 - OpenID. These bugs all revolve around identification/verification (in other words, signing and validation) and encryption/decryption.

    To solve all of these I have been working on "Encryption Services for Zimbra." In the best Zimbra fashion, the toolkit consists of a bit of open source magic (In particular the Bouncy Castle providers, the Cryptix libraries, and altermime) , some server glue (two server extensions to provide key server functionality) , and some javascript to allow users to encrypt/decrypt/sign/validate messages and files.

    The basic idea is that we want to allow the user to securely send email without compromising keys, and without using outside binaries. The user experience should be as simple as a "encrypt/decrypt" button and a "sign/validate" button. No other binaries should need to be installed, and a simple install script should be the only thing that needs to run.

    Administrators should be able to manage keys, and all of the usual "web of trust" functionality should be supported.

    The key server functionality is done. The server can encrypt/decrypt/sign/validate OpenPGP messages. The first part of the S/MIME functionality is done. I also did a quick proof of concept test against the domain keys implementation.


    What done so far?
    • Key creation/deletion with passphrase and arbitrary key length.
    • Key stores in armored ASCII and PKR/SKR work.
    • Key's can be signed to validate identity
    • RSA and El GAmel keys work.
    • Message encryption/decryption in armored ASCII works.
    • Binary encryption/decryption works.
    • There is a pretty good JUNIT testing framework for all of this.
    • Flatfile keystores work fine.
    • Key's can be imported from other keyservers.


    What still has to be done:
    • A lot of peer testing. This is one place where release early and release often is probably a bad idea. Obviously this code is extremely sensitive (it's encryption, duh), so I won't release code until some other java programmers take a whack at it.
    • The front ends are not done at all. The 5.0b1 release looks nigh, so I have been holding off for that.
    • The OpenID stuff hasn't been implemented yet.
    • It may make sense to hack together a quick altermime in java/zimbra aware. S/MIME support is very very primitive, and domainkeys will also need this.
    • I need help on key revocation in PGP.
    • Supporting get/post operations in the extensions would allow for easy encryption/decryption of other files.
    • At some point, supporting LDAP for public keys so we can act as a public key server would be great.


    My hope is that by the RC1 target of 5.0 this stuff will be bulletproof enough to do a 1.0 release. I can use all the help that is out there, in particular on the Javascript end of things (my JS sucks ;-) and on security review.
    Last edited by JoshuaPrismon; 06-08-2007 at 09:50 AM.

  2. #2
    jholder's Avatar
    jholder is offline Former Zimbran
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    20

    Default

    Nice.

    Let us know if you need any help!

    -jh

  3. #3
    JoshuaPrismon is offline Zimlet Guru & Moderator
    Join Date
    Nov 2005
    Posts
    477
    Rep Power
    9

    Default

    Quote Originally Posted by jholder View Post
    Nice.

    Let us know if you need any help!

    -jh

    I could really use some experienced Java programmers to do a review of it. Outsidfe of that, I am working on a bug that seems to restrict the encrypted /decryption text to about 10mb.

  4. #4
    jholder's Avatar
    jholder is offline Former Zimbran
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    20

    Default

    You may just want to post it. I'm sure I can get someone on our end who understands what this "java" thing is, to look at it
    Last edited by jholder; 05-31-2007 at 09:21 PM.

  5. #5
    JoshuaPrismon is offline Zimlet Guru & Moderator
    Join Date
    Nov 2005
    Posts
    477
    Rep Power
    9

    Default

    Quote Originally Posted by jholder View Post
    You may just want to post it. I'm sure I can get someone on our end who understands what this "java" thing is, to look at it
    Sounds good. I am working on the MimeListeners right now to try and get as much of it auto encrypting/decrypting as possible (PGP works very well without it, but S/MIME really doesn't). As soon as I have that hurdle done (I hope today) I will release it publically, but with the proviso that it really isn't for production use right now.

  6. #6
    JoshuaPrismon is offline Zimlet Guru & Moderator
    Join Date
    Nov 2005
    Posts
    477
    Rep Power
    9

    Default

    I got a interesting question query today about GPG, and I wanted to mention some of the design trade offs that are in ZES versus FireGPG. Both will work with Zimbra. (or at least ZES will when I release it ;-)

    I actually started work looking at the FireGPG and GPG approach. I ended up ditching it (after writing most of it) for a few different reasons:

    • FireGPG actually requires PGP installed on the Windows/Linux client to work.I was hoping it was Javascript native, but no such luck. That being said, I am really skeptical of any approach that involves exposing the keys to the Browser. Fundamentally Browsers were meant to integrate information. Encryption is designed to hide it. Bad mix ;-)
    • FireGPG only supports OpenPGP. S/MIME is actually a more wide spread platform (Thunderbird and Outlook support it even though GPG has more users.
    • FireGPG doesn't encourage good key practices. And if your laptop goes, so goes your keys, unless you expose them over the network to copy them to a different machine, or leave them laying around.
    • The average PC can be hacked much more easily then a server. I'm decently sure it would be possible to hack a firefox extension that could snoop for your keys. Even worse, if the programmer didn't really know what he/she was doing (and I am not omniscient by any stretch of the imagination) it might even be possible to remotely expose keys over the Internet. That's a real scary situation.
    • You can't do real key management with this tool. If a employee leaves, and leaves large amount of encrypted data, a company should have a way ideally to recover the key. (That's a controversial statement, but more and more companies require/depend on encryption to do business). I am interested in how the community feels about this one.
    • At best it would only work with Firefox.
    • With a client side only implementation, you loose all of the Zimbra goodness like searching etc. I am a bit conflicted on this one, since Zimbra doesn't like the idea of mutable email messages once the message has been written to the store / sent via smtp. That means to be searchable, you have to grab it when it first comes in, and do the encryption/decryption there. Right now I have cacheable passphrases that let me do that, but a "decrypt always" policy will need to be enabled to make that preferment. Not to mention the headache of managing keys. I am sure there is a better way to do this.


    My original server side version used the PGP binaries, but it was rather brittle as well. Screen Scraping isn't a lot of fun ;-)


    All that being said, FirePGP is actually a pretty cool tool and it's one of the programs I am using for compatibility testing. I am using Thunderbird and Outlook as well to test S/MIME support.

    For you S/MIME experts out there. I understand that the Certs have to be provided on a user by user basis from a cert authority. What is the possibility of a domain running their own cert authority? Is there something like a SSL certificate that bridges between the CA and the end user so you don't have to go to the CA every time?

  7. #7
    Rich Graves is offline Outstanding Member
    Join Date
    Jan 2007
    Location
    Minnesota
    Posts
    718
    Rep Power
    9

    Default

    This sounds like cool work, but I agree with the assertions in the RFEs to which you refer that DKIM is actually the most useful for enterprise users.

    I like FireGPG and the like for precisely the same reasons that you don't. As a security professional, I'm paranoid about the security of my GPG key, keeping it on an encrypted removable device, etc. I consider *loose* integration with the mail client to be a feature. I only sign/encrypt stuff that really needs to be signed/encrypted. I don't enter my GPG passphrase lightly. Most of the time, I disconnect from the Internet before doing so.

    But that's me. For most users, their password (or other credential(s) necessary for accessing the Zimbra system) is the weakest, and often the only, link. If you succeed in creating an easy-to-use server-based system that makes using GPG or S/MIME as easy as entering your single sign-on credentials, then it's not clear to me what you've gained. In an intranet environment secured by firewalls, SSL, VPN, etc., there is less need for end-to-end GPG or S/MIME encryption of individual emails. The threat to the less paranoid is nether interception nor repudiation, but simple in-the-clear spoofing. I believe that automatic DKIM signing is a better solution to that problem.

    The Zimbra server would need to ensure that ZWC, Outlook, and SMTP-Authed mail is all properly DKIM signed; there would need to be an admin UI to specify what domains *must* be DKIM signed (or possibly trust assertions in the DNS, but as anyone who has worked with SPF knows, many such assertions will be bogus -- even fairly major ISPs forget to update SPF records when they add servers); and the various clients would need a UI to alert users whenever unsigned mail is received.
    Last edited by Rich Graves; 06-09-2007 at 09:38 AM.

  8. #8
    jamesclark is offline Starter Member
    Join Date
    Jun 2007
    Posts
    1
    Rep Power
    7

    Default

    Thanks for working on this Joshua.

    Here are some resources you might find useful if you don't already know about them:

    PGP / GnuPG/ Open PGP Message Encryption in JavaScript

    Gmail S/MIME for Firefox

    Looking forward to PGP support in Zimbra!

    Regards,
    James Clark

  9. #9
    JoshuaPrismon is offline Zimlet Guru & Moderator
    Join Date
    Nov 2005
    Posts
    477
    Rep Power
    9

    Default

    I like FireGPG and the like for precisely the same reasons that you don't. As a security professional, I'm paranoid about the security of my GPG key, keeping it on an encrypted removable device, etc. I consider *loose* integration with the mail client to be a feature. I only sign/encrypt stuff that really needs to be signed/encrypted. I don't enter my GPG passphrase lightly. Most of the time, I disconnect from the Internet before doing so.
    Nothing wrong with that approach. I think a system where the message can be compromised instead of a key is a more valid approach, but this is a very long and contentious problem. I will look long and hard at supporting completely foreign keys, but I am not sure I can be convinced that S/MIME and FireGPG are more secure then a centralized server.

    But that's me. For most users, their password (or other credential(s) necessary for accessing the Zimbra system) is the weakest, and often the only, link. If you succeed in creating an easy-to-use server-based system that makes using GPG or S/MIME as easy as entering your single sign-on credentials, then it's not clear to me what you've gained.
    Obviously, key pass phrases will be supported.

    The difference is the deliverable. I believe that the purpose of this is to generate secure information that can be freely transfered across the internet for validation or encryption. I am thinking mostly in terms of financial data, and signatures for purchase orders and what not. The secured data is the deliverable.

    Individual users can use FireGPG now. And if you are paranoid enough to worry about your employer's PKI system, this will never be the right project for you. Security must be balanced with practicality. That means web of trust and PKI. For me PKI is also a "check" against abuse of encryption (something that I am also bothered by) as well as a convince factor for users.

    Does that mean I am not spending a lot of time thinking about how to make sure the code is as secure as I can make it? Nope. That's part of the reason I haven't done a code drop yet (the other is that I put on 5.0 code and I am working on getting auto-encrypt/decrypt to work).

    And if that these statements sent hackles up your back, don't trust the code unless you have read it all ;-)

    In an intranet environment secured by firewalls, SSL, VPN, etc., there is less need for end-to-end GPG or S/MIME encryption of individual emails. The threat to the less paranoid is nether interception nor repudiation, but simple in-the-clear spoofing. I believe that automatic DKIM signing is a better solution to that problem.
    Amusingly enough I just scanned my mail store for DKIM signed messages. Want to bet who the only people who ahve sent me DKIM messages are?
    answer: Spammers.

    I think DKIM is a good approach, although I like SPF as well, and the failure to implement that properly is a bit troubling to me.

  10. #10
    beserker's Avatar
    beserker is offline Starter Member
    Join Date
    Jun 2007
    Location
    Cincinnati, OH
    Posts
    2
    Rep Power
    7

    Default What is the status on this now?

    Any further progress on this?

Page 1 of 4 123 ... LastLast

LinkBacks (?)

  1. 12-20-2007, 11:52 PM
  2. 11-20-2007, 07:04 AM
  3. 09-17-2007, 06:39 PM
  4. 07-28-2007, 03:12 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Can't start Zimbra!
    By zibra in forum Administrators
    Replies: 5
    Last Post: 03-22-2007, 11:34 AM
  2. 4.5 Upgrade failure
    By brained in forum Installation
    Replies: 9
    Last Post: 03-03-2007, 03:30 PM
  3. Replies: 7
    Last Post: 01-24-2007, 11:03 PM
  4. svn version still won't start
    By kinaole in forum Developers
    Replies: 0
    Last Post: 10-04-2006, 06:47 AM
  5. Replies: 1
    Last Post: 11-23-2005, 01:35 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •