Corporate e-mail authentication battle royal: IP-based vs. signature-based

Published 16 November 2007

There are two categorical approaches to corporate e-mail security: path- or IP-based methods focus on where the message originated and evaluate the network path traversed by the e-mail; cryptographic methods look at who sent the message.

Action-reaction. Remember the movie “Les Choristes”? In 1949 France, Clément Mathieu, an unemployed music teacher, finds a teaching position at a boarding school (more like a reform school) for children with disciplinary problems. Rachin, the school’s principal, is a strict, old-fashioned administrator whose watchword is: “Action, reaction!” He explains to Mathieu: “As soon as a pupil commits an offense, he is punished without mercy.”

This action-reaction balance finds expression in corporate security as well. An important aspect of corporate e-mail security architecture is its method of preventive countermeasures. These defenses are charged with thwarting a variety of threats, from spam and phishing to malware such as Trojans and rootkits. Noah Schiffman writes in SearchSecurity that

first-line countermeasures include message content inspection. This type of reactive system relies on signature engines and updated databases of known spam and phishing phrases. Additional prevention techniques use domain filtering, which relies on blacklists and whitelists. More effective filters combine heuristic techniques with statistical analysis through Bayesian filters to analyze e-mail based on collected content. These detection methods, writes Schiffman, often fall short, relying on slow updates from limited data and resulting in unacceptable numbers of false positives. Moreover, identity spoofing and domain hopping by malicious senders have weakened the effectiveness of these countermeasures.

Now to the reaction (you may recall our discussion from two days ago of the battle between Microsoft-backed Sender ID and the alternative, encryption-based approaches). Several types of e-mail authentication technologies have been developed and implemented with different degrees of success. The leading authentication methods employ either path-based or cryptography-based approaches.

* Path-based or IP-based authentication systems evaluate the network path traversed by e-mail. They rely on DNS records which identify trusted IP addresses for sender validation. This approach of verifying the message path from sender to recipient has been widely adopted in the enterprise because of its simple implementation. Sender ID and Sender Policy Framework (SPF) have emerged as the dominant path-based methods in use today. Both of these techniques publish DNS policy records, but they use them differently. SPF authentication compares the DNS record against the e-mail’s return-path address header (the envelope layer); Sender ID uses a Purported Responsible Address (PRA) header validation method, in addition to authenticating the SPF record.

* Cryptographic, or signature-based, authentication systems rely on digitally signing messages with a public/private key pair. Recipient mail servers perform signature validation with public keys retrieved from DNS records. This method is used by the DomainKeys Identified Mail (DKIM) authentication framework, recently adopted by eBay and PayPal, two companies heavily targeted by phishing attacks in recent years.

Schiffman correctly notes that both IP-based and signature-based systems rely on the DNS infrastructure, but they differ fundamentally in their focus of e-mail analysis. Path-based systems examine where the message originated; cryptographic methods look at who sent the message.

The advantages and disadvantages of each approach are highlighted by the way each has been implemented in the corporate world.

* The advantages of using a path-based approach include easy implementation and rapid deployment, without the cryptography-related impact on server performance. Path-based systems may thus be beneficial to companies looking to deploy a simple system quickly with minimal resource requirements.

* Signature-based standards, though, have the added value of providing message integrity and greater resistance to mail forwarding limitations. Digitally signed mail is best used as a robust solution for corporate protection of e-mail containing intellectual property and other sensitive business information.

Note that these different authentication solutions can work in tandem — several IP/signature combination systems are presently being evaluated with promising results.

“A comprehensive risk analysis of data sensitivity, coupled with mail traffic metrics, is essential when determining proper requirements and resources for implementing an effective e-mail security strategy,” Schiffman writes. Since the protocols and standards for authentication will ultimately change with emerging threats, “it’s important to adopt authentication technologies with backwards compatibility and scalability,” he adds. In any event, authentication plays only one role in e-mail security, and must be combined with reputation scoring systems for establishing and updating acceptance and rejection thresholds. “Regardless of what e-mail authentication method is employed, their true effectiveness will be ultimately determined by what prevails as an accepted global standard,” Schiffman concludes.

Schiffman, based in Charleston, South Carolina, describes himself as a “reformed former black-hat hacker” who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. He currently works as an independent IT security consultant. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina.