Email authentication showdown: IP-based vs. signature-based


Noah Schiffman
11.15.2007


An important aspect of corporate email security architecture is its set of preventive countermeasures. These defenses are charged with thwarting a variety of threats, from spam and phishing to malware like Trojans and rootkits. First-line countermeasures include message content inspection. This type of reactive system relies on signature engines and updated databases of known spam and phishing phrases. Additional prevention techniques employ domain filtering using blacklists and whitelists. More effective filters combine heuristic techniques with statistical analysis through Bayesian filters to analyze email based on collected content. However, these detection methods often fall short, relying on slow updates from limited data and resulting in unacceptable numbers of false positives. Furthermore, identity spoofing and domain hopping by malicious senders have weakened the effectiveness of these countermeasures.

In response, several types of email authentication technologies have been developed and implemented with varying results. Prevailing authentication methods fall into two categories: path-based and cryptography-based. Path-based, or IP-based, authentication systems evaluate the network path traversed by email. They rely on DNS records that identify trusted IP addresses for sender validation. This straightforward approach of verifying the message path from sender to recipient has been widely adopted due to its simple implementation. Sender ID and Sender Policy Framework (SPF) have emerged as the dominant path-based methods in use today. While both of these techniques publish DNS policy records, they use them differently. SPF authentication compares the DNS record against the email's return-path address (the envelope layer), while Sender ID validates the Purported Responsible Address header, in addition to authenticating the SPF record.

Cryptographic, or signature-based, authentication systems rely on digitally signing messages with a public/private key pair. Recipient mail servers perform signature validation with public keys retrieved from DNS records. This method is used by the DomainKeys Identified Mail (DKIM) authentication framework, recently adopted by eBay and PayPal, the two companies most notably targeted by phishing attacks in recent years.

While both IP-based and signature-based systems rely on the DNS infrastructure, they fundamentally differ in their focus of email analysis. Path-based systems examine where the message originated, while cryptographic methods look at who sent the message.

The corporate implementation of these two different authentication methods has revealed their situational strengths and weaknesses. The advantages of using a path-based approach include easy implementation and rapid deployment, without the cryptography-related impact on server performance. Therefore, path-based systems may be beneficial to companies looking to expedite a simple system with minimal resource constraints. However, signature-based standards have the added value of providing message integrity and greater resistance to mail forwarding limitations. Digitally signed mail is best used as a robust solution for corporate protection of email containing intellectual property and other critically sensitive business information. Finally, it is important to note that these differing authentication solutions can work in tandem: several IP/signature combination systems are presently being evaluated with promising results.
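The contrast drawn above between checking the path and checking the signed content can be seen in a small simulation. This is an added example, not code from the original article: the DNS record, addresses, domain and message body are constructed, the SPF evaluator handles only the `ip4` and `all` mechanisms, and the DKIM side compares only the body hash (`bh=`), leaving out the RSA signature over the headers.

```python
import base64
import hashlib
import ipaddress

# Constructed DNS TXT data: example domain, documentation address ranges.
SPF_TXT = {"example.com": "v=spf1 ip4:192.0.2.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(return_path_domain, client_ip, txt=SPF_TXT):
    """Path-based check: is the connecting IP authorized for the envelope domain?
    Handles only the ip4 and all mechanisms."""
    record = txt.get(return_path_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"

def dkim_body_hash(body):
    """Signature-based check, integrity part: the bh= value for DKIM 'simple'
    body canonicalization with SHA-256 (trailing empty lines reduced to one CRLF)."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return base64.b64encode(hashlib.sha256(body + b"\r\n").digest()).decode()

def receive(client_ip, return_path_domain, body, signed_bh):
    """Return (SPF result, body hash matches the signed value) for one delivery."""
    return spf_check(return_path_domain, client_ip), dkim_body_hash(body) == signed_bh

BODY = b"Quarterly figures attached.\r\n"   # constructed message body
SIGNED_BH = dkim_body_hash(BODY)            # value the sender would place in bh=

# Delivered straight from the sender's authorized server.
direct = receive("192.0.2.25", "example.com", BODY, SIGNED_BH)
# Relayed by a forwarder that keeps the original return-path.
forwarded = receive("198.51.100.7", "example.com", BODY, SIGNED_BH)
# Sent from an authorized IP, but the body changed after signing.
modified = receive("192.0.2.25", "example.com", BODY + b"One more line.\r\n", SIGNED_BH)

if __name__ == "__main__":
    for name, result in (("direct", direct), ("forwarded", forwarded), ("modified", modified)):
        print(f"{name:10} spf={result[0]:5} body_hash_ok={result[1]}")
```

The forwarded delivery fails the path check while its body hash still matches, and the modified delivery passes the path check while its body hash does not, which is why the two methods complement each other.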

A comprehensive risk analysis of data sensitivity, coupled with mail traffic metrics, is essential when determining proper requirements and resources for implementing an effective email security strategy. Since the protocols and standards for authentication will ultimately change with emerging threats, it's important to adopt authentication technologies with backwards compatibility and scalability. It is necessary to remember that authentication plays only one role in email security, and must be combined with reputation scoring systems for establishing and updating acceptance and rejection thresholds. Regardless of which email authentication method is employed, its true effectiveness will ultimately be determined by what prevails as an accepted global standard.

About the author:
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina. Schiffman is based in Charleston, S.C.

All Rights Reserved, Copyright 2008 - 2010, TechTarget