An Analysis of IMAP Security

CMPE 209Presented By

Divya PanchalBepsy Paul Menachery

Agenda

What is IMAP State Flow Diagram Advantages of IMAP over POP3 Analysis of IMAP Security Future of IMAP Security Conclusion

What is IMAP IMAP – Internet Message Access Protocol It is the most popular Internet Standard

Protocol to retrieve email The other protocol is POP3 It will allow a client to access and

manipulate electronic mail messages on server

IMAP4version1 assumes a reliable data stream such as that provided by TCP

When TCP is used IMAP4version 1 will listen on port 143

State Flow Diagram

Not Authenticated

Logout

Both sides close the connection

1

2

3

4

56

7

Connection Establishment

Server Greeting

Selected

Authenticated

Client

Client Command [tag] [string line]

Server Command [tag] [+] or [*] [string]

Server

Advantages of IMAP over POP3Features IMAP POP

Where is INBOX being stored? Email Server Email Server

Where are Mail Folders being stored? Email Server Mainly on User's own local

desktop

Can Mail Folders be created on Mail Server? Yes No, only on User's own local

desktop

Can Mail Folders be created on local desktop? Yes Yes

Can Mail Folders be accessed from different computers, like the PC at home, in office, or from oversea?

Yes No, only on the local desktop the mail being saved

Typical Email Clients • Netscape Messenger• Outlook Express• Outlook 2000• Outlook 98• PINE• MailDrop, etc

• Eudora• Outlook 97, etc

Analysis of IMAP Security The basic IMAP sends username and

pass word in clear To secure IMAP, the use of Kerberos was

recommended as part of SASL proposal Another method is to use SSH for

securing the IMAP messages. A perfect solution is to use SSL or SSL

wrapper to encrypt both login information and data in the messages.

Analysis of IMAP Security (contd.) The restriction of LOGIN command

usage Recommended use of STARTTLS Must used cipher suite -

TLS_RSA_WITH_RC4_128_MD5 [TLS] Recommended cipher suite -

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA [TLS]

Future of IMAP Security

With the demand for universal multi-device connectivity, IMAP is best suited for accessing email from different devices simultaneously

The importance of IMAP for both back-end and front-end user interfaces are increasingly popular

IMAP for use with client devices such as PDAs, Palm OS, Win CE and cell phones are becoming popular

Use of IMAP in messaging products are an essential requirement in the market

Conclusion

IMAP when used by itself is not secure

IMAP used with secure mechanisms such as SSH, SSL or Kerberos is secure

With the demand for universal multi-device connectivity, the future of IMAP is very promising

Refrences http://tools.ietf.org/html/rfc3501 http://en.wikipedia.org/wiki/

Internet_Message_Access_Protocol http://www.ust.hk/itsc/email/tips/imap-or-

pop.html http://www.coruscant.demon.co.uk/mike/

imap/security.html http://security.fi.infn.it/tools/stunnel/index-

en.html Managing IMAP, 1st Editionby Dianna Mullet;

Kevin Mullet

Q &A