Upload
melanie-hamilton
View
216
Download
2
Embed Size (px)
Citation preview
An Analysis of IMAP Security
CMPE 209Presented By
Divya PanchalBepsy Paul Menachery
Agenda
What is IMAP State Flow Diagram Advantages of IMAP over POP3 Analysis of IMAP Security Future of IMAP Security Conclusion
What is IMAP IMAP – Internet Message Access Protocol It is the most popular Internet Standard
Protocol to retrieve email The other protocol is POP3 It will allow a client to access and
manipulate electronic mail messages on server
IMAP4version1 assumes a reliable data stream such as that provided by TCP
When TCP is used IMAP4version 1 will listen on port 143
State Flow Diagram
Not Authenticated
Logout
Both sides close the connection
1
2
3
4
56
7
Connection Establishment
Server Greeting
Selected
Authenticated
Client
Client Command [tag] [string line]
Server Command [tag] [+] or [*] [string]
Server
Advantages of IMAP over POP3Features IMAP POP
Where is INBOX being stored? Email Server Email Server
Where are Mail Folders being stored? Email Server Mainly on User's own local
desktop
Can Mail Folders be created on Mail Server? Yes No, only on User's own local
desktop
Can Mail Folders be created on local desktop? Yes Yes
Can Mail Folders be accessed from different computers, like the PC at home, in office, or from oversea?
Yes No, only on the local desktop the mail being saved
Typical Email Clients • Netscape Messenger• Outlook Express• Outlook 2000• Outlook 98• PINE• MailDrop, etc
• Eudora• Outlook 97, etc
Analysis of IMAP Security The basic IMAP sends username and
pass word in clear To secure IMAP, the use of Kerberos was
recommended as part of SASL proposal Another method is to use SSH for
securing the IMAP messages. A perfect solution is to use SSL or SSL
wrapper to encrypt both login information and data in the messages.
Analysis of IMAP Security (contd.) The restriction of LOGIN command
usage Recommended use of STARTTLS Must used cipher suite -
TLS_RSA_WITH_RC4_128_MD5 [TLS] Recommended cipher suite -
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA [TLS]
Future of IMAP Security
With the demand for universal multi-device connectivity, IMAP is best suited for accessing email from different devices simultaneously
The importance of IMAP for both back-end and front-end user interfaces are increasingly popular
IMAP for use with client devices such as PDAs, Palm OS, Win CE and cell phones are becoming popular
Use of IMAP in messaging products are an essential requirement in the market
Conclusion
IMAP when used by itself is not secure
IMAP used with secure mechanisms such as SSH, SSL or Kerberos is secure
With the demand for universal multi-device connectivity, the future of IMAP is very promising
Refrences http://tools.ietf.org/html/rfc3501 http://en.wikipedia.org/wiki/
Internet_Message_Access_Protocol http://www.ust.hk/itsc/email/tips/imap-or-
pop.html http://www.coruscant.demon.co.uk/mike/
imap/security.html http://security.fi.infn.it/tools/stunnel/index-
en.html Managing IMAP, 1st Editionby Dianna Mullet;
Kevin Mullet
Q &A