Chapter 15 – Electronic Mail Security密码编码学与网络安全：原理与实践 第四版英文课件.pptVIP

RFC 4684 (Analysis of Threats Motivating DomainKeys Identified Mail) describes the problem space being addressed by DKIM in terms of the characteristics, capabilities, and location of potential attackers. It characterizes the range of attackers on a spectrum of three levels of threat: low end attackers who simply want to send email that a recipient does not want to receive, often with falsified sender addresses. At the next level are professional senders of bulk spam mail. The most sophisticated and financially motivated senders of messages are those who stand to receive substantial financial benefit, such as from an email-based fraud scheme. The RFC then lists a range of capabilities that an attacker might have in terms of where submitted, signed, volume, routing naming etc (see text). DKIM focuses primarily on attackers located outside of the administrative units of the claimed originator and the recipient. * DKIM is designed to provide an email authentication technique transparent to the end user. In essence, a users email message is signed by a private key of the administrative domain from which the email originates. The signature covers all of the content of the message and some of the RFC 5322 message headers. At the receiving end, the MDA can access the corresponding public key via a DNS and verify the signature, thus authenticating that the message comes from the claimed administrative domain. Thus, mail that originates from somewhere else but claims to come from a given domain will not pass the authentication test and can be rejected. This approach differs from that of S/MIME and PGP, which use the originators private key to sign the content of the message, for various pragmatic reasons (see text). Stallings Figure 18.10 shows a simple example of the operation of DKIM. An email message is generated by an email client program. The content of the message, plus selected RFC 5322 headers, is signed by the email provider using the providers private key. The si