Threat Monitor
Email authentication showdown: IP-based vs. signature-based


Noah Schiffman
11.15.2007

An important aspect of a corporate email security architecture is its set of preventive countermeasures. These defenses are charged with thwarting a variety of threats, from spam and phishing to malware such as Trojans and rootkits. First-line countermeasures include message content inspection, a reactive approach that relies on signature engines and regularly updated databases of known spam and phishing phrases. Additional prevention techniques employ domain filtering using blacklists and whitelists. More effective filters combine heuristic techniques with statistical analysis, typically Bayesian filters trained on collected message content. However, these detection methods often fall short: they depend on slow updates from limited data and produce unacceptable numbers of false positives. Furthermore, identity spoofing and domain hopping by malicious senders have weakened the effectiveness of these countermeasures, since a filter keyed on a sender's domain or address is only as good as the sender's claim to that identity.

In response, several email authentication technologies have been developed and deployed with varying results. The prevailing methods fall into two categories: path-based and cryptography-based. Path-based, or IP-based, authentication evaluates the network path an email traversed. It relies on DNS records in which a domain owner lists the IP addresses authorized to send mail for that domain; the receiving server compares the IP address of the connecting mail server against that list. This straightforward approach of verifying the message path from sender to recipient has been widely adopted because it is simple to implement: publishing one DNS TXT record is enough for a domain to participate. Sender Policy Framework (SPF) and Sender ID have emerged as the dominant path-based methods in use today. While both publish DNS policy records, they apply them to different identities. SPF checks the record of the domain in the message's return path (the envelope MAIL FROM address, and the HELO/EHLO name), so it authenticates the envelope layer. Sender ID instead derives a Purported Responsible Address (PRA) from the message headers (the first of Resent-Sender, Resent-From, Sender or From that is present) and checks the record of that domain; it can also evaluate the MAIL FROM address as SPF does. Because the two protocols test different identities, a message can pass one and fail the other.
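As an added example (not code from the original article or from any SPF/Sender ID implementation), the following Python sketches both checks against a constructed DNS zone held in a dictionary instead of live lookups: an SPF evaluator for a subset of the v=spf1 syntax (ip4, ip6, include and all, with qualifiers) applied to the connecting IP and the MAIL FROM domain, and the PRA selection that Sender ID applies to the message headers. The domain names, record contents, IP addresses and sample message are all constructed for illustration, and Sender ID's separate spf2.0 record scope is simplified to evaluating the v=spf1 record against the PRA domain.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS TXT data standing in for live lookups (not real records).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all",
    "mailvendor.example": "v=spf1 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed message: the From domain differs from the Sender domain, as with
# mail sent on a company's behalf by a bulk-mail vendor.
SAMPLE_MESSAGE = (
    "From: billing@example.com\r\n"
    "Sender: newsletter@mailvendor.example\r\n"
    "To: user@example.net\r\n"
    "Subject: Invoice\r\n"
    "\r\n"
    "See attached.\r\n"
)


def check_spf(client_ip, domain, dns=FAKE_DNS_TXT, _depth=0):
    """Evaluate the v=spf1 record of `domain` for the connecting IP.

    Implements the ip4, ip6, include and all mechanisms with qualifiers
    (a subset of RFC 4408). Returns pass, fail, softfail, neutral, none
    or permerror, the result names a receiving MTA would log.
    """
    if _depth > 10:                      # RFC 4408 limit on lookup-causing terms
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            sub = check_spf(client_ip, arg, dns, _depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"       # included domain must publish a usable record
            matched = sub == "pass"      # fail/softfail/neutral inside include: no match
        else:
            return "permerror"           # a, mx, ptr, exists, redirect not implemented
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # nothing matched and no 'all' term


def purported_responsible_address(raw_message):
    """Sender ID's PRA (RFC 4407): the first present header among
    Resent-Sender, Resent-From, Sender and From. Returns the bare address."""
    msg = message_from_string(raw_message)
    for field in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(field):
            return parseaddr(msg.get(field))[1]
    return None


def evaluate(client_ip, mail_from_domain, raw_message, dns=FAKE_DNS_TXT):
    """Run the SPF check on the envelope domain and the Sender ID check on the
    PRA domain for one delivery attempt; the two can legitimately disagree."""
    pra = purported_responsible_address(raw_message)
    pra_domain = pra.rpartition("@")[2] if pra else None
    return {
        "spf": check_spf(client_ip, mail_from_domain, dns),
        "pra": pra,
        "sender_id": check_spf(client_ip, pra_domain, dns) if pra_domain else "none",
    }
```

Delivered from the vendor's address 198.51.100.10 with a MAIL FROM in mailvendor.example, the sample passes both checks. Relay the same message through a forwarding host at 203.0.113.5 and SPF returns fail, because the forwarder's address appears in nobody's record; that is the forwarding weakness of path-based checks, and it is why many receivers treat a softfail (~all) more leniently than a hard fail.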

Cryptographic, or signature-based, authentication systems rely on the sending domain digitally signing messages with a public/private key pair. The private key is held by the sending mail server; the matching public key is published in a DNS record under the sending domain, so no certificate authority or PKI is needed. Recipient mail servers retrieve the public key from DNS and validate the signature over the signed headers and the body. This method is used by the DomainKeys Identified Mail (DKIM) authentication framework, recently adopted by eBay and PayPal, the two companies most notably targeted by phishing attacks in recent years. A valid signature proves that the signing domain took responsibility for the message and that the signed parts were not altered in transit; it does not by itself prove that the signing domain is trustworthy, which is why signature validation is paired with a reputation check on the signing domain.
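As an added example (again not the article's or any vendor's code), the following Python walks a DKIM sign-and-verify round trip with only the standard library. The RSA keys come from a textbook implementation (512-bit, unpadded) purely so the example runs stand-alone; a real DKIM signer uses a PKCS#1 library and 1024-bit or longer keys. The constructed DNS zone stores the public key as a Python tuple where a real selector record carries it base64/DER-encoded in the p= tag. Domain, selector and the sample message are all constructed. The verification step shows the two properties the article attributes to signatures: a Received header added by a forwarding hop leaves the signature valid, while a one-word change to the body breaks it.

```python
import base64, hashlib, math, random, re
# --- Toy RSA, stdlib only: textbook signature without padding, demo use only ---
def _is_probable_prime(n, rounds=25):  # Miller-Rabin; callers pass odd n
    if n < 4:
        return n > 1
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):  # random odd candidates with the top bit set, until one is prime
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):  # returns ((e, n), (d, n)); 512 bits is fast, not secure
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

# --- Minimal DKIM (RFC 6376 subset: a=rsa-sha256, c=relaxed/simple) ---
def _split(raw):  # -> ([(name, value), ...], body), folded header lines joined
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body

def _canon_header(name, value):  # relaxed: lowercase name, collapse whitespace
    return name.lower() + ":" + re.sub(r"\s+", " ", value).strip() + "\r\n"

def _canon_body(body):  # simple: drop trailing empty lines, end with one CRLF
    return ("\r\n".join(body.rstrip("\n").split("\n")) + "\r\n").encode()

def _hash_input(headers, signed_names, sig_value):
    # h= headers (last instance of each, bottom-up), then DKIM-Signature with b= emptied
    out = ""
    for name in signed_names:
        for hname, hvalue in reversed(headers):
            if hname.lower() == name:
                out += _canon_header(hname, hvalue)
                break
    stripped = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value)
    return out + _canon_header("DKIM-Signature", stripped).rstrip("\r\n")

def dkim_sign(raw, domain, selector, priv, signed=("from", "to", "subject")):
    headers, body = _split(raw)
    bh = base64.b64encode(hashlib.sha256(_canon_body(body)).digest()).decode()
    value = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
             f"h={':'.join(signed)}; bh={bh}; b=")
    digest = hashlib.sha256(_hash_input(headers, signed, value).encode()).digest()
    d, n = priv
    sig = pow(int.from_bytes(digest, "big"), d, n)   # digest (256 bits) < n (512 bits)
    value += base64.b64encode(sig.to_bytes((n.bit_length() + 7) // 8, "big")).decode()
    return f"DKIM-Signature: {value}\r\n" + raw

def dkim_verify(signed_msg, dns):  # -> ("pass" | "fail", reason)
    headers, body = _split(signed_msg)
    sig_value = next((v for k, v in headers if k.lower() == "dkim-signature"), "")
    tags = dict(t.strip().split("=", 1) for t in sig_value.split(";") if t.strip())
    key = dns.get(f"{tags.get('s')}._domainkey.{tags.get('d')}")  # real p= tag holds DER
    if key is None:
        return "fail", "no signature, or no key record for selector/domain"
    bh = base64.b64encode(hashlib.sha256(_canon_body(body)).digest()).decode()
    if bh != tags.get("bh"):
        return "fail", "body hash mismatch"
    signed = tags["h"].lower().split(":")
    digest = hashlib.sha256(_hash_input(headers, signed, sig_value).encode()).digest()
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    if pow(sig, *key) != int.from_bytes(digest, "big"):
        return "fail", "signature mismatch"
    return "pass", f"signed by d={tags['d']}"

def demo():  # sign once; verify as delivered, as forwarded, and as tampered
    pub, priv = rsa_keygen()
    dns = {"mail2007._domainkey.example.com": pub}  # constructed selector record
    msg = ("From: alerts@example.com\r\nTo: user@example.net\r\nSubject: Account notice\r\n"
           "\r\nPlease review your account.\r\n")
    signed = dkim_sign(msg, "example.com", "mail2007", priv)
    forwarded = "Received: from fwd.example.org (203.0.113.5)\r\n" + signed
    tampered = signed.replace("review", "reset")
    return tuple(dkim_verify(m, dns)[0] for m in (signed, forwarded, tampered))
```

demo() returns pass for the message as signed and as forwarded, and fail for the tampered copy, whose body hash no longer matches the bh= tag. Note what the verifier retrieves from DNS: only the public key for the selector and domain named in the signature, so a signature from phisher.example over a message whose From says paypal.com still verifies; it is the d= domain that must then be judged by reputation, not the From address.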

While both IP-based and signature-based systems rely on the DNS infrastructure, they differ fundamentally in what they examine. Path-based systems verify where the message came from, asking whether the connecting server's IP address is authorized for the claimed domain; cryptographic methods verify who took responsibility for the message, asking whether that domain's key signed the message as received.

Corporate deployments of these two authentication methods have revealed their situational strengths and weaknesses. The advantages of the path-based approach include easy implementation and rapid deployment, without the server-side cost of cryptographic signing and verification. Path-based systems may therefore suit companies that need a simple system in place quickly with minimal resources. Signature-based standards, however, add message integrity and survive mail forwarding far better: a forwarding server relays the message from an IP address that is not in the origin domain's SPF record, so the path check fails, whereas a DKIM signature remains valid as long as the signed headers and body arrive unmodified. (Mailing lists that rewrite the subject or append footers to the body do break the signature, since the signed content changes.) Digitally signed mail is best used as a robust solution for corporate protection of email carrying intellectual property and other critically sensitive business information, with the caveat that a signature provides integrity and origin assurance, not confidentiality; sensitive content still needs encryption. Finally, it is important to note that these differing authentication solutions can work in tandem: several IP/signature combination systems are presently being evaluated with promising results.

A comprehensive risk analysis of data sensitivity, coupled with mail traffic metrics, is essential when determining the requirements and resources for an effective email security strategy. Since authentication protocols and standards will change as threats emerge, it is important to adopt authentication technologies with backward compatibility and scalability. Remember too that authentication plays only one role in email security: a passing result says only that the message came from the domain it claims, not that the domain is benign, so authentication must be combined with reputation scoring systems for establishing and updating acceptance and rejection thresholds. Regardless of which email authentication method is employed, its true effectiveness will ultimately be determined by what prevails as an accepted global standard.

About the author:
Noah Schiffman is a reformed black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina. Schiffman is based in Charleston, S.C.
