Unencrypted messages can be intercepted in transit and read or altered. If the mail is not digitally signed, you can't be sure where it came from.
There are many options for securing e-mail, all with a few strengths and probably more weaknesses.
Let's take care of the easy decisions first. Secure/Multipurpose Internet Mail Extensions (S/MIME) should be the message encryption and digital signature format, because it is the accepted standard and is built into leading e-mail clients such as Microsoft Outlook 98/2000 and Lotus Notes R5. Yet a standard such as S/MIME only takes you so far. Each vendor has implemented its own interpretation of S/MIME, which makes interoperability problematic. This drawback is exacerbated by the emergence of S/MIME Version 3 in the newest e-mail clients, which could again create interoperability issues.
The path of least resistance is to get an e-mail security gateway, which is analogous to a firewall for e-mail. Every message going in or out passes through the gateway, allowing security policies to be enforced (where and when messages can be sent), virus checking to be performed, and messages to be signed and encrypted. One drawback of the gateway approach is that it doesn't provide user-based security. For example, the gateway signs and encrypts outbound messages with the company's key, so recipients can verify that they came from your company, but recipients can't prove which individual sent them.
Client-based methods use your private key to sign messages (proving they came from you), which gives a more granular level of security, but they have weaknesses as well. They must be configured on each desktop, which includes issuing a digital certificate to each user (for encryption and digital signatures) and ensuring that a proper security profile is configured within the e-mail client.
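The following is an added example, not part of the original article, showing what a per-user S/MIME signature actually proves. It uses the openssl command-line tool to issue a constructed self-signed certificate for a made-up user (alice@example.com, standing in for a certificate a company would issue through its own CA), clear-signs a message, and then verifies the original, a copy altered in transit, and an unsigned copy. The file names, the message text and the identity are all assumptions of this example; the trusted certificate file stands in for the certificate directory the article discusses later.

```shell
#!/bin/sh
# Added example (not from the article): an S/MIME sign-and-verify round trip
# with the openssl CLI. alice@example.com is a constructed identity with a
# self-signed certificate; a real deployment would chain to a CA the recipient
# already trusts.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Issue a key pair and certificate for the (constructed) user.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=alice@example.com" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.crt" >/dev/null 2>&1
}

# Clear-sign a plaintext file (multipart/signed, so the text stays readable
# by clients that cannot verify). $1 = plaintext file, $2 = signed output.
sign_message() {
  openssl smime -sign -in "$1" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$2"
}

# Verify a signed message against the trusted certificates ($WORK/alice.crt,
# standing in for the certificate directory). Prints "valid" only when both the
# signature over the content and the signer's certificate check out.
verify_message() {
  if openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" \
       -signer "$WORK/signer.crt" -out /dev/null >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# After a successful verification, report who signed: the address in the
# signer certificate's subject. This per-user proof of origin is what a
# gateway signing on the company's behalf cannot provide.
signer_email() {
  openssl x509 -in "$WORK/signer.crt" -noout -subject | grep -o '[^ /=]*@[^ ,/]*'
}

# --- demonstration ---------------------------------------------------------
make_identity
# Constructed message body.
printf 'Please wire 1000 USD to account 42 today.\n' > "$WORK/msg.txt"
sign_message "$WORK/msg.txt" "$WORK/signed.txt"
echo "original: $(verify_message "$WORK/signed.txt") (signed by $(signer_email))"

# One figure altered in transit: the signature no longer matches the content.
sed 's/1000 USD/9000 USD/' "$WORK/signed.txt" > "$WORK/tampered.txt"
echo "tampered: $(verify_message "$WORK/tampered.txt")"

# The unsigned original carries no proof of origin at all.
echo "unsigned: $(verify_message "$WORK/msg.txt")"
```

The verification step deliberately passes `-CAfile` rather than `-noverify`: a signature can be mathematically correct and still come from a certificate nobody vouches for, which is exactly the gap the certificate directory and CA agreements in the article are meant to close.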
There are also a number of Web-based secure mail services that keep all messages within their own environment at all times to ensure security. You use a secure site on the Internet to compose a message. Once you hit "Send", the site encrypts and stores the message on its servers and sends the recipient an e-mail notification that a secure message is waiting. The recipient follows the link to the site, provides a shared secret for authentication, and accesses the message over Secure Sockets Layer (SSL). Unfortunately, this method does not work with existing enterprise e-mail systems.
The stickiest issue is building a directory of digital certificates. This directory holds the certificates needed to encrypt messages to a recipient. Internally, building the directory may not be a big deal, because all certificates for a company can be published in a central Lightweight Directory Access Protocol (LDAP) server, but externally this causes many problems. You will need to establish an agreement with each recipient's organization to ensure access to the right digital certificates. This process, however, creates more user training issues and adds complexity to e-mail communications.
Although the technology for secure e-mail is available, widespread deployment is still problematic. However, as more companies and regular e-mail users see the need to secure their messages, the use of digital certificates will one day become a transparent part of your everyday activities.