Electronic Mail Security

Pretty Good Privacy (PGP)
S/MIME Security Architecture

Email Security

• email is one of the most widely used and regarded network services
• currently message contents are not secure
  • may be inspected either in transit
  • or by suitably privileged users on destination system

Email Security Enhancements

• confidentiality
  • protection from disclosure
• authentication
  • of sender of message
• message integrity
  • protection from modification
• non-repudiation of origin
  • protection from denial by sender

Schemes of Email Security

• PGP (Pretty Good Privacy)
• S/MIME (Secure/Multipurpose Internet Mail Extension)

Pretty Good Privacy (PGP)

• widely used for secure email
• developed by Phil Zimmermann
• selected best available crypto algorithm as building block
• integrated these algorithms into a general-purpose application
• on Unix, PC, Macintosh and other systems
• provides a confidentiality and authentication service that can be used for electronic mail and file storage applications

PGP is an open-source freely available software package for e-mail security.

It provides authentication through the use of digital signature; confidentiality through the use of symmetric block encryption; compression using the ZIP algorithm; e-mail compatibility using the radix-64 encoding scheme; and segmentation and reassembly to accommodate long e-mails.

PGP incorporates tools for developing a public-key trust model and public-key certificate management.

PGP has grown explosively and is now widely used. A number of reasons can be cited for this growth:

• Available free worldwide in versions that run on a variety of platforms, including Windows, UNIX, Macintosh, and many more
• It is based on algorithms that have survived extensive public review and are considered extremely secure.
• It has a wide range of applicability
• It was not developed by, nor is it controlled by, any governmental or standards organization.
• PGP is now on an Internet standards track (RFC 3156).

PGP Operations

• Authentication
• Confidentiality
• Confidentiality & Authentication
• Compression
• Compatibility

Authentication

• digital signature service provided by PGP
  • sender creates message
  • use SHA-1 to generate 160-bit hash of message
  • signed hash with RSA using sender's private key, and is attached to message
  • receiver uses RSA with sender's public key to decrypt and recover hash code
  • receiver verifies received message using hash of it and compares with decrypted hash code
  • combination of SHA-1 and RSA provides an effective digital signature scheme

Confidentiality

1. sender generates message and 128-bit random number as session key for it
2. encrypt message using CAST-128 / IDEA / 3DES in CBC mode with session key
3. session key encrypted using RSA with recipient's public key, & attached to msg
4. receiver uses RSA with private key to decrypt and recover session key
5. session key is used to decrypt message

Confidentiality & Authentication

• can use both services on same message
  • create signature & attach to message
  • encrypt both message & signature
  • attach RSA/ElGamal encrypted session key
• when both services are used, the sender first signs the message with its own private key, then encrypts the message with a session key, and then encrypts the session key with the recipient's public key.

Compression

• by default PGP compresses message after signing but before encrypting
  • benefit of saving space both for e-mail transmission and for file storage
  • & because compression is non deterministic
• uses ZIP compression algorithm

Compatibility

• when using PGP will have binary data to send (encrypted message etc)
• however email was designed only for text
• hence PGP must encode raw binary data into printable ASCII characters
• uses radix-64 algorithm
  • maps 3 bytes to 4 printable chars
  • also appends a CRC
• PGP also segments messages if too big

Transmission and Reception of PGP Messages

Cryptographic Keys and key ring of PGP

PGP makes use of four types of keys:

• one-time session symmetric keys
• public keys
• private keys
• passphrase-based symmetric keys

Three separate requirements can be identified with respect to these keys:

• A means of generating unpredictable session keys is needed.
• We would like to allow a user to have multiple public-key/private-key pairs. One reason is that the user may wish to change his or her key pair from time to time.
• Each PGP entity must maintain a file of its own public/private key pairs as well as a file of public keys of correspondents.

PGP Session Keys

• need a session key for each message
  • of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES
• generated using ANSI X12.17 mode
• uses random inputs taken from previous uses and from keystroke timing of user

PGP Public & Private Keys

• since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message
  • could send full public-key with every message
  • but this is inefficient
• rather use a key identifier based on key
  • is least significant 64-bits of the key
  • will very likely be unique
• also use key ID in signatures

PGP Message Format

PGP Key Rings

• each PGP user has a pair of keyrings:
  • public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID
  • private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted keyed from a hashed passphrase
• security of private keys thus depends on the pass-phrase security

PGP Message Generation

1. Signing the message
  • PGP retrieves the sender's private key from the private-key ring using your_userid as an index. If your_userid was not provided in the command, the first private key on the ring is retrieved.
  • PGP prompts the user for the passphrase to recover the unencrypted private key.
  • The signature component of the message is constructed.
2. Encrypting the message
  • PGP generates a session key and encrypts the message.
  • PGP retrieves the recipient's public key from the public-key ring using her_userid as an index.
  • The session key component of the message is constructed.

PGP Message Reception

1. Decrypting the message
  a) PGP retrieves the receiver's private key from the private-key ring, using the Key ID field in the session key component of the message as an index.
  b) PGP prompts the user for the passphrase to recover the unencrypted private key.
  c) PGP then recovers the session key and decrypts the message.
2. Authenticating the message
  a) PGP retrieves the sender's public key from the public-key ring, using the Key ID field in the signature key component of the message as an index.
  b) PGP recovers the transmitted message digest.
  c) PGP computes the message digest for the received message and compares it to the transmitted message digest to authenticate.
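
The signing steps from the Authentication slide together with the receiver's "Authenticating the message" steps above (key ID lookup in the public-key ring, digest recovery, comparison), as an added Python example that is not part of the original slides. It uses unpadded textbook RSA with keys built from well-known primes so that it runs deterministically on the standard library; make_key, sign, verify and the ring layout are assumptions for illustration, and these keys are not secure.

```python
import hashlib

MASK64 = (1 << 64) - 1
E = 65537  # public exponent used for both demo keys


def make_key(p: int, q: int) -> dict:
    """Textbook RSA key pair from two primes (constructed demo values)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E, "d": d}


def key_id(n: int) -> int:
    """Key ID as the slides define it: least significant 64 bits of the key."""
    return n & MASK64


def digest(message: bytes) -> int:
    """160-bit SHA-1 hash of the message as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message: bytes, private_key: dict) -> dict:
    """Sender: hash the message, apply the private key, attach the key ID."""
    return {
        "key_id": key_id(private_key["n"]),
        "sig": pow(digest(message), private_key["d"], private_key["n"]),
    }


def verify(message: bytes, signature: dict, public_ring: dict) -> str:
    """Receiver: find the key by ID, recover the digest, compare."""
    pub = public_ring.get(signature["key_id"])
    if pub is None:
        return "unknown-key"  # no public key with this ID on the ring
    recovered = pow(signature["sig"], pub["e"], pub["n"])
    return "good" if recovered == digest(message) else "bad"


# Constructed keys: products of well-known primes, large enough to hold a
# 160-bit digest. Real keys use random primes and padded signatures.
ALICE = make_key(2**61 - 1, 2**127 - 1)
BOB = make_key(2**89 - 1, 2**130 - 5)

# Public-key ring indexed by key ID; it holds public parts only.
PUBLIC_RING = {key_id(k["n"]): {"n": k["n"], "e": k["e"]} for k in (ALICE, BOB)}

if __name__ == "__main__":
    msg = b"meet at noon"  # constructed sample message
    sig = sign(msg, ALICE)
    print(hex(sig["key_id"]), verify(msg, sig, PUBLIC_RING))
    print(verify(b"meet at nine", sig, PUBLIC_RING))
```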

PGP Key Management

• rather than relying on certificate authorities
• in PGP every user is own CA
  • can sign keys for users they know directly
• forms a “web of trust”
  • trust keys have signed
  • can trust keys others have signed if have a chain of signatures to them
• key ring includes trust indicators
• users can also revoke their keys

S/MIME (Secure/Multipurpose Internet Mail Extensions)

• security enhancement to MIME email
  • original Internet RFC822 email was text only
  • MIME provided support for varying content types and multi-part messages
  • with encoding of binary data to textual form
  • S/MIME added security enhancements
• have S/MIME support in many mail agents
  • eg MS Outlook, Mozilla, Mac Mail etc

MIME specification

includes the following elements:

• Five new message header fields are defined. These fields provide information about the body of the message.
  • MIME-Version
  • Content-Type
  • Content-Transfer-Encoding
  • Content-ID
  • Content-Description
• A number of content formats are defined, thus standardizing representations that support multimedia electronic mail.
• Transfer encodings are defined that enable the conversion of any content format into a form that is protected from alteration by the mail system

S/MIME Functionality

S/MIME provides the following functions

• enveloped data
  • encrypted content and associated keys
• signed data
  • encoded message + signed digest
• clear-signed data
  • cleartext message + encoded signed digest
• signed & enveloped data
  • nesting of signed & encrypted entities

S/MIME Cryptographic Algorithms

• digital signatures: DSS & RSA
• hash functions: SHA-1 & MD5
• session key encryption: ElGamal & RSA
• message encryption: AES, Triple-DES, RC2/40 and others
• MAC: HMAC with SHA-1
• have process to decide which algs to use

S/MIME Messages

• S/MIME secures a MIME entity with a signature, encryption, or both
• forming a MIME wrapped PKCS object
• have a range of content-types:
  • enveloped data
  • signed data
  • clear-signed data
  • registration request
  • certificate only message

S/MIME Certificate Processing

• S/MIME uses X.509 v3 certificates
• the responsibility is local for maintaining the certificates needed to verify incoming signatures and to encrypt outgoing messages
• managed using a hybrid of a strict X.509 CA hierarchy & PGP’s web of trust
• each client has a list of trusted CA’s certs
• and own public/private key pairs & certs
• certificates must be signed by trusted CA’s

User Agent Role

An S/MIME user has several key-management functions to perform:

• Key generation
• Registration
• Certificate storage and retrieval

VeriSign Certificates

VeriSign provides three levels, or classes, of security for public-key certificates

• For Class 1 Digital IDs, VeriSign confirms the user's e-mail address by sending a PIN and Digital ID pick-up information to the e-mail address provided in the application.
• For Class 2 Digital IDs, VeriSign verifies the information in the application through an automated comparison with a consumer database in addition to performing all of the checking associated with a Class 1 Digital ID.
• For Class 3 Digital IDs, VeriSign requires a higher level of identity assurance

Certificate Authorities

• have several well-known CA’s
• Verisign one of most widely used
• Verisign issues several types of Digital IDs
• increasing levels of checks & hence trust

Class  Identity Checks       Usage
1      name/email check      web browsing/email
2      + enroll/addr check   email, subs, s/w validate
3      + ID documents        e-banking/service access

Summary

• have considered:
  • secure email
  • PGP
  • S/MIME