K. U. Khimani Asst. Prof. IT Dept. VVP Engineering College


E-mail Security

PGP
Developed by Phil Zimmermann in 1995. Documentation and source code are freely available. The package is independent of operating system and processor. PGP popularity and use have grown extensively since 1995.

Kerberos is an authentication service developed as part of Project Athena at MIT, and is one of the best known and most widely implemented trusted third party key distribution systems. Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. Unlike most other authentication schemes, Kerberos relies exclusively on symmetric encryption, making no use of public-key encryption. Two versions of Kerberos are in common use: v4 & v5.

PGP
PGP combines the best available cryptographic algorithms to achieve secure e-mail communication. It is assumed that all users are using public key cryptography and have generated a private/public key pair. Either RSA (with RSA digital signatures) or El Gamal can be used. All users also use a symmetric key system such as triple DES or Rijndael.

PGP
PGP offers 5 services:
1. Authentication
2. Confidentiality
3. Compression
4. E-mail compatibility
5. Segmentation

PGP Authentication
This is a digital signature scheme with hashing.
1. Alice has a (private/public) key pair and she wants to send a digitally signed message to Bob.
2. Alice hashes the message using SHA-1.
3. Alice encrypts the hash using her private key to obtain cipher text.
4. Alice sends Bob the pair (message and cipher).
5. Bob receives message and cipher and decrypts using Alice's public key to obtain signature.
6. If hash values are equal, then Bob is sure that the message is correct and that it does come from Alice. Furthermore, Alice cannot later deny sending the message, since only Alice has access to her private key, which works in conjunction with the public key.
Message is authenticated.

PGP Confidentiality
1. Alice wishes to send Bob a confidential message m.
2. Alice generates a random session key k for a symmetric cryptosystem.
3. Alice encrypts the session key using Bob’s public key and obtains k’.
4. Alice encrypts the message m with the session key k to get cipher text c.
5. Alice sends Bob the values (k’,c).
6. Bob receives the values (k’,c) and decrypts k’ using his private key to obtain k.
7. Bob uses the session key k to decrypt the ciphertext c and recover the message.
Public and symmetric key cryptosystems are combined in this way to provide security for key exchange and then efficiency for encryption. The session key k is used only to encrypt message m and is not stored for any length of time.

PGP Authentication and Confidentiality
The schemes for authentication and confidentiality can be combined so that Alice can sign a confidential message which is encrypted before transmission. The steps required are as follows:
1. Alice generates a signature c for her message m as in the Authentication scheme.
2. Alice generates a random session key k and encrypts the message m and the signature c using a symmetric cryptosystem to obtain cipher text C.
3. She encrypts the session key k using Bob’s public key to obtain k’.
4. Alice sends Bob the values (k’,C).
5. Bob receives k’ and C and decrypts k’ using his private key to obtain the session key k.
6. Bob decrypts the ciphertext C using the session key k to obtain m and c.
7. Bob now has the message m. In order to authenticate it he uses Alice’s public key to decrypt the signature c and hashes the message m using SHA-1.

PGP Compression
PGP can also compress the message if desired. The compression algorithm is ZIP and the decompression algorithm is UNZIP.
1. The original message m is signed as before.
2. The original message m is then compressed, giving M.
3. Alice generates a session key k and encrypts the compressed message and the signature using the session key.
4. The session key is encrypted using Bob’s public key as before.
5. Alice sends Bob the encrypted session key and ciphertext C.
6. Bob decrypts the session key using his private key and then uses the session key to decrypt the ciphertext C to obtain M and c.
7. Bob decompresses the message M to obtain the original message m.
8. Now Bob has the original message m and signature c. He verifies the signature using SHA-1 and Alice’s public key as before.

PGP Compression
Note that the compression is applied after signing (due to implementation of ZIP) but before encryption (this strengthens the security of the scheme since the message has less redundancy after compression).

PGP Email Compatibility
To provide transparency for email applications, an encrypted message may be converted to an ASCII string using radix-64 conversion at the sender side. On reception, the incoming block is first converted back from radix-64 format to binary. Then, if the message is encrypted, the recipient recovers the session key and decrypts the message.
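The authentication, confidentiality, compression and e-mail compatibility steps above, chained in the order the slides give (sign, compress, encrypt, radix-64), as an added example that is not part of the original slides. The toy RSA keys (Mersenne-prime moduli, no padding), the SHA-256 keystream standing in for triple DES or Rijndael, and the names `pgp_send` and `pgp_receive` are assumptions chosen so the flow runs offline with the standard library.

```python
import base64, hashlib, secrets, zlib

# Constructed toy keys: textbook RSA over products of Mersenne primes, no padding.
# They exist only to make the data flow runnable; they are not usable keys.
E = 65537

def make_key(p, q):
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))      # (modulus, private exponent)

ALICE_N, ALICE_D = make_key(2**107 - 1, 2**127 - 1)   # Alice's signing key pair
BOB_N, BOB_D = make_key(2**89 - 1, 2**127 - 1)        # Bob's encryption key pair
SIG_LEN = (ALICE_N.bit_length() + 7) // 8             # bytes in signature c
KEY_LEN = (BOB_N.bit_length() + 7) // 8               # bytes in wrapped key k'

def keystream_xor(key, data):
    """Stand-in symmetric cipher (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def sha1_int(m):
    return int.from_bytes(hashlib.sha1(m).digest(), "big")

def pgp_send(m: bytes) -> str:
    """Alice's side: sign m, compress, encrypt under a session key, armor."""
    c = pow(sha1_int(m), ALICE_D, ALICE_N).to_bytes(SIG_LEN, "big")  # signature c
    M = zlib.compress(m)                       # compression happens after signing
    k = secrets.token_bytes(16)                # random one-time session key k
    C = keystream_xor(k, c + M)                # ciphertext C covers c and M
    k_wrapped = pow(int.from_bytes(k, "big"), E, BOB_N).to_bytes(KEY_LEN, "big")
    return base64.b64encode(k_wrapped + C).decode("ascii")   # radix-64 (k', C)

def pgp_receive(armored: str):
    """Bob's side: returns (message, signature_valid)."""
    raw = base64.b64decode(armored)            # radix-64 back to binary
    k_wrapped, C = raw[:KEY_LEN], raw[KEY_LEN:]
    k = pow(int.from_bytes(k_wrapped, "big"), BOB_D, BOB_N).to_bytes(16, "big")
    plain = keystream_xor(k, C)                # recover c and M with session key
    c, M = plain[:SIG_LEN], plain[SIG_LEN:]
    m = zlib.decompress(M)                     # back to the original message m
    h_signed = pow(int.from_bytes(c, "big"), E, ALICE_N)   # hash Alice signed
    return m, h_signed == sha1_int(m)          # equal hashes => authenticated

if __name__ == "__main__":
    armored = pgp_send(b"Quarterly figures attached. " * 10)   # constructed message
    print(armored[:60] + "...")
    print(pgp_receive(armored))
```

Flipping one bit inside the encrypted signature makes `pgp_receive` return the message with `False`, which is the hash comparison in step 6 of the authentication scheme failing.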

PGP Segmentation and Reassembly
E-mail facilities often are restricted to a maximum message length. Any message longer than that must be broken up into smaller segments, each of which is mailed separately. To accommodate this restriction, PGP automatically subdivides a message that is too large into segments that are small enough to send via e-mail. At the receiving end, PGP must strip off all e-mail headers and reassemble the entire original block.

PGP Message Format
- Message component: the actual data to be transmitted + a filename + a timestamp
- Signature component: timestamp + hash of message and timestamp + first part of message (so user can check that they are decrypting correctly) + key ID of sender’s public key (PUa)
- Session Key component: session key + key ID of recipient’s public key (PUb)

S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security.
S/MIME provides:
- Authentication, message integrity and non-repudiation of origin, using digital signatures
- Privacy and data security, using encryption

MIME Header Fields
The five header fields defined in MIME are as follows:
- MIME-Version: Must have the parameter value 1.0. This field indicates that the message conforms to RFCs 2045 and 2046.
- Content-Type: Describes the data contained in the body with sufficient detail that the receiving user agent can pick an appropriate agent or mechanism to represent the data to the user or otherwise deal with the data in an appropriate manner.
- Content-Transfer-Encoding: Indicates the type of transformation that has been used to represent the body of the message in a way that is acceptable for mail transport.
- Content-ID: Used to identify MIME entities uniquely in multiple contexts.
- Content-Description: A text description of the object with the body; this is useful when the object is not readable (e.g., audio data).

MIME Content Types

| Type | Subtype | Description |
|---|---|---|
| Text | Plain | Unformatted text (ASCII or ISO 8859). |
| Text | Enriched | Provides greater format flexibility. |
| Multipart | Mixed | The different parts are independent but are to be transmitted together. Should be presented to the receiver in their original order. |
| Multipart | Parallel | Differs from mixed only in that no order is defined. |
| Multipart | Alternative | The different parts are alternative versions of the same information. |
| Multipart | Digest | Similar to Mixed but the default type/subtype of each part is message/rfc822. |
| Message | rfc822 | The body is itself an encapsulated message that conforms to RFC822. |
| Message | Partial | Used to allow fragmentation in a transparent way to the recipient. |
| Message | External body | Contains a pointer to an object that exists elsewhere. |
| Image | jpeg | The image is in JPEG format. |
| Image | gif | The image is in GIF format. |
| Video | mpeg | MPEG format. |
| Audio | Basic | Single-channel 8-bit ISDN mu-law encoding at a sample rate of 8 kHz. |
| Application | PostScript | Adobe PostScript. |
| Application | Octet-stream | General binary data consisting of 8-bit bytes. |

S/MIME Functions
- Enveloped data: This consists of encrypted content of any type and encrypted-content encryption keys for one or more recipients.
- Signed data: A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer. The content plus signature are then encoded using base64 encoding. A signed data message can only be viewed by a recipient with S/MIME capability.
- Clear-signed data: As with signed data, a digital signature of the content is formed. However, in this case, only the digital signature is encoded using base64. As a result, recipients without S/MIME capability can view the message content, although they cannot verify the signature.
- Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed and signed data or clear-signed data may be encrypted.