Electronic mail security PGP & S/MIME

Slides:



Advertisements
Similar presentations
Security 1. is one of the most widely used and regarded network services currently message contents are not secure may be inspected either.
Advertisements

03/21/06 Hofstra University – Network Security Course, CSC290A 1 Assignment 1 Pick sun.com and one other site. Using whois and ARIN, get as much information.
Lecture 5: security: PGP Anish Arora CSE 5473 Introduction to Network Security.
Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 5 Electronic mail security. Outline Pretty good privacy S/MIME Recommended web sites.
1 Pertemuan 12 Security Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
NS-H / Security. NS-H / Security is one of the most widely used and regarded network services currently message.
Electronic mail security
Electronic mail security -- Pretty Good Privacy.
Henric Johnson1 Electronic mail security Henric Johnson Blekinge Institute of Technology, Sweden
Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture 9: Security via PGP CS 436/636/736 Spring 2012 Nitesh Saxena.
Chapter 7 – Electronic Mail Security
Electronic Mail Security
Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.
1 Chapter 5 Electronic mail security. 2 Outline Pretty good privacy S/MIME Recommended web sites.
Prof. John A. Copeland fax Office: Klaus
16.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 16 Security at the Application Layer: PGP and.
Chap 81 Electronic mail security. Chap 82 Outline Pretty good privacy S/MIME Recommended web sites.
Electronic mail security. Outline Pretty good privacy S/MIME.
Security.  is one of the most widely used and regarded network services  currently message contents are not secure may be inspected either.
Network Security Essentials Chapter 7 Fourth Edition by William Stallings (Based on Lecture slides by Lawrie Brown)
Chapter 6 Electronic Mail Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.
1 Electronic mail security Ola Flygt Växjö University, Sweden
Cryptography and Network Security (CS435) Part Twelve (Electronic Mail Security)
Chapter 15: Electronic Mail Security
1 Electronic Mail Security Outline Pretty good privacy S/MIME Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
1 Chapter 5 Electronic mail security. 2 Outline Pretty good privacy S/MIME Recommended web sites.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Pretty Good Privacy (PGP) Security for Electronic .
CSCE 815 Network Security Lecture 11 Security PGP February 25, 2003.
SECURITY – Chapter 15 SECURITY – Chapter 15 ….for authentication and confidentiality PGP 1.Uses best algorithms as building blocks 2.General.
NETWORK SECURITY.
Security PGP IT352 | Network Security |Najwa AlGhamdi 1.
X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.
ECE-8813 / CS Prof. John A. Copeland fax Office:
1 Recall from CS x34: Internet standards were published in two parts in 1982: RFC 822: STANDARD FOR THE FORMAT OF ARPA INTERNET TEXT MESSAGES by.
PGP & IP Security  Pretty Good Privacy – PGP Pretty Good Privacy  IP Security. IP Security.
1 Electronic Mail Security Behzad Akbari Fall 2009 In the Name of the Most High.
Electronic Mail Security Prepared by Dr. Lamiaa Elshenawy
Security  is one of the most widely used and regarded network services  currently message contents are not secure may be inspected either.
Security SMIME IT352 | Network Security |Najwa AlGhamdi 1.
By Marwan Al-Namari & Hafezah Ben Othman Author: William Stallings College of Computer Science at Al-Qunfudah Umm Al-Qura University, KSA, Makkah 1.
2013Prof. Reuven Aviv, Mail Security1 Pretty Good Privacy (PGP) Prof. Reuven Aviv Dept. of Computer Science Tel Hai Academic College.
Prof. Wenguo Wang Network Information Security Prof. Wenguo Wang Tel College of Computer Science QUFU NORMAL UNIVERSITY.
1 CNLab/University of Ulsan Chapter 16 Electronic Mail Security  PGP (Pretty Good Privacy)  S/MIME.
Lecture 8 (Chapter 18) Electronic Mail Security Prepared by Dr. Lamiaa M. Elshenawy 1.
第五章 电子邮件安全. Security is one of the most widely used and regarded network services currently message contents are not secure –may be inspected.
Electronic mail security. Outline Pretty good privacy S/MIME.
Security Depart. of Computer Science and Engineering 刘胜利 ( Liu Shengli) Tel:
Electronic mail security
K. U. Khimani Asst. Prof. IT Dept. VVP Engineering College
Security is one of the most widely used and regarded network services
Chapter 15 – Electronic Mail Security
Security Pretty Good Privacy (PGP)
Selected Research Topics Electronic Mail Security
Electronic Mail Security
MAIL AND SECURITY PERTEMUAN 13
University of Houston Network Security Datacom II Lecture 8
Security at the Application Layer: PGP and S/MIME
ELECTRONIC MAIL SECURITY
ELECTRONIC MAIL SECURITY
Secure How do you do it? Need to worry about sniffing, modifying, end-user masquerading, replaying. If sender and receiver have shared secret keys,
Electronic Mail Security
Cryptography and Network Security
….for authentication and confidentiality PGP
Presentation transcript:

Electronic mail security PGP & S/MIME Chapter 5 Electronic mail security PGP & S/MIME Khushbu Shah

Electronic Mail Security Agenda: Introduction to PGP 5 PGP Services Key Management Use of Trust Demo Of PGP In Use Khushbu Shah

Pretty Good Privacy 1991 – Creation of a single person, Phil Zimmermann Provides confidentiality and authentication services for electronic mail and file storage applications Khushbu Shah

Introduction PGP is an open source freely available software package for email security Provides Authentication -use of digital signature confidentiality-use of symmetric block encryption compression –ZIP algorithm email compatibility –radix-64 encoding scheme, Segmentation and reassembly to accommodate long emails Khushbu Shah

Pretty Good Privacy Selected best available cryptographic algorithms Integrated these algorithms into a general purpose application Source code and doc freely available on the net Agreement with company (Viacrypt) for low cost commercial version Khushbu Shah

Notation KS = session key used in conventional encryption KRa = private key of user A, used in public key encryption KUa = public key of user A, used in public key encryption EP = public-key encryption DP = public-key decryption EC = conventional encryption DC = conventional decryption H = hash function || = concatenation Z = compression using ZIP algorithm R64 = conversion to radix 64 ASCII format Khushbu Shah

Summary of 5 PGP Services authentication Khushbu Shah

Recall One Way Hash Function Digital signature No key distribution Less computation since message does not have to be encrypted Khushbu Shah

Recall SHA-1 Secure Hash Function Developed by NIST in 1995 Input is processed in 512-bit blocks Produces as output a 160-bit message digest Every bit of the hash code is a function of every bit of the input Very secure – so far! Khushbu Shah

Authentication Sender creates a message Generate a hash code with SHA-1 Using sender’s private key and RSA, encrypt the hash code and prepend to the message Receiver uses sender’s public key to decrypt and recover the hash code Receiver generates a new hash code for the message and compares with the decrypted hash code. If matching, then message is authentic Khushbu Shah

PGP Cryptographic Functions Khushbu Shah

Recall Other Public Key Algorithms Digital Signature Standard (DSS) – makes use of SHA-1 and presents a new digital signature algorithm (DSA) Only used for digital signatures not encryption or key exchange Khushbu Shah

Authentication Other alternatives can be used, e.g., DSS Detached signatures are supported-stored and transmitted separate signature log of all message sent or received. Good for executables and multi-party signatures (legal contract). Khushbu Shah

Summary of 5 PGP Services authentication confidentiality Khushbu Shah

Encryption algorithm-CAST-128 1997, Entrust Technologies RFC 2144 Extensively reviewed Variable key length, 40-128 bits Used in PGP Khushbu Shah

Recall Conventional Encryption Algorithms We have choices in PGP for confidentiality! Khushbu Shah

Confidentiality Sender creates a message and random 128bit number for session key Message encrypted using CAST-128 with the session key Session key encrypted with recipient’s public key and prepended to the message Receiver uses it’s private key to decrypt and recover the session key Session key is used to decrypt the message Khushbu Shah

PGP Cryptographic Functions Khushbu Shah

Confidentiality Alternatives of RSA, Diffie-Hellman (ElGamal) can used Conventional algorithms are much faster Each message is a one time independent event with its own key PGP provides large key range (DSS key limited to 1024 bits) 768  key size  3072 Khushbu Shah

Confidentiality & Authentication Both services can be used for the same message First, signature is generated for plaintext and prepended Message is encrypted with a session key Session key(one time use only) is encrypted with recipient’s public key Khushbu Shah

PGP Cryptographic Functions Khushbu Shah

Summary of 5 PGP Services authentication confidentiality Khushbu Shah

Compression – Save Space PGP compresses (ZIP) the message after applying the signature but before encryption (default) Better to sign an uncompressed message (otherwise either compressed message for later verification or to recompress message when verification is required) PGP’s compression algorithm is non-deterministic Security is greater if message is encrypted after compression Khushbu Shah

PGP Cryptographic Functions Khushbu Shah

Summary of 5 PGP Services authentication confidentiality Khushbu Shah

E-mail Compatibility Part or all of block consists of a stream of arbitrary 8-bit octets Many email systems only allow ASCII text PGP converts raw binary stream to a stream of printable ASCII characters Radix-64 conversion – Blindly convert input stream to radix-64 format regardless of contents(if input is ASCII text even though) So if message is signed but not encrypted, conversion applied to entire block ,so output is unreadable to casual users gives certain level of confidentiality Khushbu Shah

Summary of 5 PGP Services authentication confidentiality Khushbu Shah

Segmentation Maximum message length restrictions in e- mail (example Internet impose max length of 50,000 octets) PGP automatically subdivides a large message into segments small enough to mail separately PGP reassembles entire original block at the receiving end Khushbu Shah

Summary of 5 PGP Services Authentication Confidentiality Compression E-Mail Compatibility Segmentation Khushbu Shah

PGP Cryptographic Keys One-time Session symmetric keys Conventional Keys Public Keys Private Keys Pass phrase-Based Conventional Khushbu Shah

Key Requirements A means of generating unpredictable session keys (section “session key generation”) Allow users to have multiple public/private key pairs (need some kind of identity) (section “key identifiers”) Each PGP entity must maintain a file of its and its correspondents public/private pairs (section “key rings”) Khushbu Shah

Khushbu Shah

Session Key Generation Random 128-bit numbers are generated using CAST- 128 Input is a stream of 128-bit randomized numbers based on keystroke input from the user (both keystroke timing and actual keys struck are used to generate randomize stream) Using Cipher feedback mode,CAST-128 encrypter produce two 64-bit block concatenated to form 128 bit session key. Produces a sequence of session keys that is effectively unpredictable Khushbu Shah 33 33

Key Identifiers How does receiver know which public key to use? Encrypted form of session key is used for message encryption. Session key is it self encrypted by recipient's public key. We have requirement that any given user may have multiple public/private key pairs. How does receiver know which public key to use? One solution is to transmit public keys with message but unnecessary wastage of space. Other solution is to associate an identifier with each public key that is unique within user.(combination of userID and KeyID) so only shorter KeyID would need to transmit. It raises management and overhead problem The solution adopted by PGP assigns a key ID to each public key It has a high probability of being unique within a user ID – 64-bit KeyID is of least significant 64 bit of public key(Pua mod 264 ) Khushbu Shah 34 34

What Does A Transmitted Message Look Like? Message component – actual data to be stored or transmitted plus filename and timestamp specify time of creation. Signature component – ts, E(PRa,(MD)), leading 2 octets, ID of PUa Timestamp-creation time of signature Message digest-160 bit SHA-1 digest encrypted by sender’s private key. Leading two octets of MD (checksum)-to enable recipient to determine if correct public key was used to decrypt MD for authentication Key ID of sender’s public key- Identifies public key that should be used to decrypt digest. hence, identifies private key used for encryption Both components are optional and compress by ZIP and may be encrypted by session key Session key component – Ks, ID of PUb session key plus ID of recipient’s public key used to encrypt the session key Khushbu Shah 35 35

PGP Format Khushbu Shah 36 36

Key Rings PGP provides a pair of data structures at each node – pub/priv key pairs owned by node & public keys of other users Private-Key Ring and Public-Key Ring Can view the ring as a table – each row represents one of the pub/priv key pairs Khushbu Shah 37 37

Private key ring Private key ring can be indexed by either userID or KeyID Private key is encrypted by CAST-128.The procedure is as follow 1 User selects a passphrase to be used for encrypt private keys. 2 When system generates new pub/pri key pairs using RSA, ask user for passphrase. Using SHA-1,160 bit hash code is generated from passphrase then it is discarded. 3 System encrypts private key using CAST-128 with 128 bit hash code as a key When user accesses the private key ring to retrieve private key, he must supply passphrase. PGP will retrieve encrypted private key ,generate hash code of passphrase and decrypt the encrypted private key using CAST-128 with hash code. Khushbu Shah 38

Private key stored encrypted with passphrase Private key ring (“my” key-pairs) information: Private key stored encrypted with passphrase “Private Key Ring” also contains “my” public keys <barnard@cis.uab.edu> <barnard@uab.edu> Khushbu Shah

Key Ring Structure The owner’s public key(s) appear on both key rings Khushbu Shah 40 40

PGP Message Generation & Transmission Khushbu Shah 41 41

PGP Message Generation & Transmission has following steps Signing the message Encrypting the message PGP Message receptions has following steps Decrypting the message Authenticating the message Khushbu Shah 42 42

PGP Message Reception Khushbu Shah 43 43

Public Key Management PGP contains clever, efficient, interlocking set of function and formats to provide confidentiality and authentication Approaches to public key Management A want to obtain reliable public key of B Physically get the key from B Verify a key by telephone or email Obtain B’s public key from a mutually trusted individual friend D Obtain B’s public key from a trusted certifying authority For cases 3 and 4, Alice would already have a copy of the introducer’s public key and trust that this key is valid. Ultimately, it is up to Alice to assign a degree of trust to anyone who is to act as an introducer. Khushbu Shah 44 44

Use of Trust Associated with each public key is a key legitimacy field – extent that PGP will trust that this is a valid public key (high level of trust , stronger is binding of this user ID to this key, zero or more signature collected by key ring owner) Field derived from collection of signature trust fields in entry. Signature trust field – degree to which PGP user trusts the signer to certify public keys Owner trust field – degree to which this public key is trusted to sign other public-key certificates Level of trust assigned by user. Contained in a structure referred to as a trust flag byte Khushbu Shah 45 45

PGP provides a convenient means of using trust. Use of Trust PGP provides a convenient means of using trust. Earlier, when Alice entered a new key in her public-key ring, PGP asked her to assign a level of trust to the owner of this key (if it’s her own public key, value is ultimate trust). This was entered in the Owner Trust field and will be used if Alice later receives keys signed by this person. Khushbu Shah

When Alice enters another new public key, one or more signatures may be attached (in the Signature(s) field). Alice’s PGP will search her public-key ring to see if the author of this signature is already on her key ring. If so PGP will copy her earlier assessment of this person’s trust into the Signature Trust field for this person (otherwise the value of this field will be unknown user). PGP will compute the weighted average of the Signature Trust values and assign this to the Key Legitimacy field. This field summarized the confidence that Alice can have that this public key actually belongs to the person in the UserID field. Khushbu Shah

Dealing with public key ring of user A. Describes the operation of trust processing as follows: 1) When A insert new public key on public key ring, PGP must assign value to trust flag associated with owner of this public key. If owner is A, then this public key also appears in private key ring, value of ultimate trust is automatically assigned to trust field. Otherwise PGP ask A for this assessment of trust to be assigned to the owner of this key, and A must enter the desired level. User can specify that owner is unknown ,untrusted, marginally trusted, completely trusted etc. Khushbu Shah

Contd… 2) When new public key is entered, one or more signatures may attached to it. When signature is inserted into entry, PGP searches public key ring to see if the author of signature is among known public key owner If so, OWNERTRUST value for this owner is assigned to SIGNTRUST field for this signature. If not, unknown user value assigned 3) The value of key legitimacy field is calculated on basis of signature fields present in entry. If at least one signature has signature trust value of ultimate, key legitimacy field value is set to complete, Otherwise PGP computes weighted sum of trust values. Khushbu Shah

Trust Flag Byte Contents Khushbu Shah

PGP Trust Model Example Khushbu Shah

PGP Trust Model 1 All keys whose owners are fully or partially trusted by this user have been signed by this(YOU) user except node L. Even though E’s key is already signed by trusted F, user chose to sign E’s key directly. 2 Two partially trusted signatures are sufficient to certify a key. Key for user H is deemed legitimate by PGP because it is signed by A and B, partially trusted. 3 Key may be legitimate because it is signed by one fully trusted or two partially trusted signatories. But its user may not be trusted to sign other keys. Example-N’s key is legitimate because sign by E, whom this user trusts, but N is not trusted user to sign others key because this user has not assigned trust value to N. R’s key is signed by N but PGP does not consider R’s key as legitimate. 4 Detached orphan node S with two unknown signatures. Such key may have been acquired from key server. PGP can’t assume that this key is legitimate key. User must declare key legitimate by signing it or by telling PGP to willingly trust one of key signatories. Khushbu Shah

PGP “Web of Trust” The idea behind the various trust fields in the public key ring is to establish a “Web of Trust” among a community of users. PGP “Web of Trust” The idea behind the various trust fields in the public key ring is to establish a “Web of Trust” among a community of users. If Alice trusts only Abe to sign certificates, then she won’t believe certificates from Martha or Emily are genuine. If she also trusts Bob’s judgment about signing certificates, she can trust Emily’s certificate; if she also trusts Carl, she can trust everyone’s certificate. Khushbu Shah

S/MIME Khushbu Shah

S/MIME includes a secure development of RFC 822/ MIME Secure/Multipurpose Internet Mail Extension-Secure enhancement to MIME - - Internet e-mail format standard S/MIME will probably emerge as the industry standard for commercial and organizational use. PGP use for personal e-mail security Overview of E-mail: The message is constructed under RFC 822, then passed to SMTP (RFC 821) for transmission. S/MIME includes a secure development of RFC 822/ MIME Khushbu Shah

Simple Mail Transfer Protocol (SMTP, RFC 822) MIME is extension to RFC 822 framework that is intended to address some of problem and limitation to use of SMTP SMTP Limitations - Can not transmit, or has a problem with: executable files, or other binary files (jpeg image) “national language” characters- represnted as 8 bit codes with values of 128 decimal. SMTP limited to 7-bit ASCII Reject mail messages over a certain size ASCII to EBCDIC translation problems (not consistent mapping) lines longer than a certain length (72 to 254 characters) Khushbu Shah

S/MIME MIME is compatible to existing RFC 822 implementation Specification provided in RFC 2045 through 2049 Five new message header fields are defined provides information about body of message. Number of content formats are defined Transfer encoding is defined that enables conversion to any format Khushbu Shah

■ contain readable text (ASCII) ■ are divided into lines Headers ■ contain readable text (ASCII) ■ are divided into lines ■ each line of form <keyword> : <value> Keywords To and From are required, others optional Khushbu Shah

RFC 822 states that the message can consist only of ASCII text. MIME – Multipurpose Internet Mail Extensions (RFC 1521, 1993) In the body of the message we would like to be able to include items such as: ■ messages in languages with accents ■ Messages in non-Latin alphabets (Arabic, Russian, Hebrew) ■ Messages in languages without alphabets (Chinese and Japanese) ■ Messages not containing any kind of text (audio and video) Such material may contain an arbitrary bit string. Sender must “disguise”(mask or hide) non-ASCII information as ASCII This will be reversed by the receiver, to give the bit string. Khushbu Shah

From point of view of receiver: If you receive this ASCII message how do you know what it is? Example: Content-Transfer-Encoding says “radix-64 conversion” Now you know that the message is a bit string that the sender has converted to radix-64 – you can recover the bit string, but you still don’t know what it is (image? Audio?) MIME header: Content-Type says “image/jpeg” which tells you how to process the received message. Khushbu Shah

Header fields in MIME MIME-Version: Must be value “1.0” ->conforms to RFC 2045, RFC 2046 Content-Type: More types being added by developers. Describes data contained in the body with sufficient detail Content-Transfer-Encoding: How message has been encoded (radix-64).Type of transformation used to represent data to users Content-ID: Unique identifying character string. Content Description: Needed when content is not readable text (e.g.,mpeg) Khushbu Shah

Header fields in MIME Khushbu Shah

S/MIME will add new subtypes to Application and Multipart Khushbu Shah

Khushbu Shah

S/MIME Functions Enveloped Data: Encrypted content and encrypted session keys for recipients. Signed Data: Message Digest encrypted with private key of “signer.” Clear-Signed Data: Signed but not encrypted. message ASCII only, signature with radix-64 (recipients without S/MIME can view message, but cannot verify the signature) Signed and Enveloped Data: Various orderings for encrypting and signing. Khushbu Shah

S/MIME Functionality - continued ► Enveloped data: encrypted content plus encryption keys PGP equivalent: plus radix-64 conversion Radix-64 conversion Khushbu Shah

Radix-64 conversion after compression S/MIME Functionality - continued ► Signed data: message plus digital signature (can be viewed only by recipient with S/MIME capability) PGP equivalent: plus radix-64 conversion Radix-64 conversion after compression ► Clear-signed data function: only the digital signature is converted to radix-64; the message is “in the clear” Khushbu Shah

S/MIME Functionality - continued ► Signed and enveloped data PGP equivalent: Khushbu Shah

Algorithms Used Message Digesting: SHA-1 and MDS Digital Signatures: DSS Secret-Key Encryption: Triple-DES, RC2/40 (exportable) Public-Private Key Encryption: RSA with key sizes of 512 and 1024 bits, and Diffie-Hellman (for session keys). Khushbu Shah

Cryptographic Algorithms Used in S/MIME Khushbu Shah

S/MIME Message Type Enveloped Data Signed Data Clear Signing Registration Request-Application or user will apply to certification authority for public-key certificate-Include certificationInfo block followed by identifier of public key Certification-Only Message-Message containing only certificate or CRL list in response to Registration request. Khushbu Shah

S/MIME Certificate Processing S/MIME uses X.509 version 3 “Hybrid between a strict X.509 hierarchy and PGP’s web of trust.” S/MIME does not set up a global system like the Domain Name System, to retrieve public-key certificates with minimal effort. Rather, each user, or user group, takes responsibility for obtaining the certificates of individuals with whom they want to correspond securely. Khushbu Shah

User Agent Role S/MIME uses Public-Key Certificates - X.509 version 3 signed by Certification Authority Several key management Functions: Key Generation – MUST-Diffie-Hellman, DSS, and SHOULD- RSA key-pairs. Registration – user’s Public keys must be registered with X.509 CA. Certificate Storage - Local (as in browser application) for different services. On behalf of user some local administrative entity maintained the certification list. Signed and Enveloped Data - Various orderings for encrypting and signing. Khushbu Shah

Verisign Certificates Several companies provides CA (certification Authority) services Nortel provides S/MIME support Internet based CAs-Verisign, GTE, U.S. Portal Service Verisign is mostly used for CA service compatible with S/MIME and other applications. Issue certificate with product name Verisign Digital ID. DigitalID contains Owner’s public key Owner’s name or alias Expiration date of digitalID Serial no of DigitalID Name of CA that issued DigitalID And Signature of CA Also contain user supplied info Address, E-mail Address, basic Registration info Khushbu Shah

User Agent Role Example: Verisign (www.verisign.com) Class-1: Buyer’s email address confirmed by emailing vital info. Digital ID is sent as well as PIN is sent. Class-2: Automated comparison with online database Postal address is confirmed as well, and data checked against directories. DigitalID is sent to postal address. Class-3: Buyer must appear in person, or send notarized documents. Khushbu Shah

Table 7.8 Verisign Public-Key Certificate Classes Khushbu Shah

Khushbu Shah