CryptographySecurity

1
Chapter 15 Electronic Mail Security

• 15.1 Pretty Good Privacy (Personal or Academic
  institute)
• 15.2 S/MIME (Enterprise, General applications)

2
Security Problem?

• Why secure E-mail ?
• Demo Outlook Express
• Using another users e-mail address to send a
  mail.
• Starting Outlook Express
• Creating a new account (Forged E-mail address)
• Sending a mail (using the new account)

3
Internet Security Overview
IPSec
4
15.1 PGP (pretty good privacy)

• Phil Zimmermann designs (1995)
• He selects existent cryptographic algorithms as
  building blocks for PGP
• PGP provides confidentiality and authentication
  for security

5
PGP services

• Authentication -- digital signature
• DSS/SHA, RSA/SHA
• Confidentiality -- encryption
• CAST, IDEA, 3DES, RSA
• Compression -- ZIP
• Email compatibility -- radix-64-conversion
• Segmentation -- to comply the size restriction of
  an email

6
Notation

• Ks the session key for secret-key encryption
• KRa private key of user A
• KUa public key of user A
• EP public-key encryption
• DP public-key decryption
• EC conventional encryption
• DC conventional decryption
• H hash function
• concatenation
• Z compression using ZIP algorithm

7
Authentication
8
Confidentiality
How to get?
Why ? Z, then EC Or EC, then Z
9
Confidentiality and authentication
10
Key issues of PGP

• The session key is encrypted with the recipients
  public key. Therefore, only the recipient can
  decrypt to obtain the secret-key.
• PGP allows a user to have multiple public/private
  pairs.
• Each key has an identifier (key ID) so that the
  recipient can find the appropriate private to
  decrypt the message
• Therefore, the identifier of the recipients
  public key that is used by the sender, is
  transmitted with the message.

11
Key issues of PGP (cont.)

• Since the recipient need authenticate the sender,
  the senders public key ID should be sent along
  with the message to the recipient.

12
Why key ID?

• Key ID the last 64 bits of KUa and KUb.
• Reason public keys are very long, 1024 bits, it
  is wasteful to transmit them along with the
  messages. In stead, shorter key ID, 64 bits, are
  transmitted.
• Note each PGP message has two key-ID, one for
  the senders public key (authentication) and the
  other for the recipients public key (decryption)

13
Format of PGP message
14
PGP key management

• Each user has to maintain two lists, one (called
  private-key ring) for his own public-private key
  pairs and the other (called public-key ring) for
  the public keys of other users.
• Each user has to maintain a list (CRL) of his
  revocation public keys.
• Note No CA management

15
PGP key management - private-key ring
Private-Key Ring
16
PGP key management - public-key ring
Public-Key Ring
17
Operations of PGP

• Sender
• Signing the message
• Encrypting the message
• Recipient
• Decrypting the message
• Authenticating the message

18
PGP message generation (sender)
19
PGP message reception (recipient)
20
15.2 S/MIME

• Secure/Multipurpose Internet Mail Extension
• S/MIME will probably emerge as the industry
  standard.
• PGP for personal e-mail security
• Demo Outlook Express
• Tools
• Options
• Security
• Other information
• Digital ID gt Trusted CA list
• Get Digital ID
• Advanced setting

21
Simple Mail Transfer Protocol (SMTP, RFC 822)

• SMTP Limitations - Can not transmit, or has a
  problem with
• executable files, or other binary files (jpeg
  image)
• national language characters (non-ASCII)
• messages over a certain size
• ASCII to EBCDIC translation problems
• lines longer than a certain length (72 to 254
  characters)

22
Header fields in MIME

• MIME-Version Must be 1.0 -gt RFC 2045, RFC
  2046
• Content-Type More types being added by
  developers (application/word)
• Content-Transfer-Encoding How message has been
  encoded (radix-64)
• Content-ID Unique identifying character string.
• Content Description Needed when content is not
  readable text (e.g.,mpeg)

23
S/MIME Functions

• Enveloped Data Encrypted content and encrypted
  session keys for recipients.
• Signed Data Message Digest encrypted with
  private key of signer.
• Clear-Signed Data Signed but not encrypted.
• Signed and Enveloped Data Various orderings for
  encrypting and signing.

24
Algorithms Used

• Message Digesting SHA-1 and MD5
• Digital Signatures DSS
• Secret-Key Encryption Triple-DES, RC2/40
  (exportable)
• Public-Private Key Encryption RSA with key sizes
  of 512 and 1024 bits, and Diffie-Hellman (for
  session keys).

25
User Agent Role

• S/MIME uses Public-Key Certificates - X.509
  version 3 signed by Certification Authority (CA)
• Functions
• Key Generation - Diffie-Hellman, DSS, and RSA
  key-pairs.
• Registration - Public keys must be registered
  with X.509 CA.
• Certificate Storage - Local (as in browser
  application) for different services.
• Signed and Enveloped Data - Various orderings for
  encrypting and signing.

26
User Agent Role

• Example Verisign (www.verisign.com)
• Class-1 Buyers email address confirmed by
  emailing vital info.
• Class-2 Postal address is confirmed as well,
  and data checked against directories.
• Class-3 Buyer must appear in person, or send
  notarized documents.