Email Security

1
Email Security
2
Email Security

• email is one of the most widely used and regarded
  network services
• currently message contents are not secure
• may be inspected either in transit
• or by suitably privileged users on destination
  system

3
Email Security Enhancements

• confidentiality
• protection from disclosure
• authentication
• of sender of message
• message integrity
• protection from modification
• non-repudiation of origin
• protection from denial by sender

4
Pretty Good Privacy (PGP)

• widely used de facto secure email
• developed by Phil Zimmermann
• selected best available cryptography algorithms
• integrated into a single program
• available on Unix, PC, Macintosh and Amiga
  systems
• originally free, now have commercial versions
  available also

5
PGP services

• messages
• authentication
• confidentiality
• compression
• e-mail compatibility
• segmentation and reassembly
• key management
• generation, distribution, and revocation of
  public/private keys
• generation and transport of session keys and IVs

6
Message authentication

• based on digital signatures
• supported algorithms RSA/SHA and DSS/SHA

Ksnd-1
m
h
s
sender
hash
enc
m
h
s
h
compare
hash
dec
receiver
Ksnd
accept / reject
7
PGP Operation Authentication

• 1.sender creates a message
• 2. SHA-1 used to generate 160-bit hash code of
  message
• 3. hash code is encrypted with RSA using the
  sender's private key, and result is attached to
  message
• 4. receiver uses RSA with sender's public key to
  decrypt and recover hash code
• 5. receiver generates new hash code for message
  and compares with decrypted hash code, if match,
  message is accepted as authentic
• 6. From the strengths of RSA and SHA-1 the
  recipient is assured that only the possessor of
  the private key could generate the signature.

8
Message confidentiality

• symmetric key encryption in CFB mode with a
  random session key and IV
• session key and IV is encrypted with the public
  key of the receiver
• supported algorithms
• symmetric CAST, IDEA, 3DES
• asymmetric RSA, ElGamal

m
prng
Krcv
k, ivKrcv
s.enc
a.enc
sender
k, iv
mk
9
PGP Operation Confidentiality

• sender generates message and a random 128-bit
  number to be used as session key for this message
  only.
• message is encrypted, using CAST-128 / IDEA/3DES
  with session key using 64 bit CFB (cipher
  feedback mode)
• session key is encrypted using RSA with
  recipient's public key, then attached to message
• receiver uses RSA with its private key to decrypt
  and recover session key
• session key is used to decrypt message
• Option to RSA Diffie-Hellman variant E1Gamal

10
PGP Operation Confidentiality Authentication

• uses both services on same message
• create signature attach to message
• encrypt both message signature
• attach RSA encrypted session key

11
(No Transcript)
12
Notation for Figure 5.1

• Ks session key used in symmetric encryption
  scheme
• KRa private key of user A
• KUa public key of user A
• EP Encryption Public Key
• DP Decryption Public Key
• EP Symmetric Encryption
• DP Symmetric Decryption
• H hash function, concatenation
• Z compression using ZIP
• R64 conversion to radix 64 ASCII format

13
PGP Operation Compression

• by default PGP compresses message after signing
  but before encrypting
• so can store uncompressed message signature for
  later verification
• uses ZIP compression algorithm

14
PGP Operation Email Compatibility

• when using PGP will have binary data to send
  (encrypted message etc)
• however email was designed only for text
• hence PGP must encode raw binary data into
  printable ASCII characters
• uses radix-64 algorithm
• PGP also segments messages if too big

15
PGP Operation Summary
16
Summary of PGP Services
17
Format of PGP Message
18
PGP message format
key ID of Krcv
session key component
session key k
Krcv
timestamp
key ID of Ksnd
signature
leading two octets of hash
hash
Ksnd-1
filename
k
ZIP
R64
timestamp
message
data
19
Key IDs

• a user may have several public key private key
  pairs
• which private key to use to decrypt the session
  key?
• which public key to use to verify a signature?
• transmitting the whole public key would be
  wasteful
• associating a random ID to a public key would
  result in management burden
• PGP key ID least significant 64 bits of the
  public key
• unique within a user with very high probability

20
Private-key ring

• used to store the public key private key pairs
  owned by a given user
• essentially a table, where each row contains the
  following entries
• timestamp
• key ID (indexed)
• public key
• encrypted private key
• user ID (indexed)

21
Public-key ring

• used to store public keys of other users
• a table, where each row contains the following
  entries
• timestamp
• key ID (indexed)
• public key
• user ID (indexed)
• owner trust
• signature(s)
• signature trust(s)
• key legitimacy

22
(No Transcript)
23
(No Transcript)
24
(No Transcript)
25
PGP Session Keys

• need a session key for each message
• of varying sizes 56-bit DES, 128-bit CAST or
  IDEA, 168-bit Triple-DES
• generated using ANSI X12.17 mode
• uses random inputs taken from previous uses and
  from keystroke timing of user

26
Random number generation

• true random numbers
• used to generate public key private key pairs
• provide the initial seed for the pseudo-random
  number generator (PRNG)
• provide additional input during pseudo-random
  number generation
• pseudo-random numbers
• used to generate session keys and IVs

27
Pseudo-random numbers

• based on the ANSI X9.17 PRNG standard

K1, K2
3DES
DTi
3DES
Vi1
3DES
Vi
Ri
28
PGP Key Management

• rather than relying on certificate authorities
• in PGP every user is own CA
• can sign keys for users they know directly
• forms a web of trust
• trust keys have signed
• can trust keys others have signed if have a chain
  of signatures to them
• key ring includes trust indicators
• users can also revoke their keys

29
(No Transcript)
30
The Use of Trust

• Key legitimacy field
• Signature trust field
• Owner trust field

31
Trust management

• owner trust
• assigned by the user
• possible values
• unknown user
• usually not trusted to sign
• usually trusted to sign
• always trusted to sign
• ultimately trusted (own key, present in private
  key ring)

32

• signature trust
• assigned by the PGP system
• if the corresponding public key is already in the
  public-key ring, then its owner trust entry is
  copied into signature trust
• otherwise, signature trust is set to unknown user

33
Trust management

• key legitimacy
• computed by the PGP system
• if at least one signature trust is ultimate, then
  the key legitimacy is 1 (complete)
• otherwise, a weighted sum of the signature trust
  values is computed
• always trusted signatures has a weight of 1/X
• usually trusted signatures has a weight of 1/Y
• X, Y are user-configurable parameters

34

• example X2, Y4
• 1 ultimately trusted, or
• 2 always trusted, or
• 1 always trusted and 2 usually trusted, or
• 4 usually trusted signatures are needed to obtain
  full legitimacy

35
(No Transcript)
36
Public-key revocation

• why to revoke a public key?
• suspected to be compromised (private key got
  known by someone)
• re-keying
• the owner issues a revocation certificate
• has a similar format to normal public-key
  certificates
• contains the public key to be revoked
• signed with the corresponding private key
• and disseminates it as widely and quickly as
  possible
• if a key is compromised
• e.g., Bob knows the private key of Alice
• Bob can issue a revocation certificate to revoke
  the public key of Alice
• even better for Alice

37
Recommended Web Sites

• PGP home page www.pgp.com
• MIT distribution site for PGP
• S/MIME Charter
• S/MIME Central RSA Inc.s Web Site