Chapter 5
This presentation is the property of its rightful owner.
Sponsored Links
1 / 49

Chapter 5 PowerPoint PPT Presentation


  • 83 Views
  • Uploaded on
  • Presentation posted in: General

Chapter 5. Electronic mail security. Outline. Pretty good privacy S/MIME Recommended web sites. Pretty Good Privacy. Philip R. Zimmerman is the creator of PGP. PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications.

Download Presentation

Chapter 5

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Chapter 5

Chapter 5

Electronic mail security


Outline

Outline

  • Pretty good privacy

  • S/MIME

  • Recommended web sites


Pretty good privacy

Pretty Good Privacy

  • Philip R. Zimmerman is the creator of PGP.

  • PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications.

    PGP source : http://www.pgp.com/developers/sourcecode/


Why is pgp popular

Why Is PGP Popular?

  • It is availiable free on a variety of platforms.

  • Based on well known algorithms.

  • Wide range of applicability

  • Not developed or controlled by governmental or standards organizations


Operational description

Operational Description

  • Consist of five services:

    • Authentication

    • Confidentiality

    • Compression

    • E-mail compatibility

    • Segmentation


Pgp operation authentication

PGP Operation – Authentication

  • sender creates message

  • use SHA-1 to generate 160-bit hash of message

  • signed hash with RSA using sender's private key, and is attached to message

  • receiver uses RSA with sender's public key to decrypt and recover hash code

  • receiver verifies received message using hash of it and compares with decrypted hash code


Pgp operation confidentiality

PGP Operation – Confidentiality

  • sender generates message and 128-bit random number as session key for it

  • encrypt message using CAST-128 / IDEA / 3DES in CBC mode with session key

  • session key encrypted using RSA with recipient's public key, & attached to msg

  • receiver uses RSA with private key to decrypt and recover session key

  • session key is used to decrypt message


Pgp operation confidentiality authentication

PGP Operation – Confidentiality & Authentication

  • can use both services on same message

    • create signature & attach to message

    • encrypt both message & signature

    • attach RSA/ElGamal encrypted session key


Pgp operation compression

PGP Operation – Compression

  • by default PGP compresses message after signing but before encrypting

    • so can store uncompressed message & signature for later verification

    • & because compression is non deterministic

  • uses ZIP compression algorithm


Pgp operation email compatibility

PGP Operation – Email Compatibility

  • when using PGP will have binary data to send (encrypted message etc)

  • however email was designed only for text

  • hence PGP must encode raw binary data into printable ASCII characters

  • uses radix-64 algorithm

    • maps 3 bytes to 4 printable chars

    • also appends a CRC

  • PGP also segments messages if too big


E mail compatibility

E-mail Compatibility

  • The scheme used is radix-64 conversion.

  • The use of radix-64 expands the message by 33%.


Pgp operation summary

PGP Operation – Summary


Segmentation and reassembly

Segmentation and Reassembly

  • Often restricted to a maximum message length of 50,000 octets.

  • Longer messages must be broken up into segments.

  • PGP automatically subdivides a message that is to large.

  • The receiver strip of all e-mail headers and reassemble the block.


Summary of pgp services

Summary of PGP Services


Pgp keys

PGP Keys

  • Make use of four type of keys:

    • One-time session symmetric key

    • Public key

    • Private key

    • Passphrase-based symmetric key


Pgp session keys

PGP Session Keys

  • need a session key for each message

    • Only for encrypting and decrypting purpose

    • of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES

  • generated using ANSI X12.17 mode

  • uses random inputs taken from previous uses and from keystroke timing of user


Pgp public private keys

PGP Public & Private Keys

  • since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message

    • could send full public-key with every message

    • but this is inefficient

  • rather use a key identifier based on key

    • is least significant 64-bits of the key

    • will very likely be unique

  • also use key ID in signatures


Format of pgp message

Format of PGP Message


Pgp key rings

PGP Key Rings

  • each PGP user has a pair of keyrings:

    • public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID

    • private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted keyed from a hashed passphrase

  • security of private keys thus depends on the pass-phrase security


Pgp key management

PGP Key Management

  • rather than relying on certificate authorities

  • in PGP every user is own CA

    • can sign keys for users they know directly

  • forms a “web of trust”

    • trust keys have signed

    • can trust keys others have signed if have a chain of signatures to them

  • key ring includes trust indicators

  • users can also revoke their keys


The use of trust

The Use of Trust

  • Key legitimacy field

  • Signature trust field

  • Owner trust field

See Table 15.2 (W. Stallings)


Revoking public keys

Revoking Public Keys

  • The owner issue a key revocation certificate.

  • Normal signature certificate with a revote indicator.

  • Corresponding private key is used to sign the certificate.


S mime

S/MIME

  • Secure/Multipurpose Internet Mail Extension

  • S/MIME will probably emerge as the industry standard.

  • PGP for personal e-mail security


Simple mail transfer protocol smtp rfc 822

Simple Mail Transfer Protocol (SMTP, RFC 822)

  • SMTP Limitations - Can not transmit, or has a problem with:

    • executable files, or other binary files (jpeg image)

    • “national language” characters (non-ASCII)

    • messages over a certain size

    • ASCII to EBCDIC translation problems

    • lines longer than a certain length (72 to 254 characters)


Header fields in mime

Header fields in MIME

  • MIME-Version: Must be “1.0” -> RFC 2045, RFC 2046

  • Content-Type: More types being added by developers (application/word)

  • Content-Transfer-Encoding: How message has been encoded (radix-64)

  • Content-ID: Unique identifying character string.

  • Content Description: Needed when content is not readable text (e.g.,mpeg)


S mime secure multipurpose internet mail extensions

S/MIME (Secure/Multipurpose Internet Mail Extensions)

  • security enhancement to MIME email

    • original Internet RFC822 email was text only

    • MIME provided support for varying content types and multi-part messages

    • with encoding of binary data to textual form

    • S/MIME added security enhancements

  • have S/MIME support in various modern mail agents: MS Outlook, Netscape etc


S mime functions

S/MIME Functions

  • Enveloped Data: Encrypted content and encrypted session keys for recipients.

  • Signed Data: Message Digest encrypted with private key of “signer.”

  • Clear-Signed Data: Signed but not encrypted.

  • Signed and Enveloped Data: Various orderings for encrypting and signing.


Algorithms used

Algorithms Used

  • Message Digesting: SHA-1 and MDS

  • Digital Signatures: DSS

  • Secret-Key Encryption: Triple-DES, RC2/40 (exportable)

  • Public-Private Key Encryption: RSA with key sizes of 512 and 1024 bits, and Diffie-Hellman (for session keys).


User agent role

User Agent Role

  • S/MIME uses Public-Key Certificates - X.509 version 3 signed by Certification Authority

  • Functions:

    • Key Generation - Diffie-Hellman, DSS, and RSA key-pairs.

    • Registration - Public keys must be registered with X.509 CA.

    • Certificate Storage - Local (as in browser application) for different services.

    • Signed and Enveloped Data - Various orderings for encrypting and signing.


User agent role1

User Agent Role

  • Example: Verisign (www.verisign.com)

    • Class-1: Buyer’s email address confirmed by emailing vital info.

    • Class-2: Postal address is confirmed as well, and data checked against directories.

    • Class-3: Buyer must appear in person, or send notarized documents.


Certificate authorities

Certificate Authorities

  • Verisign issues several types of Digital IDs

  • increasing levels of checks & hence trust

    ClassIdentity ChecksUsage

    1name/email check web browsing/email

    2+ enroll/addr check email, subs, s/w validate

    3+ ID documents e-banking/service access


E mail security risks

E-mail Security Risks


E mail security risks malware

E-mail Security Risks: Malware


E mail security risks malware1

E-mail Security Risks: Malware


E mail security risks e mail spoofing

E-mail Security Risks: E-mail spoofing


E mail attachment security

E-mail Attachment Security


E mail spamming

E-mail Spamming


Protecting e mail spamming

Protecting E-mail Spamming


E mail bombing and chain letter

E-mail Bombing and Chain Letter


Defend against e mail security

Defend against E-mail security


Recommended web sites

Recommended Web Sites

  • PGP home page: www.pgp.com

  • MIT distribution site for PGP

  • S/MIME Charter

  • S/MIME Central: RSA Inc.’s Web Site


  • Login