chapter 5
Skip this Video
Download Presentation
Chapter 5

Loading in 2 Seconds...

play fullscreen
1 / 49

Chapter 5 - PowerPoint PPT Presentation

  • Uploaded on

Chapter 5. Electronic mail security. Outline. Pretty good privacy S/MIME Recommended web sites. Pretty Good Privacy. Philip R. Zimmerman is the creator of PGP. PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Chapter 5' - violet-ward

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
chapter 5

Chapter 5

Electronic mail security

  • Pretty good privacy
  • S/MIME
  • Recommended web sites
pretty good privacy
Pretty Good Privacy
  • Philip R. Zimmerman is the creator of PGP.
  • PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications.

PGP source :

why is pgp popular
Why Is PGP Popular?
  • It is availiable free on a variety of platforms.
  • Based on well known algorithms.
  • Wide range of applicability
  • Not developed or controlled by governmental or standards organizations
operational description
Operational Description
  • Consist of five services:
    • Authentication
    • Confidentiality
    • Compression
    • E-mail compatibility
    • Segmentation
pgp operation authentication
PGP Operation – Authentication
  • sender creates message
  • use SHA-1 to generate 160-bit hash of message
  • signed hash with RSA using sender\'s private key, and is attached to message
  • receiver uses RSA with sender\'s public key to decrypt and recover hash code
  • receiver verifies received message using hash of it and compares with decrypted hash code
pgp operation confidentiality
PGP Operation – Confidentiality
  • sender generates message and 128-bit random number as session key for it
  • encrypt message using CAST-128 / IDEA / 3DES in CBC mode with session key
  • session key encrypted using RSA with recipient\'s public key, & attached to msg
  • receiver uses RSA with private key to decrypt and recover session key
  • session key is used to decrypt message
pgp operation confidentiality authentication
PGP Operation – Confidentiality & Authentication
  • can use both services on same message
    • create signature & attach to message
    • encrypt both message & signature
    • attach RSA/ElGamal encrypted session key
pgp operation compression
PGP Operation – Compression
  • by default PGP compresses message after signing but before encrypting
    • so can store uncompressed message & signature for later verification
    • & because compression is non deterministic
  • uses ZIP compression algorithm
pgp operation email compatibility
PGP Operation – Email Compatibility
  • when using PGP will have binary data to send (encrypted message etc)
  • however email was designed only for text
  • hence PGP must encode raw binary data into printable ASCII characters
  • uses radix-64 algorithm
    • maps 3 bytes to 4 printable chars
    • also appends a CRC
  • PGP also segments messages if too big
e mail compatibility
E-mail Compatibility
  • The scheme used is radix-64 conversion.
  • The use of radix-64 expands the message by 33%.
segmentation and reassembly
Segmentation and Reassembly
  • Often restricted to a maximum message length of 50,000 octets.
  • Longer messages must be broken up into segments.
  • PGP automatically subdivides a message that is to large.
  • The receiver strip of all e-mail headers and reassemble the block.
pgp keys
PGP Keys
  • Make use of four type of keys:
    • One-time session symmetric key
    • Public key
    • Private key
    • Passphrase-based symmetric key
pgp session keys
PGP Session Keys
  • need a session key for each message
    • Only for encrypting and decrypting purpose
    • of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES
  • generated using ANSI X12.17 mode
  • uses random inputs taken from previous uses and from keystroke timing of user
pgp public private keys
PGP Public & Private Keys
  • since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message
    • could send full public-key with every message
    • but this is inefficient
  • rather use a key identifier based on key
    • is least significant 64-bits of the key
    • will very likely be unique
  • also use key ID in signatures
pgp key rings
PGP Key Rings
  • each PGP user has a pair of keyrings:
    • public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID
    • private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted keyed from a hashed passphrase
  • security of private keys thus depends on the pass-phrase security
pgp key management
PGP Key Management
  • rather than relying on certificate authorities
  • in PGP every user is own CA
    • can sign keys for users they know directly
  • forms a “web of trust”
    • trust keys have signed
    • can trust keys others have signed if have a chain of signatures to them
  • key ring includes trust indicators
  • users can also revoke their keys
the use of trust
The Use of Trust
  • Key legitimacy field
  • Signature trust field
  • Owner trust field

See Table 15.2 (W. Stallings)

revoking public keys
Revoking Public Keys
  • The owner issue a key revocation certificate.
  • Normal signature certificate with a revote indicator.
  • Corresponding private key is used to sign the certificate.
s mime
  • Secure/Multipurpose Internet Mail Extension
  • S/MIME will probably emerge as the industry standard.
  • PGP for personal e-mail security
simple mail transfer protocol smtp rfc 822
Simple Mail Transfer Protocol (SMTP, RFC 822)
  • SMTP Limitations - Can not transmit, or has a problem with:
    • executable files, or other binary files (jpeg image)
    • “national language” characters (non-ASCII)
    • messages over a certain size
    • ASCII to EBCDIC translation problems
    • lines longer than a certain length (72 to 254 characters)
header fields in mime
Header fields in MIME
  • MIME-Version: Must be “1.0” -> RFC 2045, RFC 2046
  • Content-Type: More types being added by developers (application/word)
  • Content-Transfer-Encoding: How message has been encoded (radix-64)
  • Content-ID: Unique identifying character string.
  • Content Description: Needed when content is not readable text (e.g.,mpeg)
s mime secure multipurpose internet mail extensions
S/MIME (Secure/Multipurpose Internet Mail Extensions)
  • security enhancement to MIME email
    • original Internet RFC822 email was text only
    • MIME provided support for varying content types and multi-part messages
    • with encoding of binary data to textual form
    • S/MIME added security enhancements
  • have S/MIME support in various modern mail agents: MS Outlook, Netscape etc
s mime functions
S/MIME Functions
  • Enveloped Data: Encrypted content and encrypted session keys for recipients.
  • Signed Data: Message Digest encrypted with private key of “signer.”
  • Clear-Signed Data: Signed but not encrypted.
  • Signed and Enveloped Data: Various orderings for encrypting and signing.
algorithms used
Algorithms Used
  • Message Digesting: SHA-1 and MDS
  • Digital Signatures: DSS
  • Secret-Key Encryption: Triple-DES, RC2/40 (exportable)
  • Public-Private Key Encryption: RSA with key sizes of 512 and 1024 bits, and Diffie-Hellman (for session keys).
user agent role
User Agent Role
  • S/MIME uses Public-Key Certificates - X.509 version 3 signed by Certification Authority
  • Functions:
    • Key Generation - Diffie-Hellman, DSS, and RSA key-pairs.
    • Registration - Public keys must be registered with X.509 CA.
    • Certificate Storage - Local (as in browser application) for different services.
    • Signed and Enveloped Data - Various orderings for encrypting and signing.
user agent role1
User Agent Role
  • Example: Verisign (
    • Class-1: Buyer’s email address confirmed by emailing vital info.
    • Class-2: Postal address is confirmed as well, and data checked against directories.
    • Class-3: Buyer must appear in person, or send notarized documents.
certificate authorities
Certificate Authorities
  • Verisign issues several types of Digital IDs
  • increasing levels of checks & hence trust

Class Identity Checks Usage

1 name/email check web browsing/email

2 + enroll/addr check email, subs, s/w validate

3 + ID documents e-banking/service access

recommended web sites
Recommended Web Sites
  • PGP home page:
  • MIT distribution site for PGP
  • S/MIME Charter
  • S/MIME Central: RSA Inc.’s Web Site