Chapter 5
1 / 49

Chapter 5 - PowerPoint PPT Presentation

  • Uploaded on

Chapter 5. Electronic mail security. Outline. Pretty good privacy S/MIME Recommended web sites. Pretty Good Privacy. Philip R. Zimmerman is the creator of PGP. PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Chapter 5' - violet-ward

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Chapter 5

Chapter 5

Electronic mail security


  • Pretty good privacy

  • S/MIME

  • Recommended web sites

Pretty good privacy
Pretty Good Privacy

  • Philip R. Zimmerman is the creator of PGP.

  • PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications.

    PGP source :

Why is pgp popular
Why Is PGP Popular?

  • It is availiable free on a variety of platforms.

  • Based on well known algorithms.

  • Wide range of applicability

  • Not developed or controlled by governmental or standards organizations

Operational description
Operational Description

  • Consist of five services:

    • Authentication

    • Confidentiality

    • Compression

    • E-mail compatibility

    • Segmentation

Pgp operation authentication
PGP Operation – Authentication

  • sender creates message

  • use SHA-1 to generate 160-bit hash of message

  • signed hash with RSA using sender's private key, and is attached to message

  • receiver uses RSA with sender's public key to decrypt and recover hash code

  • receiver verifies received message using hash of it and compares with decrypted hash code

Pgp operation confidentiality
PGP Operation – Confidentiality

  • sender generates message and 128-bit random number as session key for it

  • encrypt message using CAST-128 / IDEA / 3DES in CBC mode with session key

  • session key encrypted using RSA with recipient's public key, & attached to msg

  • receiver uses RSA with private key to decrypt and recover session key

  • session key is used to decrypt message

Pgp operation confidentiality authentication
PGP Operation – Confidentiality & Authentication

  • can use both services on same message

    • create signature & attach to message

    • encrypt both message & signature

    • attach RSA/ElGamal encrypted session key

Pgp operation compression
PGP Operation – Compression

  • by default PGP compresses message after signing but before encrypting

    • so can store uncompressed message & signature for later verification

    • & because compression is non deterministic

  • uses ZIP compression algorithm

Pgp operation email compatibility
PGP Operation – Email Compatibility

  • when using PGP will have binary data to send (encrypted message etc)

  • however email was designed only for text

  • hence PGP must encode raw binary data into printable ASCII characters

  • uses radix-64 algorithm

    • maps 3 bytes to 4 printable chars

    • also appends a CRC

  • PGP also segments messages if too big

E mail compatibility
E-mail Compatibility

  • The scheme used is radix-64 conversion.

  • The use of radix-64 expands the message by 33%.

Segmentation and reassembly
Segmentation and Reassembly

  • Often restricted to a maximum message length of 50,000 octets.

  • Longer messages must be broken up into segments.

  • PGP automatically subdivides a message that is to large.

  • The receiver strip of all e-mail headers and reassemble the block.

Pgp keys
PGP Keys

  • Make use of four type of keys:

    • One-time session symmetric key

    • Public key

    • Private key

    • Passphrase-based symmetric key

Pgp session keys
PGP Session Keys

  • need a session key for each message

    • Only for encrypting and decrypting purpose

    • of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES

  • generated using ANSI X12.17 mode

  • uses random inputs taken from previous uses and from keystroke timing of user

Pgp public private keys
PGP Public & Private Keys

  • since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message

    • could send full public-key with every message

    • but this is inefficient

  • rather use a key identifier based on key

    • is least significant 64-bits of the key

    • will very likely be unique

  • also use key ID in signatures

Pgp key rings
PGP Key Rings

  • each PGP user has a pair of keyrings:

    • public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID

    • private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted keyed from a hashed passphrase

  • security of private keys thus depends on the pass-phrase security

Pgp key management
PGP Key Management

  • rather than relying on certificate authorities

  • in PGP every user is own CA

    • can sign keys for users they know directly

  • forms a “web of trust”

    • trust keys have signed

    • can trust keys others have signed if have a chain of signatures to them

  • key ring includes trust indicators

  • users can also revoke their keys

The use of trust
The Use of Trust

  • Key legitimacy field

  • Signature trust field

  • Owner trust field

See Table 15.2 (W. Stallings)

Revoking public keys
Revoking Public Keys

  • The owner issue a key revocation certificate.

  • Normal signature certificate with a revote indicator.

  • Corresponding private key is used to sign the certificate.

S mime

  • Secure/Multipurpose Internet Mail Extension

  • S/MIME will probably emerge as the industry standard.

  • PGP for personal e-mail security

Simple mail transfer protocol smtp rfc 822
Simple Mail Transfer Protocol (SMTP, RFC 822)

  • SMTP Limitations - Can not transmit, or has a problem with:

    • executable files, or other binary files (jpeg image)

    • “national language” characters (non-ASCII)

    • messages over a certain size

    • ASCII to EBCDIC translation problems

    • lines longer than a certain length (72 to 254 characters)

Header fields in mime
Header fields in MIME

  • MIME-Version: Must be “1.0” -> RFC 2045, RFC 2046

  • Content-Type: More types being added by developers (application/word)

  • Content-Transfer-Encoding: How message has been encoded (radix-64)

  • Content-ID: Unique identifying character string.

  • Content Description: Needed when content is not readable text (e.g.,mpeg)

S mime secure multipurpose internet mail extensions
S/MIME (Secure/Multipurpose Internet Mail Extensions)

  • security enhancement to MIME email

    • original Internet RFC822 email was text only

    • MIME provided support for varying content types and multi-part messages

    • with encoding of binary data to textual form

    • S/MIME added security enhancements

  • have S/MIME support in various modern mail agents: MS Outlook, Netscape etc

S mime functions
S/MIME Functions

  • Enveloped Data: Encrypted content and encrypted session keys for recipients.

  • Signed Data: Message Digest encrypted with private key of “signer.”

  • Clear-Signed Data: Signed but not encrypted.

  • Signed and Enveloped Data: Various orderings for encrypting and signing.

Algorithms used
Algorithms Used

  • Message Digesting: SHA-1 and MDS

  • Digital Signatures: DSS

  • Secret-Key Encryption: Triple-DES, RC2/40 (exportable)

  • Public-Private Key Encryption: RSA with key sizes of 512 and 1024 bits, and Diffie-Hellman (for session keys).

User agent role
User Agent Role

  • S/MIME uses Public-Key Certificates - X.509 version 3 signed by Certification Authority

  • Functions:

    • Key Generation - Diffie-Hellman, DSS, and RSA key-pairs.

    • Registration - Public keys must be registered with X.509 CA.

    • Certificate Storage - Local (as in browser application) for different services.

    • Signed and Enveloped Data - Various orderings for encrypting and signing.

User agent role1
User Agent Role

  • Example: Verisign (

    • Class-1: Buyer’s email address confirmed by emailing vital info.

    • Class-2: Postal address is confirmed as well, and data checked against directories.

    • Class-3: Buyer must appear in person, or send notarized documents.

Certificate authorities
Certificate Authorities

  • Verisign issues several types of Digital IDs

  • increasing levels of checks & hence trust

    Class Identity Checks Usage

    1 name/email check web browsing/email

    2 + enroll/addr check email, subs, s/w validate

    3 + ID documents e-banking/service access

Recommended web sites
Recommended Web Sites

  • PGP home page:

  • MIT distribution site for PGP

  • S/MIME Charter

  • S/MIME Central: RSA Inc.’s Web Site