Email Security


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Current email services are roughly like "postcards". Anyone who wants could pick it up and have a look as its in transit or sitting in the recipients mailbox.
  • What we want is something more akin to standard mail (contents protected inside an envelope) if not registered mail (have confidence about the sender of the mail and its contents).
  • Stallings Fig 15-2.
  • Email Security

    1. 1. Email Security
    2. 2. Email Security <ul><li>email is one of the most widely used and regarded network services </li></ul><ul><li>currently message contents are not secure </li></ul><ul><ul><li>may be inspected either in transit </li></ul></ul><ul><ul><li>or by suitably privileged users on destination system </li></ul></ul>
    3. 3. Email Security Enhancements <ul><li>confidentiality </li></ul><ul><ul><li>protection from disclosure </li></ul></ul><ul><li>authentication </li></ul><ul><ul><li>of sender of message </li></ul></ul><ul><li>message integrity </li></ul><ul><ul><li>protection from modification </li></ul></ul><ul><li>non-repudiation of origin </li></ul><ul><ul><li>protection from denial by sender </li></ul></ul>
    4. 4. Pretty Good Privacy (PGP) <ul><li>widely used de facto secure email </li></ul><ul><li>developed by Phil Zimmermann </li></ul><ul><li>selected best available cryptography algorithms </li></ul><ul><li>integrated into a single program </li></ul><ul><li>available on Unix, PC, Macintosh and Amiga systems </li></ul><ul><li>originally free, now have commercial versions available also </li></ul>
    5. 5. PGP services <ul><li>messages </li></ul><ul><ul><li>authentication </li></ul></ul><ul><ul><li>confidentiality </li></ul></ul><ul><ul><li>compression </li></ul></ul><ul><ul><li>e-mail compatibility </li></ul></ul><ul><ul><li>segmentation and reassembly </li></ul></ul><ul><li>key management </li></ul><ul><ul><li>generation, distribution, and revocation of public/private keys </li></ul></ul><ul><ul><li>generation and transport of session keys and IVs </li></ul></ul>
    6. 6. Message authentication <ul><li>based on digital signatures </li></ul><ul><li>supported algorithms: RSA/SHA and DSS/SHA </li></ul>hash enc hash dec compare accept / reject m h  K snd -1 K snd m h  h sender receiver
    7. 7. PGP Operation – Authentication <ul><li>1. sender creates a message </li></ul><ul><li>2. SHA-1 used to generate 160-bit hash code of message </li></ul><ul><li>3. hash code is encrypted with RSA using the sender's private key, and result is attached to message </li></ul><ul><li>4. receiver uses RSA with sender's public key to decrypt and recover hash code </li></ul><ul><li>5. receiver generates new hash code for message and compares with decrypted hash code, if match, message is accepted as authentic </li></ul><ul><li>6. From the strengths of RSA and SHA-1 the recipient is assured that only the possessor of the private key could generate the signature. </li></ul>
    8. 8. Message confidentiality <ul><li>symmetric key encryption in CFB mode with a random session key and IV </li></ul><ul><li>session key and IV is encrypted with the public key of the receiver </li></ul><ul><li>supported algorithms: </li></ul><ul><ul><li>symmetric: CAST, IDEA, 3DES </li></ul></ul><ul><ul><li>asymmetric: RSA, ElGamal </li></ul></ul>prng s.enc m K rcv sender a.enc k, iv {m} k {k, iv} Krcv
    9. 9. PGP Operation – Confidentiality <ul><li>sender generates message and a random 128-bit number to be used as session key for this message only. </li></ul><ul><li>message is encrypted, using CAST-128 / IDEA/3DES with session key using 64 bit CFB (cipher feedback mode) </li></ul><ul><li>session key is encrypted using RSA with recipient's public key, then attached to message </li></ul><ul><li>receiver uses RSA with its private key to decrypt and recover session key </li></ul><ul><li>session key is used to decrypt message </li></ul><ul><li>Option to RSA – Diffie-Hellman variant E1Gamal </li></ul>
    10. 10. PGP Operation – Confidentiality & Authentication <ul><li>uses both services on same message </li></ul><ul><ul><li>create signature & attach to message </li></ul></ul><ul><ul><li>encrypt both message & signature </li></ul></ul><ul><ul><li>attach RSA encrypted session key </li></ul></ul>
    11. 12. Notation for Figure 5.1 <ul><li>K s session key used in symmetric encryption scheme </li></ul><ul><li>KR a = private key of user A </li></ul><ul><li>KU a = public key of user A </li></ul><ul><li>EP = Encryption Public Key </li></ul><ul><li>DP = Decryption Public Key </li></ul><ul><li>EP = Symmetric Encryption </li></ul><ul><li>DP = Symmetric Decryption </li></ul><ul><li>H hash function, || concatenation </li></ul><ul><li>Z compression using ZIP </li></ul><ul><li>R64 = conversion to radix 64 ASCII format </li></ul>
    12. 13. PGP Operation – Compression <ul><li>by default PGP compresses message after signing but before encrypting </li></ul><ul><ul><li>so can store uncompressed message & signature for later verification </li></ul></ul><ul><li>uses ZIP compression algorithm </li></ul>
    13. 14. PGP Operation – Email Compatibility <ul><li>when using PGP will have binary data to send (encrypted message etc) </li></ul><ul><li>however email was designed only for text </li></ul><ul><li>hence PGP must encode raw binary data into printable ASCII characters </li></ul><ul><li>uses radix-64 algorithm </li></ul><ul><li>PGP also segments messages if too big </li></ul>
    14. 15. PGP Operation – Summary
    15. 16. Summary of PGP Services
    16. 17. Format of PGP Message
    17. 18. PGP message format session key component signature message key ID of K rcv session key k timestamp key ID of K snd leading two octets of hash hash filename timestamp data { } Krcv { } Ksnd -1 { } k ZIP R64
    18. 19. Key IDs <ul><li>a user may have several public key – private key pairs </li></ul><ul><ul><li>which private key to use to decrypt the session key? </li></ul></ul><ul><ul><li>which public key to use to verify a signature? </li></ul></ul><ul><li>transmitting the whole public key would be wasteful </li></ul><ul><li>associating a random ID to a public key would result in management burden </li></ul><ul><li>PGP key ID: least significant 64 bits of the public key </li></ul><ul><ul><li>unique within a user with very high probability </li></ul></ul>
    19. 20. Private-key ring <ul><li>used to store the public key – private key pairs owned by a given user </li></ul><ul><li>essentially a table, where each row contains the following entries: </li></ul><ul><ul><li>timestamp </li></ul></ul><ul><ul><li>key ID (indexed) </li></ul></ul><ul><ul><li>public key </li></ul></ul><ul><ul><li>encrypted private key </li></ul></ul><ul><ul><li>user ID (indexed) </li></ul></ul>enc passphrase hash private key encrypted private key
    20. 21. Public-key ring <ul><li>used to store public keys of other users </li></ul><ul><li>a table, where each row contains the following entries: </li></ul><ul><ul><li>timestamp </li></ul></ul><ul><ul><li>key ID (indexed) </li></ul></ul><ul><ul><li>public key </li></ul></ul><ul><ul><li>user ID (indexed) </li></ul></ul><ul><ul><li>owner trust </li></ul></ul><ul><ul><li>signature(s) </li></ul></ul><ul><ul><li>signature trust(s) </li></ul></ul><ul><ul><li>key legitimacy </li></ul></ul>
    21. 25. PGP Session Keys <ul><li>need a session key for each message </li></ul><ul><ul><li>of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES </li></ul></ul><ul><li>generated using ANSI X12.17 mode </li></ul><ul><li>uses random inputs taken from previous uses and from keystroke timing of user </li></ul>
    22. 26. Random number generation <ul><li>true random numbers </li></ul><ul><ul><li>used to generate public key – private key pairs </li></ul></ul><ul><ul><li>provide the initial seed for the pseudo-random number generator (PRNG) </li></ul></ul><ul><ul><li>provide additional input during pseudo-random number generation </li></ul></ul><ul><li>pseudo-random numbers </li></ul><ul><ul><li>used to generate session keys and IVs </li></ul></ul>
    23. 27. Pseudo-random numbers <ul><li>based on the ANSI X9.17 PRNG standard </li></ul>3DES 3DES 3DES DT i V i V i +1 K 1 , K 2 R i + +
    24. 28. PGP Key Management <ul><li>rather than relying on certificate authorities </li></ul><ul><li>in PGP every user is own CA </li></ul><ul><ul><li>can sign keys for users they know directly </li></ul></ul><ul><li>forms a “web of trust” </li></ul><ul><ul><li>trust keys have signed </li></ul></ul><ul><ul><li>can trust keys others have signed if have a chain of signatures to them </li></ul></ul><ul><li>key ring includes trust indicators </li></ul><ul><li>users can also revoke their keys </li></ul>
    25. 30. The Use of Trust <ul><li>Key legitimacy field </li></ul><ul><li>Signature trust field </li></ul><ul><li>Owner trust field </li></ul>
    26. 31. Trust management <ul><li>owner trust </li></ul><ul><ul><li>assigned by the user </li></ul></ul><ul><ul><li>possible values: </li></ul></ul><ul><ul><ul><li>unknown user </li></ul></ul></ul><ul><ul><ul><li>usually not trusted to sign </li></ul></ul></ul><ul><ul><ul><li>usually trusted to sign </li></ul></ul></ul><ul><ul><ul><li>always trusted to sign </li></ul></ul></ul><ul><ul><ul><li>ultimately trusted (own key, present in private key ring) </li></ul></ul></ul>
    27. 32. <ul><li>signature trust </li></ul><ul><ul><li>assigned by the PGP system </li></ul></ul><ul><ul><li>if the corresponding public key is already in the public-key ring, then its owner trust entry is copied into signature trust </li></ul></ul><ul><ul><li>otherwise, signature trust is set to unknown user </li></ul></ul>
    28. 33. Trust management <ul><li>key legitimacy </li></ul><ul><ul><li>computed by the PGP system </li></ul></ul><ul><ul><li>if at least one signature trust is ultimate, then the key legitimacy is 1 (complete) </li></ul></ul><ul><ul><li>otherwise, a weighted sum of the signature trust values is computed </li></ul></ul><ul><ul><ul><li>always trusted signatures has a weight of 1/X </li></ul></ul></ul><ul><ul><ul><li>usually trusted signatures has a weight of 1/Y </li></ul></ul></ul><ul><ul><ul><li>X, Y are user-configurable parameters </li></ul></ul></ul>
    29. 34. <ul><ul><li>example: X=2, Y=4 </li></ul></ul><ul><ul><ul><li>1 ultimately trusted, or </li></ul></ul></ul><ul><ul><ul><li>2 always trusted, or </li></ul></ul></ul><ul><ul><ul><li>1 always trusted and 2 usually trusted, or </li></ul></ul></ul><ul><ul><ul><li>4 usually trusted signatures are needed to obtain full legitimacy </li></ul></ul></ul>
    30. 36. Public-key revocation <ul><li>why to revoke a public key? </li></ul><ul><ul><li>suspected to be compromised (private key got known by someone) </li></ul></ul><ul><ul><li>re-keying </li></ul></ul><ul><li>the owner issues a revocation certificate … </li></ul><ul><ul><li>has a similar format to normal public-key certificates </li></ul></ul><ul><ul><li>contains the public key to be revoked </li></ul></ul><ul><ul><li>signed with the corresponding private key </li></ul></ul><ul><li>and disseminates it as widely and quickly as possible </li></ul><ul><li>if a key is compromised: </li></ul><ul><ul><li>e.g., Bob knows the private key of Alice </li></ul></ul><ul><ul><li>Bob can issue a revocation certificate to revoke the public key of Alice </li></ul></ul><ul><ul><li>even better for Alice </li></ul></ul>
    31. 37. Recommended Web Sites <ul><li>PGP home page: </li></ul><ul><li>MIT distribution site for PGP </li></ul><ul><li>S/MIME Charter </li></ul><ul><li>S/MIME Central: RSA Inc.’s Web Site </li></ul>