SlideShare a Scribd company logo

Information System Security: E-mail Security and PGP

Download as PPT, PDF
S
ssuserec53e73

pgp

Education
1 of 36
Information System Security AABFS-Jordan Summer 2006 E-mail security “Pretty Good Privacy” Prepared by:Hussain Awad Supervised by: Dr. Lo’ai Tawalbeh
Why Study E-mail Security?  After web browsing, e-mail is the most widely used network-reliant application.  Mail servers, after web servers, are the most often attacked Internet hosts.  Basic e-mail offers little security, counter to public perception.  Good technical solutions are available, but not widely used.  If we understand why this is so, we might understand something about why security is ‘hard’.
Threats to E-mail  Loss of confidentiality.  E-mails are sent in clear over open networks.  E-mails stored on potentially insecure clients and mail servers.  Loss of integrity.  No integrity protection on e-mails; anybody be altered in transit or on mail server.
Threats to E-mail  Lack of data origin authentication.  Is this e-mail really from the person named in the From:field?  Lack of non-repudiation.  Can I rely and act on the content? (integrity)  If so, can the sender later deny having sent it? Who is liable if I have acted?
Threats to E-mail  Lack of notification of receipt.  Has the intended recipient received my e-mail and acted on it?  A message locally marked as ‘sent’ may not have been delivered.
E-mail security  What are the Options?  Secure the server to client connections (easy thing first) • https access to webmail • Protection against insecure wireless access  Secure the end-to-end email delivery • The PGPs of the world • Practical in an enterprise intra-network environment
E-mail security  Email based Attacks  Active content attack • Clean up at the server  Buffer over-flow attack • Fix the code  Trojan Horse Attack  Web bugs (for tracking) • Mangle the image at the mail server
E-mail security  Software for encrypting email messages has been widely available for more than 15 years, but the email-using public has failed to adopt secure messaging. This failure can be explained through a combination of:  technical,  community,  and usability factors
E-mail security  Why Don’t People Use Email Security?  I don’t because I don’t care.  I doubt any of my usual recipients would understand  the significance of the signature.  Never had the need to send these kinds of emails.  I don’t think it’s necessary to encrypt my email.  it’s just another step & something else I don’t have time
E-mail security  Secure E-mail Standards and Products  Other now defunct standards: PEM (privacy enhanced mail), X.400. S/MIME.  We focus on PGP
S/MIME (Secure/Multipurpose Internet Mail Extension)  Originated from RSA Data Security Inc. in 1995.  Further development by IETF S/MIME working group at: www.ietf.org/html.charters/smime-charter.html.  Version 3 specified in RFCs2630-2634.  Allows flexible client-client security through encryption and signatures.  Widely supported, e.g. in Microsoft Outlook, Netscape Messenger, Lotus Notes.
PGP (Pretty Good Privacy)  Freeware: Open PGP and variants:  www.openpgp.org, www.gnupg.org  Open PGP specified in RFC 2440 and defined by IETF Open PGP working group.  www.ietf.org/html.charters/openpgp- charter.html  Available as plug-in for popular e-mail clients, can also be used as stand-alone software.
PGP (Pretty Good Privacy)  “If all the personal computers in the world—260 million—were put to work on a single PGP encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message.”
PGP (Pretty Good Privacy)  PGP is an e-mail security program written by Phil Zimmermann, based on the IDEA algorithm for encryption of plaintext and uses the RSA Public Key algorithm for encryption of the private key.  PGP incorporates tools for developing a public- key trust model and public-key certificate management.
PGP (Pretty Good Privacy)  PGP is an open-source freely available software package for e-mail security. It provides authentication; confidentiality; compression; e-mail compatibility; and segmentation and reassembly.
PGP Services Digital signature DSS/SHA or RSA/SHA A hash code of a message is created using SHA-1. This message digest is encrypted using DSS or RSA with the sender's private key and included with the message. Message encryption CAST or IDEA or Three-key Triple DES with Diffie- Hellman or RSA A message is encrypted using CAST-128 or IDEA or 3DES with a one-time session key generated by the sender. The session key is encrypted using Diffie-Hellman or RSA with the recipient's public key and included with the message.
PGP (Pretty Good Privacy) Compression ZIP A message may be compressed, for storage or transmission, using ZIP. Email compatibility Radix 64 conversion To provide transparency for email applications, an encrypted message may be converted to an ASCII string using radix 64 conversion. Segmentation To accommodate maximum message size limitations, PGP performs segmentation and reassembly.
PGP (Pretty Good Privacy)  Fake PGP: Since it’s all open source, there are fake versions of the famous software floating about the net. Unless you’re sure that your copy of the program is from a trusted source, it wouldn’t be surprising to realize one day that your pass phrase was sent to an attacker via email the moment you went online! Once he has your pass phrase, he has your private key.
PGP (Pretty Good Privacy)  PGP Algorithms  Symmetric encryption: • DES, 3DES, AES and others.  Public key encryption of session keys: • RSA or ElGamal.  Hashing: • SHA-1, MD-5 and others.  Signature: • RSA, DSS, ECDSA and others.
PGP (Pretty Good Privacy)  PGP use: • public keys for encrypting session keys / verifying signatures. • private keys for decrypting session keys / creating signatures.
PGP Alice:  generates random symmetric private key, KS.  encrypts message with KS (for efficiency)  also encrypts KS with Bob’s public key.  sends both KS(m) and KB(KS) to Bob. Alice wants to send confidential e-mail, m, to Bob. KS( ) . KB( ) . + + - KS(m ) KB(KS ) + m KS KS KB + Internet KS( ) . KB( ) . - KB - KS m KS(m ) KB(KS ) +
PGP Bob:  uses his private key to decrypt and recover KS  uses KS to decrypt KS(m) to recover m  Alice wants to send confidential e-mail, m, to Bob. KS( ) . KB( ) . + + - KS(m ) KB(KS ) + m KS KS KB + Internet KS( ) . KB( ) . - KB - KS m KS(m ) KB(KS ) +
PGP • Alice wants to provide sender authentication message integrity. • Alice digitally signs message. • sends both message (in the clear) and digital signature. H( ) . KA( ) . - + - H(m ) KA(H(m)) - m KA - Internet m KA( ) . + KA + KA(H(m)) - m H( ) . H(m ) compare
PGP (Pretty Good Privacy)  PGP Key Rings  PGP supports multiple public/private keys pairs per sender/recipient.  Keys stored locally in a PGP Key Ring – essentially a database of keys.  Private keys stored in encrypted form; decryption key determined by user- entered pass-phrase.
PGP Message Generation
PGP Message Generation  The sending PGP entity performs the following steps:  Signs the message: • PGP gets sender’s private key from key ring using its user id as an index. • PGP prompts user for passphrase to decrypt private key. • PGP constructs the signature component of the message.  Encrypts the message: • PGP generates a session key and encrypts the message. • PGP retrieves the receiver public key from the key ring using its user id as an index. • PGP constructs session component of message
PGP Message Reception
PGP Message Reception  The receiving PGP entity performs the following steps:  Decrypting the message: • PGP get private key from private-key ring using Key ID field in session key component of message as an index. • PGP prompts user for passphrase to decrypt private key. • PGP recovers the session key and decrypts the message.  Authenticating the message: • PGP retrieves the sender’s public key from the public- key ring using the Key ID field in the signature key component as index. • PGP recovers the transmitted message digest. • PGP computes the message for the received message and compares it to the transmitted version for authentication.
PGP (Pretty Good Privacy)  Key Management for PGP  Public keys for encrypting session keys / verifying signatures.  Private keys for decrypting session keys / creating signatures.  Where do these keys come from and on what basis can they be trusted?
PGP (Pretty Good Privacy)  PGP adopts a trust model called the web of trust.  No centralised authority  Individuals sign one another’s public keys, these “certificates” are stored along with keys in key rings.  PGP computes a trust level for each public key in key ring.  Users interpret trust level for themselves.
PGP (Pretty Good Privacy)  Trust levels for public keys dependent on:  Number of signatures on the key;  Trust level assigned to each of those signatures.  Trust levels recomputed from time to time.
PGP (Pretty Good Privacy)  Security of PGP  There are many known attacks against PGP.  Attacks against cryptoalgorithms are not the main threat  IDEA is considered strong, and while cryptoanalysis advances, it should be strong still for some time.  RSA may or may not be strong. There are recent rumors of possible fast factorization algorithms..  The main threats are much more simple.
PGP (Pretty Good Privacy)  An attacker may socially engineer himself into a web of trust, or some trustable person may change. Then he could falsify public keys. This breaks most of the security.  PGP binaries can be corrupted when they are obtained.  The PGP binaries can be modified in the computer.  The passphrase can be obtained by a Trojan. Weak passphrases can be cracked.  On multiuser system, access to the secret key can be obtained.
Resources  http://www.pgpi.org/doc/faq/  www.gnupg.org  William Stallings,” Cryptography and Network Security Principles and Practices”, Fourth Edition ” Prentice Hall , 2005  GITA” Encryption Technologies”, Standard P800-S850 V2.0, April 5, 2004  Sieuwert van Otterloo” A security analysis of Pretty Good Privacy”, September 7, 2001  Amr el-kadi” what is computer security”2005
Questions:

Recommended

2. public key cryptography and RSA
2. public key cryptography and RSA2. public key cryptography and RSA
2. public key cryptography and RSADr.Florence Dayana
 
Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8Kabul Education University
 
Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Joshua Thijssen
 
Ch15
Ch15Ch15
Ch15raja yasodhar
 
Kerberos
KerberosKerberos
KerberosSutanu Paul
 
An Introduction to Hashing and Salting
An Introduction to Hashing and SaltingAn Introduction to Hashing and Salting
An Introduction to Hashing and SaltingRahul Singh
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithmstrilokchandra prakash
 
Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)ArthyR3
 

Recommended

2. public key cryptography and RSA
2. public key cryptography and RSA2. public key cryptography and RSA
2. public key cryptography and RSADr.Florence Dayana
 
Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8Kabul Education University
 
Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Alice & bob public key cryptography 101
Alice & bob public key cryptography 101Joshua Thijssen
 
Ch15
Ch15Ch15
Ch15raja yasodhar
 
Kerberos
KerberosKerberos
KerberosSutanu Paul
 
An Introduction to Hashing and Salting
An Introduction to Hashing and SaltingAn Introduction to Hashing and Salting
An Introduction to Hashing and SaltingRahul Singh
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithmstrilokchandra prakash
 
Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)ArthyR3
 
PGP S/MIME
PGP S/MIMEPGP S/MIME
PGP S/MIMESou Jana
 
Diffie Hellman Key Exchange
Diffie Hellman Key ExchangeDiffie Hellman Key Exchange
Diffie Hellman Key ExchangeSAURABHDHAGE6
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Voice based email system for physically challenged
Voice based email system for physically challengedVoice based email system for physically challenged
Voice based email system for physically challengedIbrahim Khalil Shakik
 
Pgp
PgpPgp
Pgpprecy02
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream CiphersSam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
cryptography
cryptographycryptography
cryptographyJai Nathwani
 
Eap intro
Eap introEap intro
Eap introAditya Mehta
 
Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing FunctionsYusuf Uzun
 
Audio Cryptography System
Audio Cryptography SystemAudio Cryptography System
Audio Cryptography SystemRaju Raj
 
Idea(international data encryption algorithm)
Idea(international data encryption algorithm)Idea(international data encryption algorithm)
Idea(international data encryption algorithm)SAurabh PRajapati
 
MD5 ALGORITHM.pptx
MD5 ALGORITHM.pptxMD5 ALGORITHM.pptx
MD5 ALGORITHM.pptxRajapriya82
 
offline character recognition for handwritten gujarati text
offline character recognition for handwritten gujarati textoffline character recognition for handwritten gujarati text
offline character recognition for handwritten gujarati textBhumika Patel
 
Types of telecom fraud
Types of telecom fraudTypes of telecom fraud
Types of telecom fraudOluwaseun ADEBAYO
 
Glove global vectors for word representation
Glove global vectors for word representationGlove global vectors for word representation
Glove global vectors for word representationhyunyoung Lee
 
Diffie-hellman algorithm
Diffie-hellman algorithmDiffie-hellman algorithm
Diffie-hellman algorithmComputer_ at_home
 
Advanced Encryption Standard (AES) Implementaion using Java
Advanced Encryption Standard (AES) Implementaion using JavaAdvanced Encryption Standard (AES) Implementaion using Java
Advanced Encryption Standard (AES) Implementaion using JavaSunil Kumar R
 
Cryptography
CryptographyCryptography
CryptographyIGZ Software house
 
Hash Function
Hash FunctionHash Function
Hash FunctionSiddharth Srivastava
 
Pgp
PgpPgp
PgpReham Maher El-Safarini
 
Digital Certified Mail
Digital Certified MailDigital Certified Mail
Digital Certified MailMatthew Chang
 

More Related Content

What's hot

PGP S/MIME
PGP S/MIMEPGP S/MIME
PGP S/MIMESou Jana
 
Diffie Hellman Key Exchange
Diffie Hellman Key ExchangeDiffie Hellman Key Exchange
Diffie Hellman Key ExchangeSAURABHDHAGE6
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Voice based email system for physically challenged
Voice based email system for physically challengedVoice based email system for physically challenged
Voice based email system for physically challengedIbrahim Khalil Shakik
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream CiphersSam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing FunctionsYusuf Uzun
 
Audio Cryptography System
Audio Cryptography SystemAudio Cryptography System
Audio Cryptography SystemRaju Raj
 
Idea(international data encryption algorithm)
Idea(international data encryption algorithm)Idea(international data encryption algorithm)
Idea(international data encryption algorithm)SAurabh PRajapati
 
MD5 ALGORITHM.pptx
MD5 ALGORITHM.pptxMD5 ALGORITHM.pptx
MD5 ALGORITHM.pptxRajapriya82
 
offline character recognition for handwritten gujarati text
offline character recognition for handwritten gujarati textoffline character recognition for handwritten gujarati text
offline character recognition for handwritten gujarati textBhumika Patel
 
Glove global vectors for word representation
Glove global vectors for word representationGlove global vectors for word representation
Glove global vectors for word representationhyunyoung Lee
 
Advanced Encryption Standard (AES) Implementaion using Java
Advanced Encryption Standard (AES) Implementaion using JavaAdvanced Encryption Standard (AES) Implementaion using Java
Advanced Encryption Standard (AES) Implementaion using JavaSunil Kumar R
 

What's hot (20)

PGP S/MIME
PGP S/MIMEPGP S/MIME
PGP S/MIME
 
Diffie Hellman Key Exchange
Diffie Hellman Key ExchangeDiffie Hellman Key Exchange
Diffie Hellman Key Exchange
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Voice based email system for physically challenged
Voice based email system for physically challengedVoice based email system for physically challenged
Voice based email system for physically challenged
 
Pgp
PgpPgp
Pgp
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream Ciphers
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
cryptography
cryptographycryptography
cryptography
 
Eap intro
Eap introEap intro
Eap intro
 
Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing Functions
 
Audio Cryptography System
Audio Cryptography SystemAudio Cryptography System
Audio Cryptography System
 
Idea(international data encryption algorithm)
Idea(international data encryption algorithm)Idea(international data encryption algorithm)
Idea(international data encryption algorithm)
 
MD5 ALGORITHM.pptx
MD5 ALGORITHM.pptxMD5 ALGORITHM.pptx
MD5 ALGORITHM.pptx
 
offline character recognition for handwritten gujarati text
offline character recognition for handwritten gujarati textoffline character recognition for handwritten gujarati text
offline character recognition for handwritten gujarati text
 
Types of telecom fraud
Types of telecom fraudTypes of telecom fraud
Types of telecom fraud
 
Glove global vectors for word representation
Glove global vectors for word representationGlove global vectors for word representation
Glove global vectors for word representation
 
Diffie-hellman algorithm
Diffie-hellman algorithmDiffie-hellman algorithm
Diffie-hellman algorithm
 
Advanced Encryption Standard (AES) Implementaion using Java
Advanced Encryption Standard (AES) Implementaion using JavaAdvanced Encryption Standard (AES) Implementaion using Java
Advanced Encryption Standard (AES) Implementaion using Java
 
Cryptography
CryptographyCryptography
Cryptography
 
Hash Function
Hash FunctionHash Function
Hash Function
 

Similar to Information System Security: E-mail Security and PGP

Digital Certified Mail
Digital Certified MailDigital Certified Mail
Digital Certified MailMatthew Chang
 
Email security
Email securityEmail security
Email securitySultanErbo
 
module 4_7th sem_ Electronic Mail Security.pptx
module 4_7th sem_ Electronic Mail Security.pptxmodule 4_7th sem_ Electronic Mail Security.pptx
module 4_7th sem_ Electronic Mail Security.pptxprateekPallav2
 
Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/ Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/ Tania Agni
 
PBU-Intro_to_PGP
PBU-Intro_to_PGPPBU-Intro_to_PGP
PBU-Intro_to_PGPauremoser
 
computer netwok security Pretty Good Privacy PGP.ppt
computer netwok security Pretty Good Privacy PGP.pptcomputer netwok security Pretty Good Privacy PGP.ppt
computer netwok security Pretty Good Privacy PGP.pptjayaprasanna10
 
Using PGP for securing the e-mail
Using PGP for securing the e-mailUsing PGP for securing the e-mail
Using PGP for securing the e-maildavidepiccardi
 
CRYPT.pptx
CRYPT.pptxCRYPT.pptx
CRYPT.pptxVMahesh5
 

Similar to Information System Security: E-mail Security and PGP (20)

Pgp
PgpPgp
Pgp
 
Digital Certified Mail
Digital Certified MailDigital Certified Mail
Digital Certified Mail
 
Email security
Email securityEmail security
Email security
 
module 4_7th sem_ Electronic Mail Security.pptx
module 4_7th sem_ Electronic Mail Security.pptxmodule 4_7th sem_ Electronic Mail Security.pptx
module 4_7th sem_ Electronic Mail Security.pptx
 
Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/ Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/
 
Ch15
Ch15Ch15
Ch15
 
CRYPTOGRAPHY AND NETWORK SECURITY- E-Mail Security
CRYPTOGRAPHY AND NETWORK SECURITY- E-Mail SecurityCRYPTOGRAPHY AND NETWORK SECURITY- E-Mail Security
CRYPTOGRAPHY AND NETWORK SECURITY- E-Mail Security
 
PBU-Intro_to_PGP
PBU-Intro_to_PGPPBU-Intro_to_PGP
PBU-Intro_to_PGP
 
Encryption by fastech
Encryption by fastechEncryption by fastech
Encryption by fastech
 
computer netwok security Pretty Good Privacy PGP.ppt
computer netwok security Pretty Good Privacy PGP.pptcomputer netwok security Pretty Good Privacy PGP.ppt
computer netwok security Pretty Good Privacy PGP.ppt
 
Pgp
PgpPgp
Pgp
 
Email security
Email securityEmail security
Email security
 
Email security
Email securityEmail security
Email security
 
Pgp
PgpPgp
Pgp
 
Using PGP for securing the e-mail
Using PGP for securing the e-mailUsing PGP for securing the e-mail
Using PGP for securing the e-mail
 
CRYPT.pptx
CRYPT.pptxCRYPT.pptx
CRYPT.pptx
 
Network Security CS2
Network Security CS2Network Security CS2
Network Security CS2
 
ch15 (1).ppt
ch15 (1).pptch15 (1).ppt
ch15 (1).ppt
 
ch15.ppt
ch15.pptch15.ppt
ch15.ppt
 
ch15.ppt
ch15.pptch15.ppt
ch15.ppt
 

More from ssuserec53e73

Threats in network that can be noted in security
Threats in network that can be noted in securityThreats in network that can be noted in security
Threats in network that can be noted in securityssuserec53e73
 
Lsn21_NumPy in data science using python
Lsn21_NumPy in data science using pythonLsn21_NumPy in data science using python
Lsn21_NumPy in data science using pythonssuserec53e73
 
OpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityOpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityssuserec53e73
 
Hash functions, digital signatures and hmac
Hash functions, digital signatures and hmacHash functions, digital signatures and hmac
Hash functions, digital signatures and hmacssuserec53e73
 
Asian Elephant Adaptations - Chelsea P..pptx
Asian Elephant Adaptations - Chelsea P..pptxAsian Elephant Adaptations - Chelsea P..pptx
Asian Elephant Adaptations - Chelsea P..pptxssuserec53e73
 
Module 10-Introduction to OOP.pptx
Module 10-Introduction to OOP.pptxModule 10-Introduction to OOP.pptx
Module 10-Introduction to OOP.pptxssuserec53e73
 
50134147-Knowledge-Representation-Using-Rules.ppt
50134147-Knowledge-Representation-Using-Rules.ppt50134147-Knowledge-Representation-Using-Rules.ppt
50134147-Knowledge-Representation-Using-Rules.pptssuserec53e73
 
IoT Reference Architecture.pptx
IoT Reference Architecture.pptxIoT Reference Architecture.pptx
IoT Reference Architecture.pptxssuserec53e73
 
Introduction to measurement.pptx
Introduction to measurement.pptxIntroduction to measurement.pptx
Introduction to measurement.pptxssuserec53e73
 
ML-DecisionTrees.ppt
ML-DecisionTrees.pptML-DecisionTrees.ppt
ML-DecisionTrees.pptssuserec53e73
 

More from ssuserec53e73 (20)

Threats in network that can be noted in security
Threats in network that can be noted in securityThreats in network that can be noted in security
Threats in network that can be noted in security
 
Lsn21_NumPy in data science using python
Lsn21_NumPy in data science using pythonLsn21_NumPy in data science using python
Lsn21_NumPy in data science using python
 
OpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityOpenSecure socket layerin cyber security
OpenSecure socket layerin cyber security
 
Hash functions, digital signatures and hmac
Hash functions, digital signatures and hmacHash functions, digital signatures and hmac
Hash functions, digital signatures and hmac
 
Asian Elephant Adaptations - Chelsea P..pptx
Asian Elephant Adaptations - Chelsea P..pptxAsian Elephant Adaptations - Chelsea P..pptx
Asian Elephant Adaptations - Chelsea P..pptx
 
Module 10-Introduction to OOP.pptx
Module 10-Introduction to OOP.pptxModule 10-Introduction to OOP.pptx
Module 10-Introduction to OOP.pptx
 
unit-1-l3.ppt
unit-1-l3.pptunit-1-l3.ppt
unit-1-l3.ppt
 
AI.ppt
AI.pptAI.ppt
AI.ppt
 
50134147-Knowledge-Representation-Using-Rules.ppt
50134147-Knowledge-Representation-Using-Rules.ppt50134147-Knowledge-Representation-Using-Rules.ppt
50134147-Knowledge-Representation-Using-Rules.ppt
 
Dr Jose Reena K.pdf
Dr Jose Reena K.pdfDr Jose Reena K.pdf
Dr Jose Reena K.pdf
 
Enumeration.pptx
Enumeration.pptxEnumeration.pptx
Enumeration.pptx
 
footscan.PPT
footscan.PPTfootscan.PPT
footscan.PPT
 
UNIT II.pptx
UNIT II.pptxUNIT II.pptx
UNIT II.pptx
 
Unit 1 iot.pptx
Unit 1 iot.pptxUnit 1 iot.pptx
Unit 1 iot.pptx
 
IoT Reference Architecture.pptx
IoT Reference Architecture.pptxIoT Reference Architecture.pptx
IoT Reference Architecture.pptx
 
patent ppt.pptx
patent ppt.pptxpatent ppt.pptx
patent ppt.pptx
 
Introduction to measurement.pptx
Introduction to measurement.pptxIntroduction to measurement.pptx
Introduction to measurement.pptx
 
ML-DecisionTrees.ppt
ML-DecisionTrees.pptML-DecisionTrees.ppt
ML-DecisionTrees.ppt
 
ML_Lecture_7.ppt
ML_Lecture_7.pptML_Lecture_7.ppt
ML_Lecture_7.ppt
 
070308-simmons.ppt
070308-simmons.ppt070308-simmons.ppt
070308-simmons.ppt
 

Recently uploaded

18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupJonathanParaisoCruz
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentInMediaRes1
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 

Recently uploaded (20)

18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 

Information System Security: E-mail Security and PGP

  • 1. Information System Security AABFS-Jordan Summer 2006 E-mail security “Pretty Good Privacy” Prepared by:Hussain Awad Supervised by: Dr. Lo’ai Tawalbeh
  • 2. Why Study E-mail Security?  After web browsing, e-mail is the most widely used network-reliant application.  Mail servers, after web servers, are the most often attacked Internet hosts.  Basic e-mail offers little security, counter to public perception.  Good technical solutions are available, but not widely used.  If we understand why this is so, we might understand something about why security is ‘hard’.
  • 3. Threats to E-mail  Loss of confidentiality.  E-mails are sent in clear over open networks.  E-mails stored on potentially insecure clients and mail servers.  Loss of integrity.  No integrity protection on e-mails; anybody be altered in transit or on mail server.
  • 4. Threats to E-mail  Lack of data origin authentication.  Is this e-mail really from the person named in the From:field?  Lack of non-repudiation.  Can I rely and act on the content? (integrity)  If so, can the sender later deny having sent it? Who is liable if I have acted?
  • 5. Threats to E-mail  Lack of notification of receipt.  Has the intended recipient received my e-mail and acted on it?  A message locally marked as ‘sent’ may not have been delivered.
  • 6. E-mail security  What are the Options?  Secure the server to client connections (easy thing first) • https access to webmail • Protection against insecure wireless access  Secure the end-to-end email delivery • The PGPs of the world • Practical in an enterprise intra-network environment
  • 7. E-mail security  Email based Attacks  Active content attack • Clean up at the server  Buffer over-flow attack • Fix the code  Trojan Horse Attack  Web bugs (for tracking) • Mangle the image at the mail server
  • 8. E-mail security  Software for encrypting email messages has been widely available for more than 15 years, but the email-using public has failed to adopt secure messaging. This failure can be explained through a combination of:  technical,  community,  and usability factors
  • 9. E-mail security  Why Don’t People Use Email Security?  I don’t because I don’t care.  I doubt any of my usual recipients would understand  the significance of the signature.  Never had the need to send these kinds of emails.  I don’t think it’s necessary to encrypt my email.  it’s just another step & something else I don’t have time
  • 10. E-mail security  Secure E-mail Standards and Products  Other now defunct standards: PEM (privacy enhanced mail), X.400. S/MIME.  We focus on PGP
  • 11. S/MIME (Secure/Multipurpose Internet Mail Extension)  Originated from RSA Data Security Inc. in 1995.  Further development by IETF S/MIME working group at: www.ietf.org/html.charters/smime-charter.html.  Version 3 specified in RFCs2630-2634.  Allows flexible client-client security through encryption and signatures.  Widely supported, e.g. in Microsoft Outlook, Netscape Messenger, Lotus Notes.
  • 12. PGP (Pretty Good Privacy)  Freeware: Open PGP and variants:  www.openpgp.org, www.gnupg.org  Open PGP specified in RFC 2440 and defined by IETF Open PGP working group.  www.ietf.org/html.charters/openpgp- charter.html  Available as plug-in for popular e-mail clients, can also be used as stand-alone software.
  • 13.
  • 14. PGP (Pretty Good Privacy)  “If all the personal computers in the world—260 million—were put to work on a single PGP encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message.”
  • 15. PGP (Pretty Good Privacy)  PGP is an e-mail security program written by Phil Zimmermann, based on the IDEA algorithm for encryption of plaintext and uses the RSA Public Key algorithm for encryption of the private key.  PGP incorporates tools for developing a public- key trust model and public-key certificate management.
  • 16. PGP (Pretty Good Privacy)  PGP is an open-source freely available software package for e-mail security. It provides authentication; confidentiality; compression; e-mail compatibility; and segmentation and reassembly.
  • 17. PGP Services Digital signature DSS/SHA or RSA/SHA A hash code of a message is created using SHA-1. This message digest is encrypted using DSS or RSA with the sender's private key and included with the message. Message encryption CAST or IDEA or Three-key Triple DES with Diffie- Hellman or RSA A message is encrypted using CAST-128 or IDEA or 3DES with a one-time session key generated by the sender. The session key is encrypted using Diffie-Hellman or RSA with the recipient's public key and included with the message.
  • 18. PGP (Pretty Good Privacy) Compression ZIP A message may be compressed, for storage or transmission, using ZIP. Email compatibility Radix 64 conversion To provide transparency for email applications, an encrypted message may be converted to an ASCII string using radix 64 conversion. Segmentation To accommodate maximum message size limitations, PGP performs segmentation and reassembly.
  • 19. PGP (Pretty Good Privacy)  Fake PGP: Since it’s all open source, there are fake versions of the famous software floating about the net. Unless you’re sure that your copy of the program is from a trusted source, it wouldn’t be surprising to realize one day that your pass phrase was sent to an attacker via email the moment you went online! Once he has your pass phrase, he has your private key.
  • 20. PGP (Pretty Good Privacy)  PGP Algorithms  Symmetric encryption: • DES, 3DES, AES and others.  Public key encryption of session keys: • RSA or ElGamal.  Hashing: • SHA-1, MD-5 and others.  Signature: • RSA, DSS, ECDSA and others.
  • 21. PGP (Pretty Good Privacy)  PGP use: • public keys for encrypting session keys / verifying signatures. • private keys for decrypting session keys / creating signatures.
  • 22. PGP Alice:  generates random symmetric private key, KS.  encrypts message with KS (for efficiency)  also encrypts KS with Bob’s public key.  sends both KS(m) and KB(KS) to Bob. Alice wants to send confidential e-mail, m, to Bob. KS( ) . KB( ) . + + - KS(m ) KB(KS ) + m KS KS KB + Internet KS( ) . KB( ) . - KB - KS m KS(m ) KB(KS ) +
  • 23. PGP Bob:  uses his private key to decrypt and recover KS  uses KS to decrypt KS(m) to recover m  Alice wants to send confidential e-mail, m, to Bob. KS( ) . KB( ) . + + - KS(m ) KB(KS ) + m KS KS KB + Internet KS( ) . KB( ) . - KB - KS m KS(m ) KB(KS ) +
  • 24. PGP • Alice wants to provide sender authentication message integrity. • Alice digitally signs message. • sends both message (in the clear) and digital signature. H( ) . KA( ) . - + - H(m ) KA(H(m)) - m KA - Internet m KA( ) . + KA + KA(H(m)) - m H( ) . H(m ) compare
  • 25. PGP (Pretty Good Privacy)  PGP Key Rings  PGP supports multiple public/private keys pairs per sender/recipient.  Keys stored locally in a PGP Key Ring – essentially a database of keys.  Private keys stored in encrypted form; decryption key determined by user- entered pass-phrase.
  • 27. PGP Message Generation  The sending PGP entity performs the following steps:  Signs the message: • PGP gets sender’s private key from key ring using its user id as an index. • PGP prompts user for passphrase to decrypt private key. • PGP constructs the signature component of the message.  Encrypts the message: • PGP generates a session key and encrypts the message. • PGP retrieves the receiver public key from the key ring using its user id as an index. • PGP constructs session component of message
  • 29. PGP Message Reception  The receiving PGP entity performs the following steps:  Decrypting the message: • PGP get private key from private-key ring using Key ID field in session key component of message as an index. • PGP prompts user for passphrase to decrypt private key. • PGP recovers the session key and decrypts the message.  Authenticating the message: • PGP retrieves the sender’s public key from the public- key ring using the Key ID field in the signature key component as index. • PGP recovers the transmitted message digest. • PGP computes the message for the received message and compares it to the transmitted version for authentication.
  • 30. PGP (Pretty Good Privacy)  Key Management for PGP  Public keys for encrypting session keys / verifying signatures.  Private keys for decrypting session keys / creating signatures.  Where do these keys come from and on what basis can they be trusted?
  • 31. PGP (Pretty Good Privacy)  PGP adopts a trust model called the web of trust.  No centralised authority  Individuals sign one another’s public keys, these “certificates” are stored along with keys in key rings.  PGP computes a trust level for each public key in key ring.  Users interpret trust level for themselves.
  • 32. PGP (Pretty Good Privacy)  Trust levels for public keys dependent on:  Number of signatures on the key;  Trust level assigned to each of those signatures.  Trust levels recomputed from time to time.
  • 33. PGP (Pretty Good Privacy)  Security of PGP  There are many known attacks against PGP.  Attacks against cryptoalgorithms are not the main threat  IDEA is considered strong, and while cryptoanalysis advances, it should be strong still for some time.  RSA may or may not be strong. There are recent rumors of possible fast factorization algorithms..  The main threats are much more simple.
  • 34. PGP (Pretty Good Privacy)  An attacker may socially engineer himself into a web of trust, or some trustable person may change. Then he could falsify public keys. This breaks most of the security.  PGP binaries can be corrupted when they are obtained.  The PGP binaries can be modified in the computer.  The passphrase can be obtained by a Trojan. Weak passphrases can be cracked.  On multiuser system, access to the secret key can be obtained.
  • 35. Resources  http://www.pgpi.org/doc/faq/  www.gnupg.org  William Stallings,” Cryptography and Network Security Principles and Practices”, Fourth Edition ” Prentice Hall , 2005  GITA” Encryption Technologies”, Standard P800-S850 V2.0, April 5, 2004  Sieuwert van Otterloo” A security analysis of Pretty Good Privacy”, September 7, 2001  Amr el-kadi” what is computer security”2005