Ab Crypt 11 Email

SECURITY AT
APPLICATION LAYER
EMAIL
Most widely used application on the Internet

Security of email is extremely important
RFC 822 defines a format for text email messages
Consists of contents and headers
Header lines consist of From: abc.., To: xyz.., Subject: pqrs,
Date: 17 April 2014
Message is included in contents
Simple Mail Transfer Protocol (SMTP) is used for email
communications
Email software at senders end gives email message to local
SMTP server which carries message to receiver
SMTP works in application layer of TCP/IP
EMAIL SECURIT Y
Confidentiality
oprotection from disclosure
Authentication
o for sender of message
Message integrity
oprotection from modification
Non-repudiation of origin
o protection from denial by sender
PGP and S/MIME are two popular schemes
PRETT Y GOOD PRIVACY (PGP)
Developed by Phil Zimmerman

Used for secure e-mail and file encryption
Used for sending enciphered, digitally signed
messages via email
Uses a variety of algorithms to provide
confidentiality, integrity and authentication
Uses public key to encrypt messages and verify
signatures
Uses private key to decrypt messages and
create signature
PGP FEATURES
1. Encrypts e-mail messages

2. Generates message digests
3. Generates digital signature
4. Manages personal key rings
5. Manages distributable public-key certificates
PGP WORKING
Alice with Generate Encrypt

PRA and PUB session key using PUB
encrypt Message
Message Bob with
and Message Digest Concatenate
(compressed) PRB and PUA
digitally signed with
PRA
Encrypted with shared session key
Decrypt Decrypt
message session
Generate
Decompress and digest key using
Compare digest on
message using PUB
received and decompresse
generated d message session
digest key
PGP OPERATION SUMMARY
PGP SERVICES
Authentication
Confidentiality
Compression
E-mail compatibility
segmentation
PGP SERVICES
Authentication
Confidentiality
Compression
segmentation
PGP OPERATION AUTHENTICATION
(MESSAGES ARE NOT ALTERED IN TRANSIT AND ARE
FROM THE CLAIMED SENDER)
1. sender creates message

2. uses SHA-1/MD5 to generate 160-bit hash code
3. Generate a digital signature using RSA/ElGamal
4. Encrypts digital signature with private key
5. Concatenated code is compressed and sent





PGP OPERATION CONFIDENTIALIT Y
(INTENDED RECIPIENT CAN DECIPHER THE MESSAGE)
1. Sender forms 128-bit random one time

session(symmetric) key for the given message
2. Encrypts (CAST-128/3DES/IDEA) compressed
message with session key
3. Appends session key encrypted with RSA/ ElGamal
public key
4. Session key is used to decrypt message
Ks

message with session key
public key
Ks

message with session key using 64b CFB mode
public key
Ks

public key
Ks

public key
Ks

public key
Ks
PGP SERVICES
Authentication
Confidentiality
Compression
segmentation
PGP OPERATION CONFIDENTIALITY
& AUTHENTICATION
Create signature & attach to message
encrypt both message & signature
attach RSA/ElGamal encrypted session key
Ks is session key
PGP OPERATION CONFIDENTIALITY
& AUTHENTICATION
Create signature & attach to message
encrypt both message & signature
attach RSA/ElGamal encrypted session key
Ks is session key
PGP SERVICES
Authentication
Confidentiality
Compression
segmentation
COMPRESSION ALGORITHM (ZIP)
By default PGP compresses message using

ZIP after signing and before encrypting
ZIP is Based on Lampel-Ziv algorithm
Looks for repeated strings or words
Replaces repeated sequences by short codes.
Compresses before encryption so that
intruder finds difficult to guess the message
Because it is a compressed message
PGP SERVICES
Authentication
Confidentiality
Compression
segmentation
BASE-64 (RADIX-64) ENCODING AND
SEGMENTATION
Email was designed only for text (ASCII)

Most e-mail systems use message with ASCII
characters
PGP translates non ASCII to base-64
After encryption each character is converted to
base-64 before it is sent
Base-64 have 64 printable characters
0-63 correspond to A -Z, a-z, 0-9, +, /
After base-64 coding message is segmented into
fixed size blocks
BASE-64 (RADIX-64) ENCODING
Transforms binary data/message to printable character
01010101010101000011000101011111001001
01010101 00010101 00010101 24 bit block
000110 110010 111000 111111 four 6-bit blocks
6 26 56 63 Decimal equivalent
G a 4 /
four 8-bit
10010101 01001111 11010101 00100011 blocks
01010101010101000011000101011111001001
01010101 00010101 00010101 24 bit block
000110 110010 111000 111111 four 6-bit blocks
G a 4 /
four 8-bit
10010101 01001111 11010101 00100011 blocks
01010101010101000011000101011111001001
01010101 00010101 00010101 24 bit blocks
000110 110010 111000 111111 four 6-bit blocks
G a 4 /
four 8-bit
10010101 01001111 11010101 00100011 blocks
01010101010101000011000101011111001001
01010101 00010101 00010101 24 bit blocks
000110 110010 111000 111111 four 6-bit blocks
G a 4 /
four 8-bit
10010101 01001111 11010101 00100011 blocks
01010101010101000011000101011111001001
01010101 00010101 00010101 24 bit block
000110 110010 111000 111111 four 6-bit blocks
G a 4 /
four 8-bit
10010101 01001111 11010101 00100011 blocks
01010101010101000011000101011111001001
01010101 00010101 00010101 24 bit block
000110 110010 111000 111111 four 6-bit blocks
G a 4 /
four 8-bit
10010101 01001111 11010101 00100011 blocks
If required message can be padded with os to make 6bits

To pad a complete 6-bit block, = is padded
01010101010101000011000101011111001001
01010101 00010101 00010101 24 bit block
000110 110010 111000 111111 four 6-bit blocks
Corresponding Printable
G a 4 / Character
four 8-bit
10010101 01001111 11010101 00100011 blocks
PGP KEYS
Session keys
o One time session key depending on algorithm
o 56-bit DES, 128-bit CAST or IDEA, 168-bit 3-DES
o Random numbers based on key stroke timings, mouse
movements etc are used to create the keys
Public-private key pair
o Users private key encrypted using passphrase.
o Based on private key public key is generated.
o User can have multiple pairs of private -public keys for the use
of different groups
o Receiver must know which public key is used for a sender
o Key -ID identifies the public key
Passphrase based conventional key
o Hash code of passphrase is stored securely
o Used to retrieve the private key
KEY MANAGEMENT
Key rings
PGP certificates
Introducer trust
Certificate trust
Key legitimacy
Web of trust
KEY MANAGEMENT
Key rings
PGP certificates
Introducer trust
Certificate trust
Key legitimacy
Web of trust
PGP KEY RINGS
User A may need to send messages to many

people
Key ring contains public keys of persons with
whom A needs to correspond
Allows A to use a different key pair for a group
of people (friends, colleagues)
KEY RINGS IN PGP
A wants to send a message to another person in community
Private/public ring Public ring
PGP uses a pair of data structures

One to store the users public/private key pairs - their private-key ring
And one to store the public keys of other known users, their public-key ring.
ID OF PGP KEY RINGS
Keys & key IDs are critical to the operation of PGP

keys need to be stored and organized in a
systematic way for efficient and effective use by all
parties
The private keys are kept encrypted using a block
cipher, with a key
Key is derived by hashing a pass-phrase which the
user enters whenever that key needs to be used .
As in any system based on passwords, the security
of this system depends on the security of the
password, which should be not easily guessed but
easily remembered.
ID OF PGP KEY RINGS
Key ID is assigned to each public key

Key ID = key (mod 2 64 )
Also Key ID is required to identify digital
signature of a user
Digital signature component of a message
includes the 64-bit key ID of public key
PGP KEY RINGS
052003-12:05 Full abc@sss.comFull Full
abcs
Number of sec elapsed since Jan 1, 1970

PGP KEY RINGS
052003-12:05 Full abc@sss.comFull Full
abcs
Number of sec elapsed since Jan 1, 1970

KEY MANAGEMENT
Key rings
PGP certificates
Introducer trust
Certificate trust
Key legitimacy
Web of trust
PGP CERTIFICATES
Digital certificate is required to trust the

public key of a user
Digital Certificate
User: C
A

Issued by: A
C
Digital Certificate
B User: C

Issued by: B
PGP CERTIFICATES
Digital certificate is required to trust the

public key of a user
Digital Certificate
User: C
A

Issued by: A
C
Digital Certificate
B User: C

Issued by: B
INTRODUCER TRUST
Digital Certificate
User: C
A Trust: Full

Issued by: A C
Digital Certificate
B User: C
Trust: Partial

Issued by: B
Digital Certificate Digital Certificate

User: B User: D
Trust: Partial D Trust: None

Issued by: D Issued by: C
INTRODUCER TRUST
Digital Certificate
User: C
A Trust: Full

Issued by: A C
Digital Certificate
B User: C
Trust: Partial

Issued by: B
Digital Certificate Digital Certificate

User: B User: D
Trust: Partial D Trust: None

Issued by: D Issued by: C
CERTIFICATE TRUST ANOTHER EXAMPLE
User: C, Trust: Full User: G, Trust: Partial

Public key: K1 C H Public key: K3 G
A Issued by: A Issued by: H
User: D, Trust: Partial User: I, Trust: Partial
Public Key:K2 D H Public Key:K4 I
A
Issued by: A Issued by: H
User: G, Trust: Partial User: L, Trust: None

Public Key:K3 G I Public Key:K5 L
F
Issued by: F Issued by: I
User Issuer Cert trust Pub. Key

C A Full K1
D A Full K2
E G F Partial K3
G H Partial K3
I H Partial K4
L J None K5

A

F

C A Full K1
D A Full K2
E G F Partial K3
G H Partial K3
I H Partial K4
L J None K5

A

F

C A Full K1
D A Full K2
E G F Partial K3
G H Partial K3
I H Partial K4
L J None K5

A

F

C A Full K1
D A Full K2
E G F Partial K3
G H Partial K3
I H Partial K4
L J None K5

A

F

C A Full K1
D A Full K2
E G F Partial K3
G H Partial K3
I H Partial K4
L I None K5
KEY MANAGEMENT
Key rings
PGP certificates
Introducer trust
Certificate trust
Key legitimacy
Web of trust
KEY LEGITIMACY
To trust public key of the user

User E needs to know how legitimate are the public keys
of users C, D,
Level of key legitimacy for a user is the weighted trust
level for the user
User E needs two partial or one full trust
Weight Certificate trust User Issuer Cert trust Pub. Key

C A Full K1
0 No trust (none) D A Full K2
Partial trust G F Partial K3
G H Partial K3
1 Full trust
I H Partial K4
L J None K5
User E
KEY MANAGEMENT
Key rings
PGP certificates
Introducer trust
Certificate trust
Key legitimacy
Web of trust
WEB OF TRUST
If nobody has created a certificate for user E

then several schemes are possible
User E obtains public key from user A by
contacting him
A can email public key to E
Also, A computes hash code called fingerprint
and conveys hash code to E
MESSAGE COMPONENT
The message component includes the actual

data to be stored or transmitted
Includes a filename and a timestamp that
specifies the time of creation
SIGNATURE COMPONENT
Timestamp: The time at which the signature

was made
Hash code: The 160-bit SHA-1 digest
encrypted with the senders private signature
key
Hash code is calculated over the signature
timestamp concatenated with the message
component
The inclusion of the signature timestamp in
the digest insures against replay types of
attacks
PGP MESSAGE GENERATION
PGP MESSAGE RECEPTION
MIME (MULTIPURPOSE INTERNET MAIL
EXTENSIONS)
Allows encoding of binary data to textual form for transport

over traditional RFC822 email systems
Therefore non- ASCII and non textual data (attachments) can
be e-mailed using RFC 822
MIME is a set of software functions that transforms non - ASCII
data at the sender site to NV T (Network Virtual Terminal)
ASCII data
Message at the receiver site is transformed back to the
original data
E-mail in MIME format is transmitted using Simple Mail
Transfer Protocol (SMTP)
Common types of file extensions are doc, pdf, xls, ppt, wav,
jpg,
MIME
user user
UA UA
Non- ASCII Non- ASCII
MIME MIME
7-bit ASCII 7-bit ASCII
MTA MTA
7-bit ASCII
FEATURES OF MIME
Non-text attachments such as images, videos, audios, and

other multimedia messages
Ability to send multiple objects within a single message
Supports character set other than ASCII
Write header information in non - ASCII character set
Unlimited length of text
MIME HEADERS
Can be added to the original e -mail header to define the

transformation parameters
1. MIME- version
2. Content type
3. Content transfer encoding
4. ContentID
5. Content description
MIME HEADER AND EXAMPLE
E-mail header
MIME version: 1.1
Content type: type/subtype parameter
Content transfer encoding: encoding type
ContentID: message id
Content description: description of non-text contents
Message body
E-mail header
MIME version: 1.1
Content type: --/HTML or image/jpeg or video/MPEG
Content transfer encoding: 7bit or radix 64 or binary
ContentID: message id
Content description: image or audio or video
Message body
S/MIME (SECURE/MULTIPURPOSE
INTERNET MAIL EXTENSIONS)
extension of MIME format which is an internet standard for the
format of e-mail
Secure version of MIME
In addition to MIME, S/MIME allows encryption and digital
signing of messages
Strength is its ability to validate the identities of e -mail senders
and recipients through digital signatures
Following services
Authentication
Message integrity
Non-repudiation of origin
Privacy and data security
have S/MIME support in many mail agents
MS Outlook, Mozilla, Mac Mail etc
SECURIT Y OF E-MAIL WITH S/MIME
To send an e-mail utilizing S/MIME, a digital certificate is

needed
Digital certificate allows one to sign messages
Recipient can verify if mail coming from the e -mail address is
from an authorized e -mail address.
When one sends a digitally signed message, the digital
certificate is sent along with the message
Digital signature attached to e -mail prove that
E-mail is sent by e-mail address that claims to have sent it
Mail is not tampered while in transit
Anyone who has the digital certificate can use the public key
stored in the certificate to encrypt a reply
Authorized person can read it by decrypting it using private
key installed on the machine
S/MIME MESSAGES
S/MIME secures a MIME entity with a signature, encryption, or

both
A MIME entity may be an entire message or one or more of the
subparts of the message.
The MIME entity added with security related data, such as
algorithm identifiers and certificates, are processed by S/MIME
to produce a PKCS
PKCS is a set of Public-Key Cryptography Specifications issued
by RSA Laboratories.
A PKCS object is treated as message content and wrapped in
MIME forming a MIME wrapped PKCS object
have a range of content -types:
data
enveloped data
signed data
Compressed data
S/MIME MESSAGES CONTENT T YPE
Data
contains identifier to identify MIME message content
Signed data
provides integrity of data
Enveloped data
provides data confidentiality to a message. A sender needs to
have access to a public key for each recipient to use this service
Compressed data
Applies data compression to a message to reduce the message
size
SIGNED DATA T YPE
Signature +
Digital certificate +
Hash algorithm
digest signatu
algo
re algo
:
:
Digital Signature +
Content Hash digest signatu certificate +
(any type) algo re algo algorithm
Signed Content
with (any type)
private
key
ENVELOPED DATA T YPE
Recipient
identification,
public key
Public certificate,
key encrypted session
cipher key
:
Session key :
Recipient
Public identification,
key public key
cipher certificate,
encrypted session
key
Content Symmetric Content

(any type) key cipher (any type)
S/MIME CRYPTOGRAPHIC
ALGORITHMS
digital signatures: DSS & RSA

hash functions: SHA -1 & MD5
session key encryption: ElGamal & RSA
message encryption: AES, Triple -DES, RC2/40 and others
MAC: HMAC with SHA -1
provision to decide which algorithms to use
S/MIME DIGITAL CERTIFICATES
Used to digitally sign and encrypt e -mail messages

Digital certificate is sent along with the message
When one sign an e-mail message using certificate, only the
person to whom message was sent can decrypt and read the
e-mail
Recipient can be sure that e -mail is not changed in transit
Ensures end-to-end security
S/MIME CERTIFICATE PROCESSING
S/MIME uses X.509 v3 certificates

each client has a list of trusted Certificate Authority (CA)
certificates
and own public/private key pairs & certs
certificates must be signed by trusted CAs
Apply for a certificate from CA like , Verisign, Cacert, geotrust
etc and prove that he/she owns the e -mail address
Once S/MIME certificate is installed in the e -mail client one can
send a signed e-mail to the people who need to send encrypted
message
Contacts field downloads the certificate and add to the address
book
Contacts can send encrypted mails by clicking on encrypt
button while creating a new mail.
CERTIFICATE AUTHORITIES
have several well-known CAs that provide X.509 certification

authority (CA) services
Verisign one of most widely used
Issues several types of Digital IDs, increasing levels of
checks & hence trust
CERTIFICATE AUTHORITIES
Class Identity Checks Usage

1 name/email web browsing/email
2 + enroll/address check email, subs, s/w validate
3 + ID documents e-banking/service access
Class 1 and 2 requests are processed online and generally take

a few sec to approve
For Class 3 Digital IDs a higher level of identity assurance
An individual must prove his/her identity by providing notarized
credentials or applying in person.
WEBMAIL CLIENTS
OWA, gmail, hotmail and yahoo do not support S/MIME

certificates
Microsoft Outlook, Outlook Express, Mozilla Thunderbird,
Netscape Manager, Qualcomm Eudora support S/MIME
certificates
S/MIME IN MOBILE AND WIRELESS
TECHNOLOGY
BlackBerry is a secure wireless solution developed by
Research in Motion (RIM)
S/MIME for BlackBerry is an advanced encryption pack that
allows BlackBerry user to utilize S/MIME e -mail encryption on
BlackBerry wireless handheld devices
Protects message transmission from sender to recipient for
BlackBerry users
RIM proposal to India is to allow the government access to
decrypted information for e -mails
Additionally chat services running on the background such as
Google Gmail app may also be monitored by the government
RIM is devising a plan to support legal and national security
requirements while preserving the lawful needs of citizens
and corporations

Ab Crypt 11 Email

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Ab Crypt 11 Email

Загружено:

Авторское право:

Доступные форматы

SECURITY AT

Most widely used application on the Internet

Developed by Phil Zimmerman

1. Encrypts e-mail messages

Alice with Generate Encrypt

1. sender creates message

1. sender creates message

1. sender creates message

1. sender creates message

1. sender creates message

1. sender creates message

1. Sender forms 128-bit random one time

1. Sender forms 128-bit random one time

1. Sender forms 128-bit random one time

1. Sender forms 128-bit random one time

1. Sender forms 128-bit random one time

1. Sender forms 128-bit random one time

By default PGP compresses message using

Email was designed only for text (ASCII)

Transforms binary data/message to printable character

01010101 00010101 00010101 24 bit block

000110 110010 111000 111111 four 6-bit blocks

Transforms binary data/message to printable character

01010101 00010101 00010101 24 bit block

000110 110010 111000 111111 four 6-bit blocks

Transforms binary data/message to printable character

01010101 00010101 00010101 24 bit blocks

000110 110010 111000 111111 four 6-bit blocks

01010101 00010101 00010101 24 bit blocks

000110 110010 111000 111111 four 6-bit blocks

01010101 00010101 00010101 24 bit block

000110 110010 111000 111111 four 6-bit blocks

01010101 00010101 00010101 24 bit block

000110 110010 111000 111111 four 6-bit blocks

If required message can be padded with os to make 6bits

01010101 00010101 00010101 24 bit block

000110 110010 111000 111111 four 6-bit blocks

User A may need to send messages to many

A wants to send a message to another person in community

Private/public ring Public ring

PGP uses a pair of data structures

Keys & key IDs are critical to the operation of PGP

Key ID is assigned to each public key

052003-12:05 Full abc@sss.comFull Full

Number of sec elapsed since Jan 1, 1970

052003-12:05 Full abc@sss.comFull Full

Number of sec elapsed since Jan 1, 1970

Digital certificate is required to trust the

Digital certificate is required to trust the

Digital Certificate Digital Certificate

Digital Certificate Digital Certificate

User: C, Trust: Full User: G, Trust: Partial

User: G, Trust: Partial User: L, Trust: None

User Issuer Cert trust Pub. Key

User: C, Trust: Full User: G, Trust: Partial

User: G, Trust: Partial User: L, Trust: None

User Issuer Cert trust Pub. Key

User: C, Trust: Full User: G, Trust: Partial

User: G, Trust: Partial User: L, Trust: None

User Issuer Cert trust Pub. Key

User: C, Trust: Full User: G, Trust: Partial

User: G, Trust: Partial User: L, Trust: None

User Issuer Cert trust Pub. Key