Chapter 5Chapter 5Electronic mail security

PGP & S/MIME

1Khushbu Shah

Electronic Mail SecurityAgenda:

• Introduction to PGP • 5 PGP Services • Key Management• Use of Trust• Demo Of PGP In Use

2Khushbu Shah

Pretty Good Privacy

• 1991 – Creation of a single person, Phil Zimmermann

• Provides confidentiality and authentication services for electronic mail and file storage applications

3Khushbu Shah

Introduction• PGP is an open source freely available software package for

email security• Provides • Authentication -use of digital signature• confidentiality-use of symmetric block encryption• compression –ZIP algorithm• email compatibility –radix-64 encoding scheme, • Segmentation and reassembly to accommodate long emails

4Khushbu Shah

Pretty Good Privacy

• Selected best available cryptographic algorithms

• Integrated these algorithms into a general purpose application

• Source code and doc freely available on the net

• Agreement with company (Viacrypt) for low cost commercial version

5Khushbu Shah

Notation

6

KS = session key used in conventional encryptionKRa = private key of user A, used in public key encryptionKUa = public key of user A, used in public key encryptionEP = public-key encryptionDP = public-key decryptionEC = conventional encryption DC = conventional decryption H = hash function|| = concatenationZ = compression using ZIP algorithmR64 = conversion to radix 64 ASCII format

Khushbu Shah

Summary of 5 PGP Services

7

authentication

Khushbu Shah

Recall One Way Hash Function

8

Digital signature No key distribution

Less computation since message does not have to be encrypted

Khushbu Shah

Recall SHA-1 Secure Hash Function

• Developed by NIST in 1995• Input is processed in 512-bit blocks• Produces as output a 160-bit message

digest• Every bit of the hash code is a function of

every bit of the input• Very secure – so far!

9Khushbu Shah

Authentication1. Sender creates a message2. Generate a hash code with SHA-13. Using sender’s private key and RSA, encrypt the

hash code and prepend to the message4. Receiver uses sender’s public key to decrypt and

recover the hash code5. Receiver generates a new hash code for the

message and compares with the decrypted hash code. If matching, then message is authentic

10Khushbu Shah

PGP Cryptographic Functions

11Khushbu Shah

Recall Other Public Key Algorithms

• Digital Signature Standard (DSS) – makes use of SHA-1 and presents a new digital signature algorithm (DSA)

• Only used for digital signatures not encryption or key exchange

12Khushbu Shah

Authentication

• Other alternatives can be used, e.g., DSS• Detached signatures are supported-stored

and transmitted separate signature log of all message sent or received.

• Good for executables and multi-party signatures (legal contract).

13Khushbu Shah

Summary of 5 PGP Services

14

authentication

confidentiality

Khushbu Shah

Encryption algorithm-CAST-128

• 1997, Entrust Technologies• RFC 2144• Extensively reviewed• Variable key length, 40-128 bits• Used in PGP

15Khushbu Shah

Recall Conventional Encryption Algorithms

16

We have choices in PGP for confidentiality!

Khushbu Shah

Confidentiality1. Sender creates a message and random 128bit

number for session key2. Message encrypted using CAST-128 with the

session key3. Session key encrypted with recipient’s public key

and prepended to the message4. Receiver uses it’s private key to decrypt and

recover the session key5. Session key is used to decrypt the message

17Khushbu Shah

PGP Cryptographic Functions

18Khushbu Shah

Confidentiality• Alternatives of RSA, Diffie-Hellman

(ElGamal) can used• Conventional algorithms are much faster• Each message is a one time independent

event with its own key• PGP provides large key range (DSS key

limited to 1024 bits)• 768 key size 3072

19Khushbu Shah

Confidentiality & Authentication

• Both services can be used for the same message

• First, signature is generated for plaintext and prepended

• Message is encrypted with a session key• Session key(one time use only) is encrypted

with recipient’s public key

20Khushbu Shah

PGP Cryptographic Functions

21Khushbu Shah

Summary of 5 PGP Services

22

authentication

confidentiality

Khushbu Shah

Compression – Save Space• PGP compresses (ZIP) the message after applying

the signature but before encryption (default)• Better to sign an uncompressed message

(otherwise either compressed message for later verification or to recompress message when verification is required)

• PGP’s compression algorithm is non-deterministic• Security is greater if message is encrypted after

compression

23Khushbu Shah

PGP Cryptographic Functions

24Khushbu Shah

Summary of 5 PGP Services

25

authentication

confidentiality

Khushbu Shah

E-mail Compatibility• Part or all of block consists of a stream of arbitrary 8-bit

octets• Many email systems only allow ASCII text• PGP converts raw binary stream to a stream of printable

ASCII characters• Radix-64 conversion – • Blindly convert input stream to radix-64 format regardless

of contents(if input is ASCII text even though)• So if message is signed but not encrypted, conversion

applied to entire block ,so output is unreadable to casual users gives certain level of confidentiality

26Khushbu Shah

Summary of 5 PGP Services

27

authentication

confidentiality

Khushbu Shah

Segmentation• Maximum message length restrictions in e-

mail• (example Internet impose max length of

50,000 octets)• PGP automatically subdivides a large

message into segments small enough to mail separately

• PGP reassembles entire original block at the receiving end

28Khushbu Shah

Summary of 5 PGP Services

• Authentication• Confidentiality• Compression• E-Mail Compatibility• Segmentation

29Khushbu Shah

PGP Cryptographic Keys

• One-time Session symmetric keys Conventional Keys

• Public Keys• Private Keys• Pass phrase-Based Conventional

30Khushbu Shah

Key Requirements• A means of generating unpredictable

session keys (section “session key generation”)

• Allow users to have multiple public/private key pairs (need some kind of identity) (section “key identifiers”)

• Each PGP entity must maintain a file of its and its correspondents public/private pairs (section “key rings”)

31Khushbu Shah

32Khushbu Shah

33

Session Key Generation• Random 128-bit numbers are generated using CAST-

128• Input is a stream of 128-bit randomized numbers

based on keystroke input from the user• (both keystroke timing and actual keys struck are used

to generate randomize stream)• Using Cipher feedback mode,CAST-128 encrypter

produce two 64-bit block concatenated to form 128 bit session key.

• Produces a sequence of session keys that is effectively unpredictable

33Khushbu Shah

34

Key Identifiers• Encrypted form of session key is used for message encryption.

• Session key is it self encrypted by recipient's public key.

• We have requirement that any given user may have multiple public/private key pairs.

• How does receiver know which public key to use?• One solution is to transmit public keys with message but unnecessary

wastage of space.

• Other solution is to associate an identifier with each public key that is unique within user.(combination of userID and KeyID) so only shorter KeyID would need to transmit. It raises management and overhead problem

• The solution adopted by PGP assigns a key ID to each public key

• It has a high probability of being unique within a user ID – 64-bit

• KeyID is of least significant 64 bit of public key(Pua mod 264 )

34Khushbu Shah

35

What Does A Transmitted Message Look Like?

• Message component – actual data to be stored or transmitted plus filename and timestamp specify time of creation.

• Signature component – ts, E(PRa,(MD)), leading 2 octets, ID of PUa– Timestamp-creation time of signature– Message digest-160 bit SHA-1 digest encrypted by sender’s private key.– Leading two octets of MD (checksum)-to enable recipient to determine if correct

public key was used to decrypt MD for authentication– Key ID of sender’s public key- Identifies public key that should be used to

decrypt digest. hence, identifies private key used for encryption

• Both components are optional and compress by ZIP and may be encrypted by session key

• Session key component – Ks, ID of PUb– session key plus ID of recipient’s public key used to encrypt the session key

35Khushbu Shah

36

PGP Format

36Khushbu Shah

37

Key Rings• PGP provides a pair of data structures at

each node – pub/priv key pairs owned by node & public keys of other users

• Private-Key Ring and Public-Key Ring• Can view the ring as a table – each row

represents one of the pub/priv key pairs

37Khushbu Shah

Private key ring• Private key ring can be indexed by either userID or KeyID• Private key is encrypted by CAST-128.The procedure is as

follow1 User selects a passphrase to be used for encrypt private keys.2 When system generates new pub/pri key pairs using RSA, ask user for

passphrase. Using SHA-1,160 bit hash code is generated from passphrase then it is discarded.

3 System encrypts private key using CAST-128 with 128 bit hash code as a key

• When user accesses the private key ring to retrieve private key, he must supply passphrase.

• PGP will retrieve encrypted private key ,generate hash code of passphrase and decrypt the encrypted private key using CAST-128 with hash code.

3838Khushbu Shah

39

Private key ring (“my” key-pairs)

information:

Private key stored

encrypted with passphrase

<barnard@cis.uab.edu>

<barnard@uab.edu>

“Private Key Ring” also contains “my” public keys

Khushbu Shah

40

Key Ring Structure

The owner’s public key(s) appear on both key rings

40Khushbu Shah

41

PGP Message Generation & Transmission

41Khushbu Shah

42

PGP Message Generation & Transmission has following steps

• Signing the message• Encrypting the message

PGP Message receptions has following steps

Decrypting the messageAuthenticating the message

42Khushbu Shah

43

PGP Message Reception

43Khushbu Shah

44

Public Key Management• PGP contains clever, efficient, interlocking set of function

and formats to provide confidentiality and authentication• Approaches to public key Management• A want to obtain reliable public key of B

1. Physically get the key from B

2. Verify a key by telephone or email

3. Obtain B’s public key from a mutually trusted individual friend D

4. Obtain B’s public key from a trusted certifying authority

For cases 3 and 4, Alice would already have a copy of the introducer’s public key and trust that this key is valid. Ultimately, it is up to Alice to assign a degree of trust to anyone who is to act as an introducer.

44Khushbu Shah

45

Use of Trust• Associated with each public key is a • key legitimacy field – extent that PGP will trust that this is a

valid public key• (high level of trust , stronger is binding of this user ID to this

key, zero or more signature collected by key ring owner)• Field derived from collection of signature trust fields in entry.• Signature trust field – degree to which PGP user trusts the

signer to certify public keys• Owner trust field – degree to which this public key is trusted to

sign other public-key certificates– Level of trust assigned by user.– Contained in a structure referred to as a trust flag byte

45Khushbu Shah

46

Use of Trust

PGP provides a convenient means of using trust.

Earlier, when Alice entered a new key in her public-key ring, PGP asked her to assign a level of trust to the owner of this key (if it’s her own public key, value is ultimate trust). This was entered in the Owner Trust field and will be used if Alice later receives keys signed by this person.

Khushbu Shah

47

When Alice enters another new public key, one or more signatures may be attached (in the Signature(s) field). Alice’s PGP will search her public-key ring to see if the author of this signature is already on her key ring. If so PGP will copy her earlier assessment of this person’s trust into the Signature Trust field for this person (otherwise the value of this field will be unknown user).PGP will compute the weighted average of the Signature Trust values and assign this to the Key Legitimacy field. This field summarized the confidence that Alice can have that this public key actually belongs to the person in the UserID field.

Khushbu Shah

Dealing with public key ring of user A.• Describes the operation of trust processing as follows:1) When A insert new public key on public key ring, PGP

must assign value to trust flag associated with owner of this public key.

• If owner is A, then this public key also appears in private key ring, value of ultimate trust is automatically assigned to trust field.

• Otherwise PGP ask A for this assessment of trust to be assigned to the owner of this key, and A must enter the desired level.

• User can specify that owner is unknown ,untrusted, marginally trusted, completely trusted etc.

48Khushbu Shah

Contd…2) When new public key is entered, one or more signatures may

attached to it.• When signature is inserted into entry, PGP searches public key

ring to see if the author of signature is among known public key owner

• If so, OWNERTRUST value for this owner is assigned to SIGNTRUST field for this signature.

• If not, unknown user value assigned

3) The value of key legitimacy field is calculated on basis of signature fields present in entry.

• If at least one signature has signature trust value of ultimate, key legitimacy field value is set to complete,

• Otherwise PGP computes weighted sum of trust values.

49Khushbu Shah

Trust Flag Byte Contents

50Khushbu Shah

PGP Trust Model Example

51Khushbu Shah

PGP Trust Model

52

1 All keys whose owners are fully or partially trusted by this user have been signed by this(YOU) user except node L. Even though E’s key is already signed by trusted F, user chose to sign E’s key directly.

2 Two partially trusted signatures are sufficient to certify a key. Key for user H is deemed legitimate by PGP because it is signed by A and B, partially trusted.

3 Key may be legitimate because it is signed by one fully trusted or two partially trusted signatories. But its user may not be trusted to sign other keys.

Example-N’s key is legitimate because sign by E, whom this user trusts, but N is not trusted user to sign others key because this user has not assigned trust value to N. R’s key is signed by N but PGP does not consider R’s key as legitimate.

4 Detached orphan node S with two unknown signatures. Such key may have been acquired from key server.

PGP can’t assume that this key is legitimate key. User must declare key legitimate by signing it or by telling PGP to willingly trust one of key signatories.

Khushbu Shah

53

PGP “Web of Trust”

The idea behind the various trust fields in the public key ring is to establish a “Web of Trust” among a community of users.

If Alice trusts only Abe to sign certificates, then she won’t believe certificates from Martha or Emily are genuine. If she also trusts Bob’s judgment about signing certificates, she can trust Emily’s certificate; if she also trusts Carl, she can trust everyone’s certificate.

PGP “Web of Trust”

The idea behind the various trust fields in the public key ring is to establish a “Web of Trust” among a community of users.

Khushbu Shah

54

S/MIME

Khushbu Shah

S/MIMES/MIME• Secure/Multipurpose Internet Mail Extension-

Secure enhancement to MIME - - Internet e-mail format standard

• S/MIME will probably emerge as the industry standard for commercial and organizational use.

• PGP use for personal e-mail security

Overview of E-mail:

The message is constructed under RFC 822, then passed to SMTP (RFC 821) for transmission.

S/MIME includes a secure development of RFC 822/ MIME

55Khushbu Shah

Simple Mail Transfer Protocol Simple Mail Transfer Protocol (SMTP, RFC 822)(SMTP, RFC 822)

• MIME is extension to RFC 822 framework that is intended to address some of problem and limitation to use of SMTP

• SMTP Limitations - Can not transmit, or has a problem with:

– executable files, or other binary files (jpeg image)– “national language” characters- represnted as 8 bit codes

with values of 128 decimal. SMTP limited to 7-bit ASCII– Reject mail messages over a certain size– ASCII to EBCDIC translation problems

(not consistent mapping)– lines longer than a certain length (72 to 254 characters)

56Khushbu Shah

S/MIMES/MIME• MIME is compatible to existing RFC 822

implementation• Specification provided in RFC 2045 through 2049• Five new message header fields are defined– provides information about body of message.

• Number of content formats are defined• Transfer encoding is defined that enables

conversion to any format

57Khushbu Shah

Headers

■ contain readable text (ASCII)

■ are divided into lines

■ each line of form <keyword> : <value>

Keywords To and From are required, others optional58Khushbu Shah

MIME – Multipurpose Internet Mail Extensions (RFC 1521, 1993)

In the body of the message we would like to be able to include items such as:

■ messages in languages with accents

■ Messages in non-Latin alphabets (Arabic, Russian, Hebrew)

■ Messages in languages without alphabets (Chinese and Japanese)

■ Messages not containing any kind of text (audio and video)

Such material may contain an arbitrary bit string.

Sender must “disguise”(mask or hide) non-ASCII information as ASCII

This will be reversed by the receiver, to give the bit string.

RFC 822 states that the message can consist only of ASCII text.

59Khushbu Shah

If you receive this ASCII message how do you know what it is?

Now you know that the message is a bit string that the sender has converted to radix-64 – you can recover the bit string, but you still don’t know what it is (image? Audio?)

MIME header: Content-Type says “image/jpeg”

which tells you how to process the received message.

From point of view of receiver:

Example: Content-Transfer-Encoding says “radix-64 conversion”

60Khushbu Shah

Header fields in MIMEHeader fields in MIME• MIME-Version: Must be value “1.0” ->conforms to RFC

2045, RFC 2046

• Content-Type: More types being added by developers. Describes data contained in the body with sufficient detail

• Content-Transfer-Encoding: How message has been encoded (radix-64).Type of transformation used to represent data to users

• Content-ID: Unique identifying character string.

• Content Description: Needed when content is not readable text (e.g.,mpeg)

61Khushbu Shah

Header fields in MIMEHeader fields in MIME

62Khushbu Shah

S/MIME will add new subtypes to Application and Multipart63Khushbu Shah

64Khushbu Shah

S/MIME FunctionsS/MIME Functions• Enveloped Data: Encrypted content and

encrypted session keys for recipients.

• Signed Data: Message Digest encrypted with private key of “signer.”

• Clear-Signed Data: Signed but not encrypted.

– message ASCII only, signature with radix-64 (recipients without S/MIME can view message, but cannot verify the signature)

• Signed and Enveloped Data: Various orderings for encrypting and signing.

65Khushbu Shah

S/MIME Functionality - continued

► Enveloped data: encrypted content plus encryption keys

PGP equivalent: plus radix-64 conversion

Radix-64 conversion

66Khushbu Shah

S/MIME Functionality - continued

► Signed data: message plus digital signature

(can be viewed only by recipient with S/MIME capability)

PGP equivalent: plus radix-64 conversion

Radix-64 conversion after compression

► Clear-signed data function: only the digital signature is converted to radix-64; the message is “in the clear”

67Khushbu Shah

S/MIME Functionality - continued

► Signed and enveloped data

PGP equivalent:

68Khushbu Shah

Algorithms UsedAlgorithms Used

• Message Digesting: SHA-1 and MDS

• Digital Signatures: DSS

• Secret-Key Encryption: Triple-DES, RC2/40 (exportable)

• Public-Private Key Encryption: RSA with key sizes of 512 and 1024 bits, and Diffie-Hellman (for session keys).

69Khushbu Shah

Cryptographic Algorithms Used in S/MIME

70Khushbu Shah

S/MIME Message Type• Enveloped Data• Signed Data• Clear Signing• Registration Request-Application or user will apply to

certification authority for public-key certificate-Include certificationInfo block followed by identifier of public key

• Certification-Only Message-Message containing only certificate or CRL list in response to Registration request.

71Khushbu Shah

S/MIME Certificate ProcessingS/MIME uses X.509 version 3

“Hybrid between a strict X.509 hierarchy and PGP’s web of trust.”

S/MIME does not set up a global system like the Domain Name System, to retrieve public-key certificates with minimal effort.

Rather, each user, or user group, takes responsibility for obtaining the certificates of individuals with whom they want to correspond securely.

72Khushbu Shah

User Agent RoleUser Agent Role• S/MIME uses Public-Key Certificates - X.509 version 3

signed by Certification Authority• Several key management Functions:

– Key Generation – MUST-Diffie-Hellman, DSS, and SHOULD- RSA key-pairs.

– Registration – user’s Public keys must be registered with X.509 CA.

– Certificate Storage - Local (as in browser application) for different services. On behalf of user some local administrative entity maintained the certification list.

– Signed and Enveloped Data - Various orderings for encrypting and signing.

73Khushbu Shah

Verisign CertificatesVerisign Certificates• Several companies provides CA (certification Authority) services• Nortel provides S/MIME support• Internet based CAs-Verisign, GTE, U.S. Portal Service• Verisign is mostly used for CA service compatible with S/MIME and

other applications.• Issue certificate with product name Verisign Digital ID.• DigitalID contains

– Owner’s public key– Owner’s name or alias– Expiration date of digitalID– Serial no of DigitalID– Name of CA that issued DigitalID– And Signature of CA

• Also contain user supplied info• Address, E-mail Address, basic Registration info

74Khushbu Shah

User Agent RoleUser Agent Role• Example: Verisign (www.verisign.com)

– Class-1: Buyer’s email address confirmed by emailing vital info. Digital ID is sent as well as PIN is sent.

– Class-2: Automated comparison with online database Postal address is confirmed as well, and data checked against directories. DigitalID is sent to postal address.

– Class-3: Buyer must appear in person, or send notarized documents.

75Khushbu Shah

VeriSign Public-Key Certificate Classes

Table 7.8 Verisign Public-Key Certificate Classes

76Khushbu Shah

77Khushbu Shah