Date post: | 21-Jan-2016 |
Upload: | daniela-osborne |
Chapter 5
Electronic mail security
PGP & S/MIME
Khushbu Shah
Electronic Mail Security
Agenda:
• Introduction to PGP
• 5 PGP Services
• Key Management
• Use of Trust
• Demo Of PGP In Use
Pretty Good Privacy
• 1991 – Creation of a single person, Phil Zimmermann
• Provides confidentiality and authentication services for electronic mail and file storage applications
Introduction
• PGP is an open source, freely available software package for email security
• Provides
– Authentication: use of digital signature
– Confidentiality: use of symmetric block encryption
– Compression: ZIP algorithm
– Email compatibility: radix-64 encoding scheme
– Segmentation and reassembly to accommodate long emails
Pretty Good Privacy
• Selected best available cryptographic algorithms
• Integrated these algorithms into a general purpose application
• Source code and doc freely available on the net
• Agreement with company (Viacrypt) for low cost commercial version
Notation
KS = session key used in conventional encryption
KRa = private key of user A, used in public key encryption
KUa = public key of user A, used in public key encryption
EP = public-key encryption
DP = public-key decryption
EC = conventional encryption
DC = conventional decryption
H = hash function
|| = concatenation
Z = compression using ZIP algorithm
R64 = conversion to radix 64 ASCII format
Summary of 5 PGP Services
authentication
Recall One Way Hash Function
Digital signature No key distribution
Less computation since message does not have to be encrypted
Recall SHA-1 Secure Hash Function
• Developed by NIST in 1995
• Input is processed in 512-bit blocks
• Produces as output a 160-bit message digest
• Every bit of the hash code is a function of every bit of the input
• Very secure – so far!
Authentication
1. Sender creates a message
2. Generate a hash code with SHA-1
3. Using sender’s private key and RSA, encrypt the hash code and prepend to the message
4. Receiver uses sender’s public key to decrypt and recover the hash code
5. Receiver generates a new hash code for the message and compares with the decrypted hash code. If matching, then message is authentic
PGP Cryptographic Functions
Recall Other Public Key Algorithms
• Digital Signature Standard (DSS) – makes use of SHA-1 and presents a new digital signature algorithm (DSA)
• Only used for digital signatures not encryption or key exchange
Authentication
• Other alternatives can be used, e.g., DSS
• Detached signatures are supported: stored and transmitted separately from the message, e.g. as a separate signature log of all messages sent or received
• Good for executables and multi-party signatures (legal contract).
Summary of 5 PGP Services
authentication
confidentiality
Encryption algorithm – CAST-128
• 1997, Entrust Technologies
• RFC 2144
• Extensively reviewed
• Variable key length, 40-128 bits
• Used in PGP
Recall Conventional Encryption Algorithms
We have choices in PGP for confidentiality!
Confidentiality
1. Sender creates a message and a random 128-bit number for the session key
2. Message encrypted using CAST-128 with the session key
3. Session key encrypted with recipient’s public key and prepended to the message
4. Receiver uses its private key to decrypt and recover the session key
5. Session key is used to decrypt the message
PGP Cryptographic Functions
Confidentiality
• As an alternative to RSA, Diffie-Hellman (ElGamal) can be used
• Conventional algorithms are much faster
• Each message is a one-time independent event with its own key
• PGP provides a large key range (DSS key limited to 1024 bits)
• 768 ≤ key size ≤ 3072
Confidentiality & Authentication
• Both services can be used for the same message
• First, signature is generated for plaintext and prepended
• Message is encrypted with a session key
• Session key (one-time use only) is encrypted with recipient’s public key
PGP Cryptographic Functions
Summary of 5 PGP Services
authentication
confidentiality
Compression – Save Space
• PGP compresses (ZIP) the message after applying the signature but before encryption (default)
• Better to sign an uncompressed message (otherwise one must either store a compressed version of the message for later verification or recompress the message when verification is required)
• PGP’s compression algorithm is non-deterministic
• Security is greater if the message is encrypted after compression
PGP Cryptographic Functions
Summary of 5 PGP Services
authentication
confidentiality
E-mail Compatibility
• Part or all of the block consists of a stream of arbitrary 8-bit octets
• Many email systems only allow ASCII text
• PGP converts the raw binary stream to a stream of printable ASCII characters
• Radix-64 conversion
• Blindly converts the input stream to radix-64 format regardless of contents (even if the input is already ASCII text)
• So if a message is signed but not encrypted, the conversion is applied to the entire block, so the output is unreadable to casual users, which gives a certain level of confidentiality
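The order of operations from the Authentication, Confidentiality, Compression and E-mail Compatibility slides (sign, then compress, then encrypt, then radix-64), written out with the deck's notation as an added example that is not part of the original slides. The key pairs are constructed textbook-RSA values without padding, and `stream_xor` is a stand-in for CAST-128 so the code runs on the standard library alone; all function names are hypothetical.

```python
import base64
import hashlib
import secrets
import zlib


def make_key(p, q, e=65537):
    """Textbook RSA key from two primes (constructed demo values, no padding)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


# Constructed keys built from Mersenne primes: large enough to hold a 160-bit
# SHA-1 digest or a 128-bit session key, far too small for real use.
KEY_A = make_key(2**89 - 1, 2**107 - 1)   # sender A: KRa is "d", KUa is ("e", "n")
KEY_B = make_key(2**61 - 1, 2**127 - 1)   # recipient B: KRb / KUb


def stream_xor(ks, data):
    """Stand-in for EC/DC: XOR with a SHA-256 counter keystream (not CAST-128)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(ks + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def pgp_send(msg, sender, recipient_pub):
    digest = int.from_bytes(hashlib.sha1(msg).digest(), "big")   # H(M)
    sig = pow(digest, sender["d"], sender["n"])                  # EP with KRa over H(M)
    packed = zlib.compress(sig.to_bytes(32, "big") + msg)        # Z(signature || M)
    ks = secrets.token_bytes(16)                                 # one-time 128-bit KS
    wrapped = pow(int.from_bytes(ks, "big"),
                  recipient_pub["e"], recipient_pub["n"])        # EP with KUb over KS
    blob = wrapped.to_bytes(32, "big") + stream_xor(ks, packed)  # key prepended
    return base64.b64encode(blob)                                # R64


def pgp_receive(armored, recipient, sender_pub):
    raw = base64.b64decode(armored)
    ks_int = pow(int.from_bytes(raw[:32], "big"), recipient["d"], recipient["n"])
    signed = zlib.decompress(stream_xor(ks_int.to_bytes(16, "big"), raw[32:]))
    sig, msg = int.from_bytes(signed[:32], "big"), signed[32:]
    expected = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    # DP with KUa must give back the hash of the received message
    return msg, pow(sig, sender_pub["e"], sender_pub["n"]) == expected
```

`pgp_receive` returns the plaintext together with the signature check result, so a message that decrypts correctly but fails verification against the claimed sender's public key is still reported as not authentic.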
Summary of 5 PGP Services
authentication
confidentiality
Segmentation
• Maximum message length restrictions in e-mail
• (for example, the Internet imposes a max length of 50,000 octets)
• PGP automatically subdivides a large message into segments small enough to mail separately
• PGP reassembles the entire original block at the receiving end
Summary of 5 PGP Services
• Authentication
• Confidentiality
• Compression
• E-Mail Compatibility
• Segmentation
PGP Cryptographic Keys
• One-time session symmetric keys (conventional keys)
• Public keys
• Private keys
• Passphrase-based conventional keys
Key Requirements
• A means of generating unpredictable session keys (section “session key generation”)
• Allow users to have multiple public/private key pairs (need some kind of identity) (section “key identifiers”)
• Each PGP entity must maintain a file of its own public/private key pairs and of its correspondents’ public keys (section “key rings”)
Session Key Generation
• Random 128-bit numbers are generated using CAST-128
• Input is a stream of 128-bit randomized numbers based on keystroke input from the user
• (both keystroke timing and the actual keys struck are used to generate the randomized stream)
• Using cipher feedback mode, the CAST-128 encrypter produces two 64-bit blocks, concatenated to form the 128-bit session key
• Produces a sequence of session keys that is effectively unpredictable
Key Identifiers
• An encrypted form of the session key used for message encryption accompanies the message.
• The session key is itself encrypted with the recipient's public key.
• We have the requirement that any given user may have multiple public/private key pairs.
• How does the receiver know which public key to use?
• One solution is to transmit the public key with the message, but this is an unnecessary waste of space.
• Another solution is to associate with each public key an identifier that is unique within a user (combination of userID and KeyID), so only the shorter KeyID would need to be transmitted. This raises a management and overhead problem.
• The solution adopted by PGP assigns a key ID to each public key
• It has a high probability of being unique within a user ID – 64-bit
• KeyID is the least significant 64 bits of the public key (PUa mod 2^64)
What Does A Transmitted Message Look Like?
• Message component – actual data to be stored or transmitted, plus a filename and a timestamp that specifies the time of creation.
• Signature component – ts, E(PRa,(MD)), leading 2 octets, ID of PUa
– Timestamp: creation time of signature
– Message digest: 160-bit SHA-1 digest encrypted by sender’s private key.
– Leading two octets of MD (checksum): to enable recipient to determine if the correct public key was used to decrypt MD for authentication
– Key ID of sender’s public key: identifies the public key that should be used to decrypt the digest; hence, identifies the private key used for encryption
• Both components are optional, are compressed with ZIP, and may be encrypted with the session key
• Session key component – Ks, ID of PUb
– session key plus ID of recipient’s public key used to encrypt the session key
PGP Format
Key Rings
• PGP provides a pair of data structures at each node – pub/priv key pairs owned by node & public keys of other users
• Private-Key Ring and Public-Key Ring
• Can view the ring as a table – each row represents one of the pub/priv key pairs
Private key ring
• Private key ring can be indexed by either userID or KeyID
• Private key is encrypted by CAST-128. The procedure is as follows:
1 User selects a passphrase to be used for encrypting private keys.
2 When the system generates a new pub/priv key pair using RSA, it asks the user for the passphrase. Using SHA-1, a 160-bit hash code is generated from the passphrase, and the passphrase is then discarded.
3 System encrypts the private key using CAST-128 with 128 bits of the hash code as the key
• When the user accesses the private key ring to retrieve a private key, he must supply the passphrase.
• PGP will retrieve the encrypted private key, generate the hash code of the passphrase and decrypt the encrypted private key using CAST-128 with the hash code.
Private key ring (“my” key-pairs)
• Private key stored encrypted with passphrase
• “Private Key Ring” also contains “my” public keys
Key Ring Structure
The owner’s public key(s) appear on both key rings
PGP Message Generation & Transmission
PGP Message Generation & Transmission has the following steps
• Signing the message
• Encrypting the message
PGP Message Reception has the following steps
• Decrypting the message
• Authenticating the message
PGP Message Reception
Public Key Management
• PGP contains a clever, efficient, interlocking set of functions and formats to provide confidentiality and authentication
• Approaches to public key management
• A wants to obtain a reliable public key of B
1. Physically get the key from B
2. Verify a key by telephone or email
3. Obtain B’s public key from a mutually trusted individual friend D
4. Obtain B’s public key from a trusted certifying authority
For cases 3 and 4, Alice would already have a copy of the introducer’s public key and trust that this key is valid. Ultimately, it is up to Alice to assign a degree of trust to anyone who is to act as an introducer.
Use of Trust
• Associated with each public key is a
• key legitimacy field – extent to which PGP will trust that this is a valid public key
• (the higher the level of trust, the stronger the binding of this user ID to this key; zero or more signatures collected by key ring owner)
• Field derived from collection of signature trust fields in entry.
• Signature trust field – degree to which PGP user trusts the signer to certify public keys
• Owner trust field – degree to which this public key is trusted to sign other public-key certificates
– Level of trust assigned by user.
– Contained in a structure referred to as a trust flag byte
Use of Trust
PGP provides a convenient means of using trust.
Earlier, when Alice entered a new key in her public-key ring, PGP asked her to assign a level of trust to the owner of this key (if it’s her own public key, value is ultimate trust). This was entered in the Owner Trust field and will be used if Alice later receives keys signed by this person.
When Alice enters another new public key, one or more signatures may be attached (in the Signature(s) field). Alice’s PGP will search her public-key ring to see if the author of this signature is already on her key ring. If so, PGP will copy her earlier assessment of this person’s trust into the Signature Trust field for this person (otherwise the value of this field will be unknown user).
PGP will compute the weighted average of the Signature Trust values and assign this to the Key Legitimacy field. This field summarizes the confidence that Alice can have that this public key actually belongs to the person in the UserID field.
Dealing with public key ring of user A
• Trust processing operates as follows:
1) When A inserts a new public key on the public key ring, PGP must assign a value to the trust flag associated with the owner of this public key.
• If the owner is A, then this public key also appears in the private key ring, and a value of ultimate trust is automatically assigned to the trust field.
• Otherwise PGP asks A for an assessment of the trust to be assigned to the owner of this key, and A must enter the desired level.
• The user can specify that the owner is unknown, untrusted, marginally trusted, completely trusted, etc.
Contd…
2) When a new public key is entered, one or more signatures may be attached to it.
• When a signature is inserted into the entry, PGP searches the public key ring to see if the author of the signature is among the known public key owners
• If so, the OWNERTRUST value for this owner is assigned to the SIGNTRUST field for this signature.
• If not, an unknown user value is assigned
3) The value of the key legitimacy field is calculated on the basis of the signature trust fields present in the entry.
• If at least one signature has a signature trust value of ultimate, the key legitimacy field value is set to complete.
• Otherwise PGP computes a weighted sum of the trust values.
Trust Flag Byte Contents
PGP Trust Model Example
PGP Trust Model
1 All keys whose owners are fully or partially trusted by this user have been signed by this user (YOU), except node L. Even though E’s key is already signed by trusted F, the user chose to sign E’s key directly.
2 Two partially trusted signatures are sufficient to certify a key. The key for user H is deemed legitimate by PGP because it is signed by A and B, both partially trusted.
3 A key may be legitimate because it is signed by one fully trusted or two partially trusted signatories, but its user may not be trusted to sign other keys.
Example: N’s key is legitimate because it is signed by E, whom this user trusts, but N is not trusted to sign other keys because this user has not assigned a trust value to N. R’s key is signed by N, but PGP does not consider R’s key legitimate.
4 Detached orphan node S with two unknown signatures. Such a key may have been acquired from a key server.
PGP can’t assume that this key is legitimate. The user must declare the key legitimate by signing it or by telling PGP that it is willing to trust one of the key’s signatories.
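The three trust-processing steps and the cases of the trust model example, worked through in code as an added example that is not part of the original slides. The weights (one fully trusted or two partially trusted signatures reach the threshold) follow the slide; the rule that a signature only counts when the signer's own key is already legitimate, the entry `Q` and all class and function names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Trust levels named on the slides
UNKNOWN, UNTRUSTED, MARGINAL, COMPLETE, ULTIMATE = range(5)
# Weights in half-units: one complete or two marginal signatures certify a key.
WEIGHT = {MARGINAL: 1, COMPLETE: 2}
THRESHOLD = 2


@dataclass
class Entry:
    owner_trust: int = UNKNOWN                     # OWNERTRUST, set by the ring owner
    signed_by: list = field(default_factory=list)  # user IDs of the signers
    sig_trust: dict = field(default_factory=dict)  # SIGNTRUST per signature
    legitimate: bool = False                       # key legitimacy


def process_ring(ring):
    """Recompute SIGNTRUST and key legitimacy for every entry on the ring."""
    for entry in ring.values():
        # Step 1: the owner's own key carries ultimate trust.
        entry.legitimate = entry.owner_trust == ULTIMATE
    changed = True
    while changed:                                 # legitimacy can cascade
        changed = False
        for entry in ring.values():
            # Step 2: copy the signer's OWNERTRUST, or "unknown user".
            entry.sig_trust = {
                s: ring[s].owner_trust if s in ring and ring[s].legitimate else UNKNOWN
                for s in entry.signed_by
            }
            trusts = list(entry.sig_trust.values())
            # Step 3: ultimate signature, or weighted sum over the threshold.
            certified = (ULTIMATE in trusts
                         or sum(WEIGHT.get(t, 0) for t in trusts) >= THRESHOLD)
            if certified and not entry.legitimate:
                entry.legitimate = True
                changed = True
    return {uid: e.legitimate for uid, e in ring.items()}


def example_ring():
    """Subset of the slide's example graph, plus one constructed entry (Q)."""
    return {
        "YOU": Entry(ULTIMATE),
        "A": Entry(MARGINAL, ["YOU"]),
        "B": Entry(MARGINAL, ["YOU"]),
        "E": Entry(COMPLETE, ["YOU", "F"]),
        "F": Entry(COMPLETE, ["YOU"]),
        "H": Entry(UNKNOWN, ["A", "B"]),    # two partially trusted signers
        "N": Entry(UNKNOWN, ["E"]),         # legitimate, but not trusted to sign
        "R": Entry(UNKNOWN, ["N"]),         # signed only by N
        "S": Entry(UNKNOWN, ["X1", "X2"]),  # orphan: signers not on the ring
        "Q": Entry(UNKNOWN, ["A"]),         # constructed: one partial signer only
    }
```

Appending `"YOU"` to `S`'s signers and re-running `process_ring` makes `S` legitimate, which is the "declare the key legitimate by signing it" case.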
PGP “Web of Trust”
The idea behind the various trust fields in the public key ring is to establish a “Web of Trust” among a community of users.
If Alice trusts only Abe to sign certificates, then she won’t believe certificates from Martha or Emily are genuine. If she also trusts Bob’s judgment about signing certificates, she can trust Emily’s certificate; if she also trusts Carl, she can trust everyone’s certificate.
S/MIME
S/MIME
• Secure/Multipurpose Internet Mail Extension: a security enhancement to MIME, the Internet e-mail format standard
• S/MIME will probably emerge as the industry standard for commercial and organizational use.
• PGP is used for personal e-mail security
Overview of E-mail:
The message is constructed under RFC 822, then passed to SMTP (RFC 821) for transmission.
S/MIME includes a secure development of RFC 822/MIME
Simple Mail Transfer Protocol (SMTP, RFC 822)
• MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP
• SMTP Limitations - Can not transmit, or has a problem with:
– executable files, or other binary files (jpeg image)
– “national language” characters, represented as 8-bit codes with values of 128 decimal; SMTP is limited to 7-bit ASCII
– mail messages over a certain size, which may be rejected
– ASCII to EBCDIC translation problems (not consistent mapping)
– lines longer than a certain length (72 to 254 characters)
S/MIME
• MIME is compatible with existing RFC 822 implementations
• Specification provided in RFC 2045 through 2049
• Five new message header fields are defined, which provide information about the body of the message.
• A number of content formats are defined
• A transfer encoding is defined that enables conversion to any format
Headers
■ contain readable text (ASCII)
■ are divided into lines
■ each line of form <keyword> : <value>
Keywords To and From are required, others optional
MIME – Multipurpose Internet Mail Extensions (RFC 1521, 1993)
In the body of the message we would like to be able to include items such as:
■ messages in languages with accents
■ Messages in non-Latin alphabets (Arabic, Russian, Hebrew)
■ Messages in languages without alphabets (Chinese and Japanese)
■ Messages not containing any kind of text (audio and video)
Such material may contain an arbitrary bit string.
Sender must “disguise” (mask or hide) non-ASCII information as ASCII
This will be reversed by the receiver, to give the bit string.
RFC 822 states that the message can consist only of ASCII text.
From point of view of receiver:
If you receive this ASCII message how do you know what it is?
Example: Content-Transfer-Encoding says “radix-64 conversion”
Now you know that the message is a bit string that the sender has converted to radix-64 – you can recover the bit string, but you still don’t know what it is (image? Audio?)
MIME header: Content-Type says “image/jpeg”, which tells you how to process the received message.
Header fields in MIME
• MIME-Version: Must be value “1.0” -> conforms to RFC 2045, RFC 2046
• Content-Type: More types being added by developers. Describes data contained in the body with sufficient detail
• Content-Transfer-Encoding: How message has been encoded (radix-64). Type of transformation used to represent data to users
• Content-ID: Unique identifying character string.
• Content-Description: Needed when content is not readable text (e.g., mpeg)
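The sender-side disguise and the receiver-side questions ("how was it encoded?", "what is it?") from the preceding slides, shown with Python's standard `email` package as an added example that is not part of the original slides. The addresses, the sample payload (constructed bytes, not a real image) and the helper names are assumptions; the 254-character limit is the upper end of the range quoted on the SMTP limitations slide.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_LINE = 254  # upper end of the line-length range quoted on the slide

# Constructed sample payload: 8-bit octets on one long line, not a real JPEG.
FAKE_IMAGE = b"\xff\xd8\xff\xe0" + bytes(range(0x80, 0x100)) * 4


def smtp_problems(data):
    """Return which of the listed SMTP limitations a raw body would hit."""
    problems = []
    if any(octet > 127 for octet in data):
        problems.append("non-ASCII octets")
    if any(len(line) > MAX_LINE for line in data.splitlines()):
        problems.append("line too long")
    return problems


def send(payload, maintype, subtype):
    """Sender: disguise an arbitrary bit string as ASCII and label it."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"   # constructed addresses
    msg["To"] = "bob@example.org"
    # Adds the Content-Type, Content-Transfer-Encoding and MIME-Version headers.
    msg.set_content(payload, maintype=maintype, subtype=subtype, cte="base64")
    return msg.as_bytes()


def receive(wire):
    """Receiver: the headers say how to undo the encoding and what the bits are."""
    msg = message_from_bytes(wire, policy=policy.default)
    return {
        "mime_version": str(msg["MIME-Version"]),
        "encoding": str(msg["Content-Transfer-Encoding"]),
        "type": msg.get_content_type(),
        "body": msg.get_content(),      # transfer encoding reversed
    }
```

The raw payload trips both checks in `smtp_problems`, while the message returned by `send` trips neither; `receive` gets the original octets back only because Content-Transfer-Encoding names the transformation to reverse.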
Header fields in MIME
S/MIME will add new subtypes to Application and Multipart
S/MIME Functions
• Enveloped Data: Encrypted content and encrypted session keys for recipients.
• Signed Data: Message Digest encrypted with private key of “signer.”
• Clear-Signed Data: Signed but not encrypted.
– message ASCII only, signature with radix-64 (recipients without S/MIME can view message, but cannot verify the signature)
• Signed and Enveloped Data: Various orderings for encrypting and signing.
S/MIME Functionality - continued
► Enveloped data: encrypted content plus encryption keys
PGP equivalent: plus radix-64 conversion
Radix-64 conversion
S/MIME Functionality - continued
► Signed data: message plus digital signature
(can be viewed only by recipient with S/MIME capability)
PGP equivalent: plus radix-64 conversion
Radix-64 conversion after compression
► Clear-signed data function: only the digital signature is converted to radix-64; the message is “in the clear”
S/MIME Functionality - continued
► Signed and enveloped data
PGP equivalent:
Algorithms Used
• Message Digesting: SHA-1 and MD5
• Digital Signatures: DSS
• Secret-Key Encryption: Triple-DES, RC2/40 (exportable)
• Public-Private Key Encryption: RSA with key sizes of 512 and 1024 bits, and Diffie-Hellman (for session keys).
Cryptographic Algorithms Used in S/MIME
S/MIME Message Type
• Enveloped Data
• Signed Data
• Clear Signing
• Registration Request: application or user applies to a certification authority for a public-key certificate; includes a certificationInfo block followed by an identifier of the public key
• Certification-Only Message: message containing only a certificate or CRL, in response to a registration request.
S/MIME Certificate Processing
S/MIME uses X.509 version 3
“Hybrid between a strict X.509 hierarchy and PGP’s web of trust.”
S/MIME does not set up a global system like the Domain Name System, to retrieve public-key certificates with minimal effort.
Rather, each user, or user group, takes responsibility for obtaining the certificates of individuals with whom they want to correspond securely.
User Agent Role
• S/MIME uses Public-Key Certificates - X.509 version 3 signed by Certification Authority
• Several key management functions:
– Key Generation – MUST: Diffie-Hellman, DSS; SHOULD: RSA key-pairs.
– Registration – user’s public keys must be registered with X.509 CA.
– Certificate Storage - Local (as in browser application) for different services. On behalf of the user, some local administrative entity maintains the certification list.
– Signed and Enveloped Data - Various orderings for encrypting and signing.
Verisign Certificates
• Several companies provide CA (certification authority) services
• Nortel provides S/MIME support
• Internet-based CAs: Verisign, GTE, U.S. Postal Service
• Verisign is the most used CA service compatible with S/MIME and other applications.
• Issues certificates with the product name Verisign Digital ID.
• Digital ID contains
– Owner’s public key
– Owner’s name or alias
– Expiration date of Digital ID
– Serial no. of Digital ID
– Name of CA that issued Digital ID
– Signature of CA
• Also contains user-supplied info
• Address, e-mail address, basic registration info
User Agent Role
• Example: Verisign (www.verisign.com)
– Class-1: Buyer’s email address confirmed by emailing vital info. Digital ID is sent as well as a PIN.
– Class-2: Automated comparison with online database. Postal address is confirmed as well, and data checked against directories. Digital ID is sent to postal address.
– Class-3: Buyer must appear in person, or send notarized documents.
VeriSign Public-Key Certificate Classes
Table 7.8 Verisign Public-Key Certificate Classes