COMPSCI 316 (Network Security)
Email Security Cont
Manoranjan Mohanty
9/25/2019 1
https://commons.wikimedia.org/wiki/File:Email_Shiny_Icon.svg
Some slides are taken from http://cse.unl.edu/~ylu
S/MIME (Secure MIME)
Security enhancement to MIME
Security services provided by S/MIME:
• Authentication (digital signature – RSA/SHA-256)
• Message integrity (digital signature)
• Privacy and confidentiality (encryption – AES)
S/MIME also provides:
• Compression (format not specified)
• Email compatibility (base-64 encoding)
New content types are added to MIME to provide the security extension
S/MIME Message Communication
Before an email sender sends S/MIME emails, she has two jobs:
1) Determine whether the receiver is capable of decrypting with a given encryption algorithm
2) If the receiver is capable of a weak encryption algorithm, decide whether it is acceptable to send the message using that weak algorithm
To enforce this, the following rules are followed:
1) If the sender knows the receiver's preferred decryption capabilities, the sender SHOULD use the highest-preference capability
S/MIME Message Communication
To enforce this, the following rules are followed (continued):
2) If the preference list is not available but the sender has previously received a message from the receiver, the sender SHOULD use the encryption algorithm that was used in the last received message
3) If the sender has no clue about the receiver's capability, but is willing to risk that the receiver may not be able to decrypt the message, the sender SHOULD use triple DES
4) If the sender has no clue about the receiver's capability, and is not willing to risk that the receiver may not be able to decrypt the message, the sender MUST use RC2/40
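The two jobs and the four rules above as one decision function, written in Go as an added example (it is not from the slides or from any S/MIME implementation). The capability list, the policy fields and the algorithm names are assumptions; it goes slightly beyond rule 1 by skipping receiver preferences the sender itself does not support, and it applies the weak-algorithm decision (job 2) to whichever rule fired.

```go
package main

import "fmt"

// ReceiverKnowledge is what the sender may know about the receiver's decryption capabilities.
type ReceiverKnowledge struct {
	Preferred   []string // receiver's advertised capabilities, most preferred first (if known)
	LastUsedAlg string   // algorithm used in the last message received from this receiver, if any
}

// Policy captures the sender's own two jobs from the slide: which algorithms it
// supports, which it regards as weak, and whether a weak one may be used at all.
type Policy struct {
	Supported         map[string]bool
	Weak              map[string]bool
	AcceptWeak        bool // job 2: is sending with a weak algorithm acceptable?
	RiskUndecryptable bool // rule 3 vs 4: accept that the receiver may be unable to decrypt?
}

// ChooseContentEncryption applies rules 1-4 in order, then the weak-algorithm check.
func ChooseContentEncryption(k ReceiverKnowledge, p Policy) (string, error) {
	alg := ""
	for _, a := range k.Preferred { // rule 1: highest preference the sender also supports
		if p.Supported[a] {
			alg = a
			break
		}
	}
	if alg == "" {
		switch {
		case k.LastUsedAlg != "": // rule 2: reuse what the receiver used last time
			alg = k.LastUsedAlg
		case p.RiskUndecryptable: // rule 3: SHOULD use triple DES
			alg = "3DES"
		default: // rule 4: MUST use RC2/40
			alg = "RC2/40"
		}
	}
	if p.Weak[alg] && !p.AcceptWeak {
		return "", fmt.Errorf("only weak algorithm %s is usable for this receiver; policy forbids it", alg)
	}
	return alg, nil
}

func main() {
	// Sample sender policy (constructed); a current policy would list 3DES as weak too.
	p := Policy{Supported: map[string]bool{"AES-256": true, "3DES": true, "RC2/40": true},
		Weak: map[string]bool{"RC2/40": true}}
	fmt.Println(ChooseContentEncryption(ReceiverKnowledge{Preferred: []string{"AES-256", "3DES"}}, p))
	fmt.Println(ChooseContentEncryption(ReceiverKnowledge{}, p)) // falls to rule 4 and is rejected
}
```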
S/MIME Message
For S/MIME, new content types are added to MIME
The new content types use the designation PKCS (Public Key Cryptography Specifications)
PKCS is a group of public-key cryptography standards devised and published by RSA Security LLC
S/MIME Message Preparation
(Figure: message preparation flow)
1. MIME entity (the full message or one part of a multipart message)
2. MIME entity + security-related data (e.g., algorithm identifiers, certificates)
3. PKCS object
4. PKCS object used as the message content and wrapped in MIME
S/MIME Content Type
• EnvelopedData – encrypted data
• SignedData – digitally signed data
• CompressedData – compressed data
An application/pkcs7-mime subtype determines the specific content type
S/MIME EnvelopedData
Cryptography and Network Security Forouzan
• For each MIME entity, generate a content-encryption key (a symmetric key)
• For each receiver, encrypt the above key using the receiver's public RSA key
• For each receiver, prepare a block known as RecipientInfo that contains the receiver's certificate, the symmetric encryption scheme used, and the (encrypted) symmetric encryption key
S/MIME EnvelopedData
Cryptography and Network Security Forouzan
envelopedData = encrypted content + RecipientInfo (one block per receiver)
The envelopedData is then base-64 encoded
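The EnvelopedData construction of the two slides above, written in Go as an added example (not the slides' code and not a real S/MIME/CMS encoder; no ASN.1 or base-64 framing is produced). It assumes a name stands in for the receiver's certificate, and uses AES-256-GCM for the content and RSA-OAEP for key wrapping instead of the algorithms named on the slides; the receiver side shows why a message for several receivers carries one fresh content key and one RecipientInfo each.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// RecipientInfo, one per receiver: whom it is for (a certificate in real S/MIME,
// a name here), the symmetric scheme, and the CEK wrapped under that receiver's RSA key.
type RecipientInfo struct{ Recipient, ContentAlg string; WrappedCEK []byte }
// EnvelopedData = encrypted content + RecipientInfo blocks (base-64 is applied afterwards).
type EnvelopedData struct{ Recipients []RecipientInfo; Nonce, Ciphertext []byte }

// Envelope: one fresh content-encryption key (CEK) per MIME entity, encrypt the
// entity with it (AES-256-GCM), then wrap the CEK with RSA-OAEP once per receiver.
func Envelope(entity []byte, receivers map[string]*rsa.PublicKey) (*EnvelopedData, error) {
	cek, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(cek) // crypto/rand never returns a short read
	rand.Read(nonce)
	block, _ := aes.NewCipher(cek) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	ed := &EnvelopedData{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, entity, nil)}
	for name, pub := range receivers {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
		if err != nil {
			return nil, err
		}
		ed.Recipients = append(ed.Recipients, RecipientInfo{name, "AES-256-GCM", wrapped})
	}
	return ed, nil
}

// Open is the receiver side: find own RecipientInfo, unwrap the CEK, decrypt.
func Open(ed *EnvelopedData, name string, priv *rsa.PrivateKey) ([]byte, error) {
	for _, ri := range ed.Recipients {
		if ri.Recipient == name {
			cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ri.WrappedCEK, nil)
			if err != nil || len(cek) != 32 {
				return nil, rsa.ErrDecryption
			}
			block, _ := aes.NewCipher(cek)
			gcm, _ := cipher.NewGCM(block)
			return gcm.Open(nil, ed.Nonce, ed.Ciphertext, nil) // authenticated: tampering is detected
		}
	}
	return nil, rsa.ErrDecryption // nothing addressed to this receiver
}
```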
S/MIME SignedData
Cryptography and Network Security Forouzan
A single message can be signed by multiple signers, each using their own private key
Each signer prepares a SignerInfo that contains the signer's public-key certificate, the message digest algorithm, and the signature
signedData = content + SignerInfo (one block per signer)
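The SignedData structure of the slide above with several signers, written in Go as an added example (not the slides' code and not a real CMS SignedData encoder). It assumes the signer's bare RSA public key stands in for the certificate; real S/MIME verification would first validate that certificate through the chain of trust, since a signature that checks out under an untrusted key proves nothing about who signed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SignerInfo: the signer (its public key stands in for the certificate here),
// the digest algorithm, and the signature over the content.
type SignerInfo struct{ Signer, DigestAlg string; PublicKey *rsa.PublicKey; Signature []byte }

// SignedData = content + one SignerInfo per signer.
type SignedData struct{ Content []byte; Signers []SignerInfo }

// Sign adds one more signer; every signer signs the same content with its own private key.
func (sd *SignedData) Sign(name string, priv *rsa.PrivateKey) error {
	digest := sha256.Sum256(sd.Content)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	sd.Signers = append(sd.Signers, SignerInfo{name, "SHA-256", &priv.PublicKey, sig})
	return nil
}

// Verify checks every SignerInfo against the content and returns the signers;
// a message with no signer, or with one bad signature, fails as a whole. Whether
// an embedded key is trusted is a separate question (see certificate management).
func (sd *SignedData) Verify() ([]string, error) {
	if len(sd.Signers) == 0 {
		return nil, errors.New("no SignerInfo present")
	}
	digest := sha256.Sum256(sd.Content)
	var signers []string
	for _, si := range sd.Signers {
		if si.DigestAlg != "SHA-256" {
			return nil, errors.New("unsupported digest algorithm for " + si.Signer)
		}
		if err := rsa.VerifyPKCS1v15(si.PublicKey, crypto.SHA256, digest[:], si.Signature); err != nil {
			return nil, errors.New("bad signature from " + si.Signer)
		}
		signers = append(signers, si.Signer)
	}
	return signers, nil
}
```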
S/MIME Certificate Management
S/MIME uses a public-key cryptosystem (RSA) for digital signatures and also for encryption
PKI is used for key management; PKI uses a chain of trust
(Figure: chain of trust. Root CA at the top; below it CA1, CA2, …, CAn; below those CA1.2, CAn.1; the user's certificate at the bottom)
S/MIME Enhanced Security Services
Signed receipt: the email sender may ask for a signed receipt (as proof of email delivery) from the receiver of the email. This is typically implemented by the receiver signing the received email together with the sender's signature, and sending it back to the sender.
Security labels: a set of security information regarding the sensitivity of the email content. Can indicate priority (secret, restricted, etc.).
PGP (Pretty Good Privacy)
Essentially the same functionality as S/MIME
Initially, PGP was proprietary, but it was later made free, resulting in OpenPGP (which is popular nowadays)
OpenPGP vs S/MIME
S/MIME and OpenPGP differ in the way they handle key certification and distribution
S/MIME uses X.509 certificates issued by Certificate Authorities (CAs); a certificate is trusted if there is a valid "chain of trust"
In OpenPGP, users generate their own public/private key pairs, and then collect signatures on their key from people or organizations who hold OpenPGP certificates
In OpenPGP, a certificate is trusted if it is signed by someone the receiver trusts (web of trust)
Chain-of-Trust vs Web-of-Trust
https://0x00sec.org/t/pgp-the-web-of-trust/1404
https://users.ece.cmu.edu/~adrian/630-f04/PGP-intro.html
(Figures: Chain-of-Trust; Web-of-Trust)
PGP vs S/MIME
Certificate distribution: unlike S/MIME, OpenPGP does not include the public key with each message. The receiver must obtain the public key from the sender separately (e.g., via email, from the sender's website, or from OpenPGP public key servers).
DNS and DNSSEC
DNS (Domain Name System)
• The sender writes the receiver's address: [email protected]
• The Internet understands IP addresses (not auckland.ac.nz)
• So the sender's system asks DNS for the IP addresses of auckland.ac.nz
DNS Cont.
A directory lookup service that provides a mapping between the name of a host on the Internet and its numeric IP address
(Figure: DNS maps auckland.ac.nz to 172.217.9.229, similar to a phone book mapping Alice to +64 20 12****)
DNS Cont.
(Figure: DNS maps auckland.ac.nz to 172.217.9.229)
Basically, DNS is a database that contains multiple records (known as resource records) that hold IP addresses and other information:
• A record: name to IPv4 address mapping
• AAAA record: name to IPv6 address mapping
• MX record: mail exchange server information (required by email)
• TXT record: arbitrary text; can be used for various purposes, including providing security information
Use of DNS in Email
Finding the mail exchange server: the receiver's domain (e.g., [email protected]) can host both web servers and mail servers, so it is essential to find the IP addresses of the mail servers
The MX (mail exchange) record in DNS specifies the mail servers (and their priorities) responsible for accepting email messages on behalf of a domain name
The IP addresses of the mail servers are returned as DNS A records
Multiple servers are used for load balancing or backup
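The two-step MX-then-A lookup described above, written in Go as an added example (not from the slides and not a real resolver; it works over a constructed in-memory zone for the hypothetical domain example.test, so it runs offline). It shows how priorities order the mail hosts, how equal priorities give the load-balanced set and higher ones the backups, and that the domain's own A record (the web server) is not where mail goes. Like a plain DNS client, it takes the records as given; authenticating them is what DNSSEC, covered next, is for.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// RR is one resource record of a constructed zone: owner name, type and data
// ("<priority> <host>" for MX, an IPv4 address for A).
type RR struct{ Name, Type, Data string }
// Constructed zone for a hypothetical domain; example.test is not a real domain.
var Zone = []RR{
	{"example.test", "MX", "20 mx2.example.test"},
	{"example.test", "MX", "10 mx1.example.test"},
	{"example.test", "MX", "10 mx1b.example.test"},
	{"example.test", "A", "192.0.2.80"}, // the web server: not where mail is delivered
	{"mx1.example.test", "A", "192.0.2.25"},
	{"mx1b.example.test", "A", "192.0.2.26"},
	{"mx2.example.test", "A", "198.51.100.25"},
}
// MailHost is one entry in the delivery order a sending mail server builds.
type MailHost struct{ Priority int; Host string; Addrs []string }

func lookup(zone []RR, name, typ string) (out []string) {
	for _, rr := range zone {
		if rr.Name == name && rr.Type == typ {
			out = append(out, rr.Data)
		}
	}
	return out
}

// MailHosts performs the two-step lookup: MX records for the domain, ordered by
// priority (lowest first; equal priorities share the load), then an A lookup per host.
func MailHosts(zone []RR, domain string) ([]MailHost, error) {
	var hosts []MailHost
	for _, mx := range lookup(zone, domain, "MX") {
		var h MailHost
		if _, err := fmt.Sscanf(mx, "%d %s", &h.Priority, &h.Host); err != nil {
			return nil, fmt.Errorf("malformed MX record %q: %w", mx, err)
		}
		h.Addrs = lookup(zone, h.Host, "A")
		hosts = append(hosts, h)
	}
	if len(hosts) == 0 {
		return nil, errors.New("no MX record for " + domain)
	}
	sort.SliceStable(hosts, func(i, j int) bool { return hosts[i].Priority < hosts[j].Priority })
	return hosts, nil
}
```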
Use of DNS in Email
(Figure: example MX records, from https://workaround.org/ispmail/jessie/dns-mx-records)
Use of DNS in Email
(Figure: MX record and A record lookups, obtained using https://mxtoolbox.com/)
DNS Overview
DNS has to deal with a large number of domain names
How to provide efficient lookup? A central database similar to a phone book?
Instead: a distributed, scalable, and reliable database, known as the DNS database
DNS Overview
Has four main components:
• Domain name space
• DNS database
• Name server
• Resolver
Domain Name Space
A tree structure that arranges (for efficiency and effectiveness) the resources related to the DNS
(Figure: the domain name space tree. The root node "" has top-level nodes such as nz; below nz sits the second-level node ac; below ac sit the third-level nodes auckland and aut. A subtree such as the one under ac holds all DNS information related to "ac".)
TO BE CONTINUED
• See the next lecture
Acknowledgement
https://www.ripe.net/support/training/material/dnssec-training-course/dnssec-slides.pdf
https://www.huque.com/talks/2012-05-DNS-DNSSEC-Tutorial-huque.pdf
https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
cse.unl.edu/~ylu/csce855/notes/DNS.ppt
Network Security Essentials: Applications and Standards, Global Edition
Google Images