Date posted: 19-Feb-2020
Page 1: COMPSCI 316 (Network Security) Email Security · Cryptography and Network Security Forouzan For each MIME entity, generate a content encryption ... (Domain Name System) 9/25/2019

COMPSCI 316 (Network Security)

Email Security Cont

Manoranjan Mohanty

[email protected]

9/25/2019 1

https://commons.wikimedia.org/wiki/File:Email_Shiny_Icon.svg

Some slides are taken from http://cse.unl.edu/~ylu

Page 2

S/MIME (Secure MIME)

Security enhancement to MIME.

Security services provided by S/MIME:

• Authentication (digital signature, RSA/SHA-256)
• Message integrity (digital signature)
• Privacy and confidentiality (encryption, AES)

S/MIME also provides:

• Compression (format not specified)
• Email compatibility (base-64)

New content types to MIME for providing security extension

Page 3

S/MIME Message Communication

Before an email sender sends S/MIME emails, she has two jobs.

1) She must determine whether the receiver is capable of decrypting with a given encryption algorithm.

2) If the receiver is only capable of a weak encryption algorithm, the sender must decide whether it is acceptable to send the message using that weak algorithm.

To enforce this, the following rules are followed:

1) If the sender knows the preferred decrypting capabilities of the receiver, the sender SHOULD use the highest-preference capability.

Page 4

S/MIME Message Communication

The following rules are followed (continued):

2) If the preference list is not available but the sender has previously received a message from the receiver, the sender SHOULD use the encryption algorithm that was used in the last received message.

3) If the sender has no knowledge of the receiver's capabilities, but is willing to risk that the receiver may not be able to decrypt the message, the sender SHOULD use triple DES.

4) If the sender has no knowledge of the receiver's capabilities, and is not willing to risk that the receiver may not be able to decrypt the message, the sender MUST use RC2/40.
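The two jobs and the four rules above, written out as one sender-side decision function. This is an added example, not code from the lecture or from any S/MIME implementation; the `WEAK_ALGORITHMS` set is an assumption (the slides name only RC2/40 as the weak fallback), and the `allow_weak` flag stands in for the sender's answer to job 2.

```python
# Added example (not from the lecture slides): the sender's two jobs and the
# four algorithm-selection rules from the slides, as one decision function.
from typing import Optional, Sequence

# Algorithms the slides name as fallbacks when nothing is known about the receiver.
RISKY_FALLBACK = "3DES"    # rule 3: stronger, but the receiver may not support it
SAFE_FALLBACK = "RC2/40"   # rule 4: almost universally supported, but weak

# Assumption: which algorithms the sender's policy classifies as weak. The
# slides name only RC2/40; extend this set to match local policy.
WEAK_ALGORITHMS = frozenset({"RC2/40"})


def choose_content_cipher(
    receiver_prefs: Optional[Sequence[str]],
    last_received_alg: Optional[str],
    willing_to_risk: bool,
    allow_weak: bool = False,
) -> str:
    """Pick the content-encryption algorithm for an outgoing S/MIME message.

    receiver_prefs    -- the receiver's advertised capabilities, most preferred
                         first (e.g. from an SMIMECapabilities attribute in a
                         signed message received earlier); None or empty if unknown
    last_received_alg -- algorithm used in the last message received from the
                         receiver; None if nothing was received
    willing_to_risk   -- whether the sender accepts that the receiver may be
                         unable to decrypt (chooses between rules 3 and 4)
    allow_weak        -- the sender's answer to job 2: is a weak algorithm
                         acceptable at all?
    """
    if receiver_prefs:
        candidate = receiver_prefs[0]          # rule 1: highest preference
    elif last_received_alg:
        candidate = last_received_alg          # rule 2: reuse the last one seen
    elif willing_to_risk:
        candidate = RISKY_FALLBACK             # rule 3
    else:
        candidate = SAFE_FALLBACK              # rule 4

    # Job 2: never send with a weak algorithm unless policy explicitly allows it.
    if candidate in WEAK_ALGORITHMS and not allow_weak:
        raise ValueError(f"{candidate} is weak and sender policy forbids it")
    return candidate


if __name__ == "__main__":
    print(choose_content_cipher(["AES-256-CBC", "3DES"], None, False))   # rule 1
    print(choose_content_cipher(None, "3DES", False))                    # rule 2
    print(choose_content_cipher(None, None, True))                       # rule 3
    print(choose_content_cipher(None, None, False, allow_weak=True))     # rule 4
```

Note that rule 4 only ever produces a result when the sender's policy permits a weak algorithm; with the default `allow_weak=False` the function refuses rather than silently downgrading, which is the check the slide's job 2 asks the sender to make.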

Page 5

S/MIME Message

For S/MIME, new content types are added to MIME. The new content types use the designation PKCS (Public Key Cryptography Specifications). PKCS is a group of public-key cryptography standards devised and published by RSA Security LLC.

Page 6

S/MIME Message Preparation

1) MIME entity (full message or part of a multipart message)

2) MIME entity + security-related data (e.g., algorithm, certificates)

3) PKCS object

4) PKCS object as the message content, wrapped in MIME

Page 7

S/MIME Content Type

• EnvelopedData: encrypted data
• SignedData: digitally signed data
• CompressedData

An application/pkcs7-mime subtype determines the specific content type.

Page 8

S/MIME EnvelopedData

Cryptography and Network Security Forouzan

• For each MIME entity, generate a content-encryption key (symmetric key).

• For each receiver, encrypt the above key using the receiver's public RSA key.

• For each receiver, prepare a block known as RecipientInfo that contains the receiver's certificate, the symmetric encryption scheme used, and the encrypted symmetric encryption key.

Page 9

S/MIME EnvelopedData

Cryptography and Network Security Forouzan

envelopedData = encrypted content + RecipientInfo

The envelopedData is then base-64 encoded.

Page 10

S/MIME SignedData

Cryptography and Network Security Forouzan

A single message can be signed by multiple signers, each using their own private key. Each signer prepares a SignerInfo that contains the signer's public-key certificate, the message digest algorithm, and the signature.

signedData = content + SignerInfo

Page 11

S/MIME Certificate Management

S/MIME uses a public-key cryptosystem (RSA) both for digital signatures and for encryption.

PKI is used for key management. PKI uses a chain-of-trust.

Figure: chain of trust from the Root CA, through intermediate CAs (CA1, CA2, ..., CAn, and below them CA1.2, CAn.1), down to the User.

Page 12

S/MIME Enhanced Security Services

Signed Receipt: the email sender may ask for a signed receipt (as proof of email delivery) from the receiver of the email. This is typically implemented by the receiver signing the received email together with the sender's signature, and sending it back to the sender.

Security Labels: a set of security information regarding the sensitivity of the email content. Can provide a priority (secret, restricted, etc.).

Page 13

PGP (Pretty Good Privacy)

Essentially the same functionality as S/MIME.

Initially PGP was proprietary, but it was later made free, resulting in OpenPGP (which is popular nowadays).

Page 14

OpenPGP vs S/MIME

S/MIME and OpenPGP differ in the way they handle key certification and distribution.

S/MIME uses X.509 certificates issued by Certificate Authorities (CAs). A certificate is trusted if there is a valid "Chain of Trust".

In OpenPGP, users generate their own public/private key pairs and then collect signatures for their key from people or organizations who hold OpenPGP certificates. In OpenPGP, a certificate is trusted if it is signed by someone the receiver trusts (Web-of-Trust).
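The two trust models, the chain-of-trust from the certificate-management slide and the web-of-trust described just above, as small validation routines over a constructed key store. This is an added example, not code from the lecture or from any S/MIME or OpenPGP implementation: it models only the trust structure (who issued or signed which key) and performs no cryptographic signature verification. The full/marginal introducer thresholds go beyond the slides and follow GnuPG's defaults (one fully trusted signer, or three marginally trusted ones); the CA names mirror the slide's tree, and all the keys and people are constructed.

```python
# Added example (not from the lecture slides): the two trust models from the
# slides as small validation routines over a constructed key store. It models
# only the trust structure ("A issued/signed B" is taken as given); no
# cryptographic signature checking is done here.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


# ---------- Chain-of-trust (S/MIME, X.509) ----------
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # name of the CA whose key signed this certificate


def build_chain(leaf: str, store: Dict[str, Cert], roots: Set[str],
                max_len: int = 8) -> Optional[List[str]]:
    """Follow issuer links from leaf upward; return [leaf, ..., root] or None.

    The chain is valid only if every certificate on the path is present in the
    store and the path ends at a root the receiver already trusts.
    """
    chain: List[str] = []
    name = leaf
    while len(chain) < max_len:           # bound the walk against issuer cycles
        cert = store.get(name)
        if cert is None:
            return None                   # missing intermediate: cannot verify
        chain.append(name)
        if name in roots:
            return chain
        if cert.issuer == cert.subject:
            return None                   # self-signed, but not a trusted root
        name = cert.issuer
    return None


# ---------- Web-of-trust (OpenPGP) ----------
@dataclass(frozen=True)
class PGPKey:
    owner: str
    signers: FrozenSet[str]  # owners whose keys have signed this key


def key_is_valid(owner: str, keyring: Dict[str, PGPKey], receiver: str,
                 full: Set[str], marginal: Set[str],
                 marginals_needed: int = 3) -> bool:
    """Decide whether the receiver should accept owner's key as genuine.

    Valid if the receiver signed it personally, if any fully trusted introducer
    signed it, or if at least marginals_needed marginally trusted introducers
    signed it (thresholds modelled on GnuPG's defaults, an assumption here).
    """
    key = keyring.get(owner)
    if key is None:
        return False
    if receiver in key.signers or key.signers & full:
        return True
    return len(key.signers & marginal) >= marginals_needed


# ---------- Constructed sample data mirroring the slide's CA tree ----------
CERT_STORE = {
    "Root CA": Cert("Root CA", "Root CA"),
    "CA1": Cert("CA1", "Root CA"),
    "CA1.2": Cert("CA1.2", "CA1"),
    "User": Cert("User", "CA1.2"),
    "Rogue Root": Cert("Rogue Root", "Rogue Root"),   # self-signed, untrusted
    "Impostor": Cert("Impostor", "Rogue Root"),
    "Orphan": Cert("Orphan", "CA9"),                  # issuer not in the store
}
TRUSTED_ROOTS = {"Root CA"}

KEYRING = {
    "bob": PGPKey("bob", frozenset({"alice"})),            # alice signed bob's key
    "carol": PGPKey("carol", frozenset({"bob"})),
    "dave": PGPKey("dave", frozenset({"erin", "frank", "gina"})),
    "hank": PGPKey("hank", frozenset({"erin"})),
}
ALICE_FULL = {"bob"}                       # alice fully trusts bob as an introducer
ALICE_MARGINAL = {"erin", "frank", "gina"}

if __name__ == "__main__":
    print(build_chain("User", CERT_STORE, TRUSTED_ROOTS))
    print(build_chain("Impostor", CERT_STORE, TRUSTED_ROOTS))
    for who in KEYRING:
        print(who, key_is_valid(who, KEYRING, "alice", ALICE_FULL, ALICE_MARGINAL))
```

The contrast the slide draws is visible in the two functions: the X.509 check has one fixed set of trust anchors and fails closed on any gap in the chain, while the OpenPGP check depends entirely on which introducers this particular receiver has chosen to trust.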

Page 15

Chain-of-Trust vs Web-of-Trust

Figure: Chain-of-Trust (left) vs Web-of-Trust (right). Sources: https://0x00sec.org/t/pgp-the-web-of-trust/1404 and https://users.ece.cmu.edu/~adrian/630-f04/PGP-intro.html

Page 16

PGP vs S/MIME

Certificate Distribution: unlike S/MIME, OpenPGP does not include the public key with each message. The receiver must obtain the public key from the sender separately (e.g., via email, from the sender's website, or from OpenPGP public key servers).

Page 17

DNS and DNSSEC

Page 18

DNS (Domain Name System)

The sender writes the receiver's address: [email protected]

The Internet understands IP addresses (not names such as auckland.ac.nz).

So the sender's system asks DNS for the IP address of auckland.ac.nz.

Page 19

DNS Cont.

A directory lookup service that provides a mapping from the name of a host on the Internet to its numeric IP address.

Similar to a "Phone Book":

DNS: auckland.ac.nz → 172.217.9.229
Phone Book: Alice → +64 20 12****

Page 20

DNS Cont.

Basically, a database that contains multiple records (known as resource records) which hold IP addresses and other information, e.g. auckland.ac.nz → 172.217.9.229.

• A record: name to IPv4 address mapping
• AAAA record: name to IPv6 address mapping
• MX record: mail exchange server information (required by email)
• TXT record: arbitrary text. Can be used for various purposes, including providing security information.

Page 21

Use of DNS in Email

Finding the mail exchange server: the receiver's domain (e.g., [email protected]) can host both web servers and mail servers, so it is essential to find the IP addresses of the mail servers.

The MX (mail exchange) record in DNS specifies the mail servers (and their priorities) responsible for accepting email messages on behalf of a domain name. The IP addresses of the mail servers are returned as DNS A records. Multiple servers are used for load balancing or back-up.
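The record types from the previous slide and the MX-then-A lookup described here, run over a constructed in-memory set of resource records. This is an added example, not code from the lecture or from any resolver; the domain, host names and addresses are constructed sample data (documentation address ranges), and the no-MX fallback to the domain's own A record goes beyond the slides (it is the implicit-MX rule of RFC 5321 section 5.1).

```python
# Added example (not from the lecture slides): MX and A record resolution for
# mail delivery over a constructed, in-memory set of resource records. The
# records and addresses below are constructed sample data (documentation
# address ranges), not real records for any domain.
from typing import List, NamedTuple, Tuple


class RR(NamedTuple):
    name: str      # owner name, fully qualified
    rtype: str     # record type: A, AAAA, MX, TXT, ...
    rdata: str     # record data: address, host name, or text
    pref: int = 0  # MX preference only: lower value = more preferred


RECORDS = [
    RR("example.test.", "A", "192.0.2.10"),
    RR("example.test.", "AAAA", "2001:db8::10"),
    RR("example.test.", "TXT", "v=spf1 mx -all"),       # security policy in TXT
    RR("example.test.", "MX", "mx1.example.test.", 10),
    RR("example.test.", "MX", "mx2.example.test.", 10),
    RR("example.test.", "MX", "backup.example.test.", 20),
    RR("mx1.example.test.", "A", "192.0.2.25"),
    RR("mx2.example.test.", "A", "192.0.2.26"),
    RR("backup.example.test.", "A", "198.51.100.25"),
    RR("nomx.test.", "A", "192.0.2.40"),                # a domain with no MX
]


def lookup(records: List[RR], name: str, rtype: str) -> List[RR]:
    """Return all records of one type for one owner name (an RRset)."""
    return [r for r in records if r.name == name and r.rtype == rtype]


def mail_servers(records: List[RR], domain: str) -> List[Tuple[int, str, List[str]]]:
    """Return (preference, host, IPv4 addresses) for each mail server of domain,
    most preferred first.

    Equal preferences (mx1/mx2 above) share the load; a higher preference
    (backup) is tried only when the lower ones fail. With no MX record at all,
    SMTP falls back to the domain's own address record with an implicit
    preference of 0 (RFC 5321 section 5.1; beyond what the slides state).
    """
    mx = lookup(records, domain, "MX")
    if not mx:
        return [(0, domain, [a.rdata for a in lookup(records, domain, "A")])]
    result = []
    for r in sorted(mx, key=lambda rec: rec.pref):   # stable: ties keep record order
        addrs = [a.rdata for a in lookup(records, r.rdata, "A")]
        result.append((r.pref, r.rdata, addrs))
    return result


def txt_records(records: List[RR], domain: str) -> List[str]:
    """TXT data for a domain; email security policies such as SPF live here."""
    return [r.rdata for r in lookup(records, domain, "TXT")]


if __name__ == "__main__":
    for pref, host, addrs in mail_servers(RECORDS, "example.test."):
        print(pref, host, addrs)
    print(mail_servers(RECORDS, "nomx.test."))
    print(txt_records(RECORDS, "example.test."))
```

A sending MTA works through the returned list in order, so the two preference-10 hosts are the normal delivery targets and `backup.example.test.` only receives mail when both are unreachable.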

Page 22

Use of DNS in Email

Figure source: https://workaround.org/ispmail/jessie/dns-mx-records

Page 23

Use of DNS in Email

Figure: MX record and A record lookup results, obtained using https://mxtoolbox.com/

Page 24

DNS Overview

DNS has to deal with a large number of domain names.

How to provide efficient lookup? A central database similar to a phone book? Instead, a distributed, scalable, and reliable database, known as the DNS database.

Page 25

DNS Overview

Has four main components:

• Domain name space
• DNS database
• Name server
• Resolver

Page 26

Domain Name Space

A tree structure that arranges (for efficiency and effectiveness) the resources related to the DNS

Figure: the domain name space tree. The root node (the empty label "") has top-level nodes (e.g., nz), which have second-level nodes (e.g., ac), which have third-level nodes (e.g., auckland, aut). All DNS information related to "ac" lives under the "ac" node.

Page 27

TO BE CONTINUED

• See the next lecture

Page 28

Acknowledgement

https://www.ripe.net/support/training/material/dnssec-training-course/dnssec-slides.pdf

https://www.huque.com/talks/2012-05-DNS-DNSSEC-Tutorial-huque.pdf

https://www.cloudflare.com/dns/dnssec/how-dnssec-works/

cse.unl.edu/~ylu/csce855/notes/DNS.ppt

Network Security Essentials: Applications and Standards, Global Edition

Google Images
