ITA, 3.11.2011, 7-SecureEmail.pptx 1
Internet Security 1 (IntSi1)
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
7 Secure Email
Security Protocols for the OSI Stack
Communication layers and their security protocols:
Application layer: ssh, S/MIME, PGP, Kerberos, WSS
Transport layer: SSL, TLS
Network layer: IPsec
Data Link layer: [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE 802.11i (WPA2)
Physical layer: Quantum Cryptography
7.1 S/MIME
MIME – Multipurpose Internet Mail Extension (RFC 1521 / RFC 1522)
From: [email protected]
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=boundary1

--boundary1
Content-Type: text/plain; charset=us-ascii

Dear Neo, please study the attached Word document.

--boundary1
Content-Type: application/msword; name="Matrix.doc"
Content-Transfer-Encoding: base64

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfH 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbTrfv=
--boundary1--
S/MIME – Signed Message Format I (RFC 1847 / RFC 2311 / PKCS #7)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary1

--boundary1
Content-Type: text/plain

This is a clear-signed message.
--boundary1
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfH 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbTrfv=
--boundary1--
The first body part (the text/plain part together with its MIME header) is the MIME entity to be signed; the second part carries the detached PKCS #7 signature.
S/MIME – Signed Message comprising Multiple Attachments
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary1

--boundary1
Content-Type: multipart/mixed; boundary=boundary2

... multipart message with various MIME types ...
--boundary1
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfH 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbTrfv=
--boundary1--
Here the MIME entity to be signed is the whole nested multipart/mixed entity, so one signature covers all attachments.
PKCS #7 – Public Key Cryptography Standard: Cryptographic Message Syntax Standard
• ASN.1 structure for the SignedData content type:
  version
  digestAlgorithms
  contentInfo (empty field when the content is carried in a separate MIME entity)
  certificates (OPTIONAL)
  crls (OPTIONAL)
  signerInfos (SET OF; several signers possible)
• ASN.1 structure for the SignerInfo type:
  version
  issuerAndSerialNumber
  digestAlgorithm
  authenticatedAttributes
  digestEncryptionAlgorithm
  encryptedDigest (the signature)
  unauthenticatedAttributes
Signed Message with Multiple Signatures
The same MIME entity (single-part or multi-part) is signed independently by each signer:
DigestAlgorithm #1 over the MIME entity, signed with Private Key #1, gives Signature #1
DigestAlgorithm #2 over the MIME entity, signed with Private Key #2, gives Signature #2
...
DigestAlgorithm #n over the MIME entity, signed with Private Key #n, gives Signature #n
Signed Email Message (Microsoft Outlook 2007)
S/MIME – Signed Message Format II (RFC 2311 / PKCS #7)
Content-Type: application/pkcs7-mime; smime-type=signed-data; name=smime.p7m
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfH 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbTrfv=
• The MIME content is carried within the PKCS #7 SignedData object.
• This alternative signing format is optionally used by MS Outlook.
• Pro: The MIME content is not prone to changes of the transfer encoding enforced by intermediate mail transfer agents.
• Contra: In order to read the embedded MIME message, the receiver's mail client must support S/MIME.
S/MIME – Configuration Options (Microsoft Outlook 2007)
S/MIME – Encrypted Message Format (RFC 2311 / PKCS #7)
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfH 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbTrfv=
• ASN.1 structure for the EnvelopedData content type:
  version
  recipientInfos (several recipients possible; each entry carries the encrypted symmetric key for one recipient)
  encryptedContentInfo:
    contentType
    contentEncryptionAlgorithm
    encryptedContent (the encrypted MIME entity, single-part or multi-part)
Encrypted Message with Multiple Recipients – Envelope using Symmetric Encryption
The MIME entity (single-part or multi-part) is encrypted once with a Random Key under the Symmetric Encryption Algorithm, giving the Encrypted MIME Entity.
The Random Key is then encrypted separately for each recipient:
Random Key encrypted with Public Key #1 gives Encrypted Key #1
Random Key encrypted with Public Key #2 gives Encrypted Key #2
...
Random Key encrypted with Public Key #n gives Encrypted Key #n
Encrypted Email Message (Microsoft Outlook 2007)
Signed and Encrypted Email Messages (Mozilla Thunderbird)
S/MIME – Signed and Encrypted Messages I: Signing before Encryption
Inner layer: the MIME entity to be signed is wrapped as
  Content-Type: application/pkcs7-mime; smime-type=signed-data; ...
  signedData SignedData ::= { ... contentInfo }
Outer layer: this signed object is the MIME entity to be encrypted and is wrapped as
  Content-Type: application/pkcs7-mime; smime-type=enveloped-data; ...
  envelopedData EnvelopedData ::= { ... encryptedContentInfo }
The result is the encrypted MIME entity.
• Signature(s) not visible before decryption (Anonymity)
S/MIME – Signed and Encrypted Messages II: Encryption before Signing
Inner layer: the MIME entity is wrapped as
  Content-Type: application/pkcs7-mime; smime-type=enveloped-data; ...
  envelopedData EnvelopedData ::= { ... encryptedContentInfo }
Outer layer: the encrypted MIME entity is the MIME entity to be signed and is wrapped as
  Content-Type: application/pkcs7-mime; smime-type=signed-data; ...
  signedData SignedData ::= { ... contentInfo }
• Signature(s) can be checked before decryption (Trust)
Signing before Encryption (Microsoft Outlook 2007)
S/MIME – Managing Certificates (Mozilla Thunderbird)
S/MIME – Certificates (own and other people's) (Mozilla Thunderbird)
S/MIME – Certification Authorities (Mozilla Thunderbird)
S/MIME – Account Settings (Mozilla Thunderbird)
S/MIME Summary
• Sign: Antje writes "Dear Bodo, … Antje" and signs it with her private key. Bodo verifies the signature with Antje's public key, taken from Antje's certificate (issued by Kool CA, certificate #2), and verifies that certificate with the Kool CA public key from the Kool CA's own certificate (#0).
• Encrypt: Bodo writes "Dear Antje, … Bodo" and encrypts it with Antje's public key, taken from her certificate (Kool CA, #2). Antje decrypts with her private key. Bodo's own certificate is Kool CA #3.