Date post: | 04-Apr-2018 |
Category: |
Documents |
Upload: | sana-saiyed |
View: | 216 times |
Download: | 0 times |
of 43
7/30/2019 PGP E-mail Security
1/43
E-mail security
Pretty Good Privacy
7/30/2019 PGP E-mail Security
2/43
Why Study E-mail Security?
After web browsing, e-mail is the mostwidely used network-reliant application.
Mail servers, after web servers, are the
most often attacked Internet hosts. Basic e-mail offers little security, counter
to public perception.
Good technical solutions are available, but
not widely used. If we understand why this is so, we might
understand something about whysecurity is hard.
7/30/2019 PGP E-mail Security
3/43
Threats to E-mail
Loss of confidentiality.
E-mails are sent in clear over open
networks. E-mails stored on potentially
insecure clients and mail servers.
Loss of integrity.
No integrity protection on e-mails;anybody be altered in transit or onmail server.
7/30/2019 PGP E-mail Security
4/43
Threats to E-mail
Lack of data origin authentication.
Is this e-mail really from the person
named in theFrom:field? Lack of non-repudiation.
Can I rely and act on the content?
(integrity) If so, can the sender later deny having
sent it? Who is liable if I have acted?
7/30/2019 PGP E-mail Security
5/43
Threats to E-mail
Lack of notification of receipt.
Has the intended recipient receivedmy e-mail and acted on it?
A message locally marked as sent
may not have been delivered.
7/30/2019 PGP E-mail Security
6/43
E-mail security
Secure E-mail Standards and
Products
Other now defunct standards: PEM(privacy enhanced mail), X.400.
S/MIME.
We focus on PGP
7/30/2019 PGP E-mail Security
7/43
S/MIME
(Secure/Multipurpose Internet Mail Extension)
Originated from RSA Data Security Inc. in
1995.
Further development by IETF S/MIME
working group at:
www.ietf.org/html.charters/smime-charter.html.
Version 3 specified in RFCs2630-2634.
Allows flexible client-client security throughencryption and signatures.
Widely supported, e.g. in Microsoft Outlook,
Netscape Messenger, Lotus Notes.
7/30/2019 PGP E-mail Security
8/43
PGP
(Pretty Good Privacy)
Freeware: Open PGP and variants:
www.openpgp.org, www.gnupg.org
Open PGP specified in RFC 2440 and definedby IETF Open PGP working group.
www.ietf.org/html.charters/openpgp-charter.html
Available as plug-in for popular e-mail clients,can also be used as stand-alone software.
7/30/2019 PGP E-mail Security
9/43
7/30/2019 PGP E-mail Security
10/43
PGP
(Pretty Good Privacy)
If all the personal computers in the
world260 millionwere put to work
on a single PGP encrypted message,it would still take an estimated 12million times the age of the universe,on average, to break a single
message.
7/30/2019 PGP E-mail Security
11/43
PGP
(Pretty Good Privacy)
PGP is an e-mail security program written by
Phil Zimmermann, based on the IDEA algorithm
for encryption of plaintext and uses the RSA
Public Key algorithm for encryption of theprivate key.
PGP incorporates tools for developing a public-
key trust model and public-key certificate
management.
7/30/2019 PGP E-mail Security
12/43
PGP
(Pretty Good Privacy)
PGP is an open-source freely available
software package for e-mail security. It
provides authentication;
confidentiality;
compression;
e-mail compatibility; and
segmentation and reassembly.
7/30/2019 PGP E-mail Security
13/43
PGP Services
Digital
signature
DSS/SHA or
RSA/SHA
A hash code of a message is
created using SHA-1. This
message digest is encrypted
using DSS or RSA with the
sender's private key andincluded with the message.
Message
encryption
CAST or IDEA or
Three-key Triple
DES with Diffie-
Hellman or RSA
A message is encrypted using
CAST-128 or IDEA or 3DES
with a one-time session key
generated by the sender. The
session key is encrypted using
Diffie-Hellman or RSA with the
recipient's public key and
included with the message.
7/30/2019 PGP E-mail Security
14/43
PGP
(Pretty Good Privacy)Compression ZIP A message may be
compressed, for storage or
transmission, using ZIP.
Emailcompatibility Radix 64conversion To provide transparency foremail applications, an
encrypted message may be
converted to an ASCII string
using radix 64 conversion.Segmentation To accommodate maximum
message size limitations,
PGP performs segmentation
and reassembly.
7/30/2019 PGP E-mail Security
15/43
PGP
(Pretty Good Privacy)
PGP Algorithms
Symmetric encryption: DES, 3DES, AES and others.
Public key encryption of sessionkeys: RSA or ElGamal.
Hashing: SHA-1, MD-5 and others.
Signature: RSA, DSS, ECDSA and others.
7/30/2019 PGP E-mail Security
16/43
PGP
(Pretty Good Privacy)
PGP use:
public keys for encrypting session
keys / verifying signatures. private keys for decrypting session
keys / creating signatures.
7/30/2019 PGP E-mail Security
17/43
17
PGP Operation Summary
7/30/2019 PGP E-mail Security
18/43
PGP
Alice: generates random symmetricprivate key, KS. encrypts message with KS (for efficiency) also encrypts KSwith Bobs public key. sends both K
S(m) and K
B(K
S) to Bob.
Alice wants to send confidential e-mail, m, to Bob.
KS( ).
KB( ).+
+ -
KS(m )
KB(KS )+
m
KS
KS
KB+
Internet
KS( ).
KB( ).-
KB-
KS
mKS(m )
KB(KS )+
7/30/2019 PGP E-mail Security
19/43
PGP
Bob: uses his private key to decrypt and recover KS uses KS to decrypt KS(m) to recover m
Alice wants to send confidential e-mail, m, to Bob.
KS( ).
KB( ).+
+ -
KS(m )
KB(KS )+
m
KS
KS
KB+
Internet
KS( ).
KB( ).-
KB-
KS
mKS(m )
KB(KS )+
7/30/2019 PGP E-mail Security
20/43
PGP
Alice wants to provide sender authentication messageintegrity.
Alice digitally signs message. sends both message (in the clear) and digital signature.
H( ). KA( ).-
+ -
H(m )KA(H(m))
-
m
KA-
Internet
m
KA( ).+
KA+
KA(H(m))
-
m
H( ). H(m )
compare
7/30/2019 PGP E-mail Security
21/43
PGP
(Pretty Good Privacy)
PGP Key Rings
PGP supports multiple public/private
keys pairsper sender/recipient. Keys stored locally in a PGP Key Ring essentially a database of keys.
Private keys stored in encrypted form;
decryption key determined by user-entered pass-phrase.
7/30/2019 PGP E-mail Security
22/43
PGP Message Generation
7/30/2019 PGP E-mail Security
23/43
PGP Message Generation
The sending PGP entity performs the following steps:
Signs the message:
PGP gets senders private key from key ring using
its user id as an index. PGP prompts user for passphrase to decrypt
private key.
PGP constructs the signature component of the
message.
Encrypts the message: PGP generates a session key and encrypts the
message.
PGP retrieves the receiver public key from the key
ring using its user id as an index.
PGP constructs session component of message
7/30/2019 PGP E-mail Security
24/43
PGP Message Reception
7/30/2019 PGP E-mail Security
25/43
PGP Message Reception
The receiving PGP entity performs the following steps:
Decrypting the message:
PGP get private key from private-key ring using Key IDfield in session key component of message as an index.
PGP prompts user for passphrase to decrypt privatekey.
PGP recovers the session key and decrypts themessage.
Authenticating the message:
PGP retrieves the senders public key from the public-
key ring using the Key ID field in the signature keycomponent as index.
PGP recovers the transmitted message digest.
PGP computes the message for the received messageand compares it to the transmitted version forauthentication.
7/30/2019 PGP E-mail Security
26/43
PGP
(Pretty Good Privacy)
Key Management for PGP
Public keys for encrypting session keys /
verifying signatures.
Private keys for decrypting session keys /
creating signatures.
Where do these keys come from and on what
basis can they be trusted?
7/30/2019 PGP E-mail Security
27/43
PGP
(Pretty Good Privacy)
PGP adopts a trust model called the web oftrust.
No centralised authority
Individuals sign one anothers public keys,
these certificates are stored along with
keys in key rings.
PGP computes a trust levelfor each publickey in key ring.
Users interpret trust level for themselves.
7/30/2019 PGP E-mail Security
28/43
28
PGP Compression
PGP can also compress themessage if desired. Thecompression algorithm is ZIP andthe decompression algorithm isUNZIP.
1. The original message mis signedusing private key Adto obtain
c=pk.encryptAd(SHA(m))
7/30/2019 PGP E-mail Security
29/43
29
2. Now the original message miscompressed to obtain
M=ZIP(m)
3. Alice generates a session key k and
encrypts the compressed message andthe signature using the session key
C=sk.encryptk(M,c)
4. The session key is encrypted using Bobspublic key as before.
7/30/2019 PGP E-mail Security
30/43
30
5. Alice sends Bob the encrypted sessionkey and ciphertext C.
6. Bob decrypts the session key using hisprivate key and then uses the sessionkey to decrypt the ciphertext Cto obtainMand c
(M,c) = sk.decryptk(C)
7. Bob decompresses the message Mtoobtain the original message m
m=UNZIP(M)
7/30/2019 PGP E-mail Security
31/43
31
8. Now Bob has the original message mand signature c. He verifies the signature
using SHA-1 and Alices public key asbefore.
Note that the compression is appliedafter signing (due to implementation ofZIP) but before encryption (this
strengthens the security of the schemesince the message has less redundancyafter compression)
7/30/2019 PGP E-mail Security
32/43
32
PGP E-Mail Compatibility
Many electronic mail systems can
only transmit blocks ofASCII text.
This can cause a problem whensending encrypted data since
ciphertext blocks might not
correspond to ASCII characters which
can be transmitted.
PGP overcomes this problem by using
radix-64 conversion.
7/30/2019 PGP E-mail Security
33/43
33
Radix-64 conversion
Suppose the text to be encrypted has
been converted into binary using
ASCII coding and encrypted to give aciphertext stream of binary.
Radix-64 conversion maps arbitrary
binary into printable characters as
follows:
7/30/2019 PGP E-mail Security
34/43
34
Radix-64 conversion
1. The binary input is split into blocksof 24 bits (3 bytes).
2. Each 24 block is then split into foursets each of 6-bits.
3. Each 6-bit set will then have a valuebetween 0 and 26-1 (=63).
4. This value is encoded into aprintable character.
7/30/2019 PGP E-mail Security
35/43
35
6 bit
value
Character
encoding
6 bit
value
Character
encoding
6 bit
value
Character
encoding
6 bit
value
Character
encoding
0
1
23
4
5
6
7
8
9
10
11
12
1314
15
A
B
CD
E
F
G
H
I
J
K
L
M
NO
P
16
17
1819
20
21
22
23
24
25
26
27
28
2930
31
Q
R
ST
U
V
W
X
Y
Z
a
b
c
de
f
32
33
3435
36
37
38
39
40
41
42
43
44
4546
47
g
h
ij
k
l
m
n
o
p
q
r
s
tu
v
48
49
5051
52
53
54
55
56
57
58
59
60
6162
63
(pad)
w
x
yz
0
1
2
3
4
5
6
7
8
9+
/
=
7/30/2019 PGP E-mail Security
36/43
36
PGP Segmentation
Another constraint of e-mail is that
there is usually a maximum message
length.PGP automatically blocks an
encrypted message into segments of
an appropriate length.
On receipt, the segments must be re-
assembled before the decryption
process.
7/30/2019 PGP E-mail Security
37/43
37
Key Issues
1. Key Generation
Recall that a new session key is
required each time a message isencrypted. How are these keys
generated?
PGP uses the timing of key strokes
and key patterns to generate
random numbers.
7/30/2019 PGP E-mail Security
38/43
38
2. Key Identifiers
PGP allows users to have more
than one public/private key pair
To increase security To ease the key changeover period
So how does Bob know which set
of keys he should be using?
7/30/2019 PGP E-mail Security
39/43
39
In the case of encryption, (Alice usesBobs public key) Alice can send Bob the
public key with the message since this isnot secret (in fact Alice only sends the 64least significant bits so that Bob canidentify the key).
In the case of digital signatures Alice usesher private key and Bob uses Alicescorresponding public key. Alice cannotsend Bob her private key, but she can lookup the corresponding public key and sendthe 64 least significant bits of that.
7/30/2019 PGP E-mail Security
40/43
40
So a PGP message might consist
of:
Message component the actual datato be transmitted + a filename + atimestamp;
Signature component timestamp +hash of message and timestamp +first part of message (so user can
check that they are decryptingcorrectly) + Key ID of senders publickey
Session Key component session
key + key ID of recipients public key
7/30/2019 PGP E-mail Security
41/43
PGP
(Pretty Good Privacy)
Security of PGP There are many known attacks against
PGP.
Attacks against cryptoalgorithms are not themain threat
IDEA is considered strong, and whilecryptoanalysis advances, it should be
strong still for some time. RSA may or may not be strong. There are
recent rumors of possible fast factorizationalgorithms..
The main threats are much more simple.
7/30/2019 PGP E-mail Security
42/43
PGP
(Pretty Good Privacy)
An attacker may socially engineer himselfinto a web of trust, or some trustable personmay change. Then he could falsify public
keys. This breaks most of the security. PGP binaries can be corrupted when they
are obtained.
The PGP binaries can be modified in the
computer. The passphrase can be obtained by a
Trojan. Weak passphrases can be cracked.
On multiuser system, access to the secret
key can be obtained.
7/30/2019 PGP E-mail Security
43/43
Questions: