CSCE 815 Network Security CSCE 815 Network Security Lecture 11 Lecture 11CSCE 815 Network Security CSCE 815 Network Security Lecture 11 Lecture 11
Email SecurityEmail Security
PGPPGP
February 25, 2003
– 2 – CSCE 815 Sp 03
Email SecurityEmail Security
email is one of the most widely used and regarded email is one of the most widely used and regarded network services network services
currently message contents are not secure currently message contents are not secure may be inspected either in transit or by suitably privileged users on destination system
– 3 – CSCE 815 Sp 03
Email OverviewEmail Overview
SMTP – Simple Mail Transfer ProtocolSMTP – Simple Mail Transfer Protocol
– 4 – CSCE 815 Sp 03
Email OverviewEmail Overview
SMTP – runs on top of TCP/IP Port 25SMTP – runs on top of TCP/IP Port 25
SMTP CommandsSMTP Commands
1.1. HELO – identifies the client machineHELO – identifies the client machine
2.2. MAIL – identifies the originator of the messageMAIL – identifies the originator of the message
3.3. RCPT – identifies the recipientRCPT – identifies the recipient
4.4. DATA – the messageDATA – the message
5.5. QUITQUIT
6.6. RSET – abortRSET – abort
7.7. VRFY - to verify a recipients address VRFY - to verify a recipients address
8.8. EXPN - expands a mailing list EXPN - expands a mailing list
9.9. TURN – client plays serverTURN – client plays server
Parts of email message: envelope, headers, bodyParts of email message: envelope, headers, body
– 5 – CSCE 815 Sp 03
Email OverviewEmail Overview
SMTP Session SMTP Session
1.1. HELO erdos.cse.sc.edu HELO erdos.cse.sc.edu
2.2. MAIL From:MAIL From:[email protected]@erdos.cse.sc.edu
3.3. RCPT To: [email protected] To: [email protected]
4.4. DATA – the message (max 1000 bytes DATA – the message (max 1000 bytes segmenttation) segmenttation)
5.5. QUITQUIT
Each message 4 byte command, operand, terminates with \r\nEach message 4 byte command, operand, terminates with \r\n
Each message is acknowledged with 3 digit reply-codeEach message is acknowledged with 3 digit reply-code
Email SpoofingEmail Spoofing telnet to a machine with port 25 type in “SMTP” packets changing From Does not change IP address so there is a good trail
http://raddist.rad.com/networks/1998/smtp/smtp.htmhttp://raddist.rad.com/networks/1998/smtp/smtp.htm (SMTP tutor.) (SMTP tutor.)
– 6 – CSCE 815 Sp 03
Email Security EnhancementsEmail Security Enhancements
confidentialityconfidentiality protection from disclosure
authenticationauthentication of sender of message
message integritymessage integrity protection from modification
non-repudiation of originnon-repudiation of origin protection from denial by sender
– 7 – CSCE 815 Sp 03
Pretty Good Privacy (PGP)Pretty Good Privacy (PGP)
widely used de facto secure emailwidely used de facto secure email
developed by Phil Zimmermanndeveloped by Phil Zimmermann
selected best available cryptography algorithms selected best available cryptography algorithms
integrated into a single programintegrated into a single program
available on Unix, PC, Macintosh and Amiga systems available on Unix, PC, Macintosh and Amiga systems
originally free, now have commercial versions available originally free, now have commercial versions available alsoalso
– 8 – CSCE 815 Sp 03
PGP Operation – AuthenticationPGP Operation – Authentication
1.1. sender creates a messagesender creates a message
2.2. SHA-1 used to generate 160-bit hash code of SHA-1 used to generate 160-bit hash code of messagemessage
3.3. hash code is encrypted with RSA using the sender's hash code is encrypted with RSA using the sender's private key, and result is attached to messageprivate key, and result is attached to message
4.4. receiver uses RSA or DSS with sender's public key receiver uses RSA or DSS with sender's public key to decrypt and recover hash codeto decrypt and recover hash code
5.5. receiver generates new hash code for message and receiver generates new hash code for message and compares with decrypted hash code, if match, compares with decrypted hash code, if match, message is accepted as authenticmessage is accepted as authentic
From the strengths of RSA and SHA-1 the recipient is From the strengths of RSA and SHA-1 the recipient is assured that only the possessor of the private key assured that only the possessor of the private key could generate the signature.could generate the signature.
– 9 – CSCE 815 Sp 03
PGP Operation – ConfidentialityPGP Operation – Confidentiality
1.1. sender generates message and random 128-bit sender generates message and random 128-bit number to be used as session key for this message number to be used as session key for this message only.only.
2.2. message is encrypted, using CAST-128 / IDEA/3DES message is encrypted, using CAST-128 / IDEA/3DES with session key using 64 bit CFB(cipher feedback)with session key using 64 bit CFB(cipher feedback)
3.3. session key is encrypted using RSA with recipient's session key is encrypted using RSA with recipient's public key, then attached to messagepublic key, then attached to message
4.4. receiver uses RSA with its private key to decrypt receiver uses RSA with its private key to decrypt and recover session keyand recover session key
5.5. session key is used to decrypt messagesession key is used to decrypt message
Option to RSA – Diffie-Hellman variant E1GamalOption to RSA – Diffie-Hellman variant E1Gamal
– 10 – CSCE 815 Sp 03
PGP Operation – Confidentiality & Authentication PGP Operation – Confidentiality & Authentication
uses both services on same messageuses both services on same messagecreate signature & attach to messageencrypt both message & signatureattach RSA encrypted session key
– 11 – CSCE 815 Sp 03
– 12 – CSCE 815 Sp 03
Notation for Figure 5.1Notation for Figure 5.1
KKss session key used in symmetric encryption scheme session key used in symmetric encryption scheme
KRKRaa = private key of user A = private key of user A
KUKUaa = public key of user A = public key of user A
EP = Encryption Public KeyEP = Encryption Public Key
DP = Decryption Public KeyDP = Decryption Public Key
EP = Symmetric Encryption EP = Symmetric Encryption
DP = Symmetric DecryptionDP = Symmetric Decryption
H hash function, || concatenationH hash function, || concatenation
Z compression using ZIPZ compression using ZIP
R64 = conversion to radix 64 ASCII formatR64 = conversion to radix 64 ASCII format
– 13 – CSCE 815 Sp 03
PGP Operation – CompressionPGP Operation – Compression
by default PGP compresses message after signing but by default PGP compresses message after signing but before encryptingbefore encrypting so can store uncompressed message & signature for later
verification & because compression is non deterministic (tradeoffs
speed vs compression ratio)
uses ZIP compression algorithmuses ZIP compression algorithm
– 14 – CSCE 815 Sp 03
PGP Operation – Email CompatibilityPGP Operation – Email Compatibility
when using PGP will have binary data to send when using PGP will have binary data to send (encrypted message etc)(encrypted message etc)
however email was designed only for texthowever email was designed only for text
hence PGP must encode raw binary data into printable hence PGP must encode raw binary data into printable ASCII charactersASCII characters
uses radix-64 algorithmuses radix-64 algorithm maps 3 bytes to 4 printable chars also appends a CRC
PGP also segments messages if too bigPGP also segments messages if too big
– 15 – CSCE 815 Sp 03
PGP Operation – SummaryPGP Operation – Summary
– 16 – CSCE 815 Sp 03
Summary of PGP Services Summary of PGP Services
Function Algorithm Used Digital Signature DSS/ SHA or
RSA/ SHA Message Encryption
CAST or I DEA or three-key triple DES with Diffi e-Hellman or RSA
Compression ZI P E-mail Compatibility
Radix-64 conversion
Segmentation -
– 17 – CSCE 815 Sp 03
E-mail CompatibilityE-mail Compatibility
The scheme used is radix-64 conversion (see appendix The scheme used is radix-64 conversion (see appendix 5B).5B).
The use of radix-64 expands the message by 33%.The use of radix-64 expands the message by 33%.
– 18 – CSCE 815 Sp 03
Segmentation and ReassemblySegmentation and Reassembly
Often restricted to a maximum message length of Often restricted to a maximum message length of 50,000 octets.50,000 octets.
Longer messages must be broken up into segments.Longer messages must be broken up into segments.
PGP automatically subdivides a message that is to PGP automatically subdivides a message that is to large.large.
The receiver strip of all e-mail headers and reassemble The receiver strip of all e-mail headers and reassemble the block.the block.
– 19 – CSCE 815 Sp 03
Format of PGP MessageFormat of PGP Message
– 20 – CSCE 815 Sp 03
– 21 – CSCE 815 Sp 03
– 22 – CSCE 815 Sp 03
– 23 – CSCE 815 Sp 03
PGP Session KeysPGP Session Keys
need a session key for each messageneed a session key for each message of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit
Triple-DES
generated using ANSI X12.17 modegenerated using ANSI X12.17 mode
uses random inputs taken from previous uses and from uses random inputs taken from previous uses and from keystroke timing of userkeystroke timing of user
– 24 – CSCE 815 Sp 03
PGP Public & Private KeysPGP Public & Private Keys
since many public/private keys may be in use, need to since many public/private keys may be in use, need to identify which is actually used to encrypt session key identify which is actually used to encrypt session key in a messagein a message could send full public-key with every message but this is inefficient
rather use a key identifier based on keyrather use a key identifier based on key is least significant 64-bits of the key will very likely be unique
also use key ID in signaturesalso use key ID in signatures
– 25 – CSCE 815 Sp 03
PGP Key RingsPGP Key Rings
each PGP user has a pair of keyrings:each PGP user has a pair of keyrings: public-key ring contains all the public-keys of other PGP
users known to this user, indexed by key ID private-key ring contains the public/private key pair(s) for
this user, indexed by key ID & encrypted keyed from a hashed passphrase
– 26 – CSCE 815 Sp 03
PGP Key ManagementPGP Key Management
rather than relying on certificate authoritiesrather than relying on certificate authorities
in PGP every user is own CAin PGP every user is own CA can sign keys for users they know directly
forms a “web of trust”forms a “web of trust” trust keys have signed can trust keys others have signed if have a chain of
signatures to them
key ring includes trust indicatorskey ring includes trust indicators
users can also revoke their keysusers can also revoke their keys
– 27 – CSCE 815 Sp 03
The Use of TrustThe Use of Trust
Key legitimacy fieldKey legitimacy field
Signature trust fieldSignature trust field
Owner trust fieldOwner trust field
See Table 5.2 See Table 5.2 (W. Stallings)(W. Stallings)
– 28 – CSCE 815 Sp 03
– 29 – CSCE 815 Sp 03
Revoking Public KeysRevoking Public Keys
The owner issue a key revocation certificate.The owner issue a key revocation certificate.
Normal signature certificate with a revote indicator.Normal signature certificate with a revote indicator.
Corresponding private key is used to sign the Corresponding private key is used to sign the certificate.certificate.
– 30 – CSCE 815 Sp 03
Recommended Web SitesRecommended Web Sites
PGP home page: www.pgp.comPGP home page: www.pgp.com
MIT distribution site for PGPMIT distribution site for PGP
S/MIME CharterS/MIME Charter
S/MIME Central: RSA Inc.’s Web SiteS/MIME Central: RSA Inc.’s Web Site