Lecture 07 PGP and S/MIME

Supakorn Kungpisdan, Ph.D.supakorn@mut.ac.th

1ITEC4621 Network Security

ITEC4621 Network Security 2

Overview of Emails Email Services and Security PGP (Pretty Good Privacy) S/MIME

Roadmap

ITEC4621 Network Security 3

Overview of Electronic MailThree major components: user agents (UAs) mail servers simple mail transfer protocol: SMTP

Mail Transfer Agents (MTAs)

User Agent Known as “mail reader” composing, editing, reading mail messages e.g., Eudora, MS Outlook, Outlook

Express, Netscape Messenger outgoing, incoming messages stored on

server

user mailbox

outgoing message queue

mailserver

useragent

useragent

useragent

mailserver

useragent

useragent

mailserver

useragent

SMTP

SMTP

SMTP

ITEC4621 Network Security 4

Mail Servers mailbox contains incoming messages

for user message queue of outgoing (to be

sent) mail messages

SMTP protocol Deliver emails from user agent

to user’s mail server Deliver emails between mail

servers

mailserver

useragent

useragent

useragent

mailserver

useragent

useragent

mailserver

useragent

SMTP

SMTP

SMTP

Electronic Mail (cont.)

ITEC4621 Network Security 5

SMTP Protocol Uses TCP to reliably transfer email message from

client to server, port 25 Direct transfer: sending server to receiving server via

many Mail Transfer Agents (MTAs)

useragent

mailserver

mailserver user

agent

1

2 3 4 56

ITEC4621 Network Security 6

Mail Access Protocols

SMTP: delivery/storage to receiver’s server Mail access protocol: retrieval from server

POP: Post Office Protocol [RFC 1939] authorization (agent <--> server) and download

IMAP: Internet Mail Access Protocol [RFC 1730] more features (more complex) manipulation of stored messages on server

HTTP (web-based email): Hotmail , Yahoo! Mail, etc.

useragent

sender’s mail server

useragent

SMTP SMTP accessProtocol

POP3, IMAP, or HTTP

receiver’s mail server

ITEC4621 Network Security 7

POP3 (more) and IMAPMore about POP3 2 modes of operations: “download

and delete” and “download and keep”

Previous example uses “download and delete” mode.

Bob cannot re-read e-mail if he changes client machine

“Download-and-keep”: copies of messages on different clients

POP3 is stateless across sessions

IMAP Keep all messages in one

place: the server Allows user to organize

messages in folders: inbox, sent items, draft

IMAP keeps user state across sessions: names of folders and

mappings between message IDs and folder name

ITEC4621 Network Security 8

Overview of Email Email Services and Security PGP (Pretty Good Privacy) S/MIME

Roadmap

ITEC4621 Network Security 9

Email Security

email is one of the most widely used and regarded network services

currently message contents are not secure may be inspected either in transit or by suitably privileged users on destination system

ITEC4621 Network Security 10

Email Security Enhancements

confidentiality protection from disclosure

authentication of sender of message

message integrity protection from modification

non-repudiation of origin protection from denial by sender

ITEC4621 Network Security 11

Overview of Email Email Services and Security PGP S/MIME

Roadmap

ITEC4621 Network Security 12

Pretty Good Privacy (PGP)

developed by Phil Zimmermann widely used de facto secure email provides confidentiality and authentication services for

email and file storage applications. selected best available crypto algs to use integrated into a single program on Unix, PC, Macintosh and other systems originally free, now also have commercial versions

available

ITEC4621 Network Security 13

Summary of PGP Services

ITEC4621 Network Security 14

Authentication

Use SHA-1/RSA or SHA-1/DSS Signature can be detached from the message

To log signature To use when more than one party must sign the document e.g. contract

signing

compression decompression

ITEC4621 Network Security 15

Confidentiality

Use symmetric-key encryption e.g. CAST-128, IDEA, or 3DES Sender generates a 128-bit key (used only one time) and encrypts

with receiver’s public key Use RSA or encryption using DH (called “Elgamal”) for encryption

Symmetric key

Symmetric encryption

Public-key encryption

ITEC4621 Network Security 16

Confidentiality and Authentication

Append signature to the message and encrypt using a session key The session key then is encrypted with receiver’s public key

ITEC4621 Network Security 17

Compression

PGP compresses a message after signing but before encryption Use ZIP as compression algorithm Signature is generated before compression

Can store uncompressed message and signature for future verification Different versions of compression algos provide different quality and

formats Applying hash function and signature after compression would constrain PGP

implementation

Encryption after compression strengthens cryptographic security Less redundancy, more difficult to cryptanalysis

ITEC4621 Network Security 18

Email Compatibility

when using PGP will have binary data to send (encrypted message etc)

however email was designed only for text hence PGP must encode raw binary data into printable ASCII

characters uses radix-64 algorithm

maps 3 bytes to 4 printable chars also appends a CRC

PGP also segments messages if too big

ITEC4621 Network Security 19

Segmentation and Reassembly

Email normally has max length of 50,000 characters PGP provides segmentation of email messages after radix-

64 conversion Session-key component and signature appear only once at the

beginning of the first segment At receiving end, PGP removes headers and reassemble

segments

ITEC4621 Network Security 20

PGP Operation – Summary

ITEC4621 Network Security 21

Cryptographic Keys and Key Rings

Four types of keys used: One-time session symmetric keys Public keys Private keys Passphrase-based symmetric keys

ITEC4621 Network Security 22

Session Key Generation

Each session key is used only once to encrypt and decrypt a message.

Different algos use different lengths of keys: 128 bits for CAST-128 and IDEA 168 bits or 3DES

uses random inputs taken from previous uses and from keystroke timing of user

ITEC4621 Network Security 23

PGP Key Rings

each PGP user has a pair of keyrings: public-key ring contains all the public-keys of other PGP users

known to this user, indexed by key ID private-key ring contains the public/private key pair(s) for this

user, indexed by key ID & encrypted keyed from a hashed passphrase

security of private keys thus depends on the pass-phrase security

ITEC4621 Network Security 24

PGP Message Generation

ITEC4621 Network Security 25

PGP Message Reception

ITEC4621 Network Security 26

PGP Key Management

rather than relying on certificate authorities in PGP every user is own CA

can sign keys for users they know directly forms a “web of trust”

trust keys have signed can trust keys others have signed if have a chain of signatures

to them key ring includes trust indicators users can also revoke their keys

ITEC4621 Network Security 27

Overview of Email Email Services and Security PGP (Pretty Good Privacy) S/MIME

Roadmap

ITEC4621 Network Security 28

S/MIME

Secure Multi-purpose Internet Mail Extension security enhancement to MIME email

original Internet RFC822 email was text only MIME provided support for varying content types and multi-

part messages with encoding of binary data to textual form S/MIME added security enhancements

have S/MIME support in many mail agents eg MS Outlook, Mozilla, Mac Mail etc

ITEC4621 Network Security 29

Mail Message FormatRFC 822: standard for text

message format: header lines, e.g.,

To: From: Subject:

body the “message”, 7-bit ASCII

characters only

header

body

blankline

ITEC4621 Network Security 30

Enable sending multimedia messages or attachments with non-ASCII format

Additional lines in msg header declare MIME content type

From: alice@crepes.fr To: bob@hamburger.edu Subject: Picture of yummy crepe. MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Type: image/jpeg

base64 encoded data ..... ......................... ......base64 encoded data

multimedia datatype, subtype,

parameter declaration

method usedto encode data

MIME version

encoded data

MIME

ITEC4621 Network Security 31

The Received Message

Received: from crepes.fr by hamburger.edu; 12 Oct 98 15:27:39 GMT

From: alice@crepe.fr

To: bob@hamburger.edu

Subject: Picture of yummy crepe.

MIME-Version: 1.0

Content-Transfer-Encoding: base64

Content-Type: image/jpeg

base64 encoded data . . . . .

. . . .. . . . .. . . . .

. . . . Base64 encoded data

ITEC4621 Network Security 32

MIME Content Types

text/plain

image/jpeg

ITEC4621 Network Security 33

MIME Transfer Encodings

ITEC4621 Network Security 34

S/MIME Functionality

Getting a digital ID for emails Enveloped data

Consist of encrypted content and encrypted encryption key Signed data

Hash then sign with private key of signer then encode with base64 Can be viewed only by a S/MIME supported recipient

Clear-signed data Only signature is encoded with base64 Non-S/MIME user can view, but not verify it

ITEC4621 Network Security 35

S/MIME Cryptographic Algorithms

digital signatures: DSS & RSA hash functions: SHA-1 & MD5 session key encryption: ElGamal & RSA message encryption: AES, Triple-DES, RC2/40 and others MAC: HMAC with SHA-1 have process to decide which algs to use

ITEC4621 Network Security 36

Rules of Sending Agents

1. If sending agent (SA) has a list of preferred decrypting algos from receiver, SA SHOULD choose the first on the list.

2. IF SA has no such list but received encrypted msgs, SA SHOULD use the same encryption algo that was used on the last message received.

3. If SA has no knowledge and want to take the risk, SA uses 3DES

ITEC4621 Network Security 37

S/MIME Content Types

Special types based on public-key cryptography.

ITEC4621 Network Security 38

Securing a MIME Entity

Use signature, encryption, or both MIME entity plus some security-related data e.g. algo identifiers and

certificates are processed by S/MIME to produce a “PKCS” object The PKCS object is then wrapped in MIME. It is converted into 7-bit ASCII by base64 Types

EnvelopedData SignedData Clear Signing etc.

ITEC4621 Network Security 39

EnvelopedData Application/pkcs7-mime is used Each resulting entity (an object) is represented in a form of Basic Encoding Rules (BER)

(e.g. binary format). BER is then converted to ASCII by base64

Process1. Generate a pseudorandom session key2. Encrypt the session key with recipient’s public key3. Prepare a block of RecipientInfo

contains ID of recipient’s cert, ID of encryption algos, and encrypted session key4. Encrypt the message with the session key

RecipientInfo + encrypted content = envelopedData envelopedData is then encoded into base64

ITEC4621 Network Security 40

EnvelopedData (cont.)

Content-Type: application/pkcs7-mime;

smime-type=enveloped-data; name-smime.p7m

Content-Transfer-Encoding: base64

Content-Disposition: attachment;

filename=smime.p7m

Fdskfjhglasfhgksd4nkdfngiewksa4dnfk76sdgklsdnfksldfjbvfsldkfvlskdnfvlks4dnf2lkvs3ndflkvsdnvskdfvnksldnfvklsdnvks9ldnvlksnkadlnslkn3dlsknfskldnflksdnflvsdnlklkdsnvlksdnlskdnkdfslfnvsfq

Recipient converts back to binary and decrypts the session key using his/her private key, and decrypts the message using the session key

ITEC4621 Network Security 41

SignedData

signedData can be used with one or more signers.Process1. Select a hash algo (SHA or MD5)2. Computer hash value of the content3. Sign the hash value using signer’s private key4. Prepare block of SignerInfo that contains

Signer’s cert including a set of necessary certs to trace root CA ID of hash algo, ID of encryption algo, encrypted hash value

5. signedData = hash ID, the message, SignerInfo6. signedData is then converted into base64

ITEC4621 Network Security 42

SignedData (cont.)

Content-Type: application/pkcs7-mime;

smime-type=signed-data; name-smime.p7m

Content-Transfer-Encoding: base64

Content-Disposition: attachment;

filename=smime.p7m

Sdflgnsnbdsflkdvlsmvldsldsn4ssdlfkmvldsfmvfadmfvsmfaadnva/vlsadnvfkadnvskjdnfvlsfdvmqaanfsd4kjdnvsdfnvskdjnfv534ksdjnfdsnfdkdjfsjh5sdhklsjhgskjghiwuerhwjenfkjnfkjshdfjksdgvjksdvjskdfvnsjdkf5

To verify signature, convert back to binary, use the signer’s public key to decrypt the hash value. Then compare the hash values

ITEC4621 Network Security 43

Clear Signing

The message is sent in clear for non-S/MIME user. A multipart/signed message has two parts

MIME: if not in 7-bit ASCII, converted into ASCII Signed MIME: processed in the same manner as signedData

ITEC4621 Network Security 44

Clear Signing (cont’d)Content-Type: multipart/signed;

protocol=“application/pkcs7-signature”;

micalg=sha1; boundary=boundary42

--boundary42

Content-Type: text/plain

This is a clear-signed message.

--boundary42

Content-Type: application/pkcs7-signature;

name=smime.p7s

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename=smime.p7s

Sdflgnsnbdsflkdvlsmvldsldsn4ssdlfkmvldsfmvfadmfvsmfaadnva/vlsadnvfkadnvskjdnfvlsfdvmqaanfsd4kjdnvsdfnvskdjnfv534ksdjnfdsnfdkdjfsjh5sdhklsjhgskjghiwuerhwjenfkjn

--boundary42--

This email has many parts

ITEC4621 Network Security 45

Questions?

Quiz

1. เพราะเหตุ�ใดเราจึ�งทำ�าการ zip หลั�งจึากการทำ�า Digital Signature แลัะก�อนการเข้�ารห�ส

2. การเชื่��อมตุ�อก�นเพ��อส�งข้�อม�ลัระหว่�างคอมพ!ว่เตุอร" 2 เคร��องอย่�างปลัอดภั�ย่น�&นตุ�องม'ค�ณสมบั�ตุ!แบับั End-to-end authentication แลัะ Encryption จึงให�เข้'ย่นร�ป frame format ข้อง IPSec packet ทำ'�ม'ค�ณสมบั�ตุ!ด�งตุ�อไปน'&:1) Transport adjacency ทำ'�ม'การทำ�า authentication ก�อน encryption2) Transport SA ทำ'�ถู�ก bundle ภัาย่ใน Tunnel SA ม'การทำ�า encryption ก�อน authentication3) Tunnel SA ทำ'�ถู�ก bundle ภัาย่ใน Tunnel SA ม'การทำ�า authentication ก�อน encryption

ITEC4621 Network Security 46

Quiz (cont.)

47ITEC4621 Network Security