Chapter 6 Electronic Mail Security - University of Technology
Transcript of lecture slides (dated 2016-11-08)
Cryptography and Network Security
Lectured by
Nguyễn Đức Thái
Chapter 6: Electronic Mail Security
Outline
Pretty Good Privacy
S/MIME
Electronic Mail Security
In virtually all distributed environments, electronic mail is the most heavily used network-based application.
Users expect to be able to, and do, send e-mail to others who are connected directly or indirectly to the Internet, regardless of host operating system or communications suite
With the explosively growing reliance on e-mail, there grows a demand for authentication and confidentiality services
Two schemes in use: Pretty Good Privacy (PGP) and S/MIME
Electronic Mail Security
Currently message contents are not secure
• may be inspected either in transit
• or by suitably privileged users on destination system
PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications
Email Security Enhancements
Confidentiality
• protection from disclosure
Authentication
• of sender of message
Message integrity
• protection from modification
Non-repudiation of origin
• protection from denial by sender
Pretty Good Privacy (PGP)
widely used de facto secure email
developed by Phil Zimmermann
selected best available crypto algorithm to use
integrated into a single program
on Unix, PC, Macintosh and other systems
originally free, now also have commercial versions available
PGP Operation - Authentication
1. sender creates message
2. makes SHA-1 160-bit hash of message
3. attaches RSA-signed hash to message
4. receiver decrypts & recovers hash code
5. receiver verifies received message hash
PGP Operation - Confidentiality
1. sender forms 128-bit random session key
2. encrypts message with session key
3. attaches session key encrypted with RSA
4. receiver decrypts & recovers session key
5. session key is used to decrypt message
PGP – Authentication & Confidentiality
Can use both services on same message
create signature & attach to message
encrypt both message & signature
attach RSA/ElGamal encrypted session key
PGP Operation - Compression
by default PGP compresses message after signing but before encrypting
• so can store uncompressed message & signature for later verification
• & because compression is non-deterministic (different implementations or versions can produce different output), so a signature over the compressed form would be fragile
uses ZIP compression algorithm
PGP Operation – Email Compatibility
When PGP is used, at least part of the block to be transmitted is encrypted
However, email was designed only for text
Hence PGP must encode raw binary data into printable ASCII characters
Uses radix-64 algorithm
• maps 3 bytes to 4 printable chars
• also appends a CRC
PGP also segments messages if too big
PGP Operation – Summary
S/MIME
Secure/Multipurpose Internet Mail Extensions
security enhancement to MIME email
• original Internet RFC 822 email was text only
• MIME provided support for varying content types and multi-part messages
• with encoding of binary data to textual form
• S/MIME added security enhancements
have S/MIME support in many mail agents
• e.g. MS Outlook, Mozilla, Mac Mail, etc.
S/MIME Functions
enveloped data
• encrypted content and associated keys
signed data
• encoded message + signed digest
clear-signed data
• cleartext message + encoded signed digest
signed & enveloped data
• nesting of signed & encrypted entities
S/MIME Cryptographic Algorithms
Digital signatures: DSS & RSA
Hash functions: SHA-1 & MD5
Session key encryption: ElGamal & RSA
Message encryption: AES, Triple-DES, RC2/40 and others
MAC: HMAC with SHA-1
Have process to decide which algorithms to use
S/MIME Messages
S/MIME secures a MIME entity with a signature, encryption, or both
forming a MIME-wrapped PKCS object
Have a range of content-types:
• enveloped data
• signed data
• clear-signed data
• registration request
• certificate only message
S/MIME Certificate Processing
S/MIME uses X.509 v3 certificates
managed using a hybrid of a strict X.509 CA hierarchy & PGP’s web of trust
each client has a list of trusted CAs' certificates
and own public/private key pairs & certificates
certificates must be signed by trusted CAs
Certificate Authorities
have several well-known CAs
Verisign one of most widely used
Verisign issues several types of Digital IDs
increasing levels of checks & hence trust

| Class | Identity Checks | Usage |
|---|---|---|
| 1 | name/email check | web browsing/email |
| 2 | + enrollment/address check | email, subscriptions, software validation |
| 3 | + ID documents | e-banking/service access |
S/MIME Enhanced Security Services
3 proposed enhanced security services:
• signed receipts
• security labels
• secure mailing lists
DomainKeys Identified Mail (DKIM)
a specification for cryptographically signing email messages
so signing domain claims responsibility
recipients / agents can verify signature
proposed Internet Standard RFC 4871
has been widely adopted
Internet Mail Architecture
Email Threats
see RFC 4684 - Analysis of Threats Motivating DomainKeys Identified Mail
describes the problem space in terms of:
• range: low end, spammers, fraudsters
• capabilities in terms of where submitted, signed, volume, routing, naming, etc.
• outside located attackers
Summary
We have discussed:
Pretty Good Privacy
S/MIME