Page 1:

http://www.csc.gatech.edu/copeland/jac/6612/

Prof. John A. Copeland, [email protected]

404 894-5177, fax 404 894-0035

Office: Klaus 3362 (email or call for office visit)

Chapter 5b - Secure/Multipurpose Internet Mail Extensions (S/MIME)

2/5/14

Page 2:

Simple Mail Transfer Protocol (SMTP, RFC 821; message format RFC 822). SMTP limitations - cannot transmit, or has a problem with:

• executable files, or other binary files (e.g., a JPEG image)
• “national language” characters (non-ASCII)
• messages over a certain size
• ASCII to EBCDIC translation problems
• lines longer than a certain length (72 to 254 characters)

MIME Defined Five New Headers

• MIME-Version. Must be “1.0” -> RFC 2045, RFC 2046
• Content-Type. More types being added by developers (e.g., application/word)
• Content-Transfer-Encoding. How the message body has been encoded (e.g., radix-64, i.e., base64)
• Content-ID. Unique identifying character string.
• Content-Description. Needed when the content is not readable text.

Canonical Form: a standard format for exchange between systems (not a “native” local format; e.g., JPG for images).
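What the five MIME headers and the radix-64 transfer encoding look like on the wire, as an added example using Python's standard email library (this is not code from the course notes). The addresses, the message text and the stand-in JPEG bytes are constructed for the demonstration; the message is serialized in canonical SMTP form (CRLF line endings, 7-bit ASCII, base64 lines no longer than 76 characters) and then parsed back to check each header.

```python
"""MIME in practice: build a message that carries binary data through 7-bit
SMTP, then parse it back and check the headers the slide names.

Added example, not from the course notes. Addresses, the message text and
the "image" bytes are constructed for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import make_msgid

# Constructed stand-in for a JPEG: the real JFIF magic bytes followed by every
# byte value 0..255, so the payload is definitely not 7-bit ASCII text.
SAMPLE_JPEG = bytes.fromhex("ffd8ffe000104a464946") + bytes(range(256))


def build_message(sender: str, recipient: str, text: str, attachment: bytes, filename: str) -> bytes:
    """Return the message in canonical SMTP form: CRLF line endings, ASCII only."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Photo from the lab"
    msg.set_content(text)  # text/plain; stays 7bit because the text is ASCII
    # Binary attachment: the library picks Content-Transfer-Encoding: base64
    # (radix-64) and wraps it at 76 characters so no line is too long.
    msg.add_attachment(
        attachment,
        maintype="image",
        subtype="jpeg",
        filename=filename,
        cid=make_msgid(domain="example.org"),  # Content-ID (domain is constructed)
        headers=["Content-Description: constructed sample image"],
    )
    return msg.as_bytes(policy=policy.SMTP)  # policy.SMTP = CRLF line separators


def inspect_message(raw: bytes) -> dict:
    """Parse the wire form back and report what the slide's five headers say."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {
        "mime_version": str(msg["MIME-Version"]),
        "content_type": msg.get_content_type(),
        "all_ascii": raw.isascii(),
        "crlf": b"\r\n" in raw,
        "parts": [],
    }
    for part in msg.iter_parts():
        encoded = part.get_payload()  # still the base64 text for the attachment
        report["parts"].append({
            "content_type": part.get_content_type(),
            "content_transfer_encoding": str(part["Content-Transfer-Encoding"]),
            "content_id": str(part["Content-ID"]) if part["Content-ID"] else None,
            "description": str(part["Content-Description"]) if part["Content-Description"] else None,
            "max_line_len": max(len(line) for line in encoded.splitlines()),
            "payload": part.get_payload(decode=True),  # base64 decoded back to the original bytes
        })
    return report
```

The round trip is the point: the attachment bytes come back identical after base64 decoding, while every line that actually crossed the wire was short ASCII, which is all that an RFC 821 transport promises to preserve.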

Page 3:

S/MIME - User Agent Role

S/MIME uses public-key certificates: X.509 version 3, signed by a Certification Authority.

Functions:

• Key Generation - Diffie-Hellman, DSS, and RSA key-pairs.

• Registration - Public keys must be registered with an X.509 CA (Thawte (a subsidiary of VeriSign), CAcert, ... offer free registration).

• Certificate Storage - Local (as in a browser application) for different services.

• Signed and Enveloped Data: various orderings for encrypting and signing.

Example: VeriSign (www.verisign.com)

• Class-1 Buyer’s email address confirmed by emailing vital info.

• Class-2 Postal address is confirmed as well, and data checked against directories.

• Class-3 Buyer must appear in person, or send notarized documents.

Page 4:

S/MIME History

S/MIME was originally developed by RSA Data Security Inc. The original specification used the recently developed IETF MIME specification with the de facto industry standard PKCS #7 secure message format.

Change control to S/MIME has since been vested in the IETF and the specification is now layered on Cryptographic Message Syntax, an IETF specification similar to PKCS #7.

from Wikipedia 2/16/13

Today, GnuPG adds the use of S/MIME to PGP. PGP is a standard; GnuPG is an open program that implements PGP.

Page 5:

S/MIME Certificates

Before S/MIME can be used in any of the above applications, one must obtain and install an individual key/certificate either from one's in-house certificate authority (CA) or from a public CA such as one of those listed below.

Encryption requires having the destination party's certificate on store (which is typically automatic upon receiving a message from the party with a valid signing certificate).

While it is technically possible to send a message encrypted (using the destination party's certificate) without having one's own certificate to digitally sign, in practice, the S/MIME clients will require you to install your own certificate before they allow encrypting to others.

from Wikipedia 2/16/09
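The user-agent functions on the "User Agent Role" slide (key generation, a certificate bound to an email address, signed data) and the certificate points in the Wikipedia text above (the signer's certificate travels inside the signature, which is how a recipient's client comes to hold it for encrypting replies), as an added example; this is not the course's code. It uses the third-party `cryptography` package (assumed installed) and a self-signed certificate standing in for one a CA would issue after registration; the name and address are constructed. Enveloping (encrypting to the recipient's certificate) is not shown.

```python
"""S/MIME user-agent steps: key generation, an X.509 v3 certificate for an
email address, and a detached S/MIME signature over a message body.

Added example, not the course's code. Requires the third-party
`cryptography` package (assumed installed). The certificate is self-signed
here; in practice the CA signs it after registration.
"""
import datetime
import email
from email import policy

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# DER encoding of the CMS/PKCS#7 id-signedData OID 1.2.840.113549.1.7.2
SIGNED_DATA_OID_DER = bytes.fromhex("06092a864886f70d010702")


def make_identity(address: str, common_name: str):
    """Key generation (RSA here) plus a certificate binding the key to the address."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, address),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed stand-in for a CA-issued certificate
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        # v3 extensions a mail client checks: the address, and that the
        # certificate is meant for email protection (signing + key transport).
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(address)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
        .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=True,
                                     key_encipherment=True, data_encipherment=False,
                                     key_agreement=False, key_cert_sign=False, crl_sign=False,
                                     encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def certificate_summary(cert) -> dict:
    """The facts a client needs before trusting a certificate for an address."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    return {
        "emails": san.get_values_for_type(x509.RFC822Name),
        "email_protection": ExtendedKeyUsageOID.EMAIL_PROTECTION in eku,
        "self_signed": cert.issuer == cert.subject,
    }


def sign_smime(body: bytes, cert, key) -> bytes:
    """multipart/signed: the clear-text body plus a detached PKCS#7/CMS SignedData.
    The signer's certificate is embedded in the SignedData, so a recipient who
    verifies this message also obtains the certificate needed to encrypt to us."""
    return (
        pkcs7.PKCS7SignatureBuilder()
        .set_data(body)
        .add_signer(cert, key, hashes.SHA256())
        .sign(serialization.Encoding.SMIME,
              [pkcs7.PKCS7Options.DetachedSignature, pkcs7.PKCS7Options.Text])
    )


def inspect_signed(raw: bytes) -> dict:
    """Parse the S/MIME output with the standard email parser and pull out
    the signed body and the DER-encoded signature blob."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    info = {"content_type": msg.get_content_type(), "protocol": msg.get_param("protocol"),
            "micalg": msg.get_param("micalg"), "body": None, "signature_der": None}
    for part in msg.iter_parts():
        if part.get_content_type().endswith("pkcs7-signature"):
            info["signature_der"] = part.get_payload(decode=True)
        else:
            info["body"] = part.get_payload(decode=True)
    return info
```

On the "various orderings" point from the slide: if the message is signed first and then enveloped, the signature and the signer's identity are hidden from anyone without the recipient's private key; if it is enveloped first and then signed, a gateway can verify the signature without decrypting, but anyone can strip that outer signature and re-sign the ciphertext as their own.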

Page 6:

General Email Problems

SMTP Headers

• Can be used to check email routing, but not reliable (spoofing, NAT, ...)

• Can reveal your IP address, mail server to recipients

Content Poisons:

• Attachments that are executable files (viruses, worms, back doors, ...)

• HTML-encoded mail has all the threats of an untrusted Web site:

  - Links can execute code.

  - FTP links can give away your email address, if it is used as the anonymous-FTP password.

  - Hidden keys (e.g., in image URLs) can identify the address the message was sent to, i.e., the ID of the recipient.

Spammers use unwitting mail servers for exploding and relaying email, hiding their identity.

• This requires “Relaying Prohibited,” which makes sending email harder from the road.

Page 7:

MS = Mail Server (e.g., mail.gatech.edu). *Unless the user authenticates through TLS.

[Figure: two mail-flow diagrams with a sender on an earthlink.com IP address, mail servers (MS) in gatech.edu and aol.com, and a receiver at aol.com.]

Diagram 1, "Email Relaying (should be prohibited*)": sender (IP on earthlink.com) -> MS (gatech.edu) -> MS (aol.com) -> receiver. The gatech.edu server is neither the sender's home server nor the receiver's; it is relaying.

Diagram 2, "Allowed Email Forwarding": sender -> MS -> receiver, where the MS is the home server of the sender or of the receiver.

Bob logs on to the Internet from home, and is assigned an IP address in the Earthlink domain. Bob then sends mail to smtp.gatech.edu for alice@aol.com.

Page 8:

Email sent with: > telnet mail.ece.gatech.edu 25

>> YOU TYPE THIS. [COMMENTS]
<< WAIT FOR THIS REPLY FROM THE SMTP SERVER

<< 220 mail.ece.gatech.edu ESMTP Sendmail 8.12.10/8.13.4; Wed, 28 Sep 2005 17:34:44 -0400 (EDT)
>> HELO c-66-53-58-172.hsd1.ga.comcast.net [must be the actual DNS name of the host being used]
<< 250 mail.ece.gatech.edu Hello ecevpn-021.ece-int.gatech.edu [192.168.66.21], pleased to meet you
>> MAIL FROM: [email protected] [must be an actual user on this server]
<< 250 2.1.0 [email protected]... Sender ok
>> RCPT TO: [email protected] [must not violate any anti-relay rule]
<< 250 2.1.5 [email protected]... Recipient ok [this would be relaying, except for the VPN]
>> DATA
<< 354 Enter mail, end with "." on a line by itself
>> 'hw1/hw1. graded on * * Sep 28, 2005 16:49,'
>> 'Name on HW return: smith,_john'
>> 'Date & Time submitted: Wed, 28 Sep 2005 03:45:36 -0400 (EDT)'
>> '-Email: [email protected] (at line 2) : Break the following ciphertext:'
>> ' #1'
>> '1 ok2 /N=N/ : [n] - Which cipher character'
>> '2 ok2 /THIS_CODE_IS_W=THIS_CODE_IS_W/ : [this_code_is_w] - type in the'
>> 'No. Graded = 10, Average Grade = 92'
>> . [a single period ends the message text]
<< 250 2.0.0 j8SLYiLA000789 Message accepted for delivery
>> QUIT

Today, all mail servers at GT require TLS authentication.
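The anti-relay rule from the relaying slide and the session above, as an added example that is not the course's code: a scripted server side of the HELO / MAIL FROM / RCPT TO / DATA / QUIT exchange that accepts mail for its own users from anyone, but forwards to other domains only for a local sender whose client is either inside a trusted address range (the VPN in the transcript) or has authenticated (today, over TLS). The host name, local domains, trusted range, user names and reply texts are constructed for the example.

```python
"""A mail server's anti-relay decision, driven by a scripted SMTP dialogue.

Added example, not the course's code. Host names, address ranges, user
names and the status-code texts are constructed for the example.
"""
import ipaddress
import re

HOSTNAME = "mail.ece.gatech.edu"                          # assumed local server name
LOCAL_DOMAINS = {"ece.gatech.edu", "gatech.edu"}          # domains this server delivers for
TRUSTED_NETS = [ipaddress.ip_network("192.168.66.0/24")]  # assumed VPN pool (cf. 192.168.66.21)

ADDR_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^<>\s]+)>?$", re.IGNORECASE)


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def relay_allowed(client_ip: str, authenticated: bool, sender: str, recipient: str) -> bool:
    """Local delivery is always accepted; relaying needs a local sender and a
    trusted or authenticated client. An open relay would return True here
    unconditionally, which is exactly what spammers scan for."""
    if domain_of(recipient) in LOCAL_DOMAINS:
        return True
    if domain_of(sender) not in LOCAL_DOMAINS:
        return False
    ip = ipaddress.ip_address(client_ip)
    return authenticated or any(ip in net for net in TRUSTED_NETS)


class SmtpSession:
    """Server side of one connection: HELO, MAIL FROM, RCPT TO, DATA, QUIT."""

    def __init__(self, client_ip: str, client_name: str, authenticated: bool = False):
        self.client_ip, self.client_name, self.authenticated = client_ip, client_name, authenticated
        self.helo = None
        self.sender, self.recipients, self.body = None, [], []
        self.in_data = False
        self.delivered = []  # (sender, recipients, text) for each accepted message

    def greet(self) -> str:
        return f"220 {HOSTNAME} ESMTP ready"

    def handle(self, line: str):
        """Return the reply for one client line (None while collecting DATA lines)."""
        if self.in_data:
            if line == ".":  # a lone period terminates the message text
                self.in_data = False
                self.delivered.append((self.sender, list(self.recipients), "\n".join(self.body)))
                self.sender, self.recipients, self.body = None, [], []
                return "250 2.0.0 Message accepted for delivery"
            self.body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return f"250 {HOSTNAME} Hello {self.client_name} [{self.client_ip}], pleased to meet you"
        if verb == "QUIT":
            return f"221 2.0.0 {HOSTNAME} closing connection"
        if self.helo is None:
            return "503 5.5.1 Say HELO first"
        m = ADDR_RE.match(line)
        if m and m.group(1).upper() == "MAIL FROM":
            self.sender, self.recipients = m.group(2), []
            return f"250 2.1.0 {self.sender}... Sender ok"
        if m and m.group(1).upper() == "RCPT TO":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            rcpt = m.group(2)
            if not relay_allowed(self.client_ip, self.authenticated, self.sender, rcpt):
                return f"550 5.7.1 {rcpt}... Relaying denied"
            self.recipients.append(rcpt)
            return f"250 2.1.5 {rcpt}... Recipient ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        return "500 5.5.1 Command unrecognized"


def run_session(client_ip: str, client_name: str, commands, authenticated: bool = False):
    """Drive a session from a scripted client transcript. Returns the
    (command, reply) pairs in the >>/<< style of the slide, plus delivered mail."""
    session = SmtpSession(client_ip, client_name, authenticated)
    log = [("", session.greet())]
    for cmd in commands:
        reply = session.handle(cmd)
        if reply is not None:
            log.append((cmd, reply))
    return log, session.delivered


def reply_codes(log):
    return [reply.split()[0] for _, reply in log]
```

Run the same command list once from an outside address and once from the trusted range (or with `authenticated=True`) to see the RCPT TO reply flip from "550 Relaying denied" to "250 Recipient ok"; the DATA command then fails with 503 in the denied case because no recipient was accepted.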