Http:// Prof. John A. Copeland [email protected] 404 894-5177 fax 404 894-0035 Office:...
-
Upload
clement-oconnor -
Category
Documents
-
view
212 -
download
0
Transcript of Http:// Prof. John A. Copeland [email protected] 404 894-5177 fax 404 894-0035 Office:...
http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. [email protected]
404 894-5177fax 404 894-0035
Office: Klaus 3362email or call for office visit
Chapter 5b - Secure/Multipurpose Internet Mail ExtensionsS/MIME
2/5/14
Simple Mail Transfer Protocol (SMTP, RFC 822) SMTP Limitations - Can not transmit, or has a problem with:
• executable files, or other binary files (jpeg image).• “national language” characters (non-ASCII)• messages over a certain size• ASCII to EBCDIC translation problems• lines longer than a certain length (72 to 254 characters)
MIME Defined Five New Headers• MIME-Version. Must be “1.0” -> RFC 2045, RFC 2046• Content-Type. More types being added by developers
(application/word)• Content-Transfer-Encoding. How message has been encoded (radix-
64)• Content-ID. Unique identifying character string.• Content Description. Needed when content is not readable text.
Carnonical Form: Standard format for use between systems ( not a “native” format – e.g., JPG).
2
S/MIME - User Agent Role
S/MIME uses Public-Key Certificates - X.509 version 3 signed by Certification Authority
Functions:
• Key Generation - Diffie-Hellman, DSS, and RSA key-pairs.
• Registration - Public keys must be registered with X.509 CA.
(Thawte (sub. of VeriSign), CAcert, ...) offer free registration)
• Certificate Storage - Local (as in browser application) for different services.
• Signed and Enveloped Data: Various orderings for encrypting and signing.
Example: Verisign (www.verisign.com)
• Class-1 Buyer’s email address confirmed by emailing vital info.
• Class-2 Postal address is confirmed as well, and data checked against diectories.
• Class-3 Buyer must appear in person, or send notarized documents.3
S/MIME History
S/MIME was originally developed by RSA Data Security Inc. The original specification used the recently developed IETF MIME specification with the de facto industry standard PKCS #7 secure message format.
Change control to S/MIME has since been vested in the IETF and the specification is now layered on Cryptographic Message Syntax, an IETF specificationsimilar to PKCS #7
from Wikipedia 2/16/13 4
Today, S/MIME adds the use of S/MIME to PGP.PGP is a standard, GnuPG are open programs that implement PGP
S/MIME Certificates
Before S/MIME can be used in any of the above applications, one must obtain and install an individual key/certificate either from one's in-house certificate authority (CA) or from a public CA such as one of those listed below.
Encryption requires having the destination party's certificate on store (which is typically automatic upon receiving a message from the party with a valid signing certificate).
While it is technically possible to send a message encrypted (using the destination party certificate) without having one's own certificate to digitally sign, in practice, the S/MIME clients will require you install your own certificate before they allow encrypting to others.
from Wikipedia 2/16/09 5
General Email Problems
SMTP Headers
• Can be used to check email routing, but not reliable (spoofing, NAT, ...)
• Can reveal your IP address, mail server to recipients
Content Poisons:
• Attachments that are executable files (viruses, Worms, Back Doors, ...)
• HTML encoded mail has all the threats of an untrusted Web site
Links can execute code
FTP links can give away your email address, if used as password
Hidden keys can identify the address of the message, ID of recipient
Spammers use unwitting mail servers for exploding and relaying email, hiding their identity
• This requires “Relaying Prohibited,” makes sending email harder from the road
6
MS = Mail Server (e.g., mail.gatech.edu) *Unless user authenticates through TLS.7
IP on earthlink.com gatech.edu aol.com
MSMS orsender
MS
receiver
Email Relaying (should be prohibited*)
IP on earthlink.com gatech.edu aol.com
MS
sender
MS
receiver
Allowed Email Forwarding
receiver
senderMS
Bob logs on to the Internet from home, and is assigned an IP address in the Earthlink domain. Bob then sends mail to smtp.gatech.edu for alice.aol.com
>> YOU TYPE THIS. [COMMENTS]<< WAIT FOR THIS REPLY FROM THE SMTP SERVER
>> HELO c-66-53-58-172.hsd1.ga.comcast.net [must be actual DNS name of host being used]<< 220 mail.ece.gatech.edu ESMTP Sendmail 8.12.10/8.13.4; Wed, 28 Sep 2005 17:34:44 -0400 (EDT)<< 250 mail.ece.gatech.edu Hello ecevpn-021.ece-int.gatech.edu [192.168.66.21], pleased to meet you>> MAIL FROM: [email protected] [must be an actual user on this server]<< 250 2.1.0 [email protected]... Sender ok>> RCPT TO: [email protected] [must not violate any anti-relay rule]<< 250 2.1.5 [email protected]... Recipient ok [this would be relaying, except for VPN]>> DATA<< 354 Enter mail, end with "." on a line by itself>> 'hw1/hw1. graded on * * Sep 28, 2005 16:49,’ >> 'Name on HW return: smith,_john' >> 'Date & Time submitted: Wed, 28 Sep 2005 03:45:36 -0400 (EDT)' >> '-Email: [email protected] (at line 2) : Break the following ciphertext:' >> ' #1' >> '1 ok2 /N=N/ : [n] - Which cipher character' >> '2 ok2 /THIS_CODE_IS_W=THIS_CODE_IS_W/ : [this_code_is_w] - type in the' >> 'No. Graded = 10, Average Grade = 92' >> . [single period ends message text]<< 250 2.0.0 j8SLYiLA000789 Message accepted for delivery >> QUIT
Email sent with: > telnet mail.ece.gatech.edu 25
8Today, all mail servers at GT require TLS authentication.