BKM/SIT
E-mail Architecture
E-mail Security
Cryptographic Algorithms
Note: In e-mail security, the sender of the message needs to include the names or identifiers of the algorithms used in the message.
Certificates
Public-key algorithms must be used for e-mail security, so certificates are needed to distribute the public keys.
Cryptographic Secrets
Note: In e-mail security, encryption and decryption of the message use a symmetric-key algorithm, but the secret key needed to decrypt the message is itself encrypted with the public key of the receiver and is sent along with the message.
PGP
Pretty Good Privacy (PGP) can be used to create a secure e-mail message or to store a file securely for future retrieval. It was invented by Phil Zimmermann.
Message Integrity
An authenticated message
Code Conversion
Another service provided by PGP is code conversion. PGP uses Radix-64 conversion for non-ASCII data.
Segmentation
PGP allows the message to be segmented into units of uniform size after Radix-64 conversion has been applied.
PGP Algorithms
User ID is usually the e-mail ID of the user. Key ID is the first (least significant) 64 bits of the public key. The Public Key column lists the public key belonging to a particular private-key/public-key pair. The Encrypted Private Key column keeps the private keys of the key ring in encrypted form. Timestamp holds the date and time of the key pair creation.
User ID: here also the user ID is usually the e-mail ID of the entity. Key ID: here also the key ID is the first 64 bits of the public key. Public Key: this is the public key of the entity. Producer Trust: defines the trust level of the producer: full, partial or none. Certificate(s): holds the certificates signed by other entities for this entity. Certificate Trust(s): represents the certificate trust value of an entity, which is taken from the Producer Trust value after receiving a certificate from another entity. Key Legitimacy: this value is calculated by PGP based on the value of the certificate trust and the weight for each certificate trust.
Example
A series of steps will show how a public key ring table is formed for Alice.
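As an added worked example (not from the slides), the following computes the Key ID and Key Legitimacy columns of a constructed public key ring for Alice. The trust weights (full = 1, partial = 1/2, none = 0, legitimate when the sum reaches 1) and the rule that a certificate only counts when the signer's own key is legitimate are assumptions of this example, not values given on the page.

```python
from fractions import Fraction

# Assumed weights (not from the slides): a certificate from a fully trusted
# producer counts 1, from a partially trusted one 1/2, from an untrusted one 0.
TRUST_WEIGHT = {"full": Fraction(1), "partial": Fraction(1, 2), "none": Fraction(0)}
LEGITIMACY_THRESHOLD = Fraction(1)

def key_id(public_key: int) -> int:
    """Key ID = the least significant 64 bits of the public key."""
    return public_key & ((1 << 64) - 1)

# Constructed public key ring for Alice: the Producer Trust she assigns to each
# entity and the list of entities whose certificates the entry holds.
ALICE_RING = {
    "alice@example.com": {"producer_trust": "full", "certificates": []},
    "bob@example.com":   {"producer_trust": "full", "certificates": ["alice@example.com"]},
    "ted@example.com":   {"producer_trust": "partial", "certificates": ["alice@example.com"]},
    "mary@example.com":  {"producer_trust": "partial", "certificates": ["alice@example.com"]},
    "john@example.com":  {"producer_trust": "none", "certificates": ["ted@example.com", "mary@example.com"]},
    "sam@example.com":   {"producer_trust": "partial", "certificates": ["ted@example.com"]},
    "eve@example.com":   {"producer_trust": "partial", "certificates": ["john@example.com"]},
}

def key_legitimacy(ring, user_id, owner, _seen=frozenset()):
    """Key Legitimacy of one entry: the Certificate Trust of each certificate is
    copied from the signer's Producer Trust, and a certificate counts only if
    the signer's own key is legitimate (otherwise anyone could sign keys in)."""
    if user_id == owner:
        return Fraction(1)                 # the ring owner's key is the trust anchor
    if user_id in _seen:
        return Fraction(0)                 # break certificate cycles
    total = Fraction(0)
    for signer in ring[user_id]["certificates"]:
        if key_legitimacy(ring, signer, owner, _seen | {user_id}) >= LEGITIMACY_THRESHOLD:
            total += TRUST_WEIGHT[ring[signer]["producer_trust"]]
    return min(total, Fraction(1))

def legitimate_keys(ring, owner):
    """User IDs whose keys Alice's ring accepts as legitimate."""
    return sorted(u for u in ring if key_legitimacy(ring, u, owner) >= LEGITIMACY_THRESHOLD)
```

Two partial-trust certificates (Ted and Mary) together make John's key legitimate, while Eve's key stays illegitimate because her only certificate comes from John, whose Producer Trust is none.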
Key Revocation
It may become necessary for an entity to revoke (withdraw) his or her public key from the ring. This may happen if the owner of the key feels that the key is compromised (stolen, for example) or just too old to be safe.
Assume that Alice is sending an e-mail to Bob. For that, she needs five pieces of information from PGP:
- The key ID of the public key she wants to use
- Her own private key
- The session key
- Bob's public key ID
- Bob's public key
To get these, she has to input four pieces of information to PGP:
- Her user ID
- Her password
- Keystrokes
- Bob's user ID
Extracting information at the Receiver site
PGP Packets
Format of packet header
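The packet header layout itself is not reproduced on the slide; the following added example (not the deck's own code) parses both header formats as specified in RFC 4880, an assumption drawn from the standard rather than from the page, and walks a constructed two-packet message.

```python
# Packet tags from RFC 4880 used by the messages this deck describes.
PACKET_TAGS = {1: "Public-Key Encrypted Session Key", 2: "Signature",
               6: "Public-Key", 9: "Symmetrically Encrypted Data", 13: "User ID"}

def parse_packet_header(data: bytes, offset: int = 0):
    """Parse one packet header at data[offset]; return (tag, body_length,
    header_length). body_length is None for an old-format indeterminate
    length or a new-format partial body length (neither handled here)."""
    first = data[offset]
    if not first & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if first & 0x40:                       # new-format header: tag in bits 5..0
        tag = first & 0x3F
        o1 = data[offset + 1]
        if o1 < 192:                       # one-octet body length
            return tag, o1, 2
        if o1 < 224:                       # two-octet body length
            return tag, ((o1 - 192) << 8) + data[offset + 2] + 192, 3
        if o1 == 255:                      # five-octet body length
            return tag, int.from_bytes(data[offset + 2:offset + 6], "big"), 6
        return tag, None, 2                # 224..254: partial body length
    tag = (first >> 2) & 0x0F              # old-format header: tag in bits 5..2
    length_type = first & 0x03             # bits 1..0: 0/1/2 -> 1/2/4 length octets
    if length_type == 3:
        return tag, None, 1                # indeterminate length
    size = 1 << length_type
    return tag, int.from_bytes(data[offset + 1:offset + 1 + size], "big"), 1 + size

def walk_packets(message: bytes):
    """Split a message into (tag name, body) pairs, refusing truncated input."""
    packets, offset = [], 0
    while offset < len(message):
        tag, length, hlen = parse_packet_header(message, offset)
        if length is None:
            raise ValueError("indeterminate/partial body lengths not supported")
        body = message[offset + hlen:offset + hlen + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        packets.append((PACKET_TAGS.get(tag, f"tag {tag}"), body))
        offset += hlen + length
    return packets

# Constructed sample message: an old-format User ID packet (tag 13, one-octet
# length) followed by a new-format Symmetrically Encrypted Data packet
# (tag 9, two-octet length) whose 300 zero bytes stand in for ciphertext.
SAMPLE = bytes([0x80 | (13 << 2) | 0, 5]) + b"alice"
SAMPLE += bytes([0xC0 | 9, 192 + ((300 - 192) >> 8), (300 - 192) & 0xFF]) + bytes(300)
```

The length check in walk_packets matters because a header that promises more body than the message contains is the usual shape of a truncated or tampered message.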
PGP Messages
A PGP message is a combination of sequenced and/or nested packets. Some examples are:
- Encrypted Message
- Signed Message
- Certificate Message
This packet carries data from one or more packets that have been encrypted using a symmetric-key algorithm. A session-key packet carrying the one-time session key must be sent before it.
Signature packet
It protects the integrity of the data.
Session-key packet
This packet is used to send the session key encrypted with the receiver's public key.
Public-key packet
This packet contains the public key of the sender.
User ID packet
This packet identifies a user and associates the user ID contents with a public key of the sender.
Signed message
Certificate message
S/MIME
Secure/Multipurpose Internet Mail Extension (S/MIME) is an enhancement of the supplementary protocol MIME, which has been integrated into the e-mail system. MIME allows non-ASCII data (which was not allowed earlier) to be sent over the same e-mail system. MIME transforms non-ASCII data at the sender site into NVT ASCII data and delivers it to the client MTA to be sent through the Internet. At the receiving site, it is transformed back into the original data.
MIME
Radix-64 conversion
This is a solution for sending data bytes whose highest bit is not necessarily zero. It divides the binary data into 24-bit blocks. Each block is then divided into four sections of 6 bits each, and each 6-bit section is mapped to one printable ASCII character.
Quoted-printable
This encoding is suitable if the data consists mostly of ASCII characters with a small non-ASCII portion. If a character is ASCII, it is sent as it is; if it is non-ASCII, it is sent as three characters: the first character is an = sign, and the next two are the hexadecimal representation of the byte.
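Both MIME transfer encodings described above (Radix-64 and quoted-printable), as an added example that is not code from the slides. The alphabet and the = padding for a final 1- or 2-byte block follow the standard Radix-64 (base64) definition, and the quoted-printable encoder also escapes a literal = sign, a rule the slide does not mention but which is needed for decoding to be unambiguous.

```python
import string

R64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

def radix64_encode(data: bytes) -> str:
    """24-bit blocks -> four 6-bit sections -> printable characters. A final
    block of 1 or 2 bytes is zero-padded and marked with '=' characters."""
    out = []
    for i in range(0, len(data), 3):
        block = data[i:i + 3]
        n = int.from_bytes(block.ljust(3, b"\x00"), "big")
        chars = [R64_ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(block) + 1                     # 3 bytes->4 chars, 2->3, 1->2
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)

def radix64_decode(text: str) -> bytes:
    """Reverse the mapping, dropping the bytes that only held padding bits."""
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        n = 0
        for ch in quad:
            n = (n << 6) | (0 if ch == "=" else R64_ALPHABET.index(ch))
        out += n.to_bytes(3, "big")[:3 - quad.count("=")]
    return bytes(out)

def quoted_printable_encode(data: bytes) -> str:
    """ASCII bytes pass through unchanged; a non-ASCII byte (and '=' itself,
    which would otherwise be ambiguous) becomes '=' plus two hex digits."""
    return "".join(chr(b) if b < 0x80 and b != ord("=") else f"={b:02X}" for b in data)

def quoted_printable_decode(text: str) -> bytes:
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "=":
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)

# Constructed inputs: bytes with the high bit set for Radix-64, and a mostly
# ASCII string with one Latin-1 byte for quoted-printable.
RADIX_SAMPLE = b"\xff\x80\x01\x02"
QP_SAMPLE = "caf\u00e9".encode("latin-1")
```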
S/MIME
S/MIME adds some new content types that bring security services to MIME. All of these new types use application/pkcs7-mime, in which PKCS stands for Public Key Cryptography Specification.
Cryptographic Message Syntax (CMS)
To define how security services, such as confidentiality or integrity, can be added to MIME content types, S/MIME has defined the Cryptographic Message Syntax (CMS). The syntax in each case defines the exact encoding scheme for each content type.
Example
The following shows an example of an enveloped-data in which a small message is encrypted using triple DES.
Key Management
The key management in S/MIME is a combination of key management used by X.509 and PGP.
Cryptographic Algorithms
S/MIME defines several cryptographic algorithms. The term "must" denotes an absolute requirement; the term "should" denotes a recommendation.