Electronic Mail Security

Electronic Mail

Simplest implementation of email consists of sending a

message directly from source machine to destination.

Communication layers
Security protocols
Application layer
ssh, S/MIME, PGP, http digest
Transport layer
SSL, TLS, WTLS
Network layer
IPsec
Data Link layer
CHAP, PPTP, L2TP,
WEP (WLAN), A5 (GSM),
Bluetooth
Physical layer Frequency Hopping,Quantum
Cryptography

Pretty Good Privacy (PGP)

Philip R. Zimmerman is the creator of PGP.
This program used to encrypt and decrypt e-mail over the
Internet. It can also be used to send an encrypted digital
signature that receiver verify the sender's identity and know
that message was not changed in route. Available both as
freeware and in a low-cost commercial version.
PGP can also be used to encrypt files being stored so that they
are unreadable by other users or intruders.
PGP provides:
confidentiality
authentication service
Can be used for: electronic mail , file storage applications.

Why Is PGP Popular?

It is availiable free on a variety of platforms.

Based on well known algorithms.

Wide range of applicability

Not developed or controlled by governmental or standards

organizations.
Algorithm supported are
RSA, DSS, Diffie-Hellman for asymmetric key encryption
IDEA, 3DES for symmetric key encryption
SHA-1for message digests

How PGP works

In this public key system, each user has a publicly known
encryption key and a private key known only to that user. You
encrypt a message you send to someone else using their public
key. When they receive it, they decrypt it using their private key.
For sending digital signatures, PGP uses an efficient algorithm
that generates a hash from the user's name and other signature
information. This hash code is then encrypted with the sender's
private key. The receiver uses the sender's public key to decrypt
the hash code. If it matches the hash code sent as the digital
signature for the message, then the receiver is sure that the
message has arrived securely from the stated sender.

Operational Description
Consist of five services:
Authentication
Confidentiality
Compression
E-mail compatibility
Segmentation

Operational Description
Authentication
PGP provides it through the use digital signatures. Detail in book
diagram.
Confidentiality
Provide through the use of sysmetric block encryption.
Compression
PGP compresses the message after applying the signature but
before encryption.
This benefit save space both for email and for file storage .
The compression algorithm used is ZIP

Operational Description
E-mail Compatibility
The scheme used is radix-64 conversion (see appendix 5B).
The use of radix-64 expands the message by 33%.

Segmentation and Reassembly

Often restricted to a maximum message length of 50,000

octets.
Longer messages must be broken up into segments.
PGP automatically subdivides a message that is to large.
The receiver strip of all e-mail headers and reassemble the
block.

Summary of PGP Services

Function

Digital Signature
Message Encryption

Compression
E-mail Compatibility
Segmentation

Algorithm Used

DSS/SHA or RSA/SHA
CAST or IDEA or threekey
triple DES with DiffieHellman or RSA
ZIP
Radix-64 conversion

Revoking Public Keys

The owner issue a key revocation certificate.

Normal signature certificate with a revote
indicator.
Corresponding private key is used to sign the
certificate.

Multipurpose Internet Mail Extensions

(MIME)

MIME is an IETF standard for sending email

Defined in 1992
MIME was built for extending SMTP(Simple Mail
Transfer Protocol)

MIME specifies a standard format for encapsulating

multiple pieces of data into a single internet
message.
RFC 822 define format for sending text msg email.
Extends RFC 822 to allow email to carry non-textual
content, non AScII letters and long messages.

Header fields in MIME

MIME-Version
Must have value 1.0. This indicates that the message conforms to MIME. This field
is required.
Content-Type
This header indicates the type of data. Each body part in the message can
be preceded by a Content-Type. There are seven major content types and a
number of subtypes.
Content-Transfer-Encoding
This indicates the encoding method(type of transformation) used on the body part.
Content-ID
This is an optional field that uniquely identifies a body part for reference
elsewhere.
Content-Description
This is another option field that can be used to describe a body part.(Needed
Needed when content is not readable text (e.g.,mpeg)

Header fields in MIME

Content types

Text,message,video,image,application,multipart.
Transfer encodings

7 bit(lines of ASCII characters)8 bit(non ASCII

characters,binary(non ASCIIetters),printable(non
ASCII letters convert to hexadeci), base64(radix
64),x-token(non stardard encoding).
MIME.
Version 1.0
Content type
text/plain;
Content transfer enoding 7 bit.

Secure Multipurpose Internet Mail

Extensions (S/MIME)

A security enhancement to MIME

Based on technology from RSA Security
Commercially used unlike PGP
Uses both public key and symmetric encryption
Provides: Authentication , Message Integrity ,
Non-repudiation of origin, Privacy and data
security

S/MIME services or functions

Enveloped data
encrypted content of any type & keys for recipients standard
digital envelop.
Signed data
standard digital signature (hash and sign). content +
signature is encoded using base64 encoding. A signed data
message can only view with S/MIME capability.
Clear-signed data
standard digital signature only the signature is encoded
using base64, receiver recipient without S/MIME capability can
read the message but cannot verify the signature
Signed and enveloped data
signed and encrypted entities may be nested in any order

How S/MIME works

1. User creates an e-mail and attaches a file to it (Word doc)
2. The e-mail program puts the message in MIME format.
3. The hash algorithm generates unique digital Fingerprint(message digest)
4. The private key is used to encrypt the digest, and it is attached to the
message. The e-mail program creates a new message as an envelope for
original message.
5. The message is then sent through the Internet with a certificate that
contains the public key.
6. The recipients e-mail program checks that: the message digest, when
decrypted with public key, matches original message the certificate is from
a trusted Certificate Authority the senders address matches the address in
the certificate(non-repudiation)
7. Hash algorithm decodes message digest Original message in MIME
format
8.E-mail program disassembles message into original parts:text,Word file

Cryptographic algorithms used in S/MIME

Message digest
must support MD5 and SHA-1 Should use SHA-1
digital signature
Sender and Receiver both must support DSS
Sender and Receiver should support RSA
asymmetric-key encryption
Sender and Receiver must support Diffie-Hellman
Sender and Receiver should support RSA
symmetric-key encryption
Sender should support DES-3 and RC4
Receiver must support DES-3 and should support RC2

User Agent Role

S/MIME uses Public-Key Certificates - X.509 version 3 signed
by Certification Authority
Functions:
Key Generation - Diffie-Hellman, DSS, and RSA key-pairs.
Registration - Public keys must be registered with X.509 CA.
Certificate Storage - Local (as in browser application) for
different services.
Signed and Enveloped Data - Various orderings for encrypting
and signing.

References

http://searchsecurity.techtarget.com/definition/Prett
y-Good-Privacy
Book william stallings(chapter 5)