Email Security 1. email is one of the most widely used and regarded network services currently message contents are not secure may be inspected either.

Email Security

1

Email Security• email is one of the most widely used and regarded network

services • currently message contents are not secure

• may be inspected either in transit • or by suitably privileged users on destination system

2

Email Security Enhancements• confidentiality

• protection from disclosure• authentication

• of sender of message• message integrity

• protection from modification • non-repudiation of origin

• protection from denial by sender

3

Pretty Good Privacy (PGP)• widely used de facto secure email

• developed by Phil Zimmermann

• selected best available cryptography algorithms

integrated into a single program

• available on Unix, PC, Macintosh and Amiga systems

• originally free, now have commercial versions available also

4

PGP services• messages

• authentication

• confidentiality

• compression

• e-mail compatibility

• segmentation and reassembly

• key management• generation, distribution, and revocation of public/private keys

• generation and transport of session keys and IVs

5

Message authentication• based on digital signatures• supported algorithms: RSA/SHA and DSS/SHA

hashhash encenc

hashhash decdeccomparecompare

accept / reject

m h

Ksnd-1

Ksnd

m h h

send

erre

ceiv

er

6

PGP Operation – Authentication1.sender creates a message2. SHA-1 used to generate 160-bit hash code of message

3. hash code is encrypted with RSA using the sender's private key, and result is attached to message

4. receiver uses RSA with sender's public key to decrypt and recover hash code

5. receiver generates new hash code for message and compares with decrypted hash code, if match, message is accepted as authentic

6. From the strengths of RSA and SHA-1 the recipient is assured that only the possessor of the private key could generate the signature.

7

Message confidentiality• symmetric key encryption in CFB mode with a random

session key and IV• session key and IV is encrypted with the public key of the

receiver• supported algorithms:

• symmetric: CAST, IDEA, 3DES• asymmetric: RSA, ElGamal

prngprng

s.encs.enc

mKrcv

send

er

a.enca.enck, iv

{m}k

{k, iv}Krcv

8

PGP Operation – Confidentiality

1. sender generates message and a random 128-bit number to be used as session key for this message only.

2. message is encrypted, using CAST-128 / IDEA/3DES with session key using 64 bit CFB (cipher feedback mode)

3. session key is encrypted using RSA with recipient's public key, then attached to message

4. receiver uses RSA with its private key to decrypt and recover session key

5. session key is used to decrypt message6. Option to RSA – Diffie-Hellman variant E1Gamal

9

PGP Operation – Confidentiality & Authentication

•uses both services on same message• create signature & attach to message

• encrypt both message & signature

• attach RSA encrypted session key

10

11

Notation for Figure 5.1• Ks session key used in symmetric encryption scheme

• KRa = private key of user A

• KUa = public key of user A

• EP = Encryption Public Key

• DP = Decryption Public Key

• EP = Symmetric Encryption

• DP = Symmetric Decryption

• H hash function, || concatenation

• Z compression using ZIP

• R64 = conversion to radix 64 ASCII format12

PGP Operation – Compression• by default PGP compresses message after signing but before

encrypting• so can store uncompressed message & signature for later

verification• uses ZIP compression algorithm

13

PGP Operation – Email Compatibility• when using PGP will have binary data to send (encrypted

message etc)• however email was designed only for text• hence PGP must encode raw binary data into printable ASCII

characters• uses radix-64 algorithm• PGP also segments messages if too big

14

PGP Operation – Summary

15

Summary of PGP Services Function Algorithm Used Digital Signature DSS/ SHA or

RSA/ SHA Message Encryption

CAST or I DEA or three-key triple DES with Diffi e-Hellman or RSA

Compression ZI P E-mail Compatibility

Radix-64 conversion

Segmentation -

16

Format of PGP Message

17

Key IDs

• a user may have several public key – private key pairs• which private key to use to decrypt the session key?• which public key to use to verify a signature?

• transmitting the whole public key would be wasteful

• associating a random ID to a public key would result in management burden

• PGP key ID: least significant 64 bits of the public key• unique within a user with very high probability

19

Private-key ring• used to store the public key – private key pairs owned by a given user• essentially a table, where each row contains the following entries:

• timestamp• key ID (indexed)• public key• encrypted private key• user ID (indexed)

encencpassphrase hashhash

private key

encrypted private key20

Public-key ring• used to store public keys of other users

• a table, where each row contains the following entries:

• timestamp

• key ID (indexed)

• public key

• user ID (indexed)

• owner trust

• signature(s)

• signature trust(s)

• key legitimacy21

22

23

24

PGP Session Keys• need a session key for each message

• of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES

• generated using ANSI X12.17 mode• uses random inputs taken from previous uses and from

keystroke timing of user

25

Random number generation• true random numbers

• used to generate public key – private key pairs• provide the initial seed for the pseudo-random number

generator (PRNG)• provide additional input during pseudo-random number

generation• pseudo-random numbers

• used to generate session keys and IVs

26

Pseudo-random numbers

• based on the ANSI X9.17 PRNG standard

3DES3DES

3DES3DES

3DES3DES

+

+

DTi

Vi

Vi+1

K1, K2

Ri

27

PGP Key Management• rather than relying on certificate authorities in PGP every user is own CA

• can sign keys for users they know directly• forms a “web of trust”

• trust keys have signed• can trust keys others have signed if have a chain of signatures to

them• key ring includes trust indicators• users can also revoke their keys

28

29

The Use of Trust• Key legitimacy field• Signature trust field• Owner trust field

30

Trust management

• owner trust• assigned by the user • possible values:

• unknown user• usually not trusted to sign• usually trusted to sign• always trusted to sign• ultimately trusted (own key, present in private key ring)

31

• signature trust• assigned by the PGP system• if the corresponding public key is already in the public-

key ring, then its owner trust entry is copied into signature trust

• otherwise, signature trust is set to unknown user

32

Trust management• key legitimacy

• computed by the PGP system• if at least one signature trust is ultimate, then the key legitimacy

is 1 (complete) • otherwise, a weighted sum of the signature trust values is

computed• always trusted signatures has a weight of 1/X• usually trusted signatures has a weight of 1/Y• X, Y are user-configurable parameters

33

• example: X=2, Y=4• 1 ultimately trusted, or• 2 always trusted, or • 1 always trusted and 2 usually trusted, or• 4 usually trusted signatures are needed to obtain full legitimacy

34

35

Public-key revocation• why to revoke a public key?

• suspected to be compromised (private key got known by someone)

• re-keying• the owner issues a revocation certificate …

• has a similar format to normal public-key certificates• contains the public key to be revoked• signed with the corresponding private key

• and disseminates it as widely and quickly as possible• if a key is compromised:

• e.g., Bob knows the private key of Alice• Bob can issue a revocation certificate to revoke the public key

of Alice• even better for Alice

36

Recommended Web Sites

• PGP home page: www.pgp.com• MIT distribution site for PGP• S/MIME Charter• S/MIME Central: RSA Inc.’s Web Site

37