Securing Email Using PGP and Digital Certificates
Putting together cipher, digital signature, and MD5 one-way hashing
Outline
  How email works?
  Signing email
  Securing contents
  PGP -- Pretty Good Privacy and PEM -- Privacy Enhanced Mail
  Public Key Certificates
How does email work?
  Suppose that Alice in Australia wants to send a message to Bob in USA via email
    Alice starts an email program on her computer, and types in Bob’s email address
    Alice composes (writes) the message
    Alice hits a special key to tell the computer that the message is ready to go!
How does email work ? (2)
  Alice’s email system adds a header to the message (including destination, return address, time stamp etc), and sends it to the nearest email gateway (a computer)
  The message is relayed from computer to computer before finally reaching Bob’s computer
A sample message
to: [email protected]
from: [email protected]
subject: hello
date: Mon, 26 Aug 2001 13:23:47
Hi Bob,
I am coming down to states in January.
Alice
header + message
[Figure labels: header, message]
Possible attacks
  spoofing
    a third party may impersonate Alice and send a fake/modified message to Bob
  Eavesdropping
    a party sitting between Alice and Bob may peep at communications between them
  Replay
    a party sitting between Alice and Bob may re-send to Bob an old message from Alice
Preventing spoofing & replay
  Use
    RSA digital signature
    MD5 one-way hash algorithm
What Alice has to do?
  prepares a pair of public and secret keys
    public key: (e_a, n_a)
    secret key: d_a
  registers her public key in a publicly available site and circulates it among friends (and also attaches it to the end of all her email messages).
  composes a message.
What Alice’s computer has to do?
  attaches to the message a header (to:, from:, date:, subject:, etc)
  uses MD5 to hash the pair (message, header) into a 128-bit value
  uses Alice’s secret key d_a to sign (decrypt) the 128-bit value
  sends to the email gateway a triplet (header, message, signature)
header, message, signature
[Figure: header and message go through 1-way hashing by MD5, giving a 128-bit value t; with Alice’s RSA secret key ka the signature is t^(ka) mod na; the output is header, message, signature]
What Bob’s computer has to do?
  finds out Alice’s public key (e_a, n_a)
  verifies (header, message, signature)
  if OK, accepts that it is a message from Alice
  Otherwise, informs Bob that it is NOT a genuine message from Alice
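
An added example, not part of the original slides: the sign and verify steps above in Python, using textbook RSA over an MD5 hash of (header, message). The toy key built from two Mersenne primes, the placeholder addresses, and the replay rule in bob_accepts (a signed date older than max_age, or a signature already seen) are assumptions made for this illustration.

```python
import hashlib
from datetime import datetime, timedelta

# Toy RSA key for Alice built from two known Mersenne primes. Assumption for
# this example only: such a modulus is trivially factorable.
P, Q = 2**127 - 1, 2**107 - 1
N_A, E_A = P * Q, 65537
D_A = pow(E_A, -1, (P - 1) * (Q - 1))            # Alice's secret key d_a

# Constructed sample; the addresses are placeholders.
HEADER = ("to: bob@example.test\nfrom: alice@example.test\n"
          "subject: hello\ndate: Mon, 26 Feb 1996 13:23:47")
MESSAGE = "Hi Bob,\nMeet in January at home ?\nAlice"

def md5_int(header, message):
    """Hash the pair (message, header) into the 128-bit value t."""
    data = header.encode() + b"\n\n" + message.encode()
    return int.from_bytes(hashlib.md5(data).digest(), "big")

def sign(header, message, d, n):
    return pow(md5_int(header, message), d, n)   # t^d mod n

def verify(header, message, signature, e, n):
    return pow(signature, e, n) == md5_int(header, message)

def signed_date(header):
    for line in header.splitlines():
        if line.lower().startswith("date:"):
            return datetime.strptime(line[5:].strip(), "%a, %d %b %Y %H:%M:%S")
    raise ValueError("header has no date: field")

def bob_accepts(header, message, signature, now, seen, max_age=timedelta(days=2)):
    """Bob's side: check the signature first, then freshness of the signed date."""
    if not verify(header, message, signature, E_A, N_A):
        return "reject: not a genuine message from Alice"
    if signature in seen or now - signed_date(header) > max_age:
        return "reject: replayed message"
    seen.add(signature)
    return "accept"

def demo():
    sig = sign(HEADER, MESSAGE, D_A, N_A)
    now, later, seen = datetime(1996, 2, 26, 14), datetime(1996, 3, 4, 14), set()
    redated = HEADER.replace("26 Feb", "04 Mar")  # old message with the date rewritten
    return [
        bob_accepts(HEADER, MESSAGE, sig, now, seen),                            # original
        bob_accepts(HEADER, MESSAGE.replace("January", "June"), sig, now, seen), # modified
        bob_accepts(HEADER, MESSAGE, sig, now, seen),                            # same copy again
        bob_accepts(HEADER, MESSAGE, sig, later, set()),                         # a week later
        bob_accepts(redated, MESSAGE, sig, later, set()),                        # re-dated copy
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the date is part of the signed header, an old message cannot be given a fresh date without invalidating the signature.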
Check
  how does the previous scheme prevent spoofing and replaying ?
  does Bob have to have his public and secret keys ? why ?
Preventing peeping
  the basic idea is to encrypt each message by the use of hybrid RSA and IDEA
    IDEA is a private key cipher
      key: 128 bits, plain/ciphertext: 64 bits
  an extra requirement: Bob should
    publish his public key (e_b, n_b)
    keep his secret key d_b in a safe place
Alice’s computer
  As before, uses Alice’s secret key d_a to sign a message and gets a triplet (header, message, signature)
  picks a random 128-bit IDEA key k
  encrypts (message, signature) using IDEA under the key k
  finds out Bob’s public key (e_b, n_b)
  encrypts k using (e_b, n_b)
Message format
[Figure: message and signature are encrypted by IDEA (E_IDEA) under the IDEA key k; the IDEA key k is encrypted as k^(eb) mod nb with Bob’s RSA public key (eb, nb); the header is sent alongside]
Message sent by Alice
  Alice’s computer sends to Bob’s computer four (4) parts
    header, un-encrypted
    message, encrypted using IDEA under k
    signature, encrypted using IDEA under k
    IDEA key k, encrypted using Bob’s RSA public key (e_b, n_b)
header + message
to: [email protected]
from: [email protected]
subject: hello
date: Mon, 26 Feb 1996 13:23:47
Hi Bob,
Meet in January at home ?
Alice
header + message + signature
to: [email protected]
from: [email protected]
subject: hello
date: Mon, 26 Feb 1996 13:23:47
-----BEGIN PGP SIGNED MESSAGE-----
Hi Bob,
Meet in January at home ?
Alice
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQBVAwUBMT5dAjFqX5nL8leRAQGKoAH+LKirz3rVncjQ7xYZ+q/noL9MJGVmeuDzF0FjDtE2NgZoLQh7H6tlK3HzvMLCMK1a53xbMfPEBdYq/hvF7B3/xQ==
=FuR2
-----END PGP SIGNATURE-----
header + encrypted (message + signature)
to: [email protected]
from: [email protected]
subject: hello
date: Mon, 26 Feb 1996 13:23:47
-----BEGIN PGP MESSAGE-----
Version: 2.6.3i
hEwDe3NF6ydtp0kBAf9pUR0Yf71cGBSEIYYviDZwWSEQdZdeP8ulMZofaChxQnEE
T+1Z7m1GzT/qwfrW7edYEHb1U/Jk5PuGyO56JlYipgAAAJ1H4ubdEeEAcIafD+IO
hFvHt7qiIq+OIzR3NDxlXtxp5IIBKjQqXLJduuFkTUlq0G3v1QTaR/K7IcEMGBEH
ZVxye3qsRvDN7TGgl+PIxNS7gC6rgqZpJ5M0dXdAsG1L+3GO8FFYvPPfUOjmstTn
+O5BXMYPbYkPE2fBTZ/COGxRIe09bULPwW6hnnr6It5GFB0Id/XZVcznzAql0tjO
=6pZH
-----END PGP MESSAGE-----
Bob’s computer
  When receiving the parts from Alice, Bob’s computer
    uses Bob’s secret key d_b to decrypt the 4th part and extract IDEA key k
    uses k and IDEA to decrypt the 2nd & 3rd parts
    uses Alice’s public key (e_a, n_a) to check Alice’s signature on the 1st & 2nd parts
    if OK, accepts it as a genuine message from Alice
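
An added example, not part of the original slides: the hybrid exchange above end to end in Python. Assumptions for this illustration: toy RSA keys built from Mersenne primes, unpadded RSA for wrapping k, a SHA-256 keystream XOR standing in for IDEA (which the Python standard library does not provide), and message and signature sealed together as one block.

```python
import hashlib
import secrets

E = 65537

def toy_key(p, q):
    """Toy RSA key (n, d) from two known Mersenne primes; illustration only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

N_A, D_A = toy_key(2**127 - 1, 2**107 - 1)   # Alice: (e_a, n_a) public, d_a secret
N_B, D_B = toy_key(2**89 - 1, 2**61 - 1)     # Bob:   (e_b, n_b) public, d_b secret

def md5_int(header, message):
    data = header.encode() + b"\n\n" + message.encode()
    return int.from_bytes(hashlib.md5(data).digest(), "big")

def stream_xor(k, data):
    """Stand-in for IDEA: XOR with a SHA-256 keystream derived from k."""
    pad = b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def alice_send(header, message):
    sig = pow(md5_int(header, message), D_A, N_A)         # sign first
    k = secrets.token_bytes(16)                           # random 128-bit key k
    sealed = stream_xor(k, sig.to_bytes(32, "big") + message.encode())
    wrapped_k = pow(int.from_bytes(k, "big"), E, N_B)     # k^(e_b) mod n_b
    return header, sealed, wrapped_k                      # header stays un-encrypted

def bob_receive(header, sealed, wrapped_k):
    k_int = pow(wrapped_k, D_B, N_B)                      # recover k with d_b
    if k_int >> 128:
        return None                                       # not a 128-bit key
    plain = stream_xor(k_int.to_bytes(16, "big"), sealed)
    sig = int.from_bytes(plain[:32], "big")
    message = plain[32:].decode(errors="replace")
    if pow(sig, E, N_A) != md5_int(header, message):
        return None                                       # signature check failed
    return message

def demo():
    header = "to: bob@example.test\nfrom: alice@example.test"   # constructed sample
    message = "Hi Bob,\nMeet in January at home ?\nAlice"
    hdr, sealed, wrapped_k = alice_send(header, message)
    flipped = bytearray(sealed)
    flipped[40] ^= 1                                      # one bit changed in transit
    return (bob_receive(hdr, sealed, wrapped_k),
            bob_receive(hdr, bytes(flipped), wrapped_k),
            bob_receive(hdr.replace("alice", "marvin"), sealed, wrapped_k))
```

demo() returns the recovered message for the untouched parts and None for both the altered ciphertext and the altered header, since the signature covers the 1st and 2nd parts.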
Check by yourself
  explain how
    spoofing
    eavesdropping
    replay
  are prevented
  why the 1st part (the header) is NOT encrypted ?
Signature-and-encryption or encryption-and-signature
  2 alternative approaches to achieving authenticity and confidentiality
  Signature-and-encryption
    Signing the message first, followed by “sealing” the message-signature pair
  Encryption-and-signature
    “scrambling” the message first, followed by signing the ciphertext
Signature-and-encryption or encryption-and-signature (2)
[Figure: two panels, “Signature-and-encryption” and “encryption-and-signature”, each showing a message and a signature; label: Bob’s signature]
A potential spoofing attack against encryption-then-signature
[Figure: parties Bob, Bill and Cathy; “Happy birthday !” shown once with Bob’s signature and once with Bill’s signature; reply “Thank you Bill !”]
The importance of order
  Use “signature followed by encryption” in your applications !
Reminder: Marvin’s “Public Key Faking” Attack
  Instead of just eavesdropping, Marvin can try a more active attack!
  Outline of the New Attack:
    Marvin generates an RSA key pair
      Public key = Kpub_* = (N_*, e_*)
      Secret key = Ksec_* = d_*
    Marvin sends the following email to Alice, pretending to be Bob:
      Hi Alice,
      Please use my new public key from now on to encrypt messages to me. My new public key is Kpub_*.
      Yours sincerely, Bob.
    Marvin decrypts any messages Alice sends to Bob (encrypted with Kpub_*), using Ksec_*.
Preventing Marvin’s Attack (1)
  Marvin’s Attack illustrates that:
    In the context of Public Key Encryption, Alice must make sure she is not using a “fake public key” produced by Marvin (like Kpub_*) to encrypt messages to Bob
    In the context of Digital Signatures, Alice must make sure she is not using a “fake public key” produced by Marvin to verify digital signatures on documents claimed to be produced by Bob.
Preventing Marvin’s Attack (2)
  When Alice obtains Bob’s public key from some source, she is really receiving a document C containing a statement of the form “Bob’s public key is X”.
  To prevent Marvin’s attack, Alice wants to check the integrity of the document C before she believes the statement it contains.
  This is commonly done using a “Public Key Certification” system in conjunction with a digital signature scheme - This system is described in the following slides.
Public Key Certification System (1)
  A Public Key Certification System requires the establishment of (at least one) Trusted Certification Authority (CA).
  The CA is an organization known to all users and trusted by the users to:
    Issue Certificates by following properly the procedure described in following slide
    Guard its secret digital signature key SK_CA very well!
  All users obtain the CA’s public digital signature key PK_CA directly from the CA.
Issuing Digital Certificates (1)
  The CA issues Digital Certificates to users as follows:
    A user Bob generates a key pair (Kpub, Ksec).
    Bob goes (ideally physically) to the CA, gives his public key Kpub, and declares “I’m Bob Smith, and Kpub is my public key!”
    The CA asks Bob to present strong proof of identity (eg Passport, driver’s licence), to ensure that CA is really talking to Bob Smith (and not Marvin, for example).
    If CA is convinced it is really talking to Bob Smith, the CA produces a digital certificate for Bob (see next slide for detailed content).
Issuing Digital Certificates (2)
  The Digital Certificate C_Bob given to Bob by CA consists of essentially FIVE parts:
    Part A. Bob’s unique identification information (eg Full name, address, etc)
    Part B. Bob’s public key, Kpub
    Part C. A unique certificate serial no.
    Part D. Issue time, Expiry time, and any other conditions of use.
    Part E. The CA’s digital signature on the document consisting of Parts (A,B,C,D).
  So C_Bob = (A,B,C,D,E).
Using Digital Certificates (1)
  Bob distributes his digital certificate C_Bob.
  Note that:
    The certificate C_Bob is NOT secret
    Bob CANNOT use the certificate C_Bob by itself as a proof of identity (since anyone can get a copy of it).
  When Alice needs Bob’s public key (eg to encrypt a message to Bob, or to verify Bob’s signature on a document) she obtains Bob’s digital certificate C_Bob (eg from Bob’s web server).
Using Digital Certificates (2)
  From Part B of the certificate C_Bob, Alice extracts Bob’s public key PK_Bob.
  But before using PK_Bob, Alice verifies that the certificate C_Bob is a valid certificate for Bob - This means that Alice verifies that:
    1. C_Bob contains (in part E) a valid signature by CA on the rest of the certificate (parts A,B,C,D).
    2. Part A of C_Bob contains Bob’s correct (unique) identification details (name, address,…).
    3. All the conditions stated in part D of the certificate C_Bob are valid (eg certificate has not expired yet).
  Alice rejects C_Bob if it fails the test above!
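
An added example, not part of the original slides: the five-part certificate and Alice's three checks in Python, run against a genuine certificate, one Marvin signed himself, and a genuine one with Part B swapped. Assumptions for this illustration: toy RSA keys built from Mersenne primes, MD5 as the hash (as in the signature scheme earlier in the slides), string stand-ins for the public keys, and a constructed identity, serial number and validity period.

```python
import hashlib
from datetime import datetime

E = 65537

def toy_key(p, q):
    """Toy RSA key (n, d) from two known Mersenne primes; illustration only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

N_CA, SK_CA = toy_key(2**127 - 1, 2**89 - 1)           # CA's key; PK_CA = (N_CA, E)
N_MARVIN, SK_MARVIN = toy_key(2**107 - 1, 2**89 - 1)   # Marvin's own key pair

def digest(cert):
    """MD5 over Parts A-D, each length-prefixed so fields cannot run together."""
    h = hashlib.md5()
    for part in (cert["A"], cert["B"], cert["C"], *cert["D"]):
        raw = str(part).encode()
        h.update(len(raw).to_bytes(4, "big") + raw)
    return int.from_bytes(h.digest(), "big")

def issue(identity, kpub, serial, issued, expires, signer_sk, signer_n):
    cert = {"A": identity, "B": kpub, "C": serial, "D": (issued, expires)}
    cert["E"] = pow(digest(cert), signer_sk, signer_n)  # signature on (A,B,C,D)
    return cert

def validate(cert, expected_identity, now):
    """Alice's three checks, made with the PK_CA she obtained directly from the CA."""
    if pow(cert["E"], E, N_CA) != digest(cert):
        return "reject: no valid CA signature on parts A-D"
    if cert["A"] != expected_identity:
        return "reject: Part A is not Bob's identification"
    issued, expires = cert["D"]
    if not issued <= now <= expires:
        return "reject: Part D conditions not met"
    return "accept"

def demo():
    bob = "Bob Smith, 1 Sample Street"                  # constructed identity
    span = (datetime(1996, 1, 1), datetime(1997, 1, 1))
    now = datetime(1996, 2, 26)
    genuine = issue(bob, "Kpub", 1001, *span, SK_CA, N_CA)
    forged = issue(bob, "Kpub_*", 1001, *span, SK_MARVIN, N_MARVIN)
    edited = dict(genuine, B="Kpub_*")                  # Part B swapped in a real cert
    return [validate(genuine, bob, now),
            validate(forged, bob, now),
            validate(edited, bob, now),
            validate(genuine, bob, datetime(1998, 1, 1)),
            validate(genuine, "Bob Jones, 1 Sample Street", now)]

if __name__ == "__main__":
    print("\n".join(demo()))
```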