Post on 21-Dec-2015


E-mail Security

• Introduction to E-mail
• Privacy Enhanced Mail (PEM)
• The Certification System
• Pretty Good Privacy (PGP)
• Secure Multipurpose Internet Mail Extensions (S/MIME)

Introduction to E-mail

• E-mail is one of the most popular Internet applications
• Asynchronous (=> no session => no handshaking)
• Fast
• Easy to distribute
• Inexpensive
• Modern e-mail messages can include hyperlinks, HTML formatted text, images, sound, and even video
• Accessible from any host connected to the Internet

A Typical E-mail Journey

1. Starts its journey in the sender’s user agent
2. Travels to the sender’s mail server
3. Then travels to the recipient’s mail server
4. Deposited in the recipient’s mailbox
5. The recipient wants to access the messages in his mailbox
6. The mail server containing his mailbox authenticates him (with user name and password)
7. Then sends the message to the recipient’s user agent

Existing E-Mail System

[Figure: the existing e-mail system. Labels: originator at a multiuser host (editor, user agent, mail transfer agent (SMTP)); intermediate relay point (mail transfer agent, SMTP relay); recipient’s mailbox host (mail transfer agent (SMTP)); recipient at a workstation (user agent). Links: SMTP (RFC 821), SMTP (RFC 821), retrieval (e.g. POP3).]

The Simple Mail Transfer Protocol (SMTP)

• Defined in RFC 821 (dates back to 1982)
• The principal application-layer protocol for Internet electronic mail
• Uses the reliable data transfer service of TCP at port 25
• Possesses certain “archaic” characteristics (such as the 7-bit ASCII restriction)

Example of SMTP

• A client C, whose host name is crepes.fr
• A server S, whose host name is hamburger.edu

S: 220 hamburger.edu
C: HELO crepes.fr
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: <[email protected]>
S: 250 [email protected]… Sender ok
C: RCPT TO: <[email protected]>
S: 250 [email protected]… Recipient ok
C: DATA
S: 354 Enter mail, end with “.” on a line by itself
C: Do you like ketchup?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 hamburger.edu closing connection

Header Format

• Defined in RFC 822
• Headers containing peripheral information precede the body of the message itself
• Specifies the exact format for mail header lines as well as their semantic interpretations
• After the message header, a blank line follows, then the message body in ASCII
• The message terminates with a line containing only a period

Example of an E-mail Message

From: [email protected]
To: [email protected]
Subject: Mail header format

Message body (in ASCII)
.

Multipurpose Internet Mail Extensions (MIME)

• RFC 822 is not rich enough for multimedia messages
• Additional headers are included in the message, which are defined in RFC 2045/2046
• This topic will be addressed later in the S/MIME section

The Security Issue (1)

• The initial specification of Internet e-mail did not address security issues
• In particular, security mechanisms to provide data confidentiality, authenticity, integrity and non-repudiation were missing
• E-mail service is asynchronous
• All the regular security protocols (such as IPSEC, SSL, etc.) are synchronous
• PEM, S/MIME and PGP come to help
• Each message is a one-time independent event with its own one-time symmetric key

The Security Issue (2)

• Why not simply use the regular synchronous security protocols to protect the message while en route between intermediate stations?
• Security services should be added between the two end users (no exposure in the middle)
• The secure services were built on an existing mail system (SMTP mail servers)

Privacy Enhanced Mail (PEM) Introduction

• The primary goal of PEM is to add security services for e-mail users in the Internet community
• Began in 1985 as an activity of the Privacy and Security Research Group (PSRG)
• Defined in RFCs 1421/1422/1423/1424
• Consists of extensions to existing message processing software plus a key management infrastructure

PEM Security Services

1. Integrity, which assures a message recipient that the message has not been modified en route.
2. Authenticity, which assures a message recipient that a message was sent by the indicated originator.
3. Non-repudiation, which allows a message to be forwarded to a third party, who can verify the identity of the originator.
4. Confidentiality (optional), which assures a message originator that the message text will be disclosed only to the designated recipients.

PEM Overview

• Compatible with RFC 822 message processing conventions
• Transparent to SMTP mail relays
• Uses symmetric cryptography to provide (optional) encryption of messages
• The RFCs strongly recommend the use of asymmetric cryptography (for digital signatures, certificates and encryption of the symmetric key) because of its ability to support a vast distributed community of users

PEM Overview (contd.)

• The use of X.509 certificates is the base for public key management in PEM
• This certification hierarchy supports universal authentication of PEM users
• PEM can be used in a wider range of messaging environments (other than RFC 822 and SMTP)

Integration Of PEM Into Existing Mail System

[Figure: the existing e-mail system with PEM added. Labels as in the earlier figure: originator at a multiuser host (editor, user agent, mail transfer agent (SMTP)); intermediate relay point (mail transfer agent, SMTP relay); recipient’s mailbox host (mail transfer agent (SMTP)); recipient at a workstation (user agent); links SMTP (RFC 821), SMTP (RFC 821), retrieval (e.g. POP3). Added components: PEM filter, PEM module.]

PEM Message Submission: Message Processing

[Figure: layout of a submitted PEM message and the user input each part is built from.]

Message layout:
• Enclosing header: RFC 822 header fields
• Encapsulated message:
  - Begin privacy enhanced message
  - Encapsulated header: contains authentication, integrity, and (optional) encryption control fields and related information
  - Blank line
  - Encapsulated text: (encrypted) user message text and optional replicated header fields
  - End privacy enhanced message

User input:
• User provides recipient address and other data (e.g. “Subject”) for enclosing header
• User provides address information needed to perform encryption
• Plaintext of user message requiring privacy enhancement

Encapsulated message: all data between the privacy enhanced message boundaries is represented here, and may be interspersed with unprotected plaintext

PEM Message Processing

[Figure: processing pipeline]

Plaintext message
=> Step 1: “SMTP” canonicalization
=> Step 2: MIC calculation and (optional) encryption
=> Step 3: 6-bit encoding and line length limiting
=> Processed message

PEM Message Processing – Step 1

• Uses the canonicalization specified by SMTP to ensure a uniform presentation syntax among a heterogeneous collection of computer systems.
• The shortcoming is that it restricts the input to 7-bit ASCII.
• The reason is that Internet e-mail imposes the same restrictions.

PEM Message Processing – Step 2

• A MIC is calculated over the canonicalized message to permit uniform verification in heterogeneous environments.
• The canonical (padded as required) message text is then (optionally) encrypted using a per-message symmetric key.
• The encryption action is performed only if the message is of type ENCRYPTED.

PEM Message Processing – Step 3

• Renders an ENCRYPTED or MIC-ONLY message into a printable form suitable for transmission via SMTP.
• This encoding step transforms the (optionally encrypted) message text into a restricted 6-bit alphabet.
• MIC-CLEAR messages are not subject to any portion of the third processing step.

PEM Message Types

• ENCRYPTED is a signed, encrypted and encoded (in step 3) message.
• MIC-ONLY is a signed, but not encrypted, encoded message.
• MIC-CLEAR is a signed, but not encrypted, message that is not encoded. It exists specifically so that a message can be sent to a mixed set of recipients, some of whom use PEM and some of whom do not.
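The three processing steps for the two signed-only message types, as an added example that is not part of the original slides. It computes only the MD5 hash underlying the RSA-MD5 MIC (the RSA signature and the ENCRYPTED type are left out); the function names are hypothetical and the 64-character line width is taken from RFC 1421, not from the slides.

```python
import base64
import hashlib

def canonicalize(text):
    """Step 1: SMTP canonical form, 7-bit ASCII with every line ending in CRLF."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty piece after a trailing newline
    # encode() raises UnicodeEncodeError for input outside 7-bit ASCII
    return "".join(line + "\r\n" for line in lines).encode("ascii")

def mic_hash(canonical):
    """Step 2, hash part only: MD5 over the canonical form (RSA signing omitted)."""
    return hashlib.md5(canonical).hexdigest()

def printable_encode(data, width=64):
    """Step 3: 6-bit (base64) alphabet, split into lines of at most `width` characters."""
    encoded = base64.b64encode(data).decode("ascii")
    return [encoded[i:i + width] for i in range(0, len(encoded), width)]

def process(text, proc_type):
    """Return (MIC hash, body lines as transmitted) for a signed-only message."""
    canonical = canonicalize(text)
    if proc_type == "MIC-ONLY":
        body = printable_encode(canonical)                    # encoded, not encrypted
    elif proc_type == "MIC-CLEAR":
        body = canonical.decode("ascii").split("\r\n")[:-1]   # step 3 is skipped
    else:
        raise ValueError("only MIC-ONLY and MIC-CLEAR are handled here")
    return mic_hash(canonical), body

# Constructed sample: the same text as stored with Unix and with DOS line endings.
UNIX_TEXT = "Do you like ketchup?\nI prefer mustard on my hamburger, with a little pepper.\n"
DOS_TEXT = UNIX_TEXT.replace("\n", "\r\n")

if __name__ == "__main__":
    for name, text in (("unix", UNIX_TEXT), ("dos", DOS_TEXT)):
        print(name, *process(text, "MIC-ONLY"))
    print(process(UNIX_TEXT, "MIC-CLEAR")[1])
```

Both inputs give the same hash because the MIC is computed after canonicalization, which is what lets a recipient on a different platform verify it.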

PEM Message Submission: Header Construction (1)

From: [email protected]
To: [email protected]
Subject: Encrypted PEM message

------------BEGIN PRIVACY-ENHANCED MESSAGE--------
Proc-Type: 4, ENCRYPTED
Content-Domain: RFC822
DEK-Info: DES-CBC, BGFA799HTS347KGKL0
Originator-Certificate:
3yhtrwhhj57jw5jw6w7u6juj6uu45yjj5645w4y4y5yqy
Issuer-Certificate:
Eth46u5kw57kwuw3jwjw465iw6uw57uw6u4q6jj6646

Field annotations:
• From / To / Subject: standard RFC 822 header
• Proc-Type: version & type
• Content-Domain: conforms to
• DEK-Info: message encryption parameters (for example, IV)
• Originator-Certificate: originator certificate
• Issuer-Certificate: issuer certificate

PEM Message Submission: Header Construction (2)

MIC-Info: RSA-MD5, RSA,
Sdhdsh453hwe5yyh5ywjuhs5yahhaehjue78iok67k
Recipient-ID-Asymmetric:
Agw56ywjq45y2jqhj4yuq4hjq4yq3yy3yewghew5y3
Key-Info: RSA,
Adshw45w5j7w57j5u46yu5yq46ju46juqyuq4u5y35hj

Dfghj56er656uw6u64uu45yw46u5wjwu5i56u57i5wuiw5u
W46uw56uueueri5u6w56uw46u5wu56uw56u56u5
------------END PRIVACY-ENHANCED MESSAGE------

Field annotations:
• MIC-Info: MIC & digital signature algorithms, followed by the digital signature
• Recipient-ID-Asymmetric: recipient’s ID
• Key-Info: public key algorithm, followed by the encrypted message key
• Blank line
• Encrypted message

PEM Message Delivery Processing (1)

• Recipient receives a PEM message
• Scans the PEM header for the version and the type (ENCRYPTED, MIC-ONLY, MIC-CLEAR)
• If ENCRYPTED or MIC-ONLY then decode the 6-bit encoding back to ciphertext or canonical plaintext form
• If ENCRYPTED then decrypt the symmetric message key using the private component of his public key pair and decrypt the message using the symmetric message key

PEM Message Delivery Processing (2)

• Validate the public key of the sender by validating a chain of certificates
• Validate the digital signature using the public component of the public key of the sender
• The canonical form is translated into the local representation and presented to the recipient
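The header scan that starts delivery processing, as an added example that is not part of the original slides: it parses the encapsulated header (including folded continuation lines) and maps the Proc-Type to the steps listed above. The sample message, its placeholder values and the function names are constructed for this sketch, and no decoding or cryptography is performed.

```python
import re

BEGIN_RE = re.compile(r"^-+BEGIN PRIVACY-ENHANCED MESSAGE-+$")
END_RE = re.compile(r"^-+END PRIVACY-ENHANCED MESSAGE-+$")

# Constructed sample message; field values are placeholders, not real key material.
SAMPLE = """\
From: sender@example.org
Subject: Encrypted PEM message

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,ENCRYPTED
Content-Domain: RFC822
DEK-Info: DES-CBC,0123456789ABCDEF
MIC-Info: RSA-MD5,RSA,
 PLACEHOLDERSIGNATURE
Key-Info: RSA,
 PLACEHOLDERMESSAGEKEY

PLACEHOLDERCIPHERTEXT
-----END PRIVACY-ENHANCED MESSAGE-----
"""

def parse_encapsulated(message):
    """Return (header fields as [name, value] pairs, encapsulated text lines)."""
    lines = message.splitlines()
    start = next((i for i, l in enumerate(lines) if BEGIN_RE.match(l)), None)
    end = next((i for i, l in enumerate(lines) if END_RE.match(l)), None)
    if start is None or end is None or end < start:
        raise ValueError("no complete privacy-enhanced message found")
    fields, i = [], start + 1
    while i < end and lines[i].strip():          # header ends at the blank line
        if lines[i][0] in " \t" and fields:      # folded continuation line
            fields[-1][1] += lines[i].strip()
        else:
            name, sep, value = lines[i].partition(":")
            if not sep:
                raise ValueError("malformed header line: %r" % lines[i])
            fields.append([name.strip(), value.strip()])
        i += 1
    return fields, lines[i + 1:end]

def delivery_steps(fields):
    """Map the Proc-Type to the delivery processing steps listed on the slides."""
    header = dict(fields)
    ptype = header.get("Proc-Type", "").partition(",")[2].strip()
    if ptype not in ("ENCRYPTED", "MIC-ONLY", "MIC-CLEAR"):
        raise ValueError("unknown or missing Proc-Type")
    if "MIC-Info" not in header:
        raise ValueError("signed message without MIC-Info")
    steps = []
    if ptype in ("ENCRYPTED", "MIC-ONLY"):
        steps.append("decode 6-bit encoding")
    if ptype == "ENCRYPTED":
        if "DEK-Info" not in header or "Key-Info" not in header:
            raise ValueError("ENCRYPTED message without DEK-Info/Key-Info")
        steps += ["decrypt message key with recipient private key",
                  "decrypt text with message key"]
    steps += ["validate sender certificate chain", "verify signature over MIC",
              "convert canonical form to local representation"]
    return steps

if __name__ == "__main__":
    print(delivery_steps(parse_encapsulated(SAMPLE)[0]))
```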

The Certification System

• A public key X.509 certificate is a digitally signed data structure used to securely bind a public key to a name and to specify who vouches for the binding
• The signature on the certificate is applied by the issuer using the private component of his public key pair and is appended after the certificate fields
• One validates a certificate by computing the one-way hash function over the certificate, using the public key of the issuer to decrypt the value in the appended signature, and comparing the two resulting values

X.509 Certificate

Certificate ::= SIGNED SEQUENCE {
    version [0] Version DEFAULT v1988,
    serialNumber CertificateSerialNumber,       -- uniquely identifies this certificate
    signature AlgorithmIdentifier,              -- digital signature & hash function algorithm & parameters
    issuer Name,                                -- issuer ID
    validity Validity,                          -- start & end valid times
    subject Name,                               -- subject name
    subjectPublicKeyInfo SubjectPublicKeyInfo } -- public key of the subject, algorithm ID & parameters

The Internet Certification System (1)

• The user needs to possess the public key of the issuer of the certificate in order to validate the certificate
• The issuer will also have a certificate, and thus the process of certificate validation is recursive and implicitly defines a directed certification graph
• X.509 defines a Certification Authority (CA) as “an authority trusted by one or more users to create and assign certificates”

The Internet Certification System (2)

• Different CAs can issue certificates under different policies, for example, varying degrees of assurance in vouching for certificates
• The root of the certification graph is the Internet PCA Registration Authority (IPRA)
• The IPRA is a reference point from which all certificates can be validated
• The IPRA issues certificates to a second layer of entities called Policy Certification Authorities (PCA), which, in turn, issue certificates to CAs
• CAs can issue certificates to (subordinate) CAs or directly to users
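The recursive validation described above, walked from a user certificate up to the IPRA, as an added example that is not part of the original slides. It uses textbook RSA with small constructed toy keys and SHA-256 as the one-way hash; the dictionary certificate layout, the entity names and all function names are assumptions of this sketch, not the X.509 encoding.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Textbook RSA key from two primes (toy sizes, illustration only)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def cert_hash(cert, n):
    """One-way hash over the certificate fields, reduced to fit the modulus."""
    fields = "|".join([cert["issuer"], cert["subject"], str(cert["subject_n"])])
    return int.from_bytes(hashlib.sha256(fields.encode()).digest(), "big") % n

def issue(issuer, issuer_key, subject, subject_n):
    """Issuer signs the binding of subject name to subject public key."""
    cert = {"issuer": issuer, "subject": subject, "subject_n": subject_n}
    cert["signature"] = pow(cert_hash(cert, issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return cert

def signature_ok(cert, issuer_n):
    """Recompute the hash and compare it with the value recovered from the signature."""
    return pow(cert["signature"], E, issuer_n) == cert_hash(cert, issuer_n)

def validate_chain(cert, store, root_name, root_n, max_depth=8):
    """Walk issuer links up to the trusted root; return the path or None."""
    path = [cert["subject"]]
    for _ in range(max_depth):
        at_root = cert["issuer"] == root_name
        issuer_cert = None if at_root else store.get(cert["issuer"])
        if not at_root and issuer_cert is None:
            return None                      # issuer certificate not available
        issuer_n = root_n if at_root else issuer_cert["subject_n"]
        if not signature_ok(cert, issuer_n):
            return None                      # signature does not match the fields
        path.append(cert["issuer"])
        if at_root:
            return path
        cert = issuer_cert
    return None                              # chain too long or looping

def build_demo():
    """Constructed hierarchy: IPRA -> PCA -> CA -> user (names are placeholders)."""
    m = lambda k: 2 ** k - 1                 # Mersenne primes used as toy factors
    ipra, pca, ca = make_key(m(61), m(89)), make_key(m(89), m(107)), make_key(m(107), m(127))
    user_n = m(61) * m(127)
    store = {"PCA": issue("IPRA", ipra, "PCA", pca["n"]),
             "CA": issue("PCA", pca, "CA", ca["n"])}
    return issue("CA", ca, "user", user_n), store, ipra["n"]

if __name__ == "__main__":
    user_cert, store, root_n = build_demo()
    print(validate_chain(user_cert, store, "IPRA", root_n))
    forged = dict(user_cert, subject_n=user_cert["subject_n"] + 2)
    print(validate_chain(forged, store, "IPRA", root_n))
```

The only key the validator holds in advance is the IPRA public key; every other public key is taken from a certificate that has itself been checked one level up.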

Example of a Typical Internet Certification Hierarchy

[Figure: certification hierarchy tree. Labels by level, top to bottom: IPRA; High assurance, Residential, Mid-level assurance, Persona; BBN, Louisiana, New York, MIT, HUJI, Persona; BBNCD, New Orleans, LCS and users; users.]

PEM Summary

• PEM represents a major effort to provide security for an application that touches a vast number of users within the Internet and beyond
• PEM was designed to have backward compatibility with the existing mail system
• PEM depends on a successful establishment of the certification hierarchy that underlies asymmetric key management
• Problem: PEM does not support security services for multimedia files (MIME)

Next: Pretty Good Privacy