
Page 1: 7 Secure Email

Internet Security 1 (IntSi1)
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
ITA, 3.11.2011, 7-SecureEmail.pptx

Page 2: Security Protocols for the OSI Stack

Communication layer and the security protocols operating at that layer:

Application layer: ssh, S/MIME, PGP, Kerberos, WSS
Transport layer: SSL, TLS
Network layer: IPsec
Data Link layer: [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE 802.11i (WPA2)
Physical layer: Quantum Cryptography

Page 3: 7.1 S/MIME

Page 4: MIME – Multipurpose Internet Mail Extensions, RFC 1521 / RFC 1522 (both since superseded by RFC 2045 to RFC 2049)

Example of a multipart message with a text part and a base64-encoded attachment:

From: [email protected]
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=boundary1

--boundary1
Content-Type: text/plain; charset=us-ascii

Dear Neo, please study the attached Word document.

--boundary1
Content-Type: application/msword; name="Matrix.doc"
Content-Transfer-Encoding: base64

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfH 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbTrfv=

--boundary1--

Nothing in a plain MIME message is authenticated or confidential: the headers, the boundaries, the declared type and file name of an attachment and the body itself can all be set by the sender or altered by any intermediary. S/MIME adds signatures and encryption on top of exactly these MIME entities.

Page 5: S/MIME – Signed Message Format I, RFC 1847 / RFC 2311 / PKCS #7

Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary1

--boundary1
Content-Type: text/plain

This is a clear-signed message.

--boundary1
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfH 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbTrfv=

--boundary1--

The first body part, from its Content-Type header up to the line break preceding the second boundary, is the MIME entity to be signed; the second part carries the detached PKCS #7 signature over it, computed with the digest algorithm named in micalg. A client without S/MIME support still displays the first part as ordinary text. RFC 2311 describes S/MIME v2; current mail clients follow RFC 5751/RFC 8551 and use micalg=sha-256, since SHA-1 is no longer considered collision resistant.

Page 6: S/MIME – Signed Message comprising Multiple Attachments

Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary1

--boundary1
Content-Type: multipart/mixed; boundary=boundary2

... multipart message with various MIME-types ...

--boundary1
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfH 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbTrfv=

--boundary1--

The signed MIME entity is here the whole inner multipart/mixed entity (boundary2) including its headers, so one signature covers the text and all attachments.

Page 7: PKCS #7 – Public Key Cryptography Standard, Cryptographic Message Syntax Standard

ASN.1 structure for the SignedData content type:
  version
  digestAlgorithms
  contentInfo                 (empty in the detached format of page 5: the content is carried in a separate MIME entity)
  certificates                (OPTIONAL)
  crls                        (OPTIONAL)
  signerInfos                 (SET OF SignerInfo: several signers possible)

ASN.1 structure for the SignerInfo type:
  version
  issuerAndSerialNumber       (identifies the signer's certificate)
  digestAlgorithm
  authenticatedAttributes
  digestEncryptionAlgorithm
  encryptedDigest             (the signature)
  unauthenticatedAttributes

When authenticatedAttributes are present they must contain the content type and the message digest, and the signature in encryptedDigest is computed over their DER encoding rather than over the content directly; without them the signature is computed over the content digest alone.

Page 8: Signed Message with Multiple Signatures

Diagram: one MIME entity (single-part or multi-part) is hashed with digest algorithm #1, #2, ..., #n and each digest is signed with private key #1, #2, ..., #n, giving signature #1, #2, ..., #n. All signatures refer to the same entity and are collected in the signerInfos set of a single SignedData object.

Page 9: Signed Email Message, Microsoft Outlook 2007 (screenshot)

Page 10: S/MIME – Signed Message Format II, RFC 2311 / PKCS #7

Content-Type: application/pkcs7-mime; smime-type=signed-data; name=smime.p7m
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfH 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbTrfv=

• The MIME content is carried within the PKCS #7 SignedData object (opaque signing); the contentInfo field of page 7 is filled.
• This alternative signing format is optionally used by MS Outlook.
• Pro: the MIME content is not prone to changes of the transfer encoding enforced by intermediate mail transfer agents. In the clear-signed format of page 5 any such change to the first body part, even re-wrapping a line, invalidates the signature.
• Contra: in order to read the embedded MIME message, the receiver's mail client must support S/MIME.

Page 11: S/MIME – Configuration Options, Microsoft Outlook 2007 (screenshot)

Page 12: S/MIME – Encrypted Message Format, RFC 2311 / PKCS #7

Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfH 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbTrfv=

ASN.1 structure for the EnvelopedData content type:
  version
  recipientInfos              (several recipients possible: one entry per recipient, each holding the symmetric content key encrypted with that recipient's public key)
  encryptedContentInfo
    contentType
    contentEncryptionAlgorithm
    encryptedContent          (the encrypted MIME entity, single-part or multi-part)

EnvelopedData on its own provides confidentiality only: nothing in it authenticates the sender, which is why signing and encryption are combined (pages 16 and 17).

Page 13: Encrypted Message with Multiple Recipients, Envelope using Symmetric Encryption

Diagram: a random key is generated and the MIME entity (single-part or multi-part) is encrypted once with a symmetric encryption algorithm under that key, giving the encrypted MIME entity. The random key is then encrypted separately with public key #1, #2, ..., #n, giving encrypted key #1, #2, ..., #n, one per recipient. Each recipient recovers the random key with its own private key and decrypts the same ciphertext.

Page 14: Encrypted Email Message, Microsoft Outlook 2007 (screenshot)

Page 15: Signed and Encrypted Email Messages, Mozilla Thunderbird (screenshot)

Page 16: S/MIME – Signed and Encrypted Messages I, Signing before Encryption

Inner object (created first):
Content-Type: application/pkcs7-mime; smime-type=signed-data; ...
signedData SignedData ::= { ... contentInfo }
  contentInfo carries the MIME entity to be signed.

Outer object (the inner signed-data object is the MIME entity to be encrypted):
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; ...
envelopedData EnvelopedData ::= { ... encryptedContentInfo }
  encryptedContentInfo carries the encrypted MIME entity.

• Signature(s) not visible before decryption (Anonymity): an observer or intermediary cannot tell who signed the message.
• Caveat: the signature does not name the recipient. Whoever can decrypt the outer envelope obtains a still valid signed object and can re-encrypt it for a third party, who then sees a message apparently addressed to them (surreptitious forwarding, Davis, "Defective Sign & Encrypt in S/MIME, PGP, ...", USENIX 2001). Including the intended recipient in the signed content closes this gap.

Page 17: S/MIME – Signed and Encrypted Messages II, Encryption before Signing

Inner object (created first):
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; ...
envelopedData EnvelopedData ::= { ... encryptedContentInfo }
  encryptedContentInfo carries the encrypted MIME entity.

Outer object (the inner enveloped-data object is the MIME entity to be signed):
Content-Type: application/pkcs7-mime; smime-type=signed-data; ...
signedData SignedData ::= { ... contentInfo }
  contentInfo carries the MIME entity to be signed.

• Signature(s) can be checked before decryption (Trust): a gateway or the recipient can verify the signer and discard the message without ever decrypting it.
• Caveat: the outer signature proves only that the signer had the ciphertext. Anyone can strip it and sign the same envelope with their own key, appearing as the author of content they cannot read (Davis, USENIX 2001).

Page 18: Signing before Encryption, Microsoft Outlook 2007 (screenshot)

Page 19: S/MIME – Managing Certificates, Mozilla Thunderbird (screenshot)

Page 20: S/MIME – Certificates (own and other people's), Mozilla Thunderbird (screenshot)

Page 21: S/MIME – Certification Authorities, Mozilla Thunderbird (screenshot)

Page 22: S/MIME – Account Settings, Mozilla Thunderbird (screenshot)

Page 23: S/MIME Summary

Diagram with the certificates of Kool CA (its own certificate #0), Antje (certificate #2 issued by Kool CA) and Bodo, labelled Bob in the diagram (certificate #3 issued by Kool CA):

• Sign: Antje signs the message "Dear Bodo, ..." with her private key. Bodo verifies the signature with Antje's public key taken from her certificate #2, and verifies that certificate with the public key of Kool CA (certificate #0).

• Encrypt: Bodo encrypts the message "Dear Antje, ..." with Antje's public key from certificate #2. Antje decrypts it with her private key.