CS 393 – Network Security - isis.poly.eduisis.poly.edu/courses/cs393-s2002/lectures/module-11.pdf · 4/2/02 Module 11 - Secure Email 3 Where do we provide security? üFirewall n

CS 393 – Network Security

Nasir Memon – Polytechnic UniversityModule 11 – Secure Email

4/2/02 Module 11 - Secure Email 2

Course Logistics

n HW 5 due Thursdayn Graded exams returned and discussed.n Read Chapter 5 of text


Where do we provide security?

ü Firewalln Application layer

n S-MIME, PGP, Kerberos etc.

n Transport layern SSL, TSL.

n Network layern IPSEC


Application level security

• We look at examples of application level security mechanisms – secure email. PGP and S/MIME.


Secure Email – Issues

n May seem straight forward – encrypt and/or sign. But problem is richer than that!

n Types of security services that may be required include:n Privacy – May seem simple but problems include

n How to establish keys? n What if single email multiple recipients?

n Include session key encrypted with public key of each recipient.

n What is mailing list?n Same as above but need to trust list maintainer.

n What if Alice’s employer wants to be able to read her email?n Key Escrow


Secure Email Issues – Authentication and Integrity

n Source authentication could be provided byn Public key – message digest and digital signature.

Same if multiple recipientsn Private key – Use (private) key based

cryptographic hash – MAC. n If multiple recipients then first do message digest and

then MAC with different private keys for different recipients

n Message Integrityn Authentication mechanisms serve for integrity as

well. But what if you want to send a ransom note?!!!


Secure Email Issues – Non-Repudiation and Repudiation

n Non-Repudiation – Alice to Bank – “Please transfer a million dollars from my account to Bob’s.”

n Repudiation – President to Henchmen – “Go ahead and sell Arms to Iran to fund the Contras.”

n Non-repudiation based on public key cryptography – easy. Digital Signature.n What if after sending the message, Alice claims

her private key was compromised?!n Undeniable signatures.


Protocol for Non-Repudiable Email –Private Key Version

n Needs Notary N trusted by Bob and Judge.n Alice send message M to N.n N does some computation based on M and Alice’s

name using SN (a random secret generated for this exchange) and produces a “seal” SN(M, Alice).

n Alice sends M and “seal” to Bob.n If later Bob wants to prove to Judge that Alice sent

him M, then he sends to Judge M and “seal”.n Judge sends “seal” to notary who verifies the seal.n Bob could not have produced the seal as he does not

know SN.


Protocol for Repudiable Email –Public Key Versionn Alice picks secret key K which will be used to encrypt message.n Alice encrypts S with Bob’s public key – EBOB[K].n She “signs” EBOB[K] with private key getting SALICE[EBOB[K] ]n She uses K to compute key based cryptographic hash HK[M], of

message M.n She sends SALICE[EBOB[K] ], HK[M], and M to Bob. (M can be

optionally encrypted).n Bob can verify (decrypt) M and be assured that message is from

Alice. n But once he has done that he can modify M to any M’ and

produce HK[M’]! n So all he can prove to a 3rd party is that Alice sent some

message but not what message.


Secure Email – Other Issues.

n Think about how you would provide the following: n Proof of delivery

n ???

n Proof of receiptn What if recipient refuses last packet?!! Send encrypted

message and then get acknowledgement of receipt of this and only then decryption key!!

n Message flow confidentialityn Anonymityn (Last two will be addressed a couple of weeks

later under the title of anonymity and privacy.)


Secure Email Systems

n PGP – Pretty Good Privacy –n Provides confidentiality and authentication serivde

that can be used in email and file storage application.

n Public domain and open source. Uses well known and established crypto primitives like RSA, 3DES, SHA-1, Diffie-Hellman etc.

n Phil Zimmerman – almost sent to jail for writing it.n S/MIME – Secure/Multipurpose Internat Mail

Extension.n Security enhancement of MIME based on

technology from RSA. In RFS 822.


PGP – Services

n Authenticationn SHA-1 for hash. RSA signature

n Confidentialityn CAST, IDEA or 3DES. Diffie Hellman or RSA for

session key exchange.

n Compressionn Zip

n E-mail compatibilityn Radix 64.

n Segmentation


PGP - Authentication

Notation: KRa – Private key of user A. KUa – Public key of user A. H – Hash function. M – Message. Z – Compression. Z-1 – Decompression. || - ConcatenationEP – Public Key encryption. DP – Private key decryption.


PGP - Confidentiality

Notation: KRb – Private key of user B. KUb – Public key of user B. H – Hash function. M – Message. Z – Compression. Z-1 – Decompression. || - ConcatenationEC – Private Key encryption. DC – Private key decryption. EP – Public Key encryption. DP – Private key decryption.Ks – Session key.


PGP - Authentication and Confidentiality

Notation: KRb – Private key of user B. KUb – Public key of user B. H – Hash function. M – Message. Z – Compression. Z-1 – Decompression. || - ConcatenationEC – Private Key encryption. DC – Private key decryption. EP – Public Key encryption. DP – Private key decryption.Ks – Session key.


PGP - Compression

n Zip used.n Signature generated before compression

because:n Would need to store compressed version for later

verification.n Compression algorithm not deterministic. Various

parameter settings produce different forms.

n Encryption done after compression for:n Cryptanalysis is made more difficult as compressed

message has less redundancy.n Encryption output is random which cannot be

compressed.


PGP – Email compatibility

n Many email systems only allow ASCII text.n Encrypted bytes may arbitrary.n PGP performs Radix 64 conversion – three

bytes mapped to 4 printable ASCII bytes.n Message gets expanded by 33%.n Compression more than compensates for

that.


PGP - Segmentation

n Messages larger than a given amount are automatically broken up.

n Headers enable reassembly at other end.n Segmentation done only at end so session

key etc. only appear once.


PGP - Flow


PGP – Session Key Generation

n Uses complex techniques for generating random numbers and pseudo-random numbers for key generation (Read appendix of chapter 5).n The importance of this step cannot be overemphasized.

Scheme can be broken if “random” numbers can be guessed.

n True random numbers generated from monitoring user keystrokes. Time and keystroke information used to generate key which is used to encrypt current true random buffer.

n Pseudorandom numbers generated from using encryption technique in CFB mode.


PGP – Random numbers use

n (True) Random numbers used ton Generate RSA key pairsn Initial seed for pseudorandom number generationn Additional input for pseudorandom number

generation

n Pseudorandom numbers used ton Generate session keysn Generate IV for CFB mode encryption.


PGP - Key Identifiers

n Allows user to have multiple public key/private key pairs.n Why?

n Specific key used for a message identified by assigning key identifier.

n Key identifier is simply 64 lsb’s of key.n In principle you could have two different keys with

same identifier but very very unlikely.


PGP – Message Format


PGP Key Rings


PGP Message Generation


PGP Message Reception


PGP – Assigning Trust to Keys


MIME

n The Simple Mail Transfer Protocol (SMTP) (RFC 822) used to exchange electronic mail across the Internet.

n SMTP conveys the message content as plain ASCII text.

n The Multipurpose Internet Mail Extensions (MIME) (RFC 1521) extends format of SMTP to allow multipart text and binary data message bodies to be exchanged without loss of information.


MIME (Contd)

n MIME extends SMTP by adding 5 new header fields:1. MIME version2. Content-type3. Content transfer encoding4. Content-ID5. Content-description

n 4 and 5 are optional and may be ignored by recipient.


S/MIME Functionality

n Functionality added by S/MIME includesn Enveloped datan Signed datan Clear-signed datan Signed and enveloped datan Signed receiptsn Security labeln Secure mailing lists


S/MIME v3

n The S/MIME v3 standard consists of five parts: n Cryptographic Message Syntax (RFC 2630) n S/MIME Version 3 Message Specification (RFC 2633) n S/MIME Version 3 Certificate Handling (RFC 2632) n Diffie-Hellman Key Agreement Method (RFC 2631) n Certificate Distribution Specification (draft-ietf-

smime-certdist) n Enhanced Security Services for S/MIME (RFC

2634 - set of extensions to allow signed receipts, security labels, and secure mailing lists.


Further Readingn For PGP and S/MIME read chapter 5 of text.n For PGP - The International PGP Home Page at

http://www.pgpi.org/n The PGP Attack FAQ at

http://www.stack.nl/~galactus/remailers/attack-faq.htmln NIST S/MIME page at

http://csrc.nist.gov/pki/smime/welcome.htmn IETF S/MIME page http://www.ietf.org/html.charters/smime-

charter.htmln Freeware S/MIME toolkit at http://www.imc.org/imc-sfl/

Documents

CS 393 – Network Security - isis.poly.eduisis.poly.edu/courses/cs393-s2002/lectures/module-11.pdf · 4/2/02 Module 11 - Secure Email 3 Where do we provide security? üFirewall n