Securing Email

2

Outline

Electronic mail protocols Electronic mail content security

PGP -- Pretty Good Privacy PEM -- Privacy Enhanced Mail S/MIME

3

Structure of email servers Usually the sender does not directly talk

to the receiver Dedicated mail server (in x.400 structure,

it is called message transfer agents: MTA) The source and destination are called

mail user agents (MUA) The email could go through several MTAs

4

Advantages of multiple store-and-forward MTAs Adaptable to temporary network

partitions Easy to form chain of trust Easy to implement traffic control within a

company Easy to connect partitions of networks

using different protocols

Electronic Mail

Three major components: user agents mail servers simple mail transfer

protocol: SMTP

User Agent a.k.a. “mail reader” composing, editing, reading

mail messages e.g., Eudora, Outlook, elm,

pine, Netscape Messenger outgoing, incoming

messages stored on server

user mailbox

outgoing message queue

mailserver

useragent

useragent

useragent

mailserver

useragent

useragent

mailserver

useragent

SMTP

SMTP

SMTP

6

Electronic Mail: mail servers

Mail Servers mailbox contains incoming

messages for user message queue of outgoing

(to be sent) mail messages SMTP protocol between

mail servers to send email messages client: sending mail

server “server”: receiving mail

server Note that “mail server”

behaves both as SMTP server and SMTP client

mailserver

useragent

useragent

useragent

mailserver

useragent

useragent

mailserver

useragent

SMTP

SMTP

SMTP

7

Electronic Mail: SMTP [RFC 5321]

uses TCP to reliably transfer email message from client to server, port 25/587

direct transfer: sending server to receiving server three phases of transfer

handshaking (greeting) transfer of messages closure

command/response interaction commands: ASCII text response: status code and phrase

messages must be in 7-bit ASCII

8

Scenario 1: Alice sends message to Bob

1) Alice uses UA to compose message and “to” bob@someschool.edu

2) Alice’s UA sends message to her mail server; message placed in message queue

3) Client side of SMTP opens TCP connection with Bob’s mail server

4) SMTP client sends Alice’s message over the TCP connection

5) Bob’s mail server places the message in Bob’s mailbox

6) Bob invokes his user agent to read message

user agent

mailserver

mailserver user

agent

1

2 3 4 56

9

Scenario 2: Alice sends message to Bob

1) Alice runs a telnet client

2) Alice’s telnet client opens a TCP connection to some mail server (could be Bob’s mail server) at port 25

3) Alice uses SMTP commands to compile a message which will be sent to Bob.

4) SMTP client (mail server 3) sends Alice’s message over the TCP connection to mail server 5 (Bob’s mail server)

5) Bob’s mail server places the message in Bob’s mailbox

6) Bob invokes his user agent to read message

telnetclient

mailserver

mailserver user

agent

1

2 3 4 56

10

S: 220 smtp.example.com ESMTP Postfix /* 220: service ready */

C: HELO relay.example.org /* identify urself */

S: 250 Hello relay.example.org, I am glad to meet you /* request ok */

C: MAIL FROM:<bob@example.org>

S: 250 Ok

C: RCPT TO:<alice@example.com>

S: 250 Ok

C: DATA

S: 354 End data with <CR><LF>.<CR><LF> /* start mail input */

C: From: "Bob Example" <bob@example.org>

C: To: Alice Example <alice@example.com>

C: Date: Tue, 15 Jan 2008 16:02:43 -0500

C: Subject: Test message

C:

C: Hello Alice.

C: This is a test message with 5 header fields and 4 lines in the message body.

C: Your friend,

C: Bob

C: .

S: 250 Ok: queued as 12345

C: QUIT

S: 221 Bye {The server closes the connection} /* close channel */

11

SMTP: final words

SMTP uses persistent connections

SMTP requires message (header & body) to be in 7-bit ASCII

SMTP server uses CRLF.CRLF to determine end of message (CRLF stands for carriage return and line feed)

Comparison with HTTP:

HTTP: pull SMTP: push

both have ASCII command/response interaction, status codes

HTTP: each object encapsulated in its own response msg

SMTP: multiple objects sent in multipart msg

12

Distribution lists You may need to send to a group of

people Can be summarized as distribution lists How to map a single list name to a group

of real email address: Remote exploder Local exploder

Can form a hierarchy: list in list

13

Two distribution lists may contain each other: we need to handle duplicated sending

Advantages of local exploder: It is easy to prevent mail forwarding loops It is easy for the sender to avoid sending

multiple copies to the same user It is easier to handle billing issues

14

Advantages of remote exploder You can send email to a list of users

whose identities are not known to you Reduce the amount of traffic sent by

sender Improve efficiency: multiple lists can be

handled by different DL maintainers

15

Mail message format

SMTP (RFC 5321): protocol for exchanging email msgs

RFC 822: Standard for the format of ARPA Internet text messages:

header lines, e.g., To: From: Subject:

different from SMTP commands!

body the “message”, ASCII

characters only

header

body

blankline

16

Message format: multimedia extensions

MIME: multipurpose Internet mail extension, RFC 2045, 2046, 2049 etc

additional lines in msg header declare MIME content type

From: alice@crepes.fr To: bob@hamburger.edu Subject: Picture of yummy crepe. MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Type: image/jpeg

base64 encoded data ..... ......................... ......base64 encoded data

multimedia datatype, subtype,

parameter declaration

method usedto encode data

MIME version

encoded data

17

How is base64 working:

Turn every three bytes to four 6-bit sequences

Each 6-bit sequence is mapped to a printable character: A—Z, a—z, 0—9, +,/

How to handle padding Add “=“ at the end Number of “=“ depends on the

original message

18

MIME typesContent-Type: type/subtype; parameters

Text example subtypes: plain,

html (e.g., text/plain; charset=“ISO-8859-1”)

Image example subtypes: jpeg,

gif (e.g, image/gif)

Audio example subtypes: basic

(8-bit mu-law encoded), 32kadpcm (32 kbps coding), RCF 1911

Video example subtypes: mpeg,

quicktime

Application other data that must be

processed by reader before “viewable”

example subtypes:

msword, octet-stream

19

Multipart Type

From: alice@crepes.fr To: bob@hamburger.edu Subject: Picture of yummy crepe. MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=StartOfNextPart --StartOfNextPartDear Bob, Please find a picture of a crepe.--StartOfNextPartContent-Transfer-Encoding: base64Content-Type: image/jpegbase64 encoded data ..... ......................... ......base64 encoded data --StartOfNextPartDo you want the recipe?

20

Annoying text format issues There is no single standard for text

representation E.g.: new line, line length, high bits, etc Intermediate server may change your email

format

Problem: email ruined, integrity and signature not working

Reformat data for such issues

21

Mail access protocols

SMTP: delivery/storage to receiver’s server SMTP is a push protocol, and it is good for message sending

— we need a separate protocol for message retrieval Mail access protocol: retrieval from server

POP: Post Office Protocol [RFC 1939] authorization (agent <-->server) and download

IMAP: Internet Mail Access Protocol [RFC 1730][port 143] more features (more complex) manipulation of stored msgs on server

HTTP: Hotmail , Yahoo!, etc.

useragent

sender’s mail server

useragent

SMTP SMTP accessprotocol

receiver’s mail server

22

POP3 [tcp port 110] Can work with temporary network

connections, view and manipulate email offline

Retrieve and delete from the server POP3 UIDL can leave a copy Use a unique identifier to represent an

email Support encryption through SSL or TLS

POP3 protocol (port 110)telnet xxxxxx.uncc.edu 110

authorization phase client commands:

user: declare username pass: password

server responses +OK -ERR

transaction phase, client: list: list message

numbers retr: retrieve message by

number dele: delete quit

C: list S: 1 498 S: 2 912 S: . C: retr 1 S: <message 1 contents> S: . C: dele 1 C: retr 2 S: <message 2 contents> S: . C: dele 2 C: quit S: +OK POP3 server signing off

S: +OK POP3 server ready C: user yonwang S: +OK C: pass ******* S: +OK user successfully logged on

24

IMAP: Internet Message Access Protocol Support both online and offline operation Leave copy of email on server Multiple clients access the same mailbox Support encrypted login Access to MIME parts and partial fetch Message state information Create directory in your mailbox Server side search

25

Problems of IMAP The search algorithm on the server can

consume a lot of resources Complexity of the software

26

POP3 and IMAPMore about POP3 Previous example uses

“download and delete” mode.

Bob cannot re-read e-mail if he changes client

“Download-and-keep”: copies of messages on different clients

POP3 is stateless across sessions

Create folders and see the same view from any computer? Not possible!

IMAPv4 (port 143) Keep all messages in one

place: the server Allows user to organize

messages in folders IMAP keeps user state

across sessions: names of folders and

mappings between message IDs and folder name

27

Some expected security features of secure email Privacy: only the receiver can read the message Authentication: authenticate the sender identity Integrity Non-repudiation Proof of submission Proof of delivery Hiding the existence of the message Anonymity: even the receiver does not know who

the sender is

28

More features of secure email Accounting Self-destruct Message sequence integrity

29

Details of secure email

Establishing keys There are many possibilities of keys: sender,

receiver, MTA, distribution list exploder, etc Public key approach

Sender can get receiver’s public key by Out-of-band mechanism Through PKI Piggybacking of certificates

Secret key approach Through KDC or tickets

30

Confidentiality Many sources to violate email confidentiality:

eavesdropper, MTA, company network administrator

End-to-end privacy It is not efficient to use public key to encrypt the

whole message It is not efficient when you have multiple receivers Solution: use a symmetric key to encrypt

message, and use public key to encrypt the symmetric key

31

Privacy with the distribution list exploder Remote DLE: the sender only needs to

share a key with the DLE Local DLE: establish key with every

receiver in the list

32

Authenticating sender Signing the message digest with sender’s

private key Encrypt the digest with pair wise key Source authentication with distribution

lists It is easy if we use digital signature If we are using secret key, DLE will attach its

authentication information

33

Message integrity Most of time it is integrated with source

authentication Integrity without source authentication

Ransom

The problem when you sign a hash result How is the hash result calculated (attack with

the signatures)

34

Non-repudiation With public keys

With the digital signature

Deniability based on public key technology Alice generates a symmetric key E pub-B ( Sign-A (key) ) Use this key to encrypt the message Bob can prove that Alice generates the key, but not

Alice sends that message

Non-repudiation with secret keys through notary (trusted third party)

35

Proof of submission The sending MTA provides a signed

digest of the email Proof of delivery

Receiver signs a receipt A famous problem in cryptography

Simultaneous contract signing

36

Anonymity Through a proxy Onion routing issues Anonymous email service: craigslist Anonymous IETF mailing list

37

Possible attacks

Spoofing (unbelievably easy!) a third party may impersonate Alice and send a fake/modified

message to Bob Eavesdropping

a party sitting between Alice’s UA and Bob’s mail server may peep communications between them

Replay a party sitting between Alice and Bob may re-send to Bob an old

message from Alice Attacks on mail access protocols such as POP3, IMAP, etc Other attacks such as DoS Traffic analysis Last one: should Bob trust his mail server? Or in another

word: do you trust the postman who delivers a letter to you?

38

TCP

Achieve secure email in the network stack

IP

Networkdriver

ApplContent security S/MIME, Proxies, SET, PGP

ApplicationLayer

TransportLayer

NetworkLayer

Data linkLayer

SSL, TLS,SOCKS

AH, ESP (in IPSec),Packet filtering,

Tunneling (L2TP, PPTP, L2F),CHAP (challenge handshake protocol) PAP (password auth. protocol), MS-CHAP

39

Use electronic mail securely

Preventing spoofing and replay Digital signature with one-way hash Timestamps etc.

Preventing eavesdropping Encryption (transport layer or application layer)

Preventing attacks on mail access protocols SSL (openSSL)

Preventing other attacks: general network security problems (DoS on a mail server)

40

Use Email securely

Content layer security: Transparent on the underlying layer PEM PGP S/MIME

41

Privacy Enhanced Mail (PEM)

Attempt to add security to SMTP Text only: MIME didn’t exist yet Attempt to build a CA hierarchy

along X.500 lines Hierarchy with a single root !!

Solved the data formatting problem with base64 encoding Encode 3 binary bytes as 4 NVT ASCII

characters The same encoding was later used in PGP 2.X,

mime...

42

PEM certificate hierarchy Want to use a centralized root Three types of certificate authorities

High assurance Discretionary Assurance No Assurance

43

PGP

By Phil Zimmermann Check out http://www.pgp.com or

http://web.mit.edu/network/pgp.html

Available for Windows/Linux/Macintosh Getting the PGP and install it on your

computer Crypto is useful only if it is USED!!

44

S/MIME

Who will win? PGP for personal email security S/MIME for commercial and organization

use Standards page:

http://www.ietf.org/html.charters/smime-charter.html

Main RFCs: 2630, 2632, 2633

45

Reminder: Multipart Type

From: alice@crepes.fr To: bob@hamburger.edu Subject: Picture of yummy crepe. MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=StartOfNewPart --StartOfNewPartDear Bob, Please find a picture of a crepe.--StartOfNextPartContent-Transfer-Encoding: base64Content-Type: image/jpegbase64 encoded data ..... ......................... ......base64 encoded data --StartOfNewPartDo you want the reciple?

46

S/MIME

Similar to PGP, offers signature and encryption functions. It cryptographically protects MIME entity

Based on CMS (cryptographic message syntax) Encapsulation syntax for data protection

47

Protocols

Content encryption algorithm: 3DES (DES EDE3 CBC), RC2/40 (more algorithms are being added)

Key encryption algorithm: Diffie-hellman

Message digest algorithm: SHA-1, MD5

Signature algorithm: DSA, RSA

48

User Agent

S/MIME user agents should handle the following tasks: Key generation Registration Certificate storage and retrieval including

certificate management

49

Applications

Secure e-mail EDI (Electronic Data Interchange) Online Services Healthcare applications Internet push products Indeed, used for any kind of data

content protection

50

Adopted in:

Microsoft Exchange Lotus Notes Novell Groupwise Netscape Communicator Eudora etc..