PEM

advertisement
E-mail Security
Introduction to E-mail
 Privacy Enhanced Mail (PEM)
 The Certification System
 Pretty Good Privacy (PGP)
 Secure Multipurpose Internet
Mail Extensions (S/MIME)

Introduction to E-mail
• E-mail is one of the most popular Internet applications
• Asynchronous (=> no session => no handshaking)
• Fast
• Easy to distribute
• Inexpensive
• Modern e-mail messages can include hyperlinks,
HTML formatted text, images, sound, and even video
• Accessible from any host connected to the Internet
A Typical E-mail Journey
1. Starts its journey in the sender’s user agent
2. Travels to the sender’s mail server
3. Then travels to the recipient’s mail server
4. Deposited in the recipient’s mailbox
5. The recipient wants to access the messages in his mailbox
6. The mail server containing his mailbox authenticates him
(with user name and password)
7. Then sends the message to the recipient’s user agent
Existing E-Mail System
Originator at a multiuser host
Editor
Recipient at a workstation
User
agent
User
agent
Mail transfer
Agent (SMTP)
Retrieval
(e.g. POP3)
SMTP
(RFC 821)
Mail transfer
Agent
(SMTP relay)
Intermediate relay point
SMTP
(RFC 821)
Mail transfer
Agent
(SMTP)
Recipient’s mailbox host
The Simple Mail Transfer
Protocol (SMTP)
Defined in RFC 821 (dates back to 1982 )
 The principal application-layer protocol for
the internet electronic mail
 Uses the reliable data transfer service of TCP
at port 25
 Possess certain “archaic” characteristics
(such as the 7-bit ASCII restriction)

S: 220 hamburger.edu
C: HELO crepes.fr
Example to SMTP
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: <alice@crepes.fr>
S: 250 alice@crepes.fr… Sender ok
C: RCPT TO: <bob@hamburger.edu>
S: 250 bob@hamburger.edu… Recipient ok
C: DATA
S: 354 Enter mail, end with “.” on a line by itself
C: Do you like ketchup?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 hamurger.edu closing connection
• a client C, which its
host name is crepes.fr
• a server S, which its
host name is
hamburger.edu
Header Format
Defined in RFC 822
 Headers containing peripheral information
precedes the body of the message itself
 Specifies the exact format for mail header
lines as well as their semantic
interpretations
 After the message header, a blank line
follows, then the message body in ASCII
follows
 The message terminates with a line
containing only a period

Example to E-mail Message
From:
alice@cs.huji.ac.il
To:
bob@cs.huji.ac.il
Subject: Mail header format
Message body (in ASCII)
.
Multipurpose Internet Mail
Extensions (MIME)
 RFC
822 is not sufficiently rich
enough for multimedia messages
 Include additional headers in the
message, which are defined in RFC
2045/2046
 This topic will be addressed later in the
S/MIME section
The Security Issue (1)
Initial specification of internet e-mail did not
address security issues
 In particular, security mechanisms to provide
data confidentiality, authenticity, integrity and
non-repudiation were missing
 E-mail service is asynchronous
 All the regular security protocols (such as
IPSEC, SSL, etc.) are synchronous
 PEM, S/MIME and PGP come to help
 Each message is a one-time independent event
with its own one-time symmetric key

The Security Issue (2)
Why not simply use the regular
synchronous security protocols to
protect the message while en route
between intermediate stations ?
 Security services should be added
between the two end users (no
exposure in the middle)
 The secure services were build on an
existing mail system (SMTP mail
servers)
Privacy Enhanced Mail (PEM)
Introduction
Primary goal of PEM is to add security
services for e-mail users in the internet
community
 Began in 1985 as an activity of the Privacy
and Security Research Group (PSRG)
 Defined in RFCs 1421/1422/1423/1424
 Consists of extensions to existing message
processing software plus a key management
infrastructure

PEM Security Services
1.
2.
3.
4.
Integrity, which ensures a message recipient
that the message has not been modified en route.
Authenticity, which ensures a message
recipient that a message was sent by the
indicated originator.
Non-repudiation, which allows a message to be
forwarded to a third party, who can verify the
identity of the originator.
Confidentiality (optional), which ensures a
message originator that the message text will be
disclosed only to the designated recipients.
PEM Overview
Compatible with RFC 822 message processing
conventions
 Transparent to SMTP mail relays
 Uses symmetric cryptography to provide
(optional) encryption of messages
 The RFCs strongly recommend the use of
asymmetric cryptography (for digital signatures,
certificates and encryption of the symmetric
key) because of its ability to support vast
distributed community of users

PEM Overview (contd.)
 The
use of X.509 certificates is the base for
public key management in PEM
 This certification hierarchy supports
universal authentication of PEM users
 PEM can be used in a wider range of
messaging environments (other than RFC
822 and SMTP)
Integration Of PEM Into Existing Mail System
Originator at a multiuser host
Editor
PEM
filter
Recipient at a workstation
User
agent
User
agent
PEM
module
Mail transfer
Agent (SMTP)
Retrieval
(e.g. POP3)
SMTP
(RFC 821)
Mail transfer
Agent
(SMTP relay)
Intermediate relay point
SMTP
(RFC 821)
Mail transfer
Agent
(SMTP)
Recipient’s mailbox host
PEM Message Submission: Message
Processing
User provides
recipient address
and other data (e.g.
“Subject”) for
enclosing header
User provides
address information
needed to perform
encryption
Plaintext of
user message
requiring
privacy
enhancement
Begin privacy enhanced message
Encapsulated header:
Contains authentication, integrity,
and (optional) encryption control
fields and related information
Blank line
Encapsulated text:
(Encrypted)
User message text and optional
Replicated header fields
End privacy enhanced message
Enclosing header
RFC 822 header
fields
Encapsulated
message
All data between
the privacy
enhanced message
boundaries is
represented here,
and may be
interspersed with
unprotected
plaintext
PEM Message Processing
Plaintext message
Step 1
“SMTP” canonicalization
Step 2
MIC calculation and (optional) encryption
Step 3
6-bit encoding and line length limiting
Processed message
PEM Message Processing – Step 1
Uses the canonicalization specified by
SMTP to ensure a uniform presentation
syntax among a heterogeneous collection of
computer systems .
 The shortcoming is that it restricts the input
to 7-bit ASCII .
 The reason is that the Internet e-mail imposes
the same restrictions.

PEM Message Processing – Step 2
A MIC is calculated over the canonicalized
message to permit uniform verification in the
heterogeneous environments .
 The canonical (padded as required) message
text is then (optionally) encrypted using a permessage symmetric key .

The encryption action is performed only if the
message is of type ENCRYPTED .

PEM Message Processing – Step 3
Renders an ENCRYPTED or MIC-ONLY
message into a printable form suitable for
transmission via SMTP.
 This encoding step transforms the
(optionally encrypted) message text into a
restricted 6-bit alphabet.
 A MIC-CLEAR messages are not subject
to any portion of the third processing step.

PEM Message Types
ENCRYPTED is a signed, encrypted and
encoded (in step 3) message .
 MIC-ONLY is a signed , but not encrypted,
encoded message .
 MIC-CLEAR is a signed, but not encrypted,
and message that is not encoded .
Specially so it can be sent to a mixed set of
recipients, some of whom use PEM and
some do not.

PEM Message Submission: Header
Construction (1)
From:
alice@cs.huji.ac.il
To:
bob@cs.huji.ac.il
Subject:
Encrypted PEM message
Standard RFC 822 Header
--------BEGIN PRIVACY-ENHANCED MESSAGE-----------Proc-Type: 4, ENCRYPTED
Version & type
Content-Domain: RFC822
Conforms to
DEK-Info: DES-CBC, BGFA799HTS347KGKL0
Msg encryption
params
Originator-Certificate:
yhtrwhhj57jw5jw6w7u6juj6uu45yjj5645w4y4y5yqy3
(for example, IV)
Originator certificate
Issuer-Certificate:
Eth46u5kw57kwuw3jwjw465iw6uw57uw6u4q6jj6646
Issuer certificate
PEM Message Submission: Header
Construction (2)
MIC-Info: RSA-MD5, RSA,
MIC & Dig.Sig algo
Sdhdsh453hwe5yyh5ywjuhs5yahhaehjue78iok67k
Digital signature
Recipient-ID-Asymmetric:
Agw56ywjq45y2jqhj4yuq4hjq4yq3yy3yewghew5y3
Recipient’s id
Key-Info: RSA,
Public key algo
Adshw45w5j7w57j5u46yu5yq46ju46juqyuq4u5y35hj
Encrypted message key
Blank line
Dfghj56er656uw6u64uu45yw46u5wjwu5i56u57i5wuiw5u
W46uw56uueueri5u6w56uw46u5wu56uw56u56u5
------END PRIVACY-ENHANCED MESSAGE------------
Encrypted message
PEM Message Delivery Processing (1)
• Recipient receives a PEM message
• Scans the PEM header for the version and the type
(ENCRYPTED, MIC-ONLY, MIC-CLEAR)
• If ENCRYPTED or MIC-ONLY then decode the
6-bit encoding back to ciphertext or canonical
plaintext form
•If ENCRYPTED then decrypt the symmetric
message key using the private component of his
public key pair and decrypt the message using the
symmetric message key
PEM Message Delivery Processing (2)
• Validate the public key of the sender by
validating a chain of certificates
• Validate the digital signature using the
public component of the public key of the
sender
• The canonical form is translated into the
local representation and presented to the
recipient
The Certification System
• A public key X.509 certificate is a digitally signed
data structure used to securely bind a public key to a
name and to specify who vouches for the binding
• The signature to the certificate applied by the
issuer using the private component of his public key
pair and appended after the certificate fields
• One validates a certificate by computing the oneway hash function over the certificate, uses the
public key of the issuer to decrypt the value in the
appended signature and compare the two resulting
values
X.509 Certificate
Certificate: = SIGNED SEQUENCE {
Uniquely identifies this
certificate
version[0]
Version DEFAULT v1988,
serialNumber
CertificateSerialNumber,
signature
AlgorithmIdentifier,
Dig.sig & hash func
algo & params
issuer
Name,
Issuer ID
validity
Validity,
subject
Name,
subjectPublicKeyInfo
SubjectPublicKeyInfo }
Start & end valid
times
Subject name
Public key of the subject,
algo ID & params
The Internet Certification System (1)
The user need to possess the public key of the
issuer of the certificate in order to validate the
certificate
 The issuer will also have a certificate, and thus
the process of certificate validation is recursive
and implicitly defines a directed certification
graph
 X.509 defines defines a Certification Authority
(CA) as “an authority trusted by one or more
users to create and assign certificates”

The Internet Certification System (2)
Different CAs can issue certificates under
different policies, for example, varying degrees of
assurance in vouching for certificates
 The root of the certification graph is the Internet
PCA Registration Authority (IPRA)
 The IPRA is a reference point from which all
certificates can be validated
 The IPRA issues certificates to a second layer of
entities called Policy Certification Authorities
(PCA), which, in turn, issue certificates to CAs
 CAs can issue certificates to (subordinate) CAs or
directly to users

Example to a Typical Internet
Certification Hierarchy
IPRA
High
assurance
BBN
User
User
BBNCD
User
Residential
Mid-level
assurance
Persona
Louisiana
New York
New Orleans
User
User
LCS
User
User
User
User
User
User
User
MIT
HUJI
User
Persona
User
User
PEM Summery




PEM represents a major effort to provide security for
an application that touches a vast number of users
within the Internet and beyond
PEM was designed to have backward compatibility
with existing mail system
PEM depends on a successful establishment of the
certification hierarchy that underlies asymmetric key
management
Problem : PEM does not support security services to
multimedia files (MIME)
Next :
Pretty Good Privacy
Download