
NS Unit 5

The document discusses PGP (Pretty Good Privacy), an encryption software designed to ensure confidentiality, integrity, and authenticity in email communications. It outlines the four main services provided by PGP: authentication, confidentiality, compression, and compatibility, detailing how each service operates. Additionally, it touches on S/MIME (Secure/Multipurpose Internet Mail Extensions) as a security enhancement for email, describing its functionalities and cryptographic algorithms used.

Uploaded by

gaurav katare
Unit 5 - Email Security

Pretty Good Privacy (PGP): It was developed by Phil Zimmermann in 1991. PGP is an encryption software designed to ensure the confidentiality, integrity and authenticity of virtual communications and information.
PGP is a complete e-mail security package that provides privacy, authentication, digital signatures and compression, all in an easy-to-use form. The complete package, including all the source code, is distributed free of charge via the Internet. It offers quality, zero price and easy availability on UNIX, Linux, Windows and Mac OS platforms.

PGP operation involves five different services:
1. Authentication
2. Confidentiality
3. Compression
4. E-mail compatibility
5. Segmentation
1. Authentication: Authentication basically means something that is used to validate something as true or real. To log in to some sites, sometimes we give our account name and password; that is an authentication procedure.
In e-mail, authentication has to be checked, as there are some people who spoof e-mails or send spam, and sometimes it can cause a lot of inconvenience.
The authentication service in PGP is provided as shown in the figure.
1. The sender creates a message.
2. SHA-1 is used to generate a 160-bit hash code of the message.
3. The hash code is encrypted with RSA using the sender's private key, and the result is prepended to the message.
4. The receiver uses RSA with the sender's public key to decrypt and recover the hash code.
5. The receiver generates a new hash code for the message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic.

[Figure: PGP authentication (sender, PRa, E[PRa, H(M)], M, compare)]

2. Confidentiality: Another basic service provided by PGP is confidentiality. The figure shows the confidentiality service, which can be described as follows.

[Figure: PGP confidentiality (E[PUb, Ks], EP, DP, M)]

1. The sender generates a message and a random 128-bit number to be used as a session key for this message only.
2. The message is encrypted using CAST-128 or 3DES with the session key.
3. The session key is encrypted with RSA, using the recipient's public key, and is prepended to the message.
4. The receiver uses RSA with its private key to decrypt and recover the session key.
5. The session key is used to decrypt the message.
Confidentiality and Authentication: As shown in the figure, both services may be used for the same message.

[Figure: Confidentiality and authentication (E[PUb, Ks], E[PRa, H(M)], PRa, PUa, PUb, compare)]

First, a signature is generated for the plaintext message and prepended to the message.
Then the plaintext message plus signature is encrypted using CAST-128 (or IDEA or 3DES), and the session key is encrypted using RSA.
When both services are used, the sender first signs the message with its private key, then encrypts the message with the session key, and then encrypts the session key with the recipient's public key.

H = hash function
Ks = session key used in symmetric encryption scheme
PRa = private key of user A, used in public-key encryption scheme
PUa = public key of user A, used in public-key encryption scheme
EP = public-key encryption
DP = public-key decryption
EC = symmetric encryption
DC = symmetric decryption
|| = concatenation
Z = compression using ZIP algorithm

3. Compression: Before encryption, the message along with the signature is compressed. Compression of the message saves space and eases transmission. PGP makes use of a compression package called ZIP. Another algorithm, Lempel-Ziv, is also used in the ZIP compression scheme.
By default, PGP compresses the e-mail message after applying the signature but before encryption. This allows for long-term storage of uncompressed messages along with their signatures. This also decouples the encryption algorithm from the message verification procedures.
Compression is achieved with the ZIP algorithm.
4. E-mail Compatibility: PGP encrypts the block of the transmitted message. Some systems use ASCII text only. PGP converts the raw 8-bit binary stream to a stream of printable ASCII characters. The scheme is called radix-64 conversion.
After receiving, the incoming data is converted into binary by radix-64. Then the encrypted message is recovered by using the session key and then decompressed.
Since encryption, even when it is limited to the signature, results in an arbitrary binary string, and since many e-mail systems only permit the use of ASCII characters, we have to be able to represent binary data with ASCII strings. PGP uses radix-64 encoding for this purpose.
Radix-64 encoding, also known as base-64 encoding, has emerged as probably the most common way to transmit binary data over a network. It first segments the binary stream of bytes into 6-bit words.
The 2^6 = 64 different possible 6-bit words are represented by printable characters as follows: the first 26 are mapped to uppercase letters A to Z, the next 26 to lowercase letters a to z, the next 10 to digits 0 to 9 and the last 2 to the characters + and /.
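The 6-bit segmentation and character mapping described above, written out as an added Python example (not part of the original notes). The "=" padding for a final group shorter than three bytes is standard base-64 behaviour that the notes do not describe, and the sample bytes are constructed.

```python
# Alphabet in the order described above: A-Z, a-z, 0-9, then '+' and '/'.
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def radix64_encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Pack up to 3 octets into a 24-bit group, zero-filled on the right.
        group = int.from_bytes(chunk.ljust(3, b"\x00"), "big")
        # Split the 24-bit group into four 6-bit words and map each one.
        chars = [ALPHABET[(group >> s) & 0x3F] for s in (18, 12, 6, 0)]
        # A short final chunk yields len(chunk) + 1 meaningful characters.
        keep = len(chunk) + 1
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def radix64_decode(text: str) -> bytes:
    if len(text) % 4:
        raise ValueError("length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = len(quad) - len(quad.rstrip("="))
        # Padding may only appear at the very end, and at most twice.
        if pad > 2 or (pad and i + 4 != len(text)):
            raise ValueError("misplaced padding")
        group = 0
        for ch in quad[:4 - pad]:
            if ch not in INDEX:
                raise ValueError(f"{ch!r} is outside the radix-64 alphabet")
            group = (group << 6) | INDEX[ch]
        group <<= 6 * pad  # restore the zero-filled low bits
        out += group.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


# Constructed sample: arbitrary binary octets, as encryption output would be.
SAMPLE = bytes([0x85, 0x01, 0x0C, 0x03, 0xFF, 0x00, 0x7F])
ARMORED = radix64_encode(SAMPLE)
print(ARMORED, radix64_decode(ARMORED) == SAMPLE)
```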
5. Segmentation and reassembly: The length of e-mail is usually restricted to 50,000 octets. Longer messages are broken up into smaller segments and mailed separately. PGP provides subdivision of messages and reassembly at the receiving end.
PGP Message Generation (Transmission and Reception)

Message Transmission: The following figure shows the steps during message transmission, assuming that the message is to be both signed and encrypted.

[Figure: PGP message generation (passphrase, private key ring, public key ring, select by ID, key ID, private key, RNG, public key, session key, message, signature, output message)]

The sending PGP entity performs the following steps:
1. Signing the message
a. PGP retrieves the sender's private key from the private key ring using your user ID as an index. If your user ID was not provided in the command, the first private key on the ring is retrieved.
b. PGP prompts the user for the passphrase to recover the unencrypted private key.
c. The signature component of the message is constructed.
2. Encrypting the message
a. PGP generates a session key and encrypts the message.
b. PGP retrieves the recipient's public key from the public key ring using her user ID as an index.
c. The session key component of the message is constructed.

Message Reception: The receiving PGP entity performs the following steps.

[Figure: PGP message reception (passphrase, private key ring, public key ring, select, encrypted private key, private key, public key, receiver's key ID, sender's key ID, encrypted session key, session key, encrypted digest, DP, encrypted message, signature, message, H, compare)]


1. Decrypting the message
a. PGP retrieves the receiver's private key from the private key ring, using the key ID field in the session key component of the message as an index.
b. PGP prompts the user for the passphrase to recover the encrypted private key.
c. PGP then recovers the session key and decrypts the message.
2. Authenticating the message
a. PGP retrieves the sender's public key from the public key ring, using the key ID field in the signature key component of the message as an index.
b. PGP recovers the transmitted message digest.
c. PGP computes the message digest for the received message and compares it to the transmitted message digest to authenticate.
S/MIME (Secure/Multipurpose Internet Mail Extension)

It is a security enhancement to the MIME Internet e-mail format standard.
RFC 822 defines a format for text messages that are sent using electronic mail, and it has been the standard for Internet-based mail messages.
MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP.

Limitations with SMTP and RFC 822:
- Cannot transmit executable files or binary objects.
- Cannot transmit text data that includes special characters.
- Some servers reject mail messages over a certain size.

S/MIME Functionality: S/MIME provides the following functions:
- Enveloped data: This consists of encrypted content of any type and encrypted content encryption keys for one or more recipients.
- Signed data: A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer. The content plus signature are then encoded using base64 encoding. A signed data message can only be viewed by a recipient with S/MIME capability.
- Clear-signed data: As with signed data, a digital signature of the content is formed. Only the digital signature is encoded using base64. Recipients without S/MIME capability can view the message content, although they cannot verify the signature.
- Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed and signed data or clear-signed data may be encrypted.
Cryptographic algorithms in S/MIME
S/MIME incorporates three public-key algorithms:
1. Digital Signature Standard
2. Diffie-Hellman
3. Triple DES
S/MIME uses the following terminology taken from RFC 2119 to specify the requirement level:
- MUST: The definition is an absolute requirement of the specification. An implementation must include this feature or function to be in conformance with the specification.
- SHOULD: There may exist valid reasons in particular circumstances to ignore this feature or function, but it is recommended that an implementation include the feature or function.
The following table summarizes the cryptographic algorithms used in S/MIME.
Function: Create a message digest to be used in forming a digital signature.
Requirement: MUST support SHA-1. Receiver SHOULD support MD5 for backward compatibility.

Function: Encrypt message digest to form digital signature.
Requirement: Sending and receiving agents MUST support DSS. Sending agents SHOULD support RSA encryption. Receiving agents SHOULD support verification of RSA signatures with key sizes 512 bits to 1024 bits.

Function: Encrypt session key for transmission with message.
Requirement: Sending and receiving agents SHOULD support Diffie-Hellman. Sending and receiving agents MUST support RSA encryption with key sizes 512 bits to 1024 bits.

Function: Encrypt message for transmission with one-time session key.
Requirement: Sending and receiving agents MUST support encryption with triple DES. Sending agents SHOULD support encryption with AES.

Function: Create message authentication code.
Requirement: MUST support HMAC with SHA-1. Receiving agents SHOULD support HMAC with SHA-1.
IP Security

IP security is the capability that can be added to the present version of the Internet Protocol (IPv4 or IPv6) by means of additional headers for secure communication across LAN, WAN and the Internet.
IPSec is a set of protocols and mechanisms that provide confidentiality, authentication, message integrity and replay detection at the IP layer.

The IPSec mechanism uses a security policy database which determines how messages are handled, the security services needed and the path the packet should take.
The overall architecture of IPSec is constituted by three major components:
1. IPSec documents
2. IPSec services
3. Security Associations (SA)

1. IPSec Documents: The IPSec specification consists of numerous documents. The most important of these, issued in November 1998, are:
RFC 2401: An overview of security architecture.
RFC 2402: Description of a packet authentication extension to IPv4 and IPv6.
RFC 2406: Description of a packet encryption extension to IPv4 and IPv6.
RFC 2408: Specification of key management capabilities.
In addition to these four RFCs, a number of additional drafts have been published by the IP Security Protocol Working Group set up by the IETF. The documents are divided into groups:
[Figure: IPSec documents (Architecture; ESP protocol; AH protocol; Encryption algorithm; Authentication algorithm; Domain of interpretation; Key management)]

1. Architecture: Covers security requirements and definitions of IPSec technology.
2. Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of ESP for packet encryption and, optionally, authentication.
3. Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication.
4. Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.
5. Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH and for the authentication option of ESP.
6. Key Management: Documents that describe key management schemes.
7. Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each other.

2. IPSec Services:
IPSec provides security services at the IP layer by enabling a system to select the required security protocols and determine the algorithms to use for the services.
Two protocols are used to provide security:
- An authentication protocol designated by the header of the protocol, Authentication Header (AH).
- A combined encryption/authentication protocol designated by the format of the packet for that protocol, ESP.
The services provided by the protocols are:
- Access control
- Connectionless integrity
- Data origin authentication
- Rejection of replayed packets
- Confidentiality
- Limited traffic flow confidentiality
3. Security Associations:
A key concept that appears in both the authentication and confidentiality mechanisms for IP is the security association (SA).
An association is a one-way relationship between sender and receiver. For a two-way secure exchange, two security associations are required.
A security association is uniquely identified by three parameters.
1. Security Parameter Index (SPI): The SPI is a string of bits assigned to the SA and has local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.
2. IP destination address: This is the end-point address of the SA, which may be an end-user system or a network system such as a firewall or router.
3. Security Protocol Identifier: This indicates whether the association is an AH or ESP security association.

SA Parameters: A security association is normally defined by the following parameters:
- Sequence Number Counter: A 32-bit field used to generate the sequence number field in AH or ESP.
- Sequence Counter Overflow: A flag indicating whether overflow of the sequence number counter should generate an auditable event and prevent further transmission of packets on this SA.
- Anti-replay window: Used to determine whether an inbound AH or ESP packet is a replay.
- AH information: Authentication algorithm, keys, key lifetimes and related parameters being used with AH.
- ESP information: Encryption and authentication algorithm, keys, key lifetimes and related parameters being used with ESP.
- IPSec protocol mode: Tunnel, transport or wildcard.
- Path MTU: Path MTU means the observed path maximum transmission unit and aging variables.
Authentication Header

Authentication Header provides support for data integrity and authentication of IP packets.
The data integrity feature ensures that undetected modification to a packet's content in transit is not possible.
The authentication feature enables an end device to authenticate and to filter traffic accordingly. It also prevents IP spoofing attacks.
Authentication is based on the use of a message authentication code (MAC).
The Authentication Header format is shown in the figure.

[Figure: Authentication Header format, 32 bits wide. Row 1: Next Header | Payload Length | Reserved. Row 2: Security Parameter Index (SPI). Row 3: Sequence Number. Row 4: Authentication Data]

- Next Header: This 8-bit field identifies the type of header immediately following this header.
- Payload Length (8 bits): Length of AH in 32-bit words, minus 2.
- Reserved (16 bits): For future use.
- Security Parameter Index (32 bits): Identifies a security association.
- Sequence Number (32 bits): Monotonically increasing counter value.
- Authentication Data: A variable-length field that contains the integrity check value or MAC for this packet.
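The field layout above, as an added Python example (not part of the original notes): a parser that applies the "length in 32-bit words, minus 2" rule and passes each Sequence Number through the anti-replay window listed among the SA parameters. The window size of 32, the SPI value and the all-zero authentication data are constructed assumptions, and the integrity check value is not verified here.

```python
import struct
from dataclasses import dataclass

AH_FIXED_LEN = 12  # Next Header, Payload Length, Reserved, SPI, Sequence Number


@dataclass
class AuthHeader:
    next_header: int
    spi: int
    sequence: int
    icv: bytes       # Authentication Data (integrity check value)
    total_len: int   # whole AH in bytes


def parse_ah(buf: bytes) -> AuthHeader:
    """Parse an AH at the start of buf; raise ValueError if malformed."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("truncated AH: fixed fields incomplete")
    nxt, plen, reserved, spi, seq = struct.unpack("!BBHII", buf[:AH_FIXED_LEN])
    total_len = (plen + 2) * 4  # Payload Length = 32-bit words minus 2
    if total_len < AH_FIXED_LEN:
        raise ValueError("Payload Length too small for the fixed fields")
    if len(buf) < total_len:
        raise ValueError("truncated AH: authentication data incomplete")
    if reserved != 0:
        raise ValueError("Reserved field is not zero")
    return AuthHeader(nxt, spi, seq, buf[AH_FIXED_LEN:total_len], total_len)


class ReplayWindow:
    """Anti-replay window for one SA. Size 32 is an assumption of this example.

    A real receiver updates the window only after the ICV has verified.
    """

    def __init__(self, size: int = 32):
        self.size = size
        self.highest = 0  # highest Sequence Number accepted so far
        self.bitmap = 0   # bit i set: (highest - i) was already accepted

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False  # the counter starts at 1
        if seq > self.highest:  # new packet right of the window: slide
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False  # too old, or a replay of an accepted packet
        self.bitmap |= 1 << offset
        return True


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Construct a sample AH (constructed test data, ICV is a placeholder)."""
    plen = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, plen, 0, spi, seq) + icv


def replay_verdicts(packets: list[bytes]) -> list[bool]:
    window = ReplayWindow()
    return [window.accept(parse_ah(p).sequence) for p in packets]


# Constructed traffic on one SA: sequence 1, 3, 2, then 3 replayed.
SAMPLE = [build_ah(6, 0x1000, s, bytes(12)) for s in (1, 3, 2, 3)]
print(replay_verdicts(SAMPLE))
```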
Transport and Tunnel Mode

[Figure: End-to-end versus end-to-intermediate authentication (internal network, router, external network)]

Transport mode provides protection primarily for upper-layer protocol payloads by placing the authentication header after the original IP header and before the IP payload.
Typically, transport mode is used for end-to-end communication between two hosts.
Tunnel mode provides protection to the entire IP packet. After the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new outer IP packet.
Tunnel mode is used when one or both ends of an SA is a security gateway, such as a firewall or router, that implements IPSec.
Encapsulating Security Payload

Encapsulating Security Payload provides confidentiality services, including confidentiality of content and limited traffic flow confidentiality.
ESP can also provide an authentication service with the same MAC.

[Figure: ESP format, 32 bits wide. Row 1: Security Parameter Index (SPI). Row 2: Sequence Number. Row 3: Payload Data (variable). Row 4: Padding (0-255 bytes). Row 5: Pad Length | Next Header. Row 6: Authentication Data (variable)]

The figure shows the format of ESP packets. It contains the following fields:
- Security Parameter Index (SPI): 32 bits. Identifies a security association.
- Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay function.
- Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.
- Padding (0-255 bytes)
- Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.
- Next Header: Identifies the type of data contained in the payload data field by identifying the first header in that payload.
- Authentication Data (variable): A variable-length field that contains the integrity check value computed over the ESP packet minus the authentication data field.

Transport and Tunnel Mode ESP

Transport mode ESP is used to encrypt and optionally authenticate the data carried by IP.
Transport mode operation provides confidentiality for any application that uses it, thus avoiding the need to implement confidentiality in every individual application.
This mode of operation is also efficient.
One drawback of this mode is that it is possible to do traffic analysis on the transmitted packets.
Tunnel mode ESP is used to encrypt an entire IP packet. Tunnel mode is useful in a configuration that includes a firewall or other sort of security gateway that protects a trusted network from external networks.
Combining Security Associations

An individual SA can implement either the AH or ESP protocol but not both.
Sometimes a particular traffic flow will call for the services provided by both AH and ESP. A particular traffic flow may require IPSec services between hosts and, for the same flow, separate services between security gateways.
In all these cases, multiple SAs must be employed for the same traffic flow to achieve the desired IPSec services.
Security associations may be combined into bundles in two ways:
1) Transport adjacency: Applying more than one security protocol to the same IP packet without invoking tunneling.
2) Iterated tunneling: Application of multiple layers of security protocols effected through IP tunneling.
An SA can implement either the AH or ESP protocol but not both. A traffic flow may require separate IPSec services between hosts. A security association bundle refers to a sequence of SAs.

Basic Combinations:
The IPSec architecture lists four examples that must be supported in an implementation. Each SA can be either AH or ESP. Host-to-host SAs are either transport or tunnel; otherwise it must be tunnel mode.
Case 1: All security is provided between end systems that implement IPSec. Possible combinations are:
1. AH in transport mode
2. ESP in transport mode
3. AH followed by ESP in transport mode
4. Any one of 1, 2 or 3 inside an AH or ESP in tunnel mode
Case 2: Security is provided only between gateways and no hosts implement IPSec.
Case 3: Builds on case 2 by adding end-to-end security. The gateway-to-gateway tunnel is ESP, and individual hosts can implement additional IPSec services via end-to-end SAs.
Case 4: Provides support for a remote host using the Internet and reaching behind a firewall. Only tunnel mode is required between the remote host and the firewall. One or two SAs may be used between the remote host and the local host.
