Email Security, Certificates

The document discusses email and web security techniques using public key cryptography. It describes how PGP can provide confidentiality, authentication, and non-repudiation for email. It also explains how SSL/TLS works to secure HTTP traffic and how digital certificates bind domains to public keys to authenticate websites. A web of trust model for PGP is decentralized while PKI uses a hierarchical structure with certificate authorities.

Uploaded by

Harpreet Singh

Module 7.

8
Email Security, Certificates
Email Security:
Pretty Good Privacy (PGP)

Sender and Receiver Keys
If the sender knows the receiver's public key
  Confidentiality
  Receiver authentication
If the receiver knows the sender's public key
  Sender authentication
  Sender non-repudiation

Sending an E-Mail Securely
Sender digitally signs the message
  Using the sender's private key
Sender encrypts the data
  Using a one-time session key
  Sending the session key, encrypted with the receiver's public key
Sender converts to an ASCII format
  Converting the message to base64 encoding
  (Email messages must be sent in ASCII)

Public Key Certificate
Binding between identity and a public key
  Identity is, for example, an e-mail address
  Binding ensured using a digital signature
Contents of a certificate
  Identity of the entity being certified
  Public key of the entity being certified
  Identity of the signer
  Digital signature
  Digital signature algorithm id

Web of Trust for PGP
Decentralized solution
  Protection against government intrusion
  No central certificate authorities
Customized solution
  Individual decides whom to trust, and how much
  Multiple certificates with different confidence levels
Key-signing parties!
  Collect and provide public keys in person
  Sign others' keys, and get your key signed by others
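The trust decision on the Web of Trust slide, as an added example that is not part of the original slides: a simplified validity calculation in which a key counts as valid once enough trusted introducers have signed it. The thresholds (one fully trusted or three marginally trusted signers, depth limit 5) follow GnuPG's defaults; the function name, the names of the key owners and the signature list are constructed for illustration.

```python
from collections import defaultdict

FULL, MARGINAL = "full", "marginal"   # owner-trust levels I assign to introducers

def valid_keys(me, signatures, owner_trust, completes=1, marginals=3, max_depth=5):
    """Return {key: depth} for keys that are valid from `me`'s point of view.

    signatures: (signer, signed_key) pairs; owner_trust: {key: FULL | MARGINAL}.
    Only signers whose own key is already valid are counted.
    """
    signers_of = defaultdict(set)
    for signer, signed in signatures:
        signers_of[signed].add(signer)
    valid = {me: 0}                          # my own key is the trust root
    for depth in range(1, max_depth + 1):
        newly_valid = {}
        for key, signers in signers_of.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]
            full = sum(s == me or owner_trust.get(s) == FULL for s in usable)
            marg = sum(s != me and owner_trust.get(s) == MARGINAL for s in usable)
            if full >= completes or marg >= marginals:
                newly_valid[key] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid

# Constructed sample data: alice met bob, carol, dave and erin at a key-signing party.
SIGNATURES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"), ("alice", "erin"),
    ("bob", "frank"),                                          # one fully trusted signer
    ("carol", "grace"), ("dave", "grace"),                     # only two marginal signers
    ("carol", "heidi"), ("dave", "heidi"), ("erin", "heidi"),  # three marginal signers
    ("mallory", "ivan"),                                       # signer's key never validated
    ("frank", "judy"),                                         # valid key, owner not trusted
]
OWNER_TRUST = {"bob": FULL, "carol": MARGINAL, "dave": MARGINAL,
               "erin": MARGINAL, "mallory": FULL}

if __name__ == "__main__":
    for key, depth in sorted(valid_keys("alice", SIGNATURES, OWNER_TRUST).items()):
        print(f"{key:6} valid at depth {depth}")
```

Key validity and owner trust are separate judgements here: frank's key is valid, yet his signature on judy's key counts for nothing because alice has not assigned him any trust as an introducer.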

HTTP Security

HTTP Threat Model
Eavesdropper
  Listening on conversation (confidentiality)
Man-in-the-middle
  Modifying content (integrity)
Impersonation
  Bogus website (authentication, confidentiality)

HTTP-S: Securing HTTP
HTTP sits on top of secure channel (SSL/TLS)
https:// vs. http://
TCP port 443 vs. 80
All (HTTP) bytes encrypted and authenticated
No change to HTTP itself!
Protocol stack (diagram): HTTP / Secure Transport Layer / TCP / IP / Link layer

Learning a Valid Public Key
What is that lock?
Securely binds domain name to public key (PK)
  If PK is authenticated, then any message signed by that PK cannot be forged by non-authorized party
Believable only if you trust the attesting body
  Bootstrapping problem: Who to trust, and how to tell if this message is actually from them?

Hierarchical Public Key Infrastructure
Public key certificate
  Binding between identity and a public key
  Identity is, for example, a domain name
  Digital signature to ensure integrity
Certificate authority
  Issues public key certificates and verifies identities
  Trusted parties (e.g., VeriSign, GoDaddy, Comodo)
  Preconfigured certificates in Web browsers

Public Key Certificate
