E-Mail Security
Information and Network Security
Dr. Hadi AL Saadi
Providing Security for Internet Applications
There are three fundamental aspects to providing
security for internet applications:
1. Authentication
2. Confidentiality
3. Key Management
Email is one of the most widely used and regarded network
services
• Messages may be inspected either in transit
• or by suitably privileged users on the destination
system
Email Security Enhancements
• Confidentiality
- protection from disclosure
• Authentication
- of sender of message
• Message integrity
- protection from modification
• Non-repudiation of origin
- protection from denial by sender
Introduction to Email Security
There are two widely used schemes for providing
authentication and confidentiality for email security: PGP
(Pretty Good Privacy) and S/MIME (Secure/Multipurpose
Internet Mail Extension).
SMTP (Simple Mail Transfer Protocol)
Internet email was originally based on the SMTP protocol.
SMTP transfers a message consisting of header lines and
a body (all ASCII) using a packet relay network.
SMTP does not have any security services. The messages
can easily be read or modified. Also, the sender's address or
routing information is easy to change.
MIME
“Multipurpose Internet Mail Extensions” is an extension that solves many
limitations of using text-based messages and SMTP.
MIME does not have security services either.
PGP (Pretty Good Privacy)
PGP provides a confidentiality and authentication service that can be
used for file storage and electronic mail applications.
PGP was developed by Phil Zimmermann in 1991 and since then it has
grown in popularity. There have been several updates to PGP.
A free version of PGP is available over the Internet, but only for
non-commercial use. The latest (Jan. 2000) version is 6.5.
Commercial versions of PGP are available from the PGP Division of
Network Associates.
For three years, Philip Zimmermann was threatened with federal
prosecution in the United States for his actions. Charges were finally
dropped in January 1996.
At the close of 1999, Network Associates, Inc. announced that it had
been granted a full license by the U.S. Government to export PGP
world-wide, ending a decades-old ban.
PGP enables you to make your own public and secret key pairs.
PGP public keys are distributed and certified via an informal network
called "the web of trust".
PGP
Most experts consider PGP very secure if used correctly.
PGP is based on RSA, DSS and Diffie-Hellman on the public-key
encryption side, and CAST-128, IDEA and 3DES for
conventional encryption. Hash coding is done with SHA-1.
PGP has a wide range of applicability, from corporations
that wish to enforce a standardized scheme for encrypting
files and messages to individuals who wish to
communicate securely with each other over the Internet.
What does PGP do?
PGP offers 5 services:
1. Authentication
2. Confidentiality
3. Compression
4. E-mail compatibility
5. Segmentation
PGP Authentication
This is a digital signature scheme with hashing.
1. Alice has a (private/public) key pair (Ad/Ae) and she wants to
send a digitally signed message m to Bob.
2. Alice hashes the message using SHA-1 to obtain SHA(m).
3. Alice encrypts the hash using her private key Ad to obtain
ciphertext c given by
c = pk.encrypt_Ad(SHA(m))
4. Alice sends Bob the pair (m, c).
5. Bob receives (m, c) and decrypts c using Alice's public key
Ae to obtain signature s
s = pk.decrypt_Ae(c)
6. He computes the hash of m using SHA-1 and if this hash
value is equal to s then the message is authenticated.
Bob is sure that the message is correct and that it does come
from Alice. Furthermore Alice cannot later deny sending the
message since only Alice has access to her private key Ad
which works in conjunction with the public key Ae.
[Figure: PGP authentication. Sender: h = H(m), c = E_Ad(h), and (m, c) is sent over the Internet. Receiver: D_Ae(c) is compared with H(m).]
PGP Confidentiality
1. Alice wishes to send Bob a confidential message m.
2. Alice generates a random session key ks (128-bit) for a
symmetric cryptosystem.
3. Alice encrypts ks using Bob’s public key Be to get
k’ = pk.encrypt_Be(ks)
and attaches it to the message.
4. Alice encrypts the message m with the session key ks using
CAST-128 / IDEA / 3DES in CBC mode to get ciphertext c
c = sk.encrypt_ks(m)
5. Alice sends Bob the values (k’, c).
6. Bob receives the values (k’, c) and decrypts k’ using his private
key Bd to obtain ks
ks = pk.decrypt_Bd(k’)
7. Bob uses the session key ks to decrypt the ciphertext c and
recover the message m
m = sk.decrypt_ks(c)
Public and symmetric key cryptosystems are combined in
this way to provide security for key exchange and then
efficiency for encryption. The session key ks is used only to
encrypt message m and is not stored for any length of time.
[Figure: PGP confidentiality. Sender: c = E(KS, m) and k’ = E_KBe(KS); (c, k’) is sent over the Internet. Receiver: KS = D_KBa(k’), then m is recovered from c using KS.]
PGP Authentication and Confidentiality
(at the same time)
The schemes for authentication and confidentiality can be
combined so that Alice can sign a confidential message which is
encrypted before transmission. The steps required are as follows:
1. Alice generates a signature c for her message m as in the
authentication scheme
c = pk.encrypt_Ad(SHA(m))
2. Alice generates a random session key k and encrypts the message
m and the signature c using a symmetric cryptosystem to obtain
ciphertext C
C = sk.encrypt_k(m, c)
3. She encrypts the session key k using Bob’s public key
k’ = pk.encrypt_Be(k)
4. Alice sends Bob the values (k’, C).
5. Bob receives k’ and C and decrypts k’ using his private key
Bd to obtain the session key k
k = pk.decrypt_Bd(k’)
6. Bob decrypts the ciphertext C using the session key k to
obtain m and c
(m, c) = sk.decrypt_k(C)
7. Bob now has the message m. In order to authenticate it he
uses Alice’s public key Ae to decrypt the signature c and
hashes the message m using SHA-1.
If SHA(m) = pk.decrypt_Ae(c)
then the message is authenticated.
[Figure: PGP authentication and confidentiality. Sender: c = E_KAd(H(m)); m||c is encrypted with KS; KS is encrypted with KBe; both parts are sent over the Internet.]
PGP Compression
The compression algorithm used is ZIP, a freeware
package written in C that runs as a utility on UNIX and
other systems.
It is functionally equivalent to PKZIP.
As a default, PGP compresses the message AFTER
applying the signature, but before encryption.
This has the benefit of saving space and adding another
obstacle layer for snoopers.
PGP Compression
The placement of the compression algorithm is critical
• Message encryption is applied AFTER compression to
strengthen cryptographic security.
• The signature is generated BEFORE compression for
two reasons:
1. If one signed a compressed document, then it would be necessary to
either store a compressed version of the message for later verification,
or to decompress the message when verification is required.
2. Applying the hash function and signature AFTER compression would
constrain all PGP implementations to the same compression algorithm.
PGP Compression
PGP can also compress the message if desired. The
compression algorithm is ZIP and the decompression
algorithm is UNZIP.
1. The original message m is signed as before to obtain
c = pk.encrypt_Ad(SHA(m))
2. Now the original message m is compressed to obtain
M = ZIP(m)
3. Alice generates a session key k and encrypts the compressed
message and the signature using the session key
C = sk.encrypt_k(M, c)
4. The session key is encrypted using Bob’s public key as before.
5. Alice sends Bob the encrypted session key and ciphertext C.
6. Bob decrypts the session key using his private key and then
uses the session key to decrypt the ciphertext C to obtain M and
c
(M, c) = sk.decrypt_k(C)
7. Bob decompresses the message M to obtain the original
message m
m = UNZIP(M)
8. Now Bob has the original message m and signature c. He
verifies the signature using SHA-1 and Alice’s public key as
before.
Note that the compression is applied after signing (due to
implementation of ZIP) but before encryption (this
strengthens the security of the scheme since the message has
less redundancy after compression)
PGP E-Mail Compatibility
Many electronic mail systems can only transmit blocks
of ASCII text. This can cause a problem when sending
encrypted data since ciphertext blocks might not
correspond to ASCII characters which can be
transmitted.
PGP overcomes this problem by using radix-64
conversion.
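The full send and receive path from the authentication, confidentiality, compression and e-mail compatibility slides above, as an added Python example that is not part of the original slides. Assumptions: the function names are hypothetical, the RSA keys are constructed toy keys without padding, a SHA-256 keystream XOR stands in for CAST-128/IDEA/3DES, zlib stands in for ZIP and base64 for radix-64.

```python
import base64, hashlib, secrets, zlib

def keypair(p, q, e=65537):
    """Textbook RSA (no padding) from two primes: ((e, n), (d, n))."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

# Constructed toy keys from Mersenne primes: illustration only, not secure.
ALICE_PUB, ALICE_PRIV = keypair(2**127 - 1, 2**89 - 1)   # Ae, Ad
BOB_PUB, BOB_PRIV = keypair(2**521 - 1, 2**107 - 1)      # Be, Bd

def size(key):
    return (key[1].bit_length() + 7) // 8                # modulus length in bytes

def pk(key, data, out_len):
    """Raw public-key operation x^exp mod n on a byte string."""
    return pow(int.from_bytes(data, "big"), key[0], key[1]).to_bytes(out_len, "big")

def sk(k, data):
    """Stand-in for CAST-128/IDEA/3DES: XOR with a SHA-256 counter keystream."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def sign(m, priv):
    return pk(priv, hashlib.sha1(m).digest(), size(priv))    # c = pk.encrypt_Ad(SHA(m))

def verify(m, c, pub):
    padded = hashlib.sha1(m).digest().rjust(size(pub), b"\0")
    return pk(pub, c, size(pub)) == padded                   # SHA(m) == pk.decrypt_Ae(c)

def send(m, sender_priv, rcpt_pub):
    c = sign(m, sender_priv)                       # 1. sign the uncompressed message
    M = zlib.compress(m)                           # 2. M = ZIP(m), after signing
    k = secrets.token_bytes(16)                    # 3. one-time 128-bit session key
    C = sk(k, c + M)                               #    C = sk.encrypt_k(M, c)
    k_enc = pk(rcpt_pub, k, size(rcpt_pub))        # 4. k' = pk.encrypt_Be(k)
    return base64.b64encode(k_enc + C).decode()    # 5. radix-64: ASCII-only output

def receive(armored, rcpt_priv, sender_pub):
    raw = base64.b64decode(armored)
    klen = size(rcpt_priv)
    k = pk(rcpt_priv, raw[:klen], 16)              # k = pk.decrypt_Bd(k')
    plain = sk(k, raw[klen:])                      # (M, c) = sk.decrypt_k(C)
    c, M = plain[:size(sender_pub)], plain[size(sender_pub):]
    m = zlib.decompress(M)                         # m = UNZIP(M)
    return m, verify(m, c, sender_pub)             # check signature on the original m
```

Because the signature is computed over the uncompressed m, `verify` works on the stored plaintext without needing the compressed form.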
PGP Operation - Summary
PGP Segmentation
E-mail facilities are often restricted to a maximum
message length
- for example 50,000 octets
Longer messages must be broken up into segments, which
will be mailed separately.
PGP automatically subdivides a message that is too large
into segments that are small enough to send via email.
The segmentation is done after all of the other processing,
including radix-64
- thus the session key component and signature component
appear only once
The receiver strips off all email headers and reassembles the
block.
PGP Session Keys
PGP makes use of four types of keys: one-time session
conventional keys, public keys, private keys and
passphrase-based conventional keys.
• A session key is needed for each message
• of varying sizes: 56-bit DES, 128-bit CAST or IDEA,
168-bit Triple-DES
• generated using ANSI X12.17 mode
PGP Session Keys Generation
The problem: generating unpredictable session keys.
Session keys are generated using CAST-128 itself.
This is a PGP-specific random number generating technique.
It takes as input:
• two 64-bit blocks that are treated as plaintext to be encrypted
- based on keystroke timing and the actual keys struck, from the stream
generated by the user
• a 128-bit key
- the random input is also combined with the previous session key output from
CAST-128
The result, given the scrambling of CAST-128, is a sequence of session
keys that is effectively unpredictable.
PGP – Public and private Keys
» There are several reasons for one user to have multiple
public/private key pairs:
• to change the key from time to time for security
• to use different keys for communication with different
groups of correspondents
» There is not a one-to-one correspondence between users and their
public keys. This problem is solved by using key IDs.
» The overall scheme for key storage is that each PGP entity
maintains two files, one for his own private keys, and the other for
the public keys of the correspondents.
Key Identifier
• The problem: a user may have multiple public/private key pairs
• One simple solution would be to transmit the public key with the
message
- This would work, but an RSA key may be 300 decimal digits in length (1024 bits)
• PGP's solution is to associate a short identifier with each public key that
is unique; then only the much shorter key ID needs to be
transmitted
• The key ID associated with each public key consists of its least
significant 64 bits
• That is, the ID of KU is (KU mod 2^64)
PGP Key Rings
• PGP uses a pair of data structures: one to store the user's
public/private key pairs, the private-key ring; and one to store the
public keys of other known users, the public-key ring.
• Private-Key Ring
• We can view the private-key ring as a table, in which each row
represents one of the public/private key pairs owned by this user.
The private-key ring can be indexed by either User ID or Key ID.
• The actual private key itself is encrypted using CAST-128 (or IDEA or
3DES) keyed using a user-supplied passphrase.
• As in any system based on passwords, the security of this system
depends on the security of the password, which should be not easily
guessed but easily remembered.
• Public-Key Ring
• The public-key ring is a data structure used to store the public keys
of other users that are known to this user. The public-key ring can be
indexed by either User ID or Key ID.
PGP- Key Ring
Example:
Let us show a private-key ring table for Alice. We assume
that Alice has only two user IDs, [email protected] and
[email protected]. We also assume that Alice has two sets of
private/public keys, one for each user ID.
Private Key Ring
User ID            Key ID      Public key     Encrypted private key   Timestamp
[email protected]  AB13….45    AB13..45..59   3245298….23             031505-16:23
[email protected]  FA23..12    FA23..12..22   594A49…23               031504-08:11
PGP Message Generation
The sending PGP entity performs the following steps:
Signs the message:
• PGP gets sender’s private key from key ring using its
user id as an index.
• PGP prompts user for passphrase to decrypt private
key.
• PGP constructs the signature component of the
message.
Encrypts the message:
• PGP generates a session key and encrypts the
message.
• PGP retrieves the receiver's public key from the key ring
using its user id as an index.
• PGP constructs the session key component of the message.
PGP Message Reception
The receiving PGP entity performs the following steps:
Decrypting the message:
• PGP gets the receiver's private key from the private-key ring
using the Key ID field in the session key component of the
message as an index.
• PGP prompts user for passphrase to decrypt private
key.
• PGP recovers the session key and decrypts the
message.
Authenticating the message:
• PGP retrieves the sender’s public key from the public-
key ring using the Key ID field in the signature key
component as index.
• PGP recovers the transmitted message digest.
• PGP computes the message digest for the received message
and compares it to the transmitted version for
authentication.
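The private-key ring from the Key Identifier and PGP Key Rings slides, with the Key ID lookup and passphrase step that message reception performs, as an added Python example that is not part of the original slides. Assumptions: all names, user IDs and keys are constructed, a PBKDF2-derived XOR pad stands in for CAST-128, and the SHA-1 check value used to detect a wrong passphrase is a choice made for this example.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Row:                        # one row of the private-key ring
    user_id: str
    key_id: int                   # KU mod 2^64
    public_key: int               # KU
    enc_private: bytes            # private key, encrypted under the passphrase
    timestamp: str

def key_id(ku):
    return ku % 2**64             # least significant 64 bits of the public key

def wrap(data, passphrase, kid):
    """Stand-in for CAST-128 keyed by the passphrase: XOR with a PBKDF2 pad."""
    salt = kid.to_bytes(8, "big")
    pad = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000, len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

class PrivateKeyRing:
    def __init__(self):
        self.rows = []

    def add(self, user_id, ku, private, passphrase, timestamp):
        # Assumption: a SHA-1 check value is encrypted together with the key.
        enc = wrap(private + hashlib.sha1(private).digest(), passphrase, key_id(ku))
        self.rows.append(Row(user_id, key_id(ku), ku, enc, timestamp))
        return key_id(ku)

    def by_user(self, user_id):
        return [r for r in self.rows if r.user_id == user_id]

    def unlock(self, kid, passphrase):
        """Reception: pick the row by the message's Key ID, then decrypt its key."""
        row = next((r for r in self.rows if r.key_id == kid), None)
        if row is None:
            raise KeyError(f"no key pair with Key ID {kid:016X}")
        plain = wrap(row.enc_private, passphrase, kid)
        if hashlib.sha1(plain[:-20]).digest() != plain[-20:]:
            raise ValueError("wrong passphrase")
        return plain[:-20]

def demo_ring():
    """Constructed sample: Alice with two user IDs and one key pair for each."""
    ring, ids = PrivateKeyRing(), []
    for i, uid in enumerate(["alice@example.com", "alice@example.org"]):
        ku = int.from_bytes(hashlib.sha256(uid.encode()).digest() * 4, "big") | 1
        ids.append(ring.add(uid, ku, b"constructed-private-key-%d" % i, "pass phrase", "031505-16:23"))
    return ring, ids
```

The `ku` values are 1024-bit odd integers derived from a hash, used only as stand-ins for RSA moduli so that the 64-bit Key IDs differ.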
PGP – Public key management
The main problem with public key management is protecting
public keys from tampering. PGP provides a structure for solving
this problem with several of its options:
1. Physically get key from user.
2. Verify key via telephone. (This is only good if you can
recognize user on the telephone)
3. Obtain user’s public key from a mutual trusted individual.
4. Obtain user’s public key from a trusted certifying authority.