Email Security

email is one of the most widely used and regarded network services
currently message contents are not secure
may be inspected either in transit
or by suitably privileged users on destination system
In virtually all distributed environments, electronic mail is the
most heavily used network-based application. But current email
services are roughly like "postcards”, anyone who wants could
pick it up and have a look as its in transit or sitting in the
recipients mailbox.
Email Security Enhancements
confidentiality
protection from disclosure
authentication
of sender of message
message integrity
protection from modification
non-repudiation of origin
protection from denial by sender
With the explosively growing reliance on electronic mail for every conceivable
purpose, there grows a demand for authentication and confidentiality services. What
we want is something more akin to standard mail (contents protected inside an
envelope) if not registered mail (have confidence about the sender of the mail and its
contents). That is, the “classic” security services listed are desired.
Pretty Good Privacy (PGP)
• widely used de facto secure email
• developed by Phil Zimmermann
• selected best available crypto algs to use
• integrated into a single program
• on Unix, PC, Macintosh and other systems
• originally free, now also have commercial versions available
• The Pretty Good Privacy (PGP) secure email program, is a remarkable phenomenon,
has grown explosively and is now widely used. Largely the effort of a single person,
Phil Zimmermann, who selected the best available crypto algorithms to use &
integrated them into a single program, PGP provides a confidentiality and
authentication service that can be used for electronic mail and file storage
applications. It runs on a wide range of systems, in both free & commercial versions.
PGP Operation – Authentication
1. sender creates message
2. make SHA-1160-bit hash of message
3. attached RSA signed hash to message
4. receiver decrypts & recovers hash code
5. receiver verifies received message hash
PGP Operation – Confidentiality

1. sender forms 128-bit random session key

2. encrypts message with session key
3. attaches session key encrypted with RSA
4. receiver decrypts & recovers session key
5. session key is used to decrypt message
PGP Operation – Confidentiality & Authentication
• can use both services on same message
• create signature & attach to message
• encrypt both message & signature
• attach RSA/ElGamal encrypted session key
PGP Operation – Compression
• by default PGP compresses message after signing but before encrypting
• so can store uncompressed message & signature for later verification
• & because compression is non deterministic
• uses ZIP compression algorithm
PGP Operation – Email Compatibility
• when using PGP will have binary data to send (encrypted message
etc)
• however email was designed only for text
• hence PGP must encode raw binary data into printable ASCII
characters
• uses radix-64 algorithm
• maps 3 bytes to 4 printable chars
• also appends a CRC
• PGP also segments messages if too big
PGP Operation – Summary
PGP Session Keys
• need a session key for each message
• of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES
• generated using ANSI X12.17 mode
• uses random inputs taken from previous uses and from keystroke
timing of user
PGP Public & Private Keys
• since many public/private keys may be in use, need to identify which
is actually used to encrypt session key in a message
• could send full public-key with every message
• but this is inefficient
• rather use a key identifier based on key
• is least significant 64-bits of the key
• will very likely be unique
• also use key ID in signatures
PGP Message Format
PGP Key Rings
each PGP user has a pair of keyrings:
public-key ring contains all the public-keys of other PGP users known to this
user, indexed by key ID
private-key ring contains the public/private key pair(s) for this user, indexed
by key ID & encrypted keyed from a hashed passphrase
security of private keys thus depends on the pass-phrase security
PGP Key Rings
PGP Message Generation
PGP Message Reception
PGP Key Management
• rather than relying on certificate authorities
• in PGP every user is own CA
• can sign keys for users they know directly
• forms a “web of trust”
• trust keys have signed
• can trust keys others have signed if have a chain of signatures to them
• key ring includes trust indicators
• users can also revoke their keys
PGP Trust Model Example
S/MIME (Secure/Multipurpose Internet Mail
Extensions)
• security enhancement to MIME email
• original Internet RFC822 email was text only
• MIME provided support for varying content types and multi-part messages
• with encoding of binary data to textual form
• S/MIME added security enhancements
• have S/MIME support in many mail agents
• eg MS Outlook, Mozilla, Mac Mail etc
S/MIME Functions
• enveloped data
• encrypted content and associated keys
• signed data
• encoded message + signed digest
• clear-signed data
• cleartext message + encoded signed digest
• signed & enveloped data
• nesting of signed & encrypted entities
S/MIME Cryptographic Algorithms
• digital signatures: DSS & RSA
• hash functions: SHA-1 & MD5
• session key encryption: ElGamal & RSA
• message encryption: AES, Triple-DES, RC2/40 and others
• MAC: HMAC with SHA-1
• have process to decide which algs to use
S/MIME Messages

S/MIME secures a MIME entity with a signature,

encryption, or both
forming a MIME wrapped PKCS object
have a range of content-types:
enveloped data
signed data
clear-signed data
registration request
certificate only message
S/MIME Certificate Processing
• S/MIME uses X.509 v3 certificates
• managed using a hybrid of a strict X.509 CA hierarchy & PGP’s web of
trust
• each client has a list of trusted CA’s certs
• and own public/private key pairs & certs
• certificates must be signed by trusted CA’s
Certificate Authorities

• have several well-known CA’s

• Verisign one of most widely used
• Verisign issues several types of Digital IDs
• increasing levels of checks & hence trust
Class Identity Checks Usage
1 name/email checkweb browsing/email
2 + enroll/addr check email, subs, s/w validate
3 + ID documents e-banking/service access
S/MIME Enhanced Security Services
• 3 proposed enhanced security services:
• signed receipts
• security labels
• secure mailing lists
Domain Keys Identified Mail
• a specification for cryptographically signing email messages
• so signing domain claims responsibility
• recipients / agents can verify signature
• proposed Internet Standard RFC 4871
• has been widely adopted
Internet Mail Architecture
Email Threats
• see RFC 4684- Analysis of Threats Motivating DomainKeys Identified Mail
• describes the problem space in terms of:
• range: low end, spammers, fraudsters
• capabilities in terms of where submitted, signed, volume, routing naming etc
• outside located attackers
DKIM
Strategy
• transparent to
user
• MSA sign
• MDA verify
• for pragmatic
reasons
DKIM
Functional Flow
Summary
• have considered:
• secure email
• PGP
• S/MIME
• domain-keys identified email
IP Security
If a secret piece of news is divulged by a spy before the time is ripe, he must be put
to death, together with the man to whom the secret was told.
—The Art of War, Sun Tzu
IP Security
• have a range of application specific security mechanisms
• eg. S/MIME, PGP, Kerberos, SSL/HTTPS
• however, there are security concerns that cut across protocol layers
• would like security implemented by the network for all applications
IP Security

• general IP Security mechanisms

• provides
• authentication
• confidentiality
• key management
• applicable to use over LANs, across public & private WANs, &
for the Internet
• need identified in 1994 report
• need authentication, encryption in IPv4 & IPv6
IP Security Uses
Benefits of IPSec
in a firewall/router provides strong security to all traffic crossing the perimeter
in a firewall/router is resistant to bypass
is below transport layer, hence transparent to applications
can be transparent to end users
can provide security for individual users
secures routing architecture
 IP Security Architecture
• specification is quite complex, with groups:
• Architecture
• RFC4301 Security Architecture for Internet Protocol
• Authentication Header (AH)
• RFC4302 IP Authentication Header
• Encapsulating Security Payload (ESP)
• RFC4303 IP Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE)
• RFC4306 Internet Key Exchange (IKEv2) Protocol
• Cryptographic algorithms
• Other
IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
• a form of partial sequence integrity
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Transport and Tunnel Modes

• Transport Mode
• to encrypt & optionally authenticate IP data
• can do traffic analysis but is efficient
• good for ESP host to host traffic
• Tunnel Mode
• encrypts entire IP packet
• add new header for next hop
• no routers on way can examine inner IP header
• good for VPNs, gateway to gateway security
Transport
and
Tunnel
Modes
Transport
and
Tunnel
Mode
Protocols
Security Associations

• a one-way relationship between sender & receiver that affords security

for traffic flow
• defined by 3 parameters:
• Security Parameters Index (SPI)
• IP Destination Address
• Security Protocol Identifier
• has a number of other parameters
• seq no, AH & ESP info, lifetime etc
• have a database of Security Associations
 Security Policy Database
relates IP traffic to specific SAs
 match subset of IP traffic to relevant SA
 use selectors to filter outgoing traffic to map
 based on: local & remote IP addresses, next layer protocol, name, local
& remote ports
Encapsulating Security Payload (ESP)
• provides message content confidentiality, data origin authentication,
connectionless integrity, an anti-replay service, limited traffic flow
confidentiality
• services depend on options selected when establish Security
Association (SA), net location
• can use a variety of encryption & authentication algorithms
Encapsulating Security Payload
 Encryption & Authentication
Algorithms & Padding
• ESP can encrypt payload data, padding, pad length, and next
header fields
• if needed have IV at start of payload data
• ESP can have optional ICV for integrity
• is computed after encryption is performed
• ESP uses padding
• to expand plaintext to required length
• to align pad length and next header fields
• to provide partial traffic flow confidentiality
Anti-Replay Service

• replay is when attacker resends a copy of an authenticated

packet
• use sequence number to thwart this attack
• sender initializes sequence number to 0 when a new SA is
established
• increment for each packet
• must not exceed limit of 232 – 1
• receiver then accepts packets with seq no within window of (N
–W+1)
Combining Security Associations

• SA’s can implement either AH or ESP

• to implement both need to combine SA’s
• form a security association bundle
• may terminate at different or same endpoints
• combined by
• transport adjacency
• iterated tunneling
• combining authentication & encryption
• ESP with authentication, bundled inner ESP & outer AH, bundled inner
transport & outer ESP
Combining Security Associations
IPSec Key Management

• handles key generation & distribution

• typically need 2 pairs of keys
• 2 per direction for AH & ESP
• manual key management
• sysadmin manually configures every system
• automated key management
• automated system for on demand creation of keys for SA’s in large systems
• has Oakley & ISAKMP elements
Oakley
• a key exchange protocol
• based on Diffie-Hellman key exchange
• adds features to address weaknesses
• no info on parties, man-in-middle attack, cost
• so adds cookies, groups (global params), nonces, DH key exchange with authentication
• can use arithmetic in prime fields or elliptic curve fields
ISAKMP

• Internet Security Association and Key Management Protocol

• provides framework for key management
• defines procedures and packet formats to establish, negotiate, modify,
& delete SAs
• independent of key exchange protocol, encryption alg, &
authentication method
• IKEv2 no longer uses Oakley & ISAKMP terms, but basic functionality is
same
IKEV2 Exchanges
ISAKMP
IKE Payloads & Exchanges
have a number of ISAKMP payload types:
 Security Association, Key Exchange, Identification, Certificate, Certificate Request,
Authentication, Nonce, Notify, Delete, Vendor ID, Traffic Selector, Encrypted, Configuration,
Extensible Authentication Protocol
payload has complex hierarchical structure
may contain multiple proposals, with multiple protocols & multiple transforms
Cryptographic Suites

• variety of cryptographic algorithm types

• to promote interoperability have
• RFC4308 defines VPN cryptographic suites
• VPN-A matches common corporate VPN security using 3DES & HMAC
• VPN-B has stronger security for new VPNs implementing IPsecv3 and
IKEv2 using AES
• RFC4869 defines four cryptographic suites compatible with US NSA
specs
• provide choices for ESP & IKE
• AES-GCM, AES-CBC, HMAC-SHA, ECP, ECDSA
Summary
• have considered:
• IPSec security framework
• IPSec security policy
• ESP
• combining security associations
• internet key exchange
• cryptographic suites used