Chapter 5

Electronic mail
security

Henric Johnson
Blekinge Institute of Technology, Sweden
http://www.its.bth.se/staff/hjo/
[email protected]
Henric Johnson 1
 Outline
• Pretty good privacy
• S/MIME
• Recommended web sites

Henric Johnson 2
 Pretty Good Privacy
• Philip R. Zimmerman is the creator
of PGP.
• PGP provides a confidentiality and
authentication service that can be
used for electronic mail and file
storage applications.

Henric Johnson 3
 Why Is PGP Popular?
• It is availiable free on a variety of
platforms.
• Based on well known algorithms.
• Wide range of applicability
• Not developed or controlled by
governmental or standards
organizations
Henric Johnson 4
Operational Description
• Consist of five services:
– Authentication
– Confidentiality
– Compression
– E-mail compatibility
– Segmentation

Henric Johnson 5
Henric Johnson 6
 Compression
• PGP compresses the message after
applying the signature but before
encryption
• The placement of the compression
algorithm is critical.
• The compression algorithm used is
ZIP (described in appendix 5A)

Henric Johnson 7
 E-mail Compatibility
• The scheme used is radix-64
conversion (see appendix 5B).
• The use of radix-64 expands the
message by 33%.

Henric Johnson 8
 Segmentation and
Reassembly
• Often restricted to a maximum
message length of 50,000 octets.
• Longer messages must be broken
up into segments.
• PGP automatically subdivides a
message that is to large.
• The receiver strip of all e-mail
headers and reassemble the block.
Henric Johnson 9
Sumary of PGP Services
Function Algorithm Used
Digital Signature DSS/ SHA or
RSA/ SHA
Message CAST or I DEA or
Encryption three-key triple DES
with Diffi e-Hellman
or RSA
Compression ZI P
E-mail Radix-64 conversion
Compatibility
- Johnson
Segmentation Henric 10
Henric Johnson 11
Format of PGP Message

Henric Johnson 12
Henric Johnson 13
Henric Johnson 14
Henric Johnson 15
 The Use of Trust
• Key legitimacy field
• Signature trust field
• Owner trust field

See Table 5.2

(W. Stallings)

Henric Johnson 16
Henric Johnson 17
 Revoking Public Keys
• The owner issue a key revocation
certificate.
• Normal signature certificate with a
revote indicator.
• Corresponding private key is used
to sign the certificate.

Henric Johnson 18
 S/MIME
• Secure/Multipurpose Internet Mail
Extension
• S/MIME will probably emerge as
the industry standard.
• PGP for personal e-mail security

Henric Johnson 19
 Simple Mail Transfer
Protocol (SMTP, RFC
822)
• SMTP Limitations - Can not transmit, or
has a problem with:
– executable files, or other binary files (jpeg
image)
– “national language” characters (non-ASCII)
– messages over a certain size
– ASCII to EBCDIC translation problems
– lines longer than a certain length (72 to 254
characters)
Henric Johnson 20
 Header fields in MIME
• MIME-Version: Must be “1.0” -> RFC 2045,
RFC 2046
• Content-Type: More types being added by
developers (application/word)
• Content-Transfer-Encoding: How message
has been encoded (radix-64)
• Content-ID: Unique identifying character
string.
• Content Description: Needed when content is
not readable text (e.g.,mpeg)
Henric Johnson 21
 S/MIME Functions
• Enveloped Data: Encrypted content and
encrypted session keys for recipients.
• Signed Data: Message Digest encrypted
with private key of “signer.”
• Clear-Signed Data: Signed but not
encrypted.
• Signed and Enveloped Data: Various
orderings for encrypting and signing.

Henric Johnson 22
 Algorithms Used
• Message Digesting: SHA-1 and MDS
• Digital Signatures: DSS
• Secret-Key Encryption: Triple-DES,
RC2/40 (exportable)
• Public-Private Key Encryption: RSA
with key sizes of 512 and 1024 bits, and
Diffie-Hellman (for session keys).

Henric Johnson 23
 User Agent Role
• S/MIME uses Public-Key Certificates - X.509
version 3 signed by Certification Authority
• Functions:
– Key Generation - Diffie-Hellman, DSS, and RSA key-
pairs.
– Registration - Public keys must be registered with
X.509 CA.
– Certificate Storage - Local (as in browser
application) for different services.
– Signed and Enveloped Data - Various orderings
for encrypting and signing.
Henric Johnson 24
 User Agent Role
• Example: Verisign
(www.verisign.com)
– Class-1: Buyer’s email address
confirmed by emailing vital info.
– Class-2: Postal address is confirmed as
well, and data checked against
directories.
– Class-3: Buyer must appear in person,
or send notarized documents.
Henric Johnson 25
 Recommended Web
Sites
• PGP home page: www.pgp.com
• MIT distribution site for PGP
• S/MIME Charter
• S/MIME Central: RSA Inc.’s Web Site

Henric Johnson 26