EMAIL SECURITY

Email Security
Student: Ashraf Gamal Ahmed El-Bialy CS634 data Security Fall 2012-2013

Supervisor: DR. Hisham ElZoka

College of Computing and Information Technology Arab Academy For Science, Technology And Maritime Transport's

EMAIL SECURITY
email is one of the most widely used and regarded network services The protection of email from unauthorized access and inspection is known as electronic privacy.

CRYPTOGRAPHY AND NETWORK SECURITY

RISKS TO USER
Email is vulnerable to both passive and active attacks.

Passive threats include Release of message contents, and Traffic analysis .

Active threats include Modification of message contents, Masquerade, Replay, and Denial of Service (DoS). Actually, all the mentioned threats are applicable to the traditional email protocols

Email Pathway

EMAIL SECURITY ENHANCEMENTS

Confidentiality

protection from disclosure

Authentication of sender of message Message integrity protection from modification Non-repudiation of origin protection from denial by sender

CRYPTOGRAPHY AND NETWORK SECURITY

METHODS/ALGORITHMS
Pretty Good Privacy (PGP)

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Transport Layer Security (TLS) Domain Keys Identified Mail (DKIM) . .

PRETTY GOOD PRIVACY (PGP)

Essentially the product of one single person Phil Zimmermann

Released in 1991 Complete email security package providing privacy, authentication, digital signatures, and compression.
Available on Unix, Linux, Windows, Mac OS It is based on algorithms that have survived extensive public review and are considered extremely secure. Specifically, the package includes RSA, DSS, and Diffie-Hellman for public-key encryption(Key Management); CAST-128, IDEA, and 3DES for symmetric encryption; and SHA-1 for hash coding.

CRYPTOGRAPHY AND NETWORK SECURITY

PGP
Five services Authentication, confidentiality, compression, email compatibility. Functions Digital signature Message encryption Compression Email compatibility

CRYPTOGRAPHY AND NETWORK SECURITY

PGP OPERATION AUTHENTICATION

1. sender creates a message 2. SHA-1 used to generate 160-bit hash code of message 3. hash code is encrypted with RSA using the sender's private key, and result is attached to message 4. receiver uses RSA or DSS with sender's public key to decrypt and recover hash code 5. receiver generates new hash code for message and compares with decrypted hash code, if match, message is accepted as authentic

CRYPTOGRAPHY AND NETWORK SECURITY

10

PGP OPERATION AUTHENTICATION

PGP CRYPTOGRAPHIC FUNCTIONS

11

PGP OPERATION CONFIDENTIALITY

1. sender generates message and random 128-bit number to be used as session key for this message only 2. message is encrypted, using CAST-128 / IDEA/3DES with session key

3. session key is encrypted using RSA with recipient's public key, then attached to message
4. receiver uses RSA with its private key to decrypt and recover session key 5. session key is used to decrypt message

CRYPTOGRAPHY AND NETWORK SECURITY

12

PGP OPERATION CONFIDENTIALITY

PGP OPERATION CONFIDENTIALITY & AUTHENTICATION

uses both services on same message create signature & attach to message encrypt both message & signature

attach RSA encrypted session key

CRYPTOGRAPHY AND NETWORK SECURITY

14

PGP OPERATION CONFIDENTIALITY & AUTHENTICATION

PGP OPERATION COMPRESSION

by default PGP compresses message after signing but before encrypting so can store uncompressed message & signature for later verification & because compression is non deterministic uses ZIP compression algorithm

CRYPTOGRAPHY AND NETWORK SECURITY

16

PGP OPERATION EMAIL COMPATIBILITY

when using PGP will have binary data to send (encrypted message etc)

however email was designed only for text

hence PGP must encode raw binary data into printable ASCII characters uses radix-64 algorithm maps 3 bytes to 4 printable chars also appends a CRC PGP also segments messages if too big

CRYPTOGRAPHY AND NETWORK SECURITY

17

PGP OPERATION SUMMARY

CRYPTOGRAPHY AND NETWORK SECURITY

18

KEY MANAGEMENT
Generating unpredictable session keys

Identifying keys
Multiple public, private key pairs for a user Maintain keys Its own public, private keys of a PGP entity Public keys of correspondents

CRYPTOGRAPHY AND NETWORK SECURITY

19

SESSION KEY GENERATION

Algorithm used: CAST-128 Input to CAST-128 A 128-bit key Two 64 bits plaintexts to be encrypted Output using cipher feedback mode Generates 2 64-bits ciphers form session key Plaintexts are from 128-bits randomized number Based on key stroke of user (timing and actual keys) Then combined with previous session key

CRYPTOGRAPHY AND NETWORK SECURITY

20

S/MIME (SECURE/MULTIPURPOSE INTERNET MAIL EXTENSIONS)

security enhancement to MIME email

original Internet RFC822 email was text only

MIME provided support for varying content types and multipart messages

with encoding of binary data to textual form

S/MIME added security enhancements have S/MIME support in various modern mail agents: MS Outlook, Netscape etc

CRYPTOGRAPHY AND NETWORK SECURITY

21

S/MIME CRYPTOGRAPHIC ALGORITHMS

hash functions: SHA-1 & MD5 digital signatures: DSS & RSA session key encryption: ElGamal & RSA

message encryption: Triple-DES, RC2/40 and others

have a procedure to decide which algorithms to use

CRYPTOGRAPHY AND NETWORK SECURITY

22

Thank you