Transcript Certificate-only message - IT352 : Network Security

Email Security
SMIME
1
IT352 | Network Security
|Najwa AlGhamdi
Email Protocol Overview
1. Simple Mail Transfer Protocol
(SMTP)
– It is an Internet standard for e-mail
transmission across Internet
Protocol (IP) networks.
– Through this protocol ,a mail sender
communicates with a mail receiver
by issuing command strings and
supplying necessary data over a TCP
connection.
2
IT352 | Network Security
|Najwa AlGhamdi
Email Protocol Overview
•
3
A typical example of sending a message via SMTP to two mailboxes
(alice and theboss) located in the same mail domain (example.com
or localhost.com) is reproduced in the following session exchange
IT352 | Network Security
|Najwa AlGhamdi
Email Protocol Overview
SMTP Drawbacks
1. SMTP cannot transmit text data
that includes national language
characters because these are
represented by 8-bit codes with
values of 128 decimal or higher,
and SMTP is limited to 7-bit ASCII.
2. SMTP servers may reject mail
message over a certain size.
3. SMTP gateways that translate
between ASCII to EBCDIC suffer
translation problems.
4
IT352 | Network Security
|Najwa AlGhamdi
Email Protocol Overview
2. Multipurpose Internet Mail
Extensions (MIME)
– is an Internet standard that extends
the format of email to support:
1. Text in character sets other than
ASCII
2. Non-text attachments
3. Message bodies with multiple parts
• MIME's use has grown beyond
describing the content of email to
describe content type in general
including for the web .
• SMTP/MIME email l Email is
transmitted via SMTP in MIME
format.
5
IT352 | Network Security
|Najwa AlGhamdi
Email Protocol Overview
MIME specification includes the
following elements:
1. Five new message header fields. These fields
provide information about the body of the
message.
1. MIME veriosn
2. Content-Type : describe the data contain in
the body.
3. Content transfer encoding: indicate the type
of transformation that has been used to
represent the body of the message in a way
that is acceptable for mail transport.
4. Content ID.
5. Content description.
2. A number of content formats are defined,
thus standardizing representations that
supports multimedia e-mail.
3. Transfer encodings are defined that enable
that protect any content format to be altered
by the mail system.
6
IT352 | Network Security
|Najwa AlGhamdi
Email Protocol Overview
MIME specification includes the following elements:
2. A number of content formats are defined, thus standardizing
representations that supports multimedia e-mail.
7
IT352 | Network Security
|Najwa AlGhamdi
Example of multipart
message
From: Nathaniel Borenstein <[email protected]>
To: Ned Freed [email protected]
Subject: Sample message
MIME-Version: 1.0
Content-type: multipart/mixed; boundary=“
simple boundary“
This is the preamble. It is to be ignored,
though it is a handy place for mail composers to
include an explanatory note to non-MIME
conformant readers.
--simple boundary
This is implicitly typed plain ASCII text. It
does NOT end with a linebreak.
--simple boundary
Content-type: text/plain; charset=us-ascii
This is explicitly typed plain ASCII text. It
DOES end with a linebreak.
--simple boundary-- This is the epilogue. It is
also to be ignored.
8
IT352 | Network Security
|Najwa AlGhamdi
Email Protocol Overview
MIME specification includes the
following elements:
3.Transfer encodings are defined that enable that
protect any content format to be altered by the mail
system.
9
IT352 | Network Security
|Najwa AlGhamdi
S/MIME (Secure/Multipurpose
Internet Mail Extensions)
• security enhancement to MIME
email
• have S/MIME support in many
mail agents
– MS Outlook, Mozilla, Mac Mail etc
S/MIME Functions
• S/MIME is very similar to PGP. Both
offer the ability to sign and/or encrypt
messages.
• S/MIME Security Functions :
1. Enveloped data:
This consists of encrypted content of
any type and encrypted content
encryption keys for one or more users.
This functions provides privacy and
data security.
2. Signed data:
A digital signature is formed by signing
the message digest and then encrypting
that with the signer private key.
• The content and the signature are then
encoded using base64 encoding.
This function provides authenticity,
message integrity and non-repudiation
of origin.
S/MIME Functions
• S/MIME Security Functions :
3. Clear signed data:
In this case a digital signature of
the content is formed, However
only the signature is encoded
with base64.
4. Signed and enveloped data:
(2) & (1) may be nested :
1. Encrypted data could be signed.
2. Or signed data could be
encrypted.
S/MIME Cryptographic
Algorithms
• digital signatures: DSS & RSA
• hash functions: SHA-1 & MD5
• session key encryption: ElGamal
& RSA
• message encryption: AES, TripleDES, RC2/40 and others
• MAC: HMAC with SHA-1
S/MIME Messages
 A MIME entity may be an entire
message or one or more of the
subparts of the message.
 S/MIME secures a MIME entity with a
signature, encryption, or both to form a
MIME wrapped (public-key
cryptography specifications ) PKCS
object
 A PKCS Object is then treated as
message content .
 have a range of content-types:
 enveloped data
 signed data
 clear-signed data
 registration request
 certificate only message
S/MIME - Message
Recipient’s
public key
Enveloped Data:
Diffie-Hellman
/ RSA
Pseudorandom
session key
Encrypt the session
key
ׁׁ(3DES or RC2/40)
Certific
ate
RecipientInfo
M
+
envelopeddata
S/MIME Message
SignedData:
Sender’s
private key
Hash
function
Encryption
M
SHA-1 or
MD5
Certific
ate
SignerI
nfo
Base64
encoding
S/MIME - Message
Clear signing:
 Clear signing is achieved using the multipart
content type with a signed sub-type .
Two parts:
 Clear text (or any MIME type) encoded in base64.
 SignedData.
S/MIME - Message
This parameter
indicates that this is
Content-Type: multipart/signed;
protocol=“application/pkcs7-signature”; a two part clearsigned entity.
micalg=sha1; boundary=boundary42
--boundary42
Content-Type: text/plain
Unsigne
d Data
This is a clear-signed message.
This parameter
indicates the type of
message digest used.
--boundary42
Content-Type: application/pkcs7-signature;
name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s
SignerInfo
Header
ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
--boundary42--
S/MIME - Message
Registration request:
A user will apply for certification authorities
Subject’s
name
Public-key in
bit-string
representation
010111010011
…
Publickey ID
C
A
+
CertificationRequestInfo
?
PKCS
10
User’s
private
key
S/MIME - Message
Certificate-only message:
 Used to transport certificates.
 contains only certificates or a certificate
revocation list (CRL).
 Sent in response to a registration request.
S/MIME - Message
Creating a Certificates-only Message:
Step 1:
The certificates are made available to the CMS
generating process which creates a CMS object of
type signedData.
Step 2:
The CMS signedData object is enclosed in an
application/pkcs7-mime MIME entity.
 The smime-type parameter for a certs-only
message is "certs-only".
 The file extension for this type of message is
".p7c".
S/MIME Certificate
Processing
• S/MIME uses X.509 v3 certificates
• The key-management scheme
used by S/MIME is in some
ways managed using a hybrid of
a strict X.509 CA hierarchy &
PGP’s web of trust
• each client has a list of trusted
CA’s certs
• and own public/private key pairs
& certs
• certificates must be signed by
trusted CA’s