PGP versus S/MIME
APPLICATION TO LARGE ENTERPRISES
Tom Kramlik
ECE590:003

AGENDA
• OpenPGP and S/MIME version 3 Overview
• Application to 100 Users
• Application to 1,000 Users
• Application to 20,000 Users
• Conclusions

OpenPGP Overview
• Major change: incorporates X.509 certificates
• Compatible with MIME messages
• Special export versions available
• Compatible with popular software
• Mandates non-proprietary technology, with options for other technology

Algorithm                       Mandatory                   Optional
Digest Algorithm                SHA-1                       MD5
Signature Algorithm             DSS                         RSA
Session Key Encryption          Diffie-Hellman (ElGamal)    RSA
Content Encryption              Triple-DES (CFB-mode)       IDEA, CAST-128
Message Authentication Codes    HMAC with SHA-1             None

S/MIME Version 3 Overview
• A secure extension to MIME format
• Relies on use of public key infrastructure
• Incorporated into many of most popular commercial communications products
• Mandated technologies are non-proprietary, and the same as OpenPGP

Algorithm                       Mandatory                   Optional
Digest Algorithm                SHA-1                       MD5
Signature Algorithm             DSS                         RSA
Session Key Encryption          Diffie-Hellman (ElGamal)    RSA
Content Encryption              Triple-DES (CBC-mode)       RC2 (CBC-mode)
Message Authentication Codes    HMAC with SHA-1             None

Application to 100 Users
• Commercial PGP and S/MIME products have similar cost
  – S/MIME integrated into popular products
  – Free versions of PGP available, and some commercial options low cost
• Less expensive to use web-of-trust than public key infrastructure
  – Small enough for use of web-of-trust
  – Depends on need for legally binding signatures
• Advantage: PGP

Application to 1,000 Users
• Scale of organization is too large for multiple individual webs-of-trust for all users
  – Requires server to coordinate certificates and avoid duplication of effort
  – However, much more cost effective to use informal than formal PKI certificates; corporate effort to maintain web-of-trust
• PGP and S/MIME products support socket-layer encryption
  – Desk-top encryption only for those who need to use legally binding digital signatures
• Advantage: Tie

Application to Up To 20,000 Users
• Public key infrastructure becomes necessary
• Competition between S/MIME and PGP security servers rather than desktop competition
  – S/MIME advantage to a large company as integrated security solution in existing software is less attractive than the PKI savings of encrypting from server based application
  – PGP and S/MIME solutions very similar at server level
• Costs for S/MIME products are better than for PGP
• Advantage: S/MIME

Conclusions
• Competition between the standards is not over, and the IETF will continue to consider both
• For all size organizations, there are competitive benefits to using each standard
  – Availability of integrated solutions favors S/MIME
  – Informal web-of-trust and X.509 compatibility favors PGP
• Netscape and Microsoft distribute products with S/MIME, so potential for de facto standard exists
• Associated PKI costs will be major