Computer Security CS477Lecture 14Ching-Hua ChuanNovember 5th2008Administration Homework 3 Part 2 is on (due on Nov 12th)Today’s Outline Electronic Mail Security Secure/Multipurpose Internet Mail Extension (S/MIME)Electronic Mail ProtocolsSMTPRFC 822MIMES/MIMETraditional e-mail format standardImproved format standardSecurity enhancement of MIMESimple Mail Transfer Protocol (SMTP, RFC 822) SMTP/RFC 822 Traditional e-mail format standard Limitations of SMTP/RFC 822 Can’t transmit executable files, or other binary objects Can’t transmit “national language” characters (non-ASCII) Reject messages over a certain size ASCII to EBCDIC translation problems Implementations do not adhere to the STMP standards (Ex. Truncating lines longer than 76 characters)An Example Message of RFC 822Multipurpose Internet Mail Extensions (MIME) MIME Intended to resolve the problems in RFC 822 implementations. Overview of MIME Five new message header fields are defined. A number of content formats are defined, standardizing representations that support multimedia e-mail. Transfer encodings are defined.Header Fields in MIME MIME-Version Content-Type Capable of handling content such as jpeg, mpeg, PostScript Content-Transfer-Encoding Content-ID Unique identify MIME entities in multiple contexts. Content Description Text description of the object with the body (readable)An Example Message of MIME S/MIME S/MIME: A security enhancement to the MIME Internet e-mail format standard. IETF standard tracks S/MIME: will emerge as the industry standard for commercial and organization use. PGP: will remain the choice for personal e-mail security.S/MIME Functions Enveloped data Encrypted content and encrypted session keys Signed data Encrypt message digest with private key Signature and content are encoded Clear-signed data Signed but only signature is encoded Signed and Enveloped Data Various arrangements for encrypting and signing.Algorithms Used in S/MIME Creating MD and encrypting MD to for digital signature Must: SHA-1, should: MD5, DSS, RSA Encrypting session key Must: RSA, should: Diffie-Hellman Encrypting message Must: DES, should: AES, RC2/40 Creating a MAC Must: HMAC with SHA-1S/MIME ExamplesSigned DataS/MIME Examples (Cont’d)Clear SigningplaintextsignatureUser Agent Role Key-management functions Key generation Must: key pairs of Diffie-Hellman and DSS Should: RSA key pairs with a length 768 to 1024 bits. Registration A user’s public key MUST be registered with a CA to receive X.509 public-key certificate. Certificate storage and retrieval A user requires access to a local list of certificates, in order to verify incoming signatures and to encrypt outgoing messages.VeriSign Certificates VeriSign An Internet-based company provides certification authority (CA) services. It is intended to be compatible with S/MIME. It issues X.509 certificates and VeriSign Digital ID. Digital ID (minimum) Owner’s public key, owner’s name or alias, expiration date, serial number, name and digital signature of the certificate authority.VeriSign Certificates Three levels/classes Class-1: User’s email address confirmed by emailing PIN and ID pickup info. Class-2: Postal address is confirmed as well, and data checked against directories. Class-3: User must apply in person, or provide notarized documents.Enhanced Security Services Signed receipts A signed receipt may be requested. Security labels Security information including access right, priority (secret, confidential, restricted, and so on) or role based. Secure mailing lists Per-recipient processing: use each recipient’s public key.Today’s Summary Electronic Mail Security Secure/Multipurpose Internet Mail Extension (S/MIME) Relations between SMTP, MIME, S/MIME Security functions in S/MIME User agent role VeriSign certificates Enhanced security
View Full Document