1 / 10

PEM & S/MIME

PEM & S/MIME. CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk. PEM & S/MIME. Privacy Enhanced Mail (PEM) Developed by IETF, to add encryption, source authentication & integrity protection to e-mail

cyrah
Download Presentation

PEM & S/MIME

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. PEM & S/MIME CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk PEM & S/MIME

  2. PEM & S/MIME • Privacy Enhanced Mail (PEM) • Developed by IETF, to add encryption, source authentication & integrity protection to e-mail • Allows both public & secret long-term keysMessage key is always symmetric • Specifies a detailed certification hierarchy • Secure/MIME (S/MIME) • PEM never took off; CA hierarchy difficult to realize • S/MIME: PEM design incorporated into MIME PEM & S/MIME

  3. PEM Key Exchange & Encryption • “Interchange keys”: Users’ long-term PEM keys • public (a detailed PKI is defined) • secret (pre-shared symmetric keys) • Encryption • A symmetric per-message key is sent encrypted under the interchange key. • The message is encrypted under the per-message key (typically with DES in CBC mode) • Authentication • Message is authenticated by a “MIC”(Q: Any authentication for the per-message key?) PEM & S/MIME

  4. PEM Certificate Hierarchy • The root CA: “Internet Policy Registration Authority” (IPRA) • “Policy Certification Authorities”: Second-level, CA-certifying CAs, each with a different policy: • High Assurance (HA): super-secure • implemented on secure platforms • regulates that the child CAs (also HACAs) enforce the same rules • Discretionary Assurance (DA): secure • requires that the child CAs own their names • No Assurance (NA): no constraints • can be used to certify Internet personas (pseudonyms) • Lower-level CAs, certifying individuals or other CAs PEM & S/MIME

  5. Message Integrity & Authentication • “MIC”: Message integrity code. (MAC) • A checksum is computed over the message by • MD2 • MD5 • or, CBC-MAC (the key is 0F0F...  message key) • Checksum is protected by the interchange key • public key: signed by sender’s private key • secret key: encrypted by the interchange key PEM & S/MIME

  6. Message Integrity & Auth. (cont’d) • Note: In the public key case, the MIC must be encrypted if the message is encrypted. (Why?) • Problem: Message header is not protected, which may be sensitive to tempering • Solution: Include header info in the text PEM & S/MIME

  7. Structure of PEM Messages • Whole or part of the message can be protected • Protected part specified as -----BEGIN PRIVACY-ENHANCED MESSAGE----- . . . -----END PRIVACY-ENHANCED MESSAGE----- • Different types of data: • ordinary, unsecured • integrity-protected, unmodified (MIC-CLEAR) • integrity-protected, encoded (MIC-ONLY) • encrypted, integrity-protected, encoded (ENCRYPTED) PEM & S/MIME

  8. Structure of PEM Messages (cont’d) • Marker: -----BEGIN PRIVACY-ENHANCED MESSAGE----- • PEM header, inc. protection type (MIC-CLEAR etc.) • IV for DES-CBC (for ENCRYPTED only) • Chain of certificates, from sender to IPRA • MIC • Encrypted message key (for ENCRYPTED only) • Message • Marker: -----END PRIVACY-ENHANCED MESSAGE----- PEM & S/MIME

  9. CBC-MAC Problem • Fact: For a given MAC value x, and any key value k, it is possible to obtain a valid MAC for any message m (with one corrupt block) CBC-MACk(m) = x (How?) • Public key: Eve eavesdrops a MIC-ONLY message m, y = [CBC-MACk(m)]A x = [y]A-1 (BTW, what is [.]-1 ?) • Generates m’, k’ such that CBC-MACk’(m’) = x • Sends m’, y, {k’}T to Ted (or anybody else) • And many variations of the attack... (ENCRYPTED, secret key, etc. How?) • Was CBC-MAC not secure?! PEM & S/MIME

  10. S/MIME vs. PEM • Incorporated into MIME; no other encoding • Any sequence of sign & encrypt is supported (each as a recursive MIME encapsulation) • Has more options than PEM • ASN.1 header encoding • No prescribed certification hierarchy • Has a good prospect of deployment for commercial & organizational usage PEM & S/MIME

More Related