Download
1 / 10
100 likes | 474 Views
PEM & S/MIME. CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk. PEM & S/MIME. Privacy Enhanced Mail (PEM) Developed by IETF, to add encryption, source authentication & integrity protection to e-mail
E N D
PEM & S/MIME CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk PEM & S/MIME
PEM & S/MIME • Privacy Enhanced Mail (PEM) • Developed by IETF, to add encryption, source authentication & integrity protection to e-mail • Allows both public & secret long-term keysMessage key is always symmetric • Specifies a detailed certification hierarchy • Secure/MIME (S/MIME) • PEM never took off; CA hierarchy difficult to realize • S/MIME: PEM design incorporated into MIME PEM & S/MIME
PEM Key Exchange & Encryption • “Interchange keys”: Users’ long-term PEM keys • public (a detailed PKI is defined) • secret (pre-shared symmetric keys) • Encryption • A symmetric per-message key is sent encrypted under the interchange key. • The message is encrypted under the per-message key (typically with DES in CBC mode) • Authentication • Message is authenticated by a “MIC”(Q: Any authentication for the per-message key?) PEM & S/MIME
PEM Certificate Hierarchy • The root CA: “Internet Policy Registration Authority” (IPRA) • “Policy Certification Authorities”: Second-level, CA-certifying CAs, each with a different policy: • High Assurance (HA): super-secure • implemented on secure platforms • regulates that the child CAs (also HACAs) enforce the same rules • Discretionary Assurance (DA): secure • requires that the child CAs own their names • No Assurance (NA): no constraints • can be used to certify Internet personas (pseudonyms) • Lower-level CAs, certifying individuals or other CAs PEM & S/MIME
Message Integrity & Authentication • “MIC”: Message integrity code. (MAC) • A checksum is computed over the message by • MD2 • MD5 • or, CBC-MAC (the key is 0F0F... message key) • Checksum is protected by the interchange key • public key: signed by sender’s private key • secret key: encrypted by the interchange key PEM & S/MIME
Message Integrity & Auth. (cont’d) • Note: In the public key case, the MIC must be encrypted if the message is encrypted. (Why?) • Problem: Message header is not protected, which may be sensitive to tempering • Solution: Include header info in the text PEM & S/MIME
Structure of PEM Messages • Whole or part of the message can be protected • Protected part specified as -----BEGIN PRIVACY-ENHANCED MESSAGE----- . . . -----END PRIVACY-ENHANCED MESSAGE----- • Different types of data: • ordinary, unsecured • integrity-protected, unmodified (MIC-CLEAR) • integrity-protected, encoded (MIC-ONLY) • encrypted, integrity-protected, encoded (ENCRYPTED) PEM & S/MIME
Structure of PEM Messages (cont’d) • Marker: -----BEGIN PRIVACY-ENHANCED MESSAGE----- • PEM header, inc. protection type (MIC-CLEAR etc.) • IV for DES-CBC (for ENCRYPTED only) • Chain of certificates, from sender to IPRA • MIC • Encrypted message key (for ENCRYPTED only) • Message • Marker: -----END PRIVACY-ENHANCED MESSAGE----- PEM & S/MIME
CBC-MAC Problem • Fact: For a given MAC value x, and any key value k, it is possible to obtain a valid MAC for any message m (with one corrupt block) CBC-MACk(m) = x (How?) • Public key: Eve eavesdrops a MIC-ONLY message m, y = [CBC-MACk(m)]A x = [y]A-1 (BTW, what is [.]-1 ?) • Generates m’, k’ such that CBC-MACk’(m’) = x • Sends m’, y, {k’}T to Ted (or anybody else) • And many variations of the attack... (ENCRYPTED, secret key, etc. How?) • Was CBC-MAC not secure?! PEM & S/MIME
S/MIME vs. PEM • Incorporated into MIME; no other encoding • Any sequence of sign & encrypt is supported (each as a recursive MIME encapsulation) • Has more options than PEM • ASN.1 header encoding • No prescribed certification hierarchy • Has a good prospect of deployment for commercial & organizational usage PEM & S/MIME
