Session 12: E-mail Security
Course: H0242 / Network Security
Year: 2006
Version: 1
Learning Outcomes
By the end of this session, students are expected to be able to:
• Use e-mail security
Outline
• How e-mail works
• E-mail security services
• PGP
• S/MIME
Email Security
• E-mail is one of the most widely used and regarded network services
• Currently message contents are not secure, missing the following security characteristics:
  • Confidentiality: protection from disclosure
  • Authentication: of sender of message
  • Message integrity: protection from modification
  • Non-repudiation of origin: protection from denial by sender
Pretty Good Privacy (PGP)
• Widely used de facto standard for secure e-mail
• Selected the best available crypto algorithms to use
• Integrated into a single program
• Originally free, now has commercial versions available
• Wide range of applicability
• Not developed or controlled by governmental or standards organizations
PGP Operational Description
Consists of five services:
• Authentication
• Confidentiality
• Compression
• E-mail compatibility
• Segmentation
Confidentiality & Authentication
Uses both services on the same message:
• Create signature & attach to message
• Encrypt both message & signature
• Attach RSA encrypted session key
Authentication
• Sender creates a message
• SHA-1 is used to generate a 160-bit hash code of the message
• Hash code is encrypted with RSA using the sender's private key, and the result is attached to the message
• Receiver uses RSA or DSS with the sender's public key to decrypt and recover the hash code
• Receiver generates a new hash code for the message and compares it with the decrypted hash code; if they match, the message is accepted as authentic
Confidentiality
• Sender generates a message and a random 128-bit number to be used as session key for this message only
• Message is encrypted using CAST-128 / IDEA / 3DES with the session key
• Session key is encrypted using RSA with the recipient's public key, then attached to the message
• Receiver uses RSA with its private key to decrypt and recover the session key
• Session key is used to decrypt the message
Compression
• By default PGP compresses the message after signing but before encrypting
• The uncompressed message & signature can be stored for later verification, because compression is non-deterministic
• Uses the ZIP compression algorithm
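The Authentication, Confidentiality and Compression slides above describe one pipeline: sign, compress, encrypt with a one-time session key, wrap the key. The sketch below is an added example, not part of the original slides, and it assumes stand-ins so that it runs on the Python standard library alone: textbook RSA on fixed, publicly known Mersenne primes replaces real RSA, and a SHA-256 keystream replaces CAST-128/IDEA/3DES; all function names are hypothetical.

```python
import hashlib, secrets, zlib

def toy_keypair(p, q, e=65537):
    """Textbook RSA key from two primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

# Constructed toy keys built from well-known Mersenne primes: NOT secure.
SENDER_PUB, SENDER_PRIV = toy_keypair(2**127 - 1, 2**521 - 1)
RECIP_PUB, RECIP_PRIV = toy_keypair(2**89 - 1, 2**607 - 1)

def keystream_xor(key, data):
    """Stand-in for CAST-128/IDEA/3DES: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def sha1_int(message):
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def sig_len(key):
    return (key[0].bit_length() + 7) // 8

def pgp_send(message, sender_priv, recip_pub):
    n_s, d_s = sender_priv
    sig = pow(sha1_int(message), d_s, n_s)            # sign the 160-bit hash
    signed = sig.to_bytes(sig_len(sender_priv), "big") + message
    packed = zlib.compress(signed)                    # compress after signing
    session_key = secrets.token_bytes(16)             # one-time 128-bit key
    body = keystream_xor(session_key, packed)         # encrypt message + signature
    n_r, e_r = recip_pub
    wrapped = pow(int.from_bytes(session_key, "big"), e_r, n_r)  # RSA-wrap the key
    return wrapped, body

def pgp_receive(wrapped, body, recip_priv, sender_pub):
    n_r, d_r = recip_priv
    session_key = pow(wrapped, d_r, n_r).to_bytes(16, "big")
    signed = zlib.decompress(keystream_xor(session_key, body))
    cut = sig_len(sender_pub)
    sig, message = int.from_bytes(signed[:cut], "big"), signed[cut:]
    n_s, e_s = sender_pub
    return message, pow(sig, e_s, n_s) == sha1_int(message)  # hash must match
```

The signature is computed over the uncompressed message, so the receiver can keep the plaintext and signature together and re-verify later without reproducing the exact compressed bytes.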
Email Compatibility
• PGP produces binary data to send (encrypted message, etc.); however, e-mail was designed only for text
• PGP must encode raw binary data into printable ASCII characters; it uses the radix-64 algorithm
  • Maps 3 bytes to 4 printable chars
  • Also appends a CRC
• PGP also segments messages if too big
E-mail Compatibility
• The scheme used is radix-64 conversion
• The use of radix-64 expands the message by 33%
Segmentation & Reassembly
• E-mail facilities are often restricted to a maximum message length of 50,000 octets
• Longer messages must be broken up into segments
• PGP automatically subdivides a message that is too large
• The receiver strips off all e-mail headers and reassembles the block
Summary of PGP Services
Function               Algorithm Used
Digital Signature      DSS/SHA or RSA/SHA
Message Encryption     CAST or IDEA or three-key triple DES with Diffie-Hellman or RSA
Compression            ZIP
E-mail Compatibility   Radix-64 conversion
Segmentation           -
SMTP (RFC 822) Limitations
• Cannot transmit, or has a problem with:
  • Executable files, or other binary files (JPG)
  • National language characters (non-ASCII)
  • Messages over a certain size
  • ASCII to EBCDIC translation problems
  • Lines longer than a certain length (72 to 254 characters)
S/MIME
• Secure/Multipurpose Internet Mail Extensions
• Security enhancement to MIME e-mail
  • MIME provided support for varying content types and multi-part messages, with encoding of binary data to textual form
  • S/MIME added security enhancements
• Supported in various modern mail agents: MS Outlook, Netscape, etc.
• Will probably emerge as the industry standard, whereas PGP is for personal e-mail security
Header fields in MIME
• MIME-Version: must be 1.0 (RFC 2045, RFC 2046)
• Content-Type: more types are being added by developers
• Content-Transfer-Encoding: how the message has been encoded (radix-64)
• Content-ID: unique identifying character string
• Content-Description: needed when content is not readable text
S/MIME Functions
• Enveloped Data: encrypted content and encrypted session keys for recipients
• Signed Data: message digest encrypted with private key of signer
• Clear-Signed Data: signed but not encrypted
• Signed and Enveloped Data: various orderings for encrypting and signing
Algorithms Used
• Message Digesting: SHA-1 and MD5
• Digital Signatures: DSS
• Secret-Key Encryption:
  • Triple-DES
  • RC2/40 (exportable)
• Public-Private Key Encryption:
  • RSA with key sizes of 512 and 1024 bits
  • Diffie-Hellman (for session keys)
User Agent Role
• S/MIME uses public-key certificates: X.509 version 3, signed by a Certification Authority
• Functions:
  • Key Generation: Diffie-Hellman, DSS, and RSA key-pairs
  • Registration: public keys must be registered with an X.509 CA
  • Certificate Storage: local (as in a browser application) for different services
  • Signed and Enveloped Data: various orderings for encrypting and signing
Cryptographic Algorithms
• Hash functions: SHA-1 & MD5
• Digital signatures: DSS & RSA
• Session key encryption: ElGamal & RSA
• Message encryption: Triple-DES, RC2/40 and others
• Have a procedure to decide which algorithms to use
Certificate Processing
• S/MIME uses X.509 v3 certificates
• Managed using a hybrid of a strict X.509 CA hierarchy & PGP's web of trust
• Each client has a list of trusted CAs' certificates and its own public/private key pairs & certificates
• Certificates must be signed by trusted CAs