360 likes | 702 Views
S/MIME and CMS. Presentation for CSE712 By Yi Wen Instructor: Dr. Aidong Zhang. Basic. What is S/MIME? Secure/Multipurpose Internet Mail Extensions How does it work? Basically, it is a package in which there is a CMS object. .
E N D
S/MIME and CMS Presentation for CSE712 By Yi Wen Instructor: Dr. Aidong Zhang
Basic • What is S/MIME? • Secure/Multipurpose Internet Mail Extensions • How does it work? • Basically, it is a package in which there is a CMS object.
Several Definitions • 7-bit data: Text data with lines less than 998 characters long, where none of the characters have the 8th bit set, and there are no NULL characters. <CR> and <LF> occur only as part of a <CR><LF> end of line delimiter.
Continued... • 8-bit data: Text data with lines less than 998 characters, and where none of the characters are NULL characters. <CR> and <LF> occur only as part of a <CR><LF> end of line delimiter. • Binary data: Arbitrary data.
Continued... • ASN.1 Abstract Syntax Notation number One is a standard that defines a formalismfor the specification of abstract data types. • An Example: Person ::= SET { name IA5String, age INTEGER female BOOLEAN }.
Continued... • Encoding: BER (Basic Encoding Rules) vs. DER (Distinguished Encoding Rules)
Continued... • An Example: The BER encoding (in hexadecimal) of the instance "Maggie", 4, TRUE of Person is: • SET IA5String M a g g i e 31 14 16 06 77 65 71 71 73 69 INTEGER 4 BOOLEAN TRUE 02 01 04 01 01 FF
Continued... • Authentication is generally the process used to confirm the identity of a person or to prove the integrity of specific information. More specifically, in the case of a message, authentication involves determining its source and providing assurance that the message has not been modified or replaced in transit.
Continued... • Digital Signature: Using a symmetric encryption algorithm such as MD5 to digest the message one wants to sign first. Then encrypting the output of that symmetric algorithm with signer’s private key.
Continued… • Digital Envelope: A type of security that uses two layers of encryption to protect a message. First, the message itself is encoded using symmetric encryption, and then the key to decode the message is encrypted using public key encryption.
Introduction to MIME • What is MIME? • Itis an encoding standard for that allows non-text files like graphics, sound clips, etc., to be attached to regular text email. Your email program will encode these binary files and change them into text files. When the e-mail is sent, your program notifies the recipient program of the MIME encoding standard used, and in effect sends instructions as to how to put the file back into its original form.
Continued... • MIME Entity: A MIME entity may be a sub- part, sub-parts of a message, or the whole message with all its sub- parts. A MIME entity that is the whole message includes only the MIME headers and MIME body, and does not include the RFC-822 headers.
Introduction to CMS • What is CMS? The Cryptographic Message Syntax describes an encapsulation syntax for data protection. It supports digital signatures, message authentication codes, and encryption.
Continued... • Basically, there are six content types defined in the RFC 2630. But you can define more types yourself. • The six basic types are: data, signed-data, enveloped-data, digested-data, encrypted-data, and authenticated-data.
Continued -- General Syntax • The CMS object is defined by ASN.1 like: ContentInfo ::= SEQUENCE { contentType ContentType, content [0] EXPLICIT ANY DEFINED BY contentType } ContentType ::= OBJECT IDENTIFIER
Simple Introduction to some Type • SignedData Type:The signed-data content type consists of a content of any type and zero or more signature values. Any number of signers in parallel can sign any type of content. The typical application of the signed-data content type represents one signer's digital signature on content of the data content type. Another typical application disseminates certificates and certificate revocation lists (CRLs).
Continued... • Enveloped-data Content Type: The enveloped-data content type consists of an encrypted content of any type and encrypted content-encryption keys for one or more recipients. The combination of the encrypted content and one encrypted content-encryption key for a recipient is a "digital envelope" for that recipient. Any type of content can be enveloped for an arbitrary number of recipients using any of the three key management techniques for each recipient.
Continued... • The typical application of the enveloped-data content type will represent one or more recipients' digital envelopes on content of the data or signed-data content types.
Continued... • Digested-data Content Type: The digested-data content type consists of content of any type and a message digest of the content. Typically, the digested-data content type is used to provide content integrity, and the result generally becomes an input to the enveloped-data content type.
Continued... • Encrypted-data Content Type: The encrypted-data content type consists of encrypted content of any type. Unlike the enveloped-data content type, the encrypted-data content type has neither recipients nor encrypted content-encryption keys. Keys must be managed by other means. The typical application of the encrypted-data content type will be to encrypt the content of the data content type for local storage, perhaps where the encryption key is a password.
Continued... • Authenticated-data Content Type: The authenticated-data content type consists of content of any type, a message authentication code (MAC), and encrypted authentication keys for one or more recipients. The combination of the MAC and one encrypted authentication key for a recipient is necessary for that recipient to verify the integrity of the content. Any type of content can be integrity protected for an arbitrary number of recipients.
Preparing the MIME Entity for Signing or Enveloping • Step 1. The MIME entity is prepared according to the local conventions. Step 2. The leaf parts of the MIME entity are converted to canonical form. Step 3. Appropriate transfer encoding is applied to the leaves of the MIME entity
The application/pkcs7-mime Type: • The application/pkcs7-mime type is used to carry CMS objects of several types including envelopedData and signedData.
Continued... • The name and filename Parameters: The sender can send three filename extension which are: .p7m, .p7c and .p7s. The purpose of these file names are: 1. It is a easy way to store the S/MIME objects in the local disk;
Continued... • 2. When a MIME entity of type application/pkcs7-mime (for example) arrives at a gateway that has no special knowledge of S/MIME, it will default the entity's MIME type to application/octet-stream and treat it as a generic attachment, thus losing the type information. However, the suggested filename for an attachment is often carried across a gateway. This often allows the receiving systems to determine the appropriate application to hand the attachment off to, in this case a stand-alone S/MIME processing application.
Continued... • The smime-type parameter: The application/pkcs7-mime content type defines the optional "smime- type" parameter. The intent of this parameter is to convey details about the security applied (signed or enveloped) along with information about the contained content.
Creating an Enveloped-only Message • Step 1. The MIME entity to be enveloped is prepared. • Step 2. The MIME entity and other required data is processed into a CMS object of type envelopedData. In addition to encrypting a copy of the content-encryption key for each recipient, a copy of the content encryption key SHOULD be encrypted for the originator and included in the envelopedData. • Step 3. The CMS object is inserted into an application/pkcs7-mime MIME entity.
Creating a Signed-only Message • There are two formats for signed messages defined for S/MIME: application/pkcs7-mime with SignedData, and multipart/signed. • Messages signed using the multipart/signed format can always be viewed by the receiver whether they have S/MIME software or not.
Continued... • Signing Using application/pkcs7-mime with SignedData Step 1. The MIME entity is prepared Step 2. The MIME entity and other required data is processed into a CMS object of type signedData Step 3. The CMS object is inserted into an application/pkcs7-mime MIME entity
Registration Requests • A sending agent that signs messages MUST have a certificate for the signature so that a receiving agent can verify the signature. There are many ways of getting certificates, such as through an exchange with a certificate authority, through a hardware token or diskette, and so on.