Email Security: S/MIME
IT352 | Network Security | Najwa AlGhamdi
Email Protocol Overview
1. Simple Mail Transfer Protocol (SMTP)
• An Internet standard for e-mail transmission across Internet Protocol (IP) networks.
• A mail sender communicates with a mail receiver by issuing command strings and supplying the necessary data over a TCP connection; the receiver answers each command with a three-digit numeric reply code.
Email Protocol Overview
• A typical example of sending a message via SMTP to two mailboxes (alice and theboss) in the same mail domain (example.com or localhost.com) is given in the following session exchange.
Email Protocol Overview: SMTP Drawbacks
• SMTP (without extensions) cannot carry text that includes national-language characters: these are represented by 8-bit codes with values of 128 decimal or higher, and SMTP is limited to 7-bit ASCII.
• SMTP servers may reject mail messages over a certain size.
• SMTP gateways that translate between ASCII and EBCDIC suffer translation problems, because the two code sets do not map one-to-one.
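As an added, runnable illustration of the command/reply exchange described above (this is example code written for this page, not the slide's own session transcript): a toy SMTP server on 127.0.0.1 that implements just enough of the protocol for Python's standard-library smtplib client to deliver one message to alice and theboss at example.com, followed by a second attempt whose body contains 8-bit characters, which the client refuses because plain SMTP is 7-bit. The host names, addresses and message text are constructed for the example; the server accepts only local mailboxes and advertises no extensions.

```python
"""Added example: a toy SMTP exchange over a real TCP socket using only the standard library."""
import smtplib
import socketserver
import threading


class ToySMTPHandler(socketserver.StreamRequestHandler):
    """One SMTP session: HELO/EHLO, MAIL, RCPT, DATA, QUIT (no AUTH, no TLS, no extensions)."""

    def reply(self, line):
        self.server.transcript.append("S: " + line)
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 example.com toy SMTP ready")
        envelope = {"from": None, "to": []}
        while True:
            raw = self.rfile.readline()
            if not raw:
                return                                   # client closed the connection
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            self.server.transcript.append("C: " + line)
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 example.com")             # no extensions advertised: plain 7-bit SMTP
            elif verb == "MAIL":
                envelope["from"] = line.split(":", 1)[1].strip().strip("<>")
                self.reply("250 OK")
            elif verb == "RCPT":
                addr = line.split(":", 1)[1].strip().strip("<>")
                if addr.endswith("@example.com"):         # only mailboxes in our own domain
                    envelope["to"].append(addr)
                    self.reply("250 OK")
                else:
                    self.reply("550 No such user here")
            elif verb == "DATA":
                self.reply("354 End data with <CR><LF>.<CR><LF>")
                body = []
                while True:
                    data_line = self.rfile.readline().decode("ascii", "replace")
                    if data_line in (".\r\n", ""):
                        break
                    body.append(data_line[1:] if data_line.startswith("..") else data_line)  # dot-unstuffing
                self.server.transcript.append("C: <%d message lines> then ." % len(body))
                self.server.mailbox.append((dict(envelope), "".join(body)))
                envelope = {"from": None, "to": []}
                self.reply("250 OK queued")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("500 Command not recognized")


def start_server():
    """Bind a throw-away server on a free localhost port and serve it in a background thread."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ToySMTPHandler)
    srv.transcript, srv.mailbox = [], []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Constructed sample message: RFC 5322 headers, CRLF line endings as on the wire
MESSAGE = ("From: sender@example.com\r\n"
           "To: alice@example.com, theboss@example.com\r\n"
           "Subject: Hello\r\n\r\n"
           "Plain 7-bit text.\r\n")


def deliver(srv, body):
    """Client side: one sendmail() call addressed to two mailboxes in the same domain."""
    with smtplib.SMTP("127.0.0.1", srv.server_address[1], local_hostname="client.example.com") as client:
        client.sendmail("sender@example.com", ["alice@example.com", "theboss@example.com"], body)


def run_demo():
    """Returns (transcript, mailbox, name of the error raised for a non-ASCII body)."""
    srv = start_server()
    try:
        deliver(srv, MESSAGE)
        try:
            # smtplib encodes a str body as ASCII before sending: the 7-bit limit bites here
            deliver(srv, MESSAGE.replace("Plain 7-bit text.", "Grüße aus Köln"))
            eight_bit_error = None
        except UnicodeEncodeError as exc:
            eight_bit_error = type(exc).__name__
        return list(srv.transcript), list(srv.mailbox), eight_bit_error
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    transcript, mailbox, err = run_demo()
    print("\n".join(transcript))
    print("delivered to:", mailbox[0][0]["to"], "| 8-bit body rejected with:", err)
```

The transcript shows both sides of the dialogue (S: and C: lines); note that the server never sees the 8-bit message at all, because the client-side ASCII encoding fails before MAIL FROM is sent. That is exactly the gap MIME's transfer encodings fill.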
Email Protocol Overview
2. Multipurpose Internet Mail Extensions (MIME)
• An Internet standard that extends the format of e-mail to support:
• text in character sets other than ASCII
• non-text attachments
• message bodies with multiple parts
• MIME's use has grown beyond describing the content of e-mail to describing content types in general, including on the web (HTTP uses the same Content-Type labels).
• SMTP/MIME e-mail: the message is formatted according to MIME and transmitted via SMTP.
Email Protocol Overview
The MIME specification includes the following elements:
1. Five new message header fields, which provide information about the body of the message:
• MIME-Version
• Content-Type: describes the data contained in the body.
• Content-Transfer-Encoding: indicates the transformation used to represent the body in a form acceptable for mail transport (e.g. base64 or quoted-printable).
• Content-ID: uniquely identifies a MIME entity.
• Content-Description: a plain-text description of the body, useful when the body itself is not readable (e.g. audio data).
Email Protocol Overview
The MIME specification includes the following elements:
2. A number of content formats are defined, standardizing the representations that support multimedia e-mail.
Example of a multipart message (the example from RFC 2046):

From: Nathaniel Borenstein <nsb@bellcore.com>
To: Ned Freed <ned@innosoft.com>
Subject: Sample message
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="simple boundary"

This is the preamble. It is to be ignored, though it is a handy place for mail composers to include an explanatory note to non-MIME conformant readers.

--simple boundary

This is implicitly typed plain ASCII text. It does NOT end with a linebreak.
--simple boundary
Content-type: text/plain; charset=us-ascii

This is explicitly typed plain ASCII text. It DOES end with a linebreak.

--simple boundary--

This is the epilogue. It is also to be ignored.
Email Protocol Overview
The MIME specification includes the following elements:
3. Transfer encodings are defined that protect any content format from being altered by the mail system.
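To show the three elements above working together, here is an added example (written for this page with Python's standard-library email package, not code from the slides): it builds a multipart/mixed message whose parts carry all five MIME header fields, a non-ASCII text part with a chosen transfer encoding, and a binary attachment, then checks that the wire form is 7-bit clean and that parsing it back recovers the original bytes unchanged. The sender and recipient addresses are those of the RFC 2046 example; the text body and the eight-byte "image" (just the PNG magic bytes) are constructed inputs.

```python
"""Added example: building and parsing a MIME message with the stdlib email package."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample inputs: a non-ASCII text body and a fake image (just the PNG magic bytes)
TEXT_BODY = "Grüße aus Köln. Non-ASCII text cannot cross a 7-bit SMTP hop unencoded.\n"
FAKE_PNG = bytes.fromhex("89504e470d0a1a0a")


def build_message(text_cte="quoted-printable"):
    """Build a multipart/mixed message; returns the bytes as they would go over SMTP."""
    msg = EmailMessage()
    msg["From"] = "nsb@bellcore.com"
    msg["To"] = "ned@innosoft.com"
    msg["Subject"] = "Sample message"
    # set_content adds MIME-Version, Content-Type (with charset) and Content-Transfer-Encoding
    msg.set_content(TEXT_BODY, charset="utf-8", cte=text_cte)
    # Binary data is base64-encoded so that the bytes survive 7-bit transport untouched;
    # cid= and headers= supply the Content-ID and Content-Description fields
    msg.add_attachment(FAKE_PNG, maintype="image", subtype="png",
                       filename="pixel.png", cid="<pixel@example.com>",
                       headers=["Content-Description: eight PNG magic bytes"])
    return msg.as_bytes(policy=policy.SMTP)   # CRLF line endings, as on the wire


def seven_bit_clean(raw):
    """True if every byte is below 0x80, i.e. the message can cross a 7-bit-only SMTP path."""
    return all(b < 0x80 for b in raw)


def inspect(raw):
    """Parse the wire form back and report each leaf part's type, encoding and decoded payload."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue                     # the container carries no transfer encoding of its own
        parts.append({
            "type": part.get_content_type(),
            "cte": part["Content-Transfer-Encoding"],
            "content_id": part["Content-ID"],
            "description": part["Content-Description"],
            "decoded": part.get_content(),   # str for text parts, bytes for the image
        })
    return msg["MIME-Version"], msg.get_content_type(), parts


if __name__ == "__main__":
    wire = build_message()
    print(wire.decode("ascii"))
    print("7-bit clean:", seven_bit_clean(wire))
    for p in inspect(wire)[2]:
        print(p["type"], p["cte"], repr(p["decoded"])[:40])
```

Try `build_message("base64")` as well: the same text is then carried as base64 instead of quoted-printable, and both forms decode to the identical string, which is the point of element 3 above.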
S/MIME (Secure/Multipurpose Internet Mail Extensions)
• A security enhancement to MIME e-mail.
• S/MIME support is built into many mail agents: MS Outlook, Mozilla (Thunderbird), Mac Mail, etc.
S/MIME Functions
• S/MIME is very similar to PGP: both offer the ability to sign and/or encrypt messages.
• S/MIME security functions:
1. Enveloped data: encrypted content of any type, plus the content-encryption key encrypted for one or more recipients. This function provides confidentiality.
2. Signed data: a digital signature is formed by computing the message digest of the content and signing that digest with the signer's private key. Content and signature are then both base64-encoded, so only a recipient with S/MIME capability can view the content. This function provides authentication, message integrity and non-repudiation of origin.
S/MIME Functions
• S/MIME security functions (continued):
3. Clear-signed data: a digital signature of the content is formed as in (2), but only the signature is base64-encoded; the content stays readable for recipients without S/MIME capability, who simply cannot verify the signature.
4. Signed and enveloped data: (1) and (2) may be nested:
• encrypted data can be signed, or
• signed data can be encrypted.
S/MIME Cryptographic Algorithms
• digital signatures: DSS & RSA
• hash functions: SHA-1 & MD5
• session key encryption: ElGamal & RSA
• message encryption: AES, Triple-DES, RC2/40 and others
• MAC: HMAC with SHA-1
• Caveat: this list reflects the original S/MIME v3 profile. MD5 and SHA-1 are no longer acceptable for signatures and RC2/40 is export-grade; current S/MIME (RFC 8551) mandates SHA-256 and AES, and an implementation should refuse the legacy algorithms unless interoperability with old mail is required.
S/MIME Messages
• A MIME entity may be an entire message or one or more of the subparts of a message.
• S/MIME secures a MIME entity with a signature, encryption, or both, producing a PKCS (Public-Key Cryptography Standards) object that is in turn wrapped in MIME.
• The PKCS object is then treated as message content.
• S/MIME defines a range of content types:
• enveloped data
• signed data
• clear-signed data
• registration request
• certificate-only message
S/MIME Message: Enveloped Data (flow of the original slide's diagram)
• A pseudorandom session key (3DES or RC2/40) encrypts the message M.
• The session key is encrypted with the recipient's public key (RSA or Diffie-Hellman) and stored, together with an identifier for the recipient's certificate, in a RecipientInfo block.
• The encrypted content and the RecipientInfo block(s) together form the enveloped-data object.
S/MIME Message: SignedData (flow of the original slide's diagram)
• The message M is hashed (SHA-1 or MD5).
• The digest is encrypted (signed) with the sender's private key; the signature and the signer's certificate information go into a SignerInfo block.
• M together with SignerInfo forms the SignedData object, which is then base64-encoded.
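The two constructions above, and the sign-then-envelope nesting from function (4), as an added example written for this page with real primitives from pyca/cryptography (this is not code from the slides, and the dicts it produces stand in for the CMS/PKCS#7 ASN.1 structures rather than being S/MIME wire format). Modern choices replace the slide's algorithm list: RSA-PSS over SHA-256 for the signature, RSA-OAEP to wrap the session key, and AES-128-GCM for the content. Key names (alice, bob, mallory) and the message are constructed; the library must be installed.

```python
"""Added example: SignedData and EnvelopedData with pyca/cryptography primitives."""
import base64
import json
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Modern stand-ins for the slide's SHA-1/MD5 and 3DES/RC2
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def b64(data):
    return base64.b64encode(data).decode("ascii")


def unb64(text):
    return base64.b64decode(text)


def signed_data(content, signer_key):
    """SignedData: digest the content, sign the digest with the sender's private key, base64 everything."""
    signature = signer_key.sign(content, PSS, hashes.SHA256())   # sign() hashes the content internally
    return {"content": b64(content),
            "signer_info": {"digest_alg": "sha-256", "signature": b64(signature)}}


def verify_signed(obj, signer_pub):
    """Recompute the digest over the received content and check the signature against it."""
    try:
        signer_pub.verify(unb64(obj["signer_info"]["signature"]), unb64(obj["content"]),
                          PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def enveloped_data(content, recipients):
    """EnvelopedData: one fresh session key encrypts the content; that key is wrapped under each
    recipient's public key, giving one RecipientInfo per recipient (recipients: name -> public key)."""
    session_key = AESGCM.generate_key(bit_length=128)
    nonce = os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, content, None)
    return {"recipient_infos": {name: b64(pub.encrypt(session_key, OAEP)) for name, pub in recipients.items()},
            "nonce": b64(nonce), "ciphertext": b64(ciphertext)}


def open_envelope(obj, name, private_key):
    """Recipient side: unwrap our own copy of the session key, then decrypt the content."""
    session_key = private_key.decrypt(unb64(obj["recipient_infos"][name]), OAEP)
    return AESGCM(session_key).decrypt(unb64(obj["nonce"]), unb64(obj["ciphertext"]), None)


def can_open(obj, name, private_key):
    """True only with the private key matching that RecipientInfo; OAEP and GCM reject anything else."""
    try:
        open_envelope(obj, name, private_key)
        return True
    except (ValueError, InvalidTag):
        return False


def sign_then_envelope(content, signer_key, recipients):
    """Nesting (4): the SignedData object becomes the content of an EnvelopedData object."""
    return enveloped_data(json.dumps(signed_data(content, signer_key)).encode(), recipients)


def open_and_verify(obj, name, private_key, signer_pub):
    """Recipient side of the nesting: decrypt first, then verify; returns (ok, content)."""
    inner = json.loads(open_envelope(obj, name, private_key))
    return verify_signed(inner, signer_pub), unb64(inner["content"])


def tampered(obj, new_content):
    """Same signature, different content: what an in-transit edit looks like to the verifier."""
    return {**obj, "content": b64(new_content)}


if __name__ == "__main__":
    alice, bob = keypair(), keypair()
    msg = b"Quarterly figures attached."
    env = sign_then_envelope(msg, alice, {"bob": bob.public_key()})
    print("recipients:", list(env["recipient_infos"]))
    print("bob opens and verifies:", open_and_verify(env, "bob", bob, alice.public_key()))
```

Two details worth noticing: verification recomputes the digest from the content it actually received, which is why `tampered()` fails even though the signature bytes are untouched, and the envelope carries the session key once per recipient, so adding a recipient costs one extra RSA operation rather than re-encrypting the content.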
S/MIME Message: Clear signing
• Clear signing uses the multipart content type with the signed subtype. Two parts:
• the clear text (or any MIME type) in its original, readable form. It must be 7-bit clean, so non-7-bit content is first encoded (base64 or quoted-printable) so that it cannot be altered in transit, since any change would invalidate the signature;
• the SignedData object (the detached signature), base64-encoded.
S/MIME Message: clear-signed example

Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary42

--boundary42
Content-Type: text/plain

This is a clear-signed message.

--boundary42
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4

--boundary42--

Callouts from the original slide:
• The protocol parameter indicates that this is a two-part clear-signed entity.
• The micalg parameter indicates the type of message digest used (sha1 here).
• The first body part is the unsigned (readable) data; the second part carries the SignerInfo, i.e. the detached SignedData.
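An added example of building and splitting the entity shown above with the standard-library email package (written for this page, not taken from the slides). The point it makes is the one verifiers most often get wrong: the bytes covered by the signature are the entire first body part, MIME headers included, exactly as they appear on the wire with CRLF line endings, and the CRLF before the next boundary delimiter belongs to the delimiter, not to the signed data. The DER signature blob is a constructed placeholder standing in for the output of a CMS signer; micalg uses the current "sha-256" spelling rather than the slide's sha1.

```python
"""Added example: build a clear-signed (multipart/signed) entity and recover the exact signed bytes."""
import hashlib

from email import policy
from email.message import EmailMessage, MIMEPart
from email.parser import BytesParser

# Constructed placeholder for the DER-encoded detached SignedData (a real one comes from a CMS signer)
FAKE_PKCS7_SIGNATURE = bytes(range(48))


def build_clear_signed(text, pkcs7_signature, micalg="sha-256"):
    """Two-part entity: readable content first, detached signature second."""
    body = MIMEPart()
    body.set_content(text)                     # 7-bit text; non-7-bit content would get QP/base64 here
    sig = MIMEPart()
    sig.set_content(pkcs7_signature, maintype="application", subtype="pkcs7-signature",
                    filename="smime.p7s", disposition="attachment", params={"name": "smime.p7s"})
    outer = EmailMessage()
    outer["MIME-Version"] = "1.0"
    outer.add_header("Content-Type", "multipart/signed",
                     protocol="application/pkcs7-signature", micalg=micalg)
    outer.attach(body)
    outer.attach(sig)
    return outer.as_bytes(policy=policy.SMTP)  # CRLF line endings, as transmitted


def split_clear_signed(raw):
    """Verifier side: recover the exact signed bytes, the signature blob and the digest algorithm."""
    outer = BytesParser(policy=policy.default).parsebytes(raw)
    if outer.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed entity")
    boundary = outer.get_boundary().encode("ascii")
    # Take the first body part byte for byte from the wire, headers included. The CRLF that
    # precedes the next "--boundary" is part of the delimiter, so it is excluded from the data.
    start = raw.index(b"\r\n--" + boundary + b"\r\n") + len(boundary) + 6
    end = raw.index(b"\r\n--" + boundary, start)
    signed_bytes = raw[start:end]
    signature = outer.get_payload()[1].get_payload(decode=True)
    micalg = outer.get_param("micalg")
    return {"signed_bytes": signed_bytes, "signature": signature, "micalg": micalg,
            "digest": digest_hex(signed_bytes, micalg)}


def digest_hex(data, micalg):
    """Digest named by the micalg parameter ("sha-256" -> hashlib's "sha256")."""
    return hashlib.new(micalg.replace("-", ""), data).hexdigest()


if __name__ == "__main__":
    wire = build_clear_signed("This is a clear-signed message.\n", FAKE_PKCS7_SIGNATURE)
    print(wire.decode("ascii"))
    parts = split_clear_signed(wire)
    print("signed bytes:", parts["signed_bytes"])
    print(parts["micalg"], "digest:", parts["digest"])
```

Hashing only the visible text, or re-serialising the parsed part with LF endings, yields a different digest and a spurious verification failure; the test below checks that the recovered bytes keep their headers and CRLFs.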
S/MIME Message: Registration request
• A user applies to a certification authority (CA) for a certificate.
• Flow of the original slide's diagram: a CertificationRequestInfo block holds the subject's name, the public key in bit-string representation (010111010011…) and the public-key algorithm identifier; it is signed with the user's private key, and the resulting PKCS#10 (CertificationRequest) object is sent to the CA.
• The signature proves to the CA that the requester possesses the private key matching the public key being certified.
S/MIME Message: Certificate-only message
• Used to transport certificates.
• Contains only certificates or a certificate revocation list (CRL), with no signed content.
• Sent, for example, in response to a registration request.
S/MIME Message: Creating a certificates-only message
Step 1: The certificates are handed to the CMS generating process, which creates a CMS object of type signedData containing only certificates (no SignerInfo).
Step 2: The CMS signedData object is enclosed in an application/pkcs7-mime MIME entity.
• The smime-type parameter for a certs-only message is "certs-only".
• The file extension for this type of message is ".p7c".
S/MIME Certificate Processing
• S/MIME uses X.509 v3 certificates.
• The key-management scheme is a hybrid of a strict X.509 CA hierarchy and PGP's web of trust:
• each client holds a list of trusted CA certificates,
• and its own public/private key pairs and certificates;
• certificates must be signed by a trusted CA (each user decides locally which CAs to trust, but the certificates themselves follow the X.509 hierarchy). A name match with a trusted CA is not enough: the client must verify the issuer's signature on the certificate with the trusted CA's public key.