Email Security

Web Security How Email works

Some terminology:

- MUA (Mail User Agent): programs used for retrieving, reading and managing e-mail.
- MSA (Mail Sending Agent): programs that receive emails from MUAs and then forward them to MTAs. An MSA will check an email’s format and quickly report errors to the author (e.g., an empty To field).
- MTA (Mail Transfer Agent): programs responsible for transmitting email messages from sender to recipient.
- MDA (Mail Delivery Agent): programs responsible for delivering email from an MTA to a local recipient’s mailbox.

SMTP (Simple Mail Transfer Protocol): a simple text-based application-layer protocol used for sending e-mail.

POP (Post Office Protocol)

- designed to support clients with dial-up connections
- client connects to their MDA, downloads any new messages, deletes those messages from the server, disconnects

IMAP (Internet Message Access Protocol)

- allows clients to connect to the mail server and maintain a persistent connection
- clients can search for messages, etc.

Email Security Issues

Suggestions?

Lack of confidentiality

- subject to packet sniffing
- SOLN: encryption

No built-in authentication

- the "FROM" portion of the email can be spoofed; it can appear that the email came from someone you trust
- SOLN: use digital signatures

Encryption at the Transport Layer

- Use the SSL/TLS protocols between each client-server pair, e.g., between the MUA and the local MTA, the sender’s and recipient’s MTAs, the recipient’s MTA and MDA, and the MDA and the recipient.

Using SSL/TLS:

- prevents in-flight eavesdropping
- but requires a level of trust in the mail servers handling the messages; e.g., the contents of the emails can still be read at your ISP’s mail servers.

Alternative: Encrypt the actual contents of the email.

PGP:

- first written by Phil Zimmermann in 1991.
- he has been a long-time anti-nuclear activist; he developed PGP so that he and similarly-minded folks might be able to communicate with each other and store files securely.

Since PGP uses public-key cryptography, it must have a way of verifying the validity of the public keys. This is done using what’s called a web of trust.

Zimmermann’s description from the manual of PGP 2.0:

“As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.”

From Stinson’s Cryptography: Theory and Practice, 3rd Edition:

Each PGP certificate contains an email address (ID), a public key (PK), and one or more signatures on this (ID, PK) pair. For example:

- data = (ID= [email protected], PK=123456)
- signatures = (sig_Alice(data), sig_Bob(data), sig_Carlos(data))

By signing Alice’s data, Bob and Carlos are telling others that they believe that 123456 is indeed Alice’s public key.

Alice keeps a collection of PGP certificates which she has gradually accumulated over time. She keeps them in a data structure called a keyring.

Each certificate in the keyring has two fields:

- OTF: Owner trust field
  - indicates how much Alice trusts the owner
  - values: implicitly trusted, completely trusted, partially trusted or untrusted
- KLF: Key legitimacy field
  - indicates how much Alice trusts the PK
  - values: valid, marginally valid or invalid

Alice sets the OTF in her own certificate as implicitly trusted. If she sets the OTF of Bob’s certificate as completely trusted, she is saying:

1. Bob’s PK is valid, and
2. she trusts that Bob won’t sign invalid (ID, PK) pairs.

Once all the OTF values have been set, PGP computes the KLF values of the certificates as follows:

1. The KLF for user U’s certificate is set to valid if the data of U is signed
   - by at least one user whose OTF-value is “trusted”, or
   - by at least two users whose OTF-values are “partially trusted”.
2. It is set to marginally valid if the data of U is signed by a user whose OTF-value is “partially trusted”.
3. Otherwise, it is set to invalid.

Suppose Alice’s key ring contains the following certificates. Whose PKs does Alice consider as valid, marginally valid, invalid?
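As an added example (not part of the original slides), the KLF rules above applied in Python to a constructed key ring rather than the one from the exercise. It assumes that "trusted" in rule 1 means implicitly or completely trusted and that signers missing from the key ring count as untrusted; all names and trust values are made up.

```python
from collections import Counter

# OTF values named on the slides
IMPLICIT, COMPLETE, PARTIAL, UNTRUSTED = "implicit", "complete", "partial", "untrusted"

def compute_klf(signers, otf):
    """Apply the three KLF rules to one certificate.

    signers: names that signed this certificate's (ID, PK) pair.
    otf:     Alice's owner-trust value for each name on her key ring.
    Assumption: "trusted" covers implicitly and completely trusted owners.
    """
    levels = Counter(otf.get(s, UNTRUSTED) for s in set(signers))
    trusted = levels[IMPLICIT] + levels[COMPLETE]
    partial = levels[PARTIAL]
    if trusted >= 1 or partial >= 2:
        return "valid"
    if partial == 1:
        return "marginally valid"
    return "invalid"

# Constructed key ring: Alice's OTF settings and who signed whose certificate.
OTF = {"Alice": IMPLICIT, "Bob": COMPLETE, "Carlos": PARTIAL,
       "Dana": PARTIAL, "Eve": UNTRUSTED, "Frank": UNTRUSTED}
SIGNED_BY = {
    "Alice": {"Alice"},            # self-signed
    "Bob": {"Alice"},
    "Carlos": {"Bob"},
    "Dana": {"Carlos"},            # one partially trusted signer
    "Eve": {"Carlos", "Dana"},     # two partially trusted signers
    "Frank": {"Eve"},              # only an untrusted signer
}

def klf_table():
    """KLF value for every certificate on the constructed key ring."""
    return {owner: compute_klf(sigs, OTF) for owner, sigs in SIGNED_BY.items()}

if __name__ == "__main__":
    for owner, klf in klf_table().items():
        print(f"{owner:7s} OTF={OTF[owner]:9s} KLF={klf}")
```

Eve's key comes out valid even though Alice does not trust Eve as an introducer: the OTF and the KLF are independent judgments, which is why Frank's key, signed only by Eve, stays invalid.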

- More recent PGP (OpenPGP) specifications support the use of trust signatures which are issued by certificate authorities.
- They also support the use of certificate revocation lists as well as certificate expiration dates.
- To strengthen the web of trust, key signing parties have been organized.

Authentication

Two main approaches:

- authenticating the sender
  - to be effective, mail users must have their own private-public keys (hard!)
  - hence, seldom used in practice
- authenticating the sending MTA
  - identifies the author’s organization (e.g., ISP, university, etc.) but not the individual author
  - used more in practice

When authenticated email is in transit, it is important that it is never modified, because otherwise the signature verification process will fail. A formatting process called canonicalization tries to reduce the risk of modification.

Authenticating the sender: For this to work:

- The MUAs of the sender and recipient must (1) support the cryptographic operations associated with signing and verifying, and (2) agree on the to be used.
- There must be a mechanism for the recipient to obtain the sender’s public key.

Example: An S/MIME message consists of a header and a body. The body contains the message (text, attachments, etc.) and a signature over the body of the message.

Authenticating the sending MTA: A first approach is DomainKeys Identified Mail (DKIM). It associates a domain name with an email message by means of a digital signature.

- The effect here is that the domain is claiming responsibility for the message.
- The recipient can obtain the signer’s PK using DNS, which can then be used to verify the message.

Structure of a DKIM Message: The DKIM signature covers not only the body of the message but also selected headers. In particular, the FROM field must be signed.
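To make the earlier point about canonicalization concrete, here is an added example (not from the original slides) of DKIM's two body canonicalizations, "simple" and "relaxed" as defined in RFC 6376, and the body hash that a DKIM signature carries in its bh= tag. The message bodies are constructed; header canonicalization and the signature itself are left out.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """'simple': only empty lines at the end of the body are ignored."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """'relaxed': also collapse runs of SP/TAB and drop trailing whitespace."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon) -> str:
    """Base64 SHA-256 of the canonicalized body (the bh= value)."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def still_verifies(signed: bytes, received: bytes) -> dict:
    """Does the hash taken at signing time still match the received body?"""
    return {name: body_hash(signed, c) == body_hash(received, c)
            for name, c in (("simple", canon_simple), ("relaxed", canon_relaxed))}

# Constructed bodies with CRLF line endings, as on the wire.
SIGNED = b"Hi Bob,\r\n\r\nInvoice  attached.\r\n"
# A relay added trailing whitespace, collapsed a double space, appended blank lines.
REFORMATTED = b"Hi Bob, \r\n\r\nInvoice attached.\t\r\n\r\n\r\n"
# The content itself was changed in transit.
TAMPERED = b"Hi Bob,\r\n\r\nInvoice attached. New bank details below.\r\n"

if __name__ == "__main__":
    print("reformatted:", still_verifies(SIGNED, REFORMATTED))
    print("tampered:   ", still_verifies(SIGNED, TAMPERED))
```

Harmless whitespace changes break the hash under "simple" but not under "relaxed", while a change to the content breaks both.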

Because the PK of the domain is obtained from DNS, DKIM is also vulnerable to attacks on the DNS infrastructure.

- DKIM is now used by the webmail services of Yahoo, AOL and Gmail. Any mail from these organizations carries a DKIM signature.
- Additionally, Gmail rejects all messages claiming to be from eBay and PayPal unless they have a valid DKIM signature verifying their origin.
- Nonetheless, as Google learned, if the keys used for creating the digital signatures are “short”, DKIM signatures can be spoofed!

"He" = Zach Harris, a 35-year-old mathematician based in Jupiter, FL.

Zach Harris created an email that was sent "from" Sergey Brin to Larry Page and vice versa:

Another approach for authenticating the sender MTA is the Sender Policy Framework (SPF).

- SPF does not use cryptography.
- Instead, it makes use of the fact that in the MAIL FROM SMTP command, the IP address of the sender’s MTA is listed.
- Using DNS, the receiving MTA checks that this IP address is in the list of authorized IP addresses for the sender’s domain.
- Weaknesses: vulnerable to IP source spoofing attacks and DNS cache poisoning attacks; doesn’t protect the integrity of the message; doesn’t support mail forwarding.
- Advantages over DKIM: faster to process and simpler to implement since it doesn’t use cryptography.
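The address check a receiving MTA performs, as an added example that is not part of the original slides. It evaluates only the ip4, ip6 and all mechanisms of an SPF record; the DNS lookup is replaced by a constructed table (the `TXT` dictionary, its domains and its documentation-range addresses are all made up), and the sending MTA's IP address is passed in as an argument.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_eval(record: str, client_ip: str) -> str:
    """Evaluate the ip4, ip6 and all mechanisms of one SPF record.

    Mechanisms that need further DNS lookups (a, mx, include, ...) are
    skipped here, so only literal address lists are checked.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name.lower() == "all":
            return RESULTS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return RESULTS[qualifier]
    return "neutral"

# Constructed stand-in for DNS TXT lookups.
TXT = {
    "example.org": ["some-site-verification=abc",
                    "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 "
                    "ip6:2001:db8:25::/48 -all"],
    "lax.example": ["v=spf1 ip4:192.0.2.0/24 +all"],   # weak: authorizes any host
}

def check_sender(domain: str, client_ip: str) -> str:
    """What a receiving MTA concludes for mail from `domain` sent by `client_ip`."""
    records = [t for t in TXT.get(domain, [])
               if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:          # no record: none; several records: error
        return "none" if not records else "permerror"
    return spf_eval(records[0], client_ip)

if __name__ == "__main__":
    for ip in ("192.0.2.77", "203.0.113.9"):
        print("example.org", ip, check_sender("example.org", ip))
```

The `fail` for 203.0.113.9 is also what a legitimate forwarder at that address would get when relaying example.org mail, which is the forwarding weakness listed above; a record ending in `+all` gives a `pass` to every address and is worth flagging when auditing a domain.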

Digital Rights Management

Digital Rights Management refers to the practice of restricting the capabilities users have with respect to digital content.

A Technique for Content Encryption

GOAL: protect digital content from unauthorized duplication and from playing on unlicensed devices.

IDEA: encrypt content and store decryption keys in the authorized player.

How it works:

- The player has a secret player key P, which is unique to the player and shared with the server.
- The player requests a media file M.
- The server generates a random symmetric encryption key F, called the file key, and uses it to encrypt M.
- Then the server uses the player key P to encrypt F.
- Finally, the server sends the encrypted file and the encrypted file key to the player.

Clearly the strength of this DRM approach is dependent on the type of cryptosystem and keys used. Assuming they are both “strong”, this technique has the following properties:

- An encrypted media file can be played only by the player that downloaded it. Thus, it is okay to store the file in unprotected storage.
- If the file key F is obtained by the attacker, it cannot be used to decrypt other media files.
- If the player key P is obtained by the attacker, it can decrypt only the media files downloaded by that player.

Advanced Access Control System (AACS)

- Used on next-generation DVDs.
- There is a media key that is used to decrypt media content.
- Additionally, each device has a set of keys, which is organized in a complete binary tree.
- Each device is represented by a leaf in the binary tree.
- It stores the keys that lie on the path from the root of the tree to its corresponding leaf.
- If there are n devices altogether, it stores $\log_2 n + 1$ keys.

Why use a key tree? For ease of key revocation. If at some point the media key is compromised, changing this key can be done efficiently.

- Suppose the device corresponding to the black leaf is compromised.

- Then keys $K_2, K_3, K_4, K_5$ have to be revoked and replaced with the new keys $K_2', K_3', K_4', K_5'$.
- The rekeying process consists of sending the following four encrypted messages that are broadcast to all players: $E_{H_1}(K_2', K_3', K_4', K_5')$, $E_{H_2}(K_3', K_4', K_5')$, $E_{H_3}(K_4', K_5')$, $E_{H_4}(K_5')$.
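The rekeying step generalized to any complete binary key tree, as an added example that is not part of the original slides. Nodes use heap numbering (root = 1, leaves n to 2n-1), which is an assumption of this example and not the slide's K and H labels; no encryption is performed, the code only works out which new keys go into which broadcast message and under whose key.

```python
def path_to_root(node):
    """Node numbers from `node` up to the root (heap numbering, root = 1)."""
    path = []
    while node >= 1:
        path.append(node)
        node //= 2
    return path

def rekey_plan(n_devices, compromised):
    """Return (revoked, messages) for revoking device number `compromised`.

    revoked:  node keys that must be replaced (the retired leaf key excluded).
    messages: (wrapping_node, new_key_nodes) pairs; the replacement keys for
              new_key_nodes are encrypted under the key of wrapping_node.
    """
    if n_devices < 2 or n_devices & (n_devices - 1):
        raise ValueError("n_devices must be a power of two")
    path = path_to_root(n_devices + compromised)   # [leaf, parent, ..., root]
    revoked = path[1:]
    # node ^ 1 is the sibling: the other child of the same parent.
    messages = [(node ^ 1, path[i + 1:]) for i, node in enumerate(path[:-1])]
    return revoked, messages

def everyone_else_recovers(n_devices, compromised):
    """Check that each remaining device can open exactly one message, that it
    contains exactly the revoked keys on that device's own path, and that the
    compromised device can open none."""
    revoked, messages = rekey_plan(n_devices, compromised)
    for device in range(n_devices):
        held = set(path_to_root(n_devices + device))
        learned = [keys for wrap, keys in messages if wrap in held]
        if device == compromised:
            if learned:
                return False
        elif len(learned) != 1 or set(learned[0]) != held & set(revoked):
            return False
    return True

if __name__ == "__main__":
    revoked, messages = rekey_plan(16, 5)
    print("revoked node keys:", revoked)
    for wrap, keys in messages:
        print(f"E_key[{wrap}](new keys for nodes {keys})")
    print("all other devices recover:", everyone_else_recovers(16, 5))
```

For 16 devices this produces four messages carrying 4, 3, 2 and 1 new keys, the same shape as the four broadcasts listed above.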
