E-mail Security: PGP and S/MIME Overview

Overview of E-mail Security

Electronic mail (email) is the most widely used network-based application in distributed environments. As the use of email proliferates, the need for security services covering authentication, confidentiality, integrity, and non-repudiation becomes critical. Without proper safeguards, message contents remain vulnerable during transit and can be inspected by privileged users on destination systems.

Email Security Enhancements

  1. Confidentiality: Ensures protection from unauthorized disclosure of email content.

  2. Authentication: Verifies the identity of the sender.

  3. Message Integrity: Prevents unauthorized modification of the message.

  4. Non-repudiation of origin: Protects against denial of sending by the sender.

Security Schemes

Two primary schemes enhance email security:

  • Pretty Good Privacy (PGP)

  • S/MIME (Secure/Multipurpose Internet Mail Extensions)

Pretty Good Privacy (PGP)

Background

Developed by Phil Zimmermann, PGP combines multiple cryptographic algorithms into a single program. Initially free, it now offers commercial versions. PGP serves to provide services such as:

  • Authentication

  • Confidentiality

  • Compression

  • Email Compatibility

  • Segmentation

Key Concepts

  • Cryptographic Keys: PGP uses four key types:

    • One-time session symmetric keys

    • Public keys for encryption

    • Private keys for decryption

    • Passphrase-based symmetric keys

  • Key Generation: Session keys are generated with 128-bit random numbers using the CAST-128 algorithm.

PGP Operational Description
Authentication Steps

  1. The sender creates a message.

  2. Generates a 160-bit hash using the SHA-1 algorithm.

  3. Signs the hash using RSA with the sender's private key.

  4. The receiver decrypts the hash using the sender's public key and verifies it against the received message.

Confidentiality Mechanism

  1. A session key is generated and used to encrypt the message with algorithms like CAST-128 or 3DES.

  2. The session key itself is encrypted with the recipient's public key and sent along with the message.

  3. The receiver decrypts the session key with their private key and uses it to access the message.

Compression and Compatibility

  • PGP compresses the message after signing but before encrypting, which aids in storage and avoids issues related to varying implementations of compression techniques.

  • Raw binary data is encoded into printable ASCII characters using the radix-64 algorithm, enabling compatibility with text-based email systems.

Message Structure

A PGP message comprises the following components:

  • Session Key Component: Encrypted session key

  • Signature Component: Timestamp, message digest, and sender's public key ID

  • Message Component: The actual content including filename and timestamp

Key Management in PGP

PGP employs a decentralized web of trust instead of a centralized certification authority. Users can sign their public keys and those of others, thus establishing a trust level for each key in the key rings:

  • Each user has a private-key ring (stores their own keys) and a public-key ring (stores keys of others).

  • Trust indicators are used to establish the reliability of the keys within these structures.

Secure/Multipurpose Internet Mail Extension (S/MIME)

Overview

S/MIME extends MIME to enhance email security by enabling:

  1. Encrypted content (enveloped data)

  2. Signed messages (signed data)

  3. Clear-signed messages (allowing access to non-S/MIME users)

Limitations of RFC 822/SMTP

MIME addresses the limitations of previous standards, which did not support binary data or non-textual characters adequately. MIME introduces new header fields and content types and defines a transfer encoding mechanism to ensure reliability of data transmission.

Security Functions of S/MIME

  • Enveloped Data: Contains encrypted content with associated encryption keys.

  • Signed Data: Message with a digital signature created by the sender’s private key for authentication.

  • Certificate Processing: Uses X.509 public-key certificates within a trust framework, allowing secure verification of keys and signatures.

Enhanced Security Services

S/MIME provides additional services like:

  • Signed receipts: Proof of delivery for messages.

  • Security labels: Marking content sensitivity for access control.

  • Secure mailing lists: Simplifying encryption for multiple recipients.

Conclusion

Both PGP and S/MIME play essential roles in ensuring the security of email communications by providing various services such as encryption, authentication, and integrity checks. These protocols are crucial for maintaining the confidentiality and trustworthiness of email in today's digital environment.