CNS Unit 4

The document discusses email and IP security, focusing on Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME) for email security, as well as Internet Protocol Security (IPSec) for network communication protection. PGP provides services like authentication, confidentiality, compression, and email compatibility, while S/MIME enhances MIME with security features such as encryption and digital signatures. IPSec offers a framework for securing IP communications through protocols like ESP and AH, ensuring confidentiality, authentication, and integrity.

Uploaded by

srih317505

E-mail & IP Security

UNIT-4
Pretty Good Privacy (PGP)
PGP is an open-source, freely available software package for e-mail security. It
provides authentication through the use of digital signature, confidentiality through the use of
symmetric block encryption, compression using the ZIP algorithm, and e-mail
compatibility using the radix-64 encoding scheme.

Notations:
Operational description:
The actual operation of PGP, as opposed to the management of keys, consists of
four services: authentication, confidentiality, compression, and e-mail
compatibility.
Authentication:
The sequence of steps is as follows:
1. The sender creates a message.
2. SHA-1 is used to generate a 160-bit hash code of the message.
3. The hash code is encrypted with RSA using the sender’s private key, and the
result is prepended to the message.
4. The receiver uses RSA with the sender’s public key to decrypt and recover the
hash code.
5. The receiver generates a new hash code for the message and compares it with
the decrypted hash code. If the two match, the message is accepted as authentic.
Confidentiality:
Another basic service provided by PGP is confidentiality, which is provided by
encrypting messages to be transmitted or to be stored locally as files.
The sequence is as follows:
1. The sender generates a message and a random 128-bit number to be
used as a session key for this message only.
2. The message is encrypted using CAST-128 (or IDEA or 3DES) with the
session key.
3. The session key is encrypted with RSA using the recipient’s public key
and is prepended to the message.
4. The receiver uses RSA with its private key to decrypt and recover the
session key.
5. The session key is used to decrypt the message.
Confidentiality and Authentication:
Both services may be used for the same message.
1. First, a signature is generated for the plaintext message and prepended to
the message.
2. Then the plaintext message plus signature is encrypted using CAST-128 (or
IDEA or 3DES), and the session key is encrypted using RSA (or
ElGamal).
3. This sequence is preferable to the opposite: encrypting the message and
then generating a signature for the encrypted message.
4. It is generally more convenient to store a signature with a plaintext version
of a message.
5. Furthermore, for purposes of third-party verification, if the signature is
performed first, a third party need not be concerned with the symmetric key
when verifying the signature.
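
The combined sequence above (sign the plaintext, encrypt signature plus message under a one-time session key, wrap the session key for the recipient), as an added example that is not part of the original notes. The key pairs are constructed textbook-RSA demo keys built from Mersenne primes, and a SHA-256 counter keystream stands in for CAST-128; both are assumptions chosen so the code runs on the standard library alone, and neither is secure.

```python
import hashlib
import secrets

E = 65537
# Constructed demo keys (textbook RSA, no padding, Mersenne primes): NOT secure.
def demo_key(p, q):
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (modulus, private exponent)

SENDER_N, SENDER_D = demo_key(2**127 - 1, 2**89 - 1)   # 216-bit n > 160-bit hash
RCPT_N, RCPT_D = demo_key(2**107 - 1, 2**61 - 1)       # 168-bit n > 128-bit key
SIG_LEN = 27                                           # bytes needed for 216 bits

def sha1_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for CAST-128 (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def verify(message: bytes, signature: bytes) -> bool:
    """Recover the hash with the sender's public key and compare."""
    return pow(int.from_bytes(signature, "big"), E, SENDER_N) == sha1_int(message)

def pgp_send(message: bytes):
    # 1. Sign the plaintext: hash encrypted with the sender's private key.
    signature = pow(sha1_int(message), SENDER_D, SENDER_N).to_bytes(SIG_LEN, "big")
    # 2. Encrypt signature + message under a random 128-bit session key.
    session_key = secrets.token_bytes(16)
    body = stream_xor(session_key, signature + message)
    # 3. Encrypt the session key with the recipient's public key.
    wrapped = pow(int.from_bytes(session_key, "big"), E, RCPT_N)
    return wrapped, body

def pgp_receive(wrapped: int, body: bytes):
    session_key = pow(wrapped, RCPT_D, RCPT_N).to_bytes(16, "big")
    plain = stream_xor(session_key, body)
    signature, message = plain[:SIG_LEN], plain[SIG_LEN:]
    # The signature covers the plaintext, so it can be stored with the message
    # and checked later by a third party who never sees the session key.
    return message, signature, verify(message, signature)
```
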
Compression:
As a default, PGP compresses the message after applying
the signature but before encryption. This has the benefit of saving space both
for e-mail transmission and for file storage.
1. The signature is generated before compression for two reasons:
➢ It is preferable to sign an uncompressed message so that one can store
only the uncompressed message together with the signature for future
verification.
➢ Even if one were willing to generate dynamically a recompressed
message for verification, PGP’s compression algorithm presents a
difficulty. The algorithm is not deterministic; various implementations of
the algorithm achieve different tradeoffs in running speed versus
compression ratio and, as a result, produce different compressed forms.
2. Message encryption is applied after compression to strengthen cryptographic
security.
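
Why the signature is computed before compression, as an added example that is not part of the original notes. Python's zlib stands in for PGP's ZIP step, and two compression levels play the role of two implementations that make different speed/ratio trade-offs (both are assumptions); the sample message is constructed.

```python
import hashlib
import zlib

MESSAGE = b"Quarterly report: revenue up, costs flat. " * 40  # constructed sample

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def compress_as(implementation_level: int, data: bytes) -> bytes:
    """Two zlib levels model two implementations with different trade-offs."""
    return zlib.compress(data, implementation_level)

def compare_signing_orders(message: bytes) -> dict:
    fast = compress_as(1, message)    # "implementation A": favours speed
    small = compress_as(9, message)   # "implementation B": favours ratio
    return {
        # Both forms decompress to the same plaintext ...
        "same_plaintext": zlib.decompress(fast) == zlib.decompress(small) == message,
        # ... but the compressed bytes differ, so a hash taken over the
        # compressed form depends on which implementation produced it.
        "compressed_hashes_match": sha1_hex(fast) == sha1_hex(small),
        # A hash over the uncompressed message is stable: the verifier only
        # needs the stored plaintext and the signature.
        "plaintext_hashes_match":
            sha1_hex(zlib.decompress(fast)) == sha1_hex(zlib.decompress(small)),
        "saved_bytes": len(message) - len(small),
    }
```
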
E-mail Compatibility:
When PGP is used, at least part of the
block to be transmitted is encrypted. If only the signature service is
used, then the message digest is encrypted (with the sender’s private
key).
➢ If the confidentiality service is used, the message plus signature (if
present) are encrypted (with a one-time symmetric key).
➢ Thus, part or all of the resulting block consists of a stream of arbitrary
8-bit octets.
➢ However, many electronic mail systems only permit the use of blocks
consisting of ASCII text.
➢ To accommodate this restriction, PGP provides the service of
converting the raw 8-bit binary stream to a stream of printable
S/MIME (Secure/Multipurpose Internet Mail Extension)
S/MIME is a security enhancement to the MIME Internet e-mail format
standard based on technology from RSA Data Security. Multipurpose Internet Mail
Extension (MIME) is an extension to the RFC 5322 framework that is intended to address
some of the problems and limitations of the use of Simple Mail Transfer Protocol
(SMTP), defined in RFC 821, or some other mail transfer protocol and RFC 5322 for
electronic mail. [PARZ06] lists the following limitations of the SMTP/5322 scheme.
➢ SMTP cannot transmit executable files or other binary objects.
➢ SMTP cannot transmit text data that includes national language characters, because these
are represented by 8-bit codes with values of 128 decimal or higher, and SMTP is limited to
7-bit ASCII.
➢ SMTP servers may reject mail messages over a certain size.
➢ SMTP gateways that translate between ASCII and the character code EBCDIC do not use
a consistent set of mappings, resulting in translation problems.
MIME is an add-on which allows us to transfer non-ASCII data over mail, such as audio, video,
images, etc.
➢ The Secure/MIME protocol is an extension of MIME.
➢ It encrypts e-mails and provides security.
➢ Allows us to digitally sign our e-mail.
➢ Uses asymmetric key cryptography.
Functions
➢ Authentication
➢ Message Integrity
➢ Non Repudiation
➢ Privacy
➢ Data security
Header fields in MIME:
The five header fields defined in MIME are
• MIME-Version: Must have the parameter value 1.0. This field indicates
that the message conforms to RFCs 2045 and 2046.
• Content-Type: Describes the data contained in the body with sufficient
detail that the receiving user agent can pick an appropriate agent or mechanism
to represent the data to the user or otherwise deal with the data in an
appropriate manner.
• Content-Transfer-Encoding: Indicates the type of transformation that has
been used to represent the body of the message in a way that is acceptable for
mail transport.
• Content-ID: Used to identify MIME entities uniquely in multiple contexts.
• Content-Description: A text description of the object with the body; this is
useful when the object is not readable (e.g., audio data).
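
The five header fields in use, as an added example that is not part of the original notes: a binary object is wrapped in a MIME entity with Python's standard email package, so it can cross a 7-bit SMTP path and be recovered intact. The payload, the Content-ID value and the description text are constructed placeholders.

```python
from email import message_from_bytes
from email.mime.application import MIMEApplication

BINARY = bytes(range(256))  # constructed payload containing every 8-bit value

def build_entity(data: bytes) -> bytes:
    """Wrap arbitrary octets in a MIME entity carrying all five header fields."""
    # MIMEApplication sets MIME-Version, Content-Type and, through its default
    # base64 encoder, Content-Transfer-Encoding.
    part = MIMEApplication(data, _subtype="octet-stream")
    part["Content-ID"] = "<part1@example.invalid>"        # placeholder identifier
    part["Content-Description"] = "Constructed binary sample"
    return part.as_bytes()

def inspect_entity(wire: bytes) -> dict:
    """Parse the serialized entity the way a receiving user agent would."""
    msg = message_from_bytes(wire)
    return {
        "MIME-Version": msg["MIME-Version"],
        "Content-Type": msg.get_content_type(),
        "Content-Transfer-Encoding": msg["Content-Transfer-Encoding"],
        "Content-ID": msg["Content-ID"],
        "Content-Description": msg["Content-Description"],
        # Every byte on the wire is below 128, so 7-bit SMTP can carry it.
        "seven_bit_clean": all(b < 128 for b in wire),
        # Undo the transfer encoding to get the original octets back.
        "payload": msg.get_payload(decode=True),
    }
```
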
IP Security
Internet Protocol Security (IPSec) is a framework for protecting communication
over IP.
Applications of IPSec:
➢ Secure branch office connectivity over the Internet: A company can build a secure
virtual private network over the Internet or over a public WAN.
➢ Secure remote access over the Internet: An end user whose system is equipped with
IP security protocols can make a local call to an Internet Service Provider (ISP) and
gain secure access to a company network.
➢ Establishing extranet and intranet connectivity with partners: IPsec can be used to
secure communication with other organizations, ensuring authentication and
confidentiality and providing a key exchange mechanism.
➢ Enhancing electronic commerce security: Even though some Web and electronic
commerce applications have built-in security protocols, the use of IPsec enhances that
security.
Benefits of IPsec
Some of the benefits of IPsec:
❖ When IPsec is implemented in a firewall or router, it provides strong
security that can be applied to all traffic crossing the perimeter. Traffic
within a company or workgroup does not incur the overhead of security related
processing.
❖ IPsec in a firewall is resistant to bypass if all traffic from the outside must
use IP and the firewall is the only means of entrance from the Internet into the
organization.
❖ IPsec is below the transport layer (TCP, UDP) and so is transparent to
applications.
❖ IPsec can be transparent to end users.
❖ IPsec can provide security for individual users if needed.
IPsec Services
IPsec provides security services at the IP layer by enabling a system to
select required security protocols, determine the algorithm(s) to use for
the service(s), and put in place any cryptographic keys required to
provide the requested services.
❖ Access control
❖ Connectionless integrity
❖ Data origin authentication
❖ Rejection of replayed packets (a form of partial sequence integrity)
❖ Confidentiality (encryption)
❖ Limited traffic flow confidentiality
IP Security Architecture
IPSec (IP Security) architecture uses two protocols to secure the traffic or
data flow. These protocols are ESP (Encapsulation Security Payload) and AH
(Authentication Header). IPSec Architecture includes protocols, algorithms, DOI, and Key
Management. All these components are very important in order to provide the three main
services:
• Confidentiality
• Authentication
• Integrity
1. Architecture: Architecture or IP Security Architecture covers the general
concepts, definitions, protocols, algorithms, and security requirements of IP
Security technology.
2. ESP Protocol: ESP (Encapsulation Security Payload) provides a confidentiality
service. Encapsulation Security Payload is implemented in either of two ways:
• ESP with optional Authentication.
• ESP with Authentication.
3. Encryption algorithm: The encryption algorithm is the document that
describes various encryption algorithms used for Encapsulation Security Payload.
4. AH Protocol: AH (Authentication Header) Protocol provides both
Authentication and Integrity service. Authentication Header is implemented in
one way only: Authentication along with Integrity.
Authentication Header covers the packet format and general issues related to the use of AH for
packet authentication and integrity.
5. Authentication Algorithm: The authentication Algorithm contains
the set of documents that describe the authentication algorithm used for
AH and for the authentication option of ESP.
6. DOI (Domain of Interpretation): DOI is the identifier that supports
both AH and ESP protocols. It contains values needed for
documentation related to each other.
7. Key Management: Key Management contains the document that
describes how the keys are exchanged between sender and receiver.
ESP:
➢ Security Parameter Index (SPI): This parameter is used by Security
Association. It is used to give a unique number to the connection built
between the Client and Server.
➢ Sequence Number: Unique Sequence numbers are allotted to every packet so
that on the receiver side packets can be arranged properly.
➢ Payload Data: Payload data means the actual data or the actual message. The
Payload data is in an encrypted format to achieve confidentiality.
➢ Padding: Extra bits of space are added to the original message in order to
ensure confidentiality. Padding length is the size of the added bits of space in
the original message.
➢ Next Header: Next header means the next payload or next actual data.
➢ Authentication Data: This field is optional in ESP protocol packet format.
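
The field layout listed above, as an added example that is not part of the original notes: a builder and parser for the ESP fields in wire order. It assumes a 96-bit Authentication Data field and a payload that is in the clear (already decrypted), and it uses the ESP specification's default padding (bytes 1, 2, 3, ... with the trailer ending on a 4-byte boundary); the sample packet is constructed.

```python
import struct

ICV_LEN = 12  # assumed: a 96-bit Authentication Data field

def build_esp(spi: int, seq: int, payload: bytes, next_header: int, icv: bytes) -> bytes:
    """Lay out an ESP packet; the payload is left in the clear for illustration."""
    # Pad so that payload + padding + 2 trailer bytes end on a 4-byte boundary.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # default pad bytes 1, 2, 3, ...
    trailer = padding + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + payload + trailer + icv

def parse_esp(packet: bytes, icv_len: int = ICV_LEN) -> dict:
    """Split a decrypted ESP packet into the fields described in the list."""
    if len(packet) < 8 + 2 + icv_len:
        raise ValueError("packet too short for ESP header, trailer and ICV")
    spi, seq = struct.unpack("!II", packet[:8])     # SPI, Sequence Number
    body = packet[8:len(packet) - icv_len]
    icv = packet[len(packet) - icv_len:]            # Authentication Data
    pad_len, next_header = body[-2], body[-1]       # Pad Length, Next Header
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds packet body")
    payload = body[:len(body) - 2 - pad_len]
    padding = body[len(body) - 2 - pad_len:len(body) - 2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("unexpected padding contents")
    return {"spi": spi, "seq": seq, "payload": payload, "pad_len": pad_len,
            "next_header": next_header, "icv": icv}

# Constructed sample: SPI 0x1001, sequence 7, next header 6 (TCP), dummy ICV.
SAMPLE = build_esp(0x1001, 7, b"hello", 6, b"\x00" * ICV_LEN)
```
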
IPV6