Friday 11 July 2014

Computer Networks - E-mail Security

E-mail Security:

When an e-mail is sent between two distant sites, it usually transits many machines on the way. Any one of the intermediate machines can read and record the message for future use. Privacy is therefore the major issue for people using e-mail. In the following sections we discuss widely used secure e-mail systems such as PGP, PEM, and S/MIME.

PGP (Pretty Good Privacy)

PGP is essentially the brainchild of one person, Phil Zimmermann. PGP is a complete e-mail security package that provides privacy, authentication, digital signatures, and compression, all in an easy-to-use form. Because it is readily available on UNIX, Linux, and Windows, it is widely used today.

PGP encrypts data by using a block cipher called IDEA (International Data Encryption Algorithm), which uses 128-bit keys. IDEA is similar to DES in that it mixes up bits in a series of rounds. Key management uses RSA, and data integrity uses MD5.
In practice, PGP uses a series of private-key, public-key, and one-way hash functions to encrypt a message. A one-way hash function takes some plaintext and translates it into a specific hash. The hash is unique to the message (like a fingerprint is to a person). The hash is also non-reversible, hence the name one-way.

PGP supports text compression, secrecy and digital signatures and also provides extensive key management facilities. It is more of a preprocessor that takes plain text as input and produces signed cipher text in base 64 as output.

In private-key cryptography one key is used by both parties. One problem with this kind of encryption is that if the key is intercepted, a third party could decrypt the messages. So, the idea of public-key cryptography was developed. Everyone has two keys: a public and a private key. When someone wants to send something to a recipient, they (the sender) encrypt it with the recipient's public key. Then the only way to decrypt it is with the recipient's private key.

Another benefit of PGP is that it allows senders to "sign" their messages. This proves that the message came from the sender and has not been altered in transport. Based on this theory, PGP allows everyone to publicize their public keys, while keeping their private keys secret. The result is that anyone can encrypt a message to someone else, as long as they have that person's public key.

PEM: Privacy Enhanced Mail

PEM was developed in the late 1980s and is an official Internet standard. It covers the same territory as PGP: privacy and authentication for e-mail systems. It differs from PGP in approach and technology.

Messages sent using PEM are first converted to a canonical form so that they all have the same conventions about white space. A message hash is then computed using MD2 or MD5. The concatenation of the hash and the message is encrypted using DES. The encrypted message is then encoded with base 64 coding and transmitted to the recipient.
The only problem with PEM is that nobody ever used it, and the problem was largely political.
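The canonicalize, hash, and base 64 stages described above, as an added example that is not part of the original post. The whitespace rules, function names, and sample messages are assumptions made for illustration, and the DES encryption step is left out because the Python standard library has no DES.

```python
import base64
import hashlib
import hmac

DIGEST_LEN = 16  # MD5 digest size in bytes


def canonicalize(text):
    # Assumed rules (the page only says "same conventions about white space"):
    # CRLF line endings, no trailing spaces/tabs, no trailing blank lines.
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    while lines and not lines[-1].strip(" \t"):
        lines.pop()
    return b"".join(l.rstrip(" \t").encode("utf-8") + b"\r\n" for l in lines)


def pem_style_encode(text):
    # canonical form -> MD5 hash -> hash||message -> base64.
    # PEM would DES-encrypt hash||message before base64; omitted here
    # because the Python standard library has no DES.
    body = canonicalize(text)
    digest = hashlib.md5(body).digest()
    return base64.b64encode(digest + body).decode("ascii")


def pem_style_verify(encoded):
    # Recipient side: decode, split off the hash, recompute and compare.
    raw = base64.b64decode(encoded, validate=True)
    digest, body = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    ok = hmac.compare_digest(digest, hashlib.md5(body).digest())
    return ok, body.decode("utf-8")


def tamper(encoded):
    # Simulates an intermediate machine flipping one bit of the message.
    raw = bytearray(base64.b64decode(encoded))
    raw[DIGEST_LEN] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


# Constructed samples: the same text as typed on a Unix and a Windows host.
UNIX_MSG = "Meet at noon.  \nBring the report.\n"
WINDOWS_MSG = "Meet at noon.\r\nBring the report.\r\n"

if __name__ == "__main__":
    wire = pem_style_encode(UNIX_MSG)
    print(wire == pem_style_encode(WINDOWS_MSG))
    print(pem_style_verify(wire)[0], pem_style_verify(tamper(wire))[0])
```

Without the encryption step, anyone who alters the message can also recompute the hash, so this block shows only the mechanics of canonicalization and the integrity check.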

S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extension) is a set of secure e-mail standards that specify not only how to encrypt and sign messages, but also how to handle keys, certificates, and crypto algorithms.

The S/MIME specification fails to discuss the main defect. Further, the document tells implementers nothing about how to Sign & Encrypt. The S/MIME specification merely cautions users and implementers not to over-rely on a message's security.

XML Security

The XML-Signatures draft specification and the allied XML-Encryption Working Group have explicitly committed to producing low-level "toolkit" specifications, which will describe how to combine basic public-key operations with a rich array of XML document-structuring features. In particular, both groups are very unwilling to stipulate any high-level security behaviour, such as how to sign and encrypt with full security.

To some extent, this is proper: these standards are intended to support as broad a class of applications as possible, including document preparation and handling, financial applications, wire protocols, and potentially even intricate cryptographic security protocols. The Secure XML Working Groups say that they don't want to require secure high-level behavior in their specifications, because they don't want to constrain how low-level applications will use XML's security features. The WGs explicitly hope that a higher-level XML security specification, with out-of-the-box "idiot-proof" security, will be built someday to follow on the current WGs' specifications.

But for now, certainly, the XML-Signatures draft specification is most suitable for use only by experienced security engineers and cryptographers, and not for application programmers who don't want to specialize in security.

Self Assessment Questions
1. List E-mail secure systems
2. PGP encrypts data by using a block cipher called _______
3. PGP uses _______-bit keys
4. In PEM, the message hash is computed using _______
5. The only problem with the ______ is nobody ever used it
