email security - cs.uwm.edu

Post on 30-May-2022


Email Security

Web Security

How Email works

Some terminology:

- MUA (Mail User Agent)
  - programs used for retrieving, reading and managing e-mail.
- MSA (Mail Sending Agent)
  - programs that receive emails from MUAs and then forward them to MTAs.
  - will check an email's format and quickly report errors to the author (e.g., an empty To field).
- MTA (Mail Transfer Agent)
  - programs responsible for transmitting email messages from sender to recipient.
- MDA (Mail Delivery Agent)
  - programs responsible for delivering email from an MTA to a local recipient's mailbox.


SMTP (Simple Mail Transfer Protocol): a simple text-based application-layer protocol used for sending e-mail.


POP (Post Office Protocol)

- designed to support clients with dial-up connections
- client connects to their MDA, downloads any new messages, deletes those messages from the server, disconnects

IMAP (Internet Message Access Protocol)

- allows clients to connect to the mail server and maintain a persistent connection
- clients can search for messages, etc.


Email Security Issues

Suggestions?

Lack of confidentiality

- subject to packet sniffing
- SOLN: encryption

No built-in authentication

- the "FROM" portion of the email can be spoofed; it can appear that the email came from someone you trust
- SOLN: use digital signatures


Encryption at the Transport Layer

- Use SSL/TLS protocols between each client-server pair
  - e.g., between MUA and local MTA, sender and recipient MTAs, recipient MTA and MDA, MDA and recipient.


Using SSL/TLS:

- prevents in-flight eavesdropping
- but requires a level of trust in the mail servers handling the messages; e.g., the contents of the emails can still be read at your ISP's mail servers.

Alternative: Encrypt the actual contents of the email.


PGP: Pretty Good Privacy

- first written by Phil Zimmermann in 1991.
- he has been a long-time anti-nuclear activist; he developed PGP so that he and similarly-minded folks might be able to communicate with each other and store files securely.


Since PGP uses public key cryptography, it must have a way of verifying the validity of public keys. This is done using what's called a web of trust.

Zimmermann's description from the manual of PGP 2.0:

As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.


From Stinson’s Cryptography: Theory and Practice, 3rd Edition

Each PGP certificate contains an email address (ID), a public key (PK), and one or more signatures on this (ID, PK) pair. For example:

- data = (ID = alice@example.com, PK = 123456)
- signatures = (sig_Alice(data), sig_Bob(data), sig_Carlos(data))

By signing Alice's data, Bob and Carlos are telling others that they believe that 123456 is indeed Alice's public key.


Alice keeps a collection of PGP certificates which she has gradually accumulated over time. She keeps them in a data structure called a keyring.

Each certificate in the keyring has two fields:

- OTF: Owner trust field
  - indicates how much Alice trusts the owner
  - values: implicitly trusted, completely trusted, partially trusted or untrusted
- KLF: Key legitimacy field
  - indicates how much Alice trusts the PK
  - values: valid, marginally valid or invalid.


Alice sets the OTF in her own certificate to implicitly trusted. If she sets the OTF of Bob's certificate to completely trusted, she is saying:

1. Bob's PK is valid, and
2. She trusts that Bob won't sign invalid (ID, PK) pairs.

Once all the OTF values have been set, PGP computes the KLF values of the certificates as follows:

1. The KLF for user U's certificate is set to valid if
   - the data of U is signed by at least one user whose OTF-value is "trusted", or
   - by at least two users whose OTF-values are "partially trusted".
2. It is set to marginally valid if the data of U is signed by a user whose OTF-value is "partially trusted".
3. Otherwise, it is set to invalid.
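The three KLF rules above, applied to a small keyring (an added example, not part of the original slides). The keyring is constructed, signatures are assumed to have been verified already, and "trusted" in rule 1 is taken to mean implicitly or completely trusted.

```python
from dataclasses import dataclass, field

# Assumption: rule 1's "trusted" covers both of these OTF values.
FULL = {"implicitly trusted", "completely trusted"}
PARTIAL = "partially trusted"

@dataclass
class Certificate:
    user_id: str                                  # email address (ID)
    public_key: str                               # PK
    otf: str                                      # owner trust field, set by Alice
    signed_by: set = field(default_factory=set)   # IDs whose signature verified

def compute_klf(keyring):
    """Map each ID in the keyring to its key legitimacy field (KLF)."""
    otf = {cert.user_id: cert.otf for cert in keyring}
    klf = {}
    for cert in keyring:
        # A signer that is not in the keyring has no OTF and counts as untrusted.
        trust = [otf.get(signer, "untrusted") for signer in cert.signed_by]
        full = sum(t in FULL for t in trust)
        partial = sum(t == PARTIAL for t in trust)
        if full >= 1 or partial >= 2:
            klf[cert.user_id] = "valid"
        elif partial == 1:
            klf[cert.user_id] = "marginally valid"
        else:
            klf[cert.user_id] = "invalid"
    return klf

# Constructed keyring (not the one from the exercise on the slides).
A, B, C = "alice@example.com", "bob@example.com", "carlos@example.com"
D, E = "dave@example.com", "erin@example.com"
KEYRING = [
    Certificate(A, "123456", "implicitly trusted", {A}),
    Certificate(B, "234567", "completely trusted", {A}),
    Certificate(C, "345678", "partially trusted", {A}),
    Certificate(D, "456789", "partially trusted", {B}),
    Certificate(E, "567890", "untrusted", {C, D}),
    Certificate("frank@example.com", "678901", "untrusted", {C}),
    Certificate("grace@example.com", "789012", "untrusted", {E, "mallory@example.com"}),
]

if __name__ == "__main__":
    for user_id, status in compute_klf(KEYRING).items():
        print(f"{user_id:22} {status}")
```

Erin's key becomes valid only because two partially trusted users signed it, while Grace's stays invalid because neither of her signers carries any owner trust.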


Suppose Alice's keyring contains the following certificates. Whose PKs does Alice consider valid, marginally valid, invalid?


- To strengthen the web of trust, key signing parties have been organized.
- More recent PGP (OpenPGP) specifications support the use of trust signatures, which are issued by certificate authorities.
- They also support the use of certificate revocation lists as well as certificate expiration dates.


Authentication

Two main approaches:

- authenticating the sender
  - to be effective, mail users must have their own private-public keys (hard!)
  - hence, seldom used in practice
- authenticating the sending MTA
  - identifies the author's organization (e.g., ISP, university, etc.) but not the individual author
  - used more in practice

When authenticated email is in transit, it is important that it is never modified, because otherwise the signature verification process will fail. A formatting process called canonicalization tries to reduce the risk of modification.


Authenticating the sender:

For this to work:

- The MUAs of the sender and recipient must (1) support the cryptographic operations associated with signing and verifying, and (2) agree on the cryptosystem to be used.
- There must be a mechanism for the recipient to obtain the sender's public key.


Example: An S/MIME message consists of a header and a body. The body contains the message (text, attachments, etc.) and a signature over the body of the message.


Authenticating the sending MTA:

A first approach is DomainKeys Identified Mail (DKIM). It associates a domain name with an email message by means of a digital signature.

- The effect here is that the domain is claiming responsibility for the message.
- The recipient can obtain the signer's PK using DNS, which can then be used to verify the message.


Structure of a DKIM Message: The DKIM signature covers not only the body of the message but also selected headers. In particular, the FROM field must be signed.

Because the PK of the domain is obtained from DNS, DKIM is also vulnerable to attacks on the DNS infrastructure.
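The canonicalization mentioned under Authentication and the signed-FROM requirement above, as an added example that is not part of the original slides: the "simple" and "relaxed" body canonicalizations defined for DKIM in RFC 6376, the body hash a verifier compares with the `bh=` tag, and a check that the `h=` tag lists From. The message bodies and the signature header are constructed, with placeholders for `bh=` and `b=`.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+", b" ", line)   # collapse runs of whitespace
        lines.append(line.rstrip(b" "))         # ignore whitespace at line end
    while lines and lines[-1] == b"":           # ignore trailing empty lines
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)

def simple_body(body: bytes) -> bytes:
    """RFC 6376 'simple' canonicalization: only trailing empty lines are ignored."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def body_hash(body: bytes, canon) -> str:
    """Value a verifier compares with the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def signed_headers(dkim_signature: str) -> list:
    """Lower-cased header names listed in the h= tag of a DKIM-Signature."""
    tags = {}
    for part in dkim_signature.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]

# Constructed samples: one body as sent, after a relay changed its whitespace,
# and after its content was changed.
SENT = b"Hello Bob,\r\n\r\nSee  you at 10.\r\n"
RELAYED = b"Hello Bob, \r\n\r\nSee you\tat 10.\r\n\r\n\r\n"
TAMPERED = b"Hello Bob,\r\n\r\nSee you at 11.\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
             "h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    for name, canon in (("simple", simple_body), ("relaxed", relaxed_body)):
        same = body_hash(SENT, canon) == body_hash(RELAYED, canon)
        print(f"{name:8} hash survives relay whitespace changes: {same}")
    print("content change detected:",
          body_hash(SENT, relaxed_body) != body_hash(TAMPERED, relaxed_body))
    print("From is signed:", "from" in signed_headers(SIGNATURE))
```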


- DKIM is now used by the webmail services of Yahoo, AOL and Gmail. Any mail from these organizations carries a DKIM signature.
- Additionally, Gmail rejects all messages claiming to be from eBay and PayPal unless they have a valid DKIM signature verifying their origin.
- Nonetheless, as Google learned, if the keys used for creating the digital signatures are "short", DKIM signatures can be spoofed!


"He" = Zach Harris, a 35-year-old mathematician based in Jupiter, FL.

Zach Harris created an email that was sent "from" Sergey Brin to Larry Page and vice versa:


Another approach for authenticating the sender MTA is the Sender Policy Framework (SPF).

- SPF does not use cryptography.
- Instead, it makes use of the fact that in the MAIL FROM SMTP command, the IP address of the sender's MTA is listed.
- Using DNS, the receiving MTA checks that this IP address is in the list of authorized IP addresses for the sender's domain.
- Weaknesses: vulnerable to IP source spoofing attacks and DNS cache poisoning attacks; doesn't protect the integrity of the message; doesn't support mail forwarding.
- Advantages over DKIM: faster to process and simpler to implement since it doesn't use cryptography.


Digital Rights Management


Digital Rights Management refers to the practice of restricting the capabilities users have with respect to digital content.


A Technique for Content Encryption

GOAL: protect digital content from unauthorized duplication and from playing on unlicensed devices.

IDEA: encrypt content and store decryption keys in the authorized player.


How it works:

- The player has a secret player key P, which is unique to the player and shared with the server.
- The player requests a media file M.
- The server generates a random symmetric encryption key F, called the file key, and uses it to encrypt M.
- Then the server uses the player key P to encrypt F.
- Finally, the server sends the encrypted file and the encrypted file key to the player.


Clearly the strength of this DRM approach is dependent on the type of cryptosystem and keys used. Assuming they are both "strong", this technique has the following properties:

- An encrypted media file can be played only by the player that downloaded it. Thus, it is okay to store the file in unprotected storage.
- If the file key F is obtained by the attacker, it cannot be used to decrypt other media files.
- If the player key P is obtained by the attacker, it can decrypt only the media files downloaded by that player.


Advanced Access Control System (AACS)

- Used on next-generation DVDs.
- There is a media key that is used to decrypt media content.
- Additionally, each device has a set of keys, which is organized in a complete binary tree.


- Each device is represented by a leaf in the binary tree.
- It stores the keys that lie on the path from the root of the tree to its corresponding leaf.
- If there are $n$ devices altogether, it is storing $\log_2 n + 1$ keys.


Why use a key tree? For ease of key revocation. If at some point the media key is compromised, changing this key can be done efficiently.

- Suppose the device corresponding to the black leaf is compromised.
- Then keys $K_2, K_3, K_4, K_5$ have to be revoked and replaced with the new keys $K'_2, K'_3, K'_4, K'_5$.
- The rekeying process consists of sending the following four encrypted messages, which are broadcast to all players: $E_{H_1}(K'_2, K'_3, K'_4, K'_5)$, $E_{H_2}(K'_3, K'_4, K'_5)$, $E_{H_3}(K'_4, K'_5)$, $E_{H_4}(K'_5)$.
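The key-tree bookkeeping behind this rekeying, as an added example that is not part of the original slides. It assumes heap numbering of the tree nodes (root = 1, children of node i are 2i and 2i+1), which is not the slide's K/H labelling, and it tracks only which key protects which new keys, without performing any encryption.

```python
def path_to_root(leaf: int) -> list:
    """Nodes from a leaf up to the root, leaf first (heap numbering, root = 1)."""
    path = []
    node = leaf
    while node >= 1:
        path.append(node)
        node //= 2
    return path

def device_keys(device: int, n: int) -> set:
    """Tree nodes whose keys device 0..n-1 stores (n must be a power of two)."""
    return set(path_to_root(n + device))

def rekey_messages(revoked: int, n: int) -> list:
    """One (encrypting node, nodes that get new keys) pair per broadcast message."""
    path = path_to_root(n + revoked)
    messages = []
    for i, node in enumerate(path[:-1]):     # every path node except the root
        sibling = node ^ 1                   # subtree without the revoked leaf
        messages.append((sibling, path[i + 1:]))   # new keys for the ancestors
    return messages

def readable_by(device: int, revoked: int, n: int) -> list:
    """Encrypting nodes of the rekey messages this device is able to decrypt."""
    held = device_keys(device, n)
    return [sibling for sibling, _ in rekey_messages(revoked, n) if sibling in held]

N_DEVICES = 16    # constructed: 16 leaves give a 5-key path and 4 rekey messages
REVOKED = 5       # constructed index of the compromised device

if __name__ == "__main__":
    print("keys stored per device:", len(device_keys(REVOKED, N_DEVICES)))
    for sibling, new_keys in rekey_messages(REVOKED, N_DEVICES):
        print(f"encrypt under key of node {sibling}: new keys for nodes {new_keys}")
    for device in range(N_DEVICES):
        print(f"device {device:2}: can decrypt {readable_by(device, REVOKED, N_DEVICES)}")
```

With 16 devices the output has the same shape as the four messages above: each message carries one key fewer than the previous, every remaining device can decrypt exactly one of them, and the revoked device can decrypt none.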
