Transcript No Slide Title

http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland
[email protected]
404 894-5177
fax 404 894-0035
Office: Klaus 3362
email or call for office visit
Chapter 5b - Secure/Multipurpose Internet Mail Extensions
S/MIME
2/5/14
Simple Mail Transfer Protocol (SMTP, RFC 822)
SMTP Limitations - Can not transmit, or has a problem with:
• executable files, or other binary files (jpeg image).
• “national language” characters (non-ASCII)
• messages over a certain size
• ASCII to EBCDIC translation problems
• lines longer than a certain length (72 to 254 characters)
MIME Defined Five New Headers
• MIME-Version. Must be “1.0” -> RFC 2045, RFC 2046
• Content-Type. More types being added by developers
(application/word)
• Content-Transfer-Encoding. How message has been encoded (radix64)
• Content-ID. Unique identifying character string.
• Content Description. Needed when content is not readable text.
Carnonical Form: Standard format for use between systems ( not a “native”
format – e.g., JPG).
2
S/MIME - User Agent Role
S/MIME uses Public-Key Certificates - X.509 version 3 signed by Certification
Authority
Functions:
• Key Generation - Diffie-Hellman, DSS, and RSA key-pairs.
• Registration - Public keys must be registered with X.509 CA.
(Thawte (sub. of VeriSign), CAcert, ...) offer free registration)
• Certificate Storage - Local (as in browser application) for different
services.
• Signed and Enveloped Data: Various orderings for encrypting and
signing.
Example: Verisign (www.verisign.com)
• Class-1 Buyer’s email address confirmed by emailing vital info.
• Class-2 Postal address is confirmed as well, and data checked against
diectories.
• Class-3 Buyer must appear in person, or send notarized documents.
3
S/MIME History
S/MIME was originally developed by RSA Data Security
Inc. The original specification used the recently
developed IETF MIME specification with the de facto
industry standard PKCS #7 secure message format.
Change control to S/MIME has since been vested in the
IETF and the specification is now layered on
Cryptographic Message Syntax, an IETF specification
similar to PKCS #7
Today, S/MIME adds the use of S/MIME to PGP.
PGP is a standard, GnuPG are open programs that implement PGP
from Wikipedia 2/16/13
4
S/MIME Certificates
Before S/MIME can be used in any of the above applications,
one must obtain and install an individual key/certificate either
from one's in-house certificate authority (CA) or from a public
CA such as one of those listed below.
Encryption requires having the destination party's certificate
on store (which is typically automatic upon receiving a
message from the party with a valid signing certificate).
While it is technically possible to send a message encrypted
(using the destination party certificate) without having one's
own certificate to digitally sign, in practice, the S/MIME
clients will require you install your own certificate before they
allow encrypting to others.
from Wikipedia 2/16/09
5
General Email Problems
SMTP Headers
• Can be used to check email routing, but not reliable (spoofing, NAT, ...)
• Can reveal your IP address, mail server to recipients
Content Poisons:
• Attachments that are executable files (viruses, Worms, Back Doors, ...)
• HTML encoded mail has all the threats of an untrusted Web site
Links can execute code
FTP links can give away your email address, if used as password
Hidden keys can identify the address of the message, ID of recipient
Spammers use unwitting mail servers for exploding and relaying email, hiding their identity
• This requires “Relaying Prohibited,” makes sending email harder from the road
6
Bob logs on to the Internet from home, and is assigned an IP address in
the Earthlink domain. Bob then sends mail to smtp.gatech.edu for
alice.aol.com
Email Relaying (should be prohibited*)
MS
MS or
sender
MS
receiver
IP on earthlink.com
gatech.edu
aol.com
Allowed Email Forwarding
MS
sender
MS
MS
sender
receiver
IP on earthlink.com
gatech.edu
MS = Mail Server (e.g., mail.gatech.edu)
receiver
aol.com
*Unless user authenticates through TLS.
7
Email sent with: > telnet mail.ece.gatech.edu 25
>> YOU TYPE THIS.
<< WAIT FOR THIS REPLY FROM THE SMTP SERVER
[COMMENTS]
>> HELO c-66-53-58-172.hsd1.ga.comcast.net
[must be actual DNS name of host being used]
<< 220 mail.ece.gatech.edu ESMTP Sendmail 8.12.10/8.13.4; Wed, 28 Sep 2005 17:34:44 -0400 (EDT)
<< 250 mail.ece.gatech.edu Hello ecevpn-021.ece-int.gatech.edu [192.168.66.21], pleased to meet you
>> MAIL FROM: [email protected]
[must be an actual user on this server]
<< 250 2.1.0 [email protected]... Sender ok
>> RCPT TO: [email protected]
[must not violate any anti-relay rule]
<< 250 2.1.5 [email protected]... Recipient ok
[this would be relaying, except for VPN]
>> DATA
<< 354 Enter mail, end with "." on a line by itself
>> 'hw1/hw1. graded on *
*
Sep 28, 2005 16:49,’ >> 'Name on HW return: smith,_john'
>> 'Date & Time
submitted: Wed, 28 Sep 2005 03:45:36 -0400 (EDT)'
>> '-Email: [email protected] (at line 2) : Break the following ciphertext:'
>> ' #1'
>> '1 ok2 /N=N/ : [n] - Which cipher character'
>> '2 ok2 /THIS_CODE_IS_W=THIS_CODE_IS_W/ : [this_code_is_w] - type in the'
>> 'No. Graded = 10, Average Grade = 92'
>> .
[single period ends message text]
<< 250 2.0.0 j8SLYiLA000789 Message accepted for delivery
>> QUIT
Today, all mail servers at GT require TLS authentication.
8