CNS Unit V

File Downloaded From www.Bustudymate.
in
UNIT - V
PGP and S/MIME

Cryptography & Network Security - Behrouz
1
A. Forouzan
File Downloaded From www.Bustudymate.in

Objectives
 To explain the general structure of an e-mail
application program
 To discuss how PGP can provide security services
for e-mail
 To discuss how S/MIME can provide security
services for e-mail
 To define trust mechanism in both PGP and
S/MIME
 To show the structure of messages exchanged in
PGP and S/MIME
2
A. Forouzan

16--1 E
16 E--MAIL
Let us first discuss the electronic mail (e

(e--mail) system in
general
general..
Topics discussed in this section:

16.1.1 E-mail Architecture
16.1.2 E-mail Security
3
A. Forouzan

16.1.1 E-mail Architecture
Figure 16.1 E-mail architecture

4
A. Forouzan

16.1.2 E-mail Security
Cryptographic Algorithms
Note
In e-mail security, the sender of the message needs to
include the name or identifiers
of the algorithms used in the message.
Certificates
It is obvious that some public-public-key algorithms must be
used for e-mail security.
security .
5
A. Forouzan

16.1.2 Continued
Cryptographic Secrets
Note
In e-mail security, the encryption/decryption is done
using a symmetric-key algorithm,
but the secret key to decrypt the message is encrypted
with the public key of the
receiver and is sent with the message.

6
A. Forouzan

16--2 PGP
16
Pretty Good Privacy (PGP) can be used to create a

secure e-mail message or to store a file securely for
future retrieval.
retrieval.
One of the protocols to provide security at the

application layer is Pretty Good Privacy (PGP)
(PGP)..
PGP is designed to create authenticated and

confidential e-mails
mails..
7
A. Forouzan

Figure 32.19 Position of PGP in the TCP/IP protocol suite

8
A. Forouzan

16.2.1 Scenarios
Plaintext
Figure 16.2 A plaintext message

9
A. Forouzan

16.2.1 Continued
Message Integrity
Figure 16.3 An authenticated message

10
A. Forouzan

16.2.1 Continued
Compression
Figure 16.4 A compressed message

11
A. Forouzan

Figure 32.20 A scenario in which an e-mail message is

authenticated and encrypted

12
A. Forouzan

PGP Services
Confidentiality with One

One--Time Session Key
Figure 16.5 A confidential message

13
A. Forouzan

16.2.1 Continued
Code Conversion
Another service provided by PGP is code conversion
conversion..
PGP uses Radix
Radix--64 conversion.
conversion.
Segmentation
PGP allows segmentation of the message.
message.

14
A. Forouzan

16.2.2 Continued
PGP Algorithms

15
A. Forouzan

16.2.2 Continued

16
A. Forouzan

16.2.2 Continued

17
A. Forouzan

16.2.2 Continued

18
A. Forouzan

16.2.3 PGP Certificates
X.509 Certificates
Protocols that use X.509 certificates depend on the
hierarchical structure of the trust.
trust.
Note
In X.509, there is a single path from the fully trusted
authority to any certificate.

19
A. Forouzan

16.2.3 Continued
PGP Certificates
In PGP, there is no need for CAs
CAs;; anyone in the ring can
sign a certificate for anyone else in the ring.
ring.
Note
In PGP, there can be multiple paths from fully or
partially trusted authorities to any subject.
Trusts and Legitimacy

The entire operation of PGP is based on introducer
trust,, the certificate trust,
trust trust, and the legitimacy of the
public keys.
keys.
20
A. Forouzan

16.2.4 Key Revocation
It may become necessary for an entity to revoke his or

her public key from the ring
ring.. This may happen if the
owner of the key feels that the key is compromised
(stolen, for example) or just too old to be safe
safe..

21
A. Forouzan

16.2.6 PGP Packets
Figure 16.12 Format of packet header

22
A. Forouzan

Types of PGP Packet

23
A. Forouzan

Types of PGP Packet
Figure 16.13 Literal data packet

24
A. Forouzan

16.2.6 Continued
Figure 16.14 Compressed data packet

25
A. Forouzan

16.2.6 Continued
Figure 16.15 Encrypted data packet

26
A. Forouzan

16.2.6 Continued
Figure 16.16 Signature packet

27
A. Forouzan

16.2.6 Continued

28
A. Forouzan

16.2.6 Continued
Figure 16.17 Session-key packet

29
A. Forouzan

16.2.6 Continued
Figure 16.18 Public-key packet
Public Key

30
A. Forouzan

16.2.6 Continued
Figure 16.19 User ID packet

31
A. Forouzan

16.2.7 PGP Messages
Figure 16.20 Encrypted message

32
A. Forouzan

16.2.7 Continued
Figure 16.21 Signed message

33
A. Forouzan

16.2.7 Continued
Figure 16.22 Certificate message

34
A. Forouzan

16--3 S/MIME
16
Another security service designed for electronic mail is

Secure/Multipurpose Internet Mail Extension
(S/MIME)
(S/MIME).. The protocol is an enhancement of the
Multipurpose Internet Mail Extension (MIME) protocol
protocol..

16.3.1 MIME
16.3.2 S/MIME
16.3.3 Applications of S/MIME
35
A. Forouzan

16.3.1 Continued
Figure 16.23 MIME

36
A. Forouzan

16.3.1 Continued
Figure 16.24 Teledesic

37
A. Forouzan

16.3.1 Continued
MIME
MIME--Version
This header defines the version of MIME used.
used. The
current version is 1.1.
Content-
Content-Type
The content type and the content subtype are separated
by a slash
slash.. Depending on the subtype, the header may
contain other parameters
parameters..

38
A. Forouzan

16.3.1 Continued

39
A. Forouzan

16.3.1 Continued

40
A. Forouzan

16.3.1 Continued
Figure 16.25 Radix-64 conversion

41
A. Forouzan

16.3.1 Continued

42
A. Forouzan

16.3.1 Continued
Figure 16.26 Quoted-printable

43
A. Forouzan

16.3.2 S/MIME
S/MIME adds some new content types to include

security services to the MIME.
MIME. All of these new types
include the parameter “application/pkcs
“application/pkcs7
7-mime,” in
which “pkcs” defines “Public Key Cryptography
Specification..”
Specification
Cryptographic Message Syntax (CMS)

To define how security services, such as confidentiality
or integrity, can be added to MIME content types,
S/MIME has defined Cryptographic Message Syntax
(CMS).
(CMS). The syntax in each case defines the exact
encoding scheme for each content type
type..
44
A. Forouzan

16.3.2 Continued
Figure 16.27 Signed-data content type

45
A. Forouzan

16.3.2 Continued
Figure 16.28 Enveloped-data content type

46
A. Forouzan

16.3.2 Continued
Figure 16.29 Digest-data content type

47
A. Forouzan

16.3.2 Continued
Figure 16.30 Authenticated-data content type

48
A. Forouzan

16.3.2 Continued
Cryptographic Algorithms
S/MIME defines several cryptographic algorithms
algorithms.. The
term “must
must”
” means an absolute requirement;
requirement; the term
“should”
should” means recommendation.
recommendation.

49
A. Forouzan

Security in the
Internet:
IPSec, SSL/TLS,
PGP,
VPN, and Firewalls 31.50

Figure 32.1 Common structure of three security protocols

51
A. Forouzan

32--1 IPSecurity (IPSec)

32
IPSecurity (IPSec) is a collection of protocols designed

by the Internet Engineering Task Force (IETF) to
provide security for a packet at the network level.
level.

Two Modes
Two Security Protocols
Security Association
Internet Key Exchange (IKE)
Virtual Private Network
52
A. Forouzan

Figure 32.2 TCP/IP protocol suite and IPSec

53
A. Forouzan

Figure 32.3 Transport mode and tunnel modes of IPSec protocol

54
A. Forouzan

Note
IPSec in the transport mode does not protect the IP header; it only protects the
information coming from the transport layer.

55
A. Forouzan

Figure 32.4 Transport mode in action

56
A. Forouzan

Figure 32.5 Tunnel mode in action

57
A. Forouzan

Note
IPSec in tunnel mode protects the original IP header.

58
A. Forouzan

Figure 32.6 Authentication Header (AH) Protocol in transport mode

59
A. Forouzan

Note
The AH Protocol provides source authentication and data integrity,
but not privacy.

60
A. Forouzan

Figure 32.7 Encapsulating Security Payload (ESP) Protocol in transport mode

61
A. Forouzan

Note
ESP provides source authentication, data integrity, and privacy.

62
A. Forouzan

Table 32.1 IPSec services

63
A. Forouzan

Figure 32.8 Simple inbound and outbound security associations

64
A. Forouzan

Note
IKE creates SAs for IPSec.

65
A. Forouzan

Figure 32.9 IKE components

66
A. Forouzan

Table 32.2 Addresses for private networks

67
A. Forouzan

Figure 32.10 Private network

68
A. Forouzan

Figure 32.11 Hybrid network

69
A. Forouzan

Figure 32.12 Virtual private network

70
A. Forouzan

Figure 32.13 Addressing in a VPN

71
A. Forouzan

32--2 SSL/TLS
32
Two protocols are dominant today for providing security

at the transport layer:
layer: the Secure Sockets Layer (SSL)
Protocol and the Transport Layer Security (TLS)
Protocol.
Protocol. The latter is actually an IETF version of the
former.
former.
SSL Services
Security Parameters
Sessions and Connections
Four Protocols
Transport Layer Security
72
A. Forouzan

Figure 32.14 Location of SSL and TLS in the Internet model

73
A. Forouzan

Table 32.3 SSL cipher suite list

74
A. Forouzan

Table 32.3 SSL cipher suite list (continued)

75
A. Forouzan

Note
The client and the server have six different cryptography secrets.

76
A. Forouzan

Figure 32.15 Creation of cryptographic secrets in SSL

77
A. Forouzan

Figure 32.16 Four SSL protocols

78
A. Forouzan

Figure 32.17 Handshake Protocol

79
A. Forouzan

Figure 32.18 Processing done by the Record Protocol

80
A. Forouzan

CNS Unit V

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CNS Unit V

Uploaded by

Copyright:

Available Formats

File Downloaded From www.Bustudymate.

PGP and S/MIME

File Downloaded From www.Bustudymate.in

File Downloaded From www.Bustudymate.in

Let us first discuss the electronic mail (e

Topics discussed in this section:

File Downloaded From www.Bustudymate.in

Figure 16.1 E-mail architecture

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

File Downloaded From www.Bustudymate.in

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Pretty Good Privacy (PGP) can be used to create a

One of the protocols to provide security at the

PGP is designed to create authenticated and

File Downloaded From www.Bustudymate.in

Figure 32.19 Position of PGP in the TCP/IP protocol suite

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Figure 16.2 A plaintext message

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Figure 16.3 An authenticated message

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Figure 16.4 A compressed message

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Figure 32.20 A scenario in which an e-mail message is

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Confidentiality with One

Figure 16.5 A confidential message

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Trusts and Legitimacy

File Downloaded From www.Bustudymate.in

It may become necessary for an entity to revoke his or

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Figure 16.12 Format of packet header

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Figure 16.13 Literal data packet

Cryptography & Network Security - Behrouz

File Downloaded From www.Bustudymate.in

Figure 16.14 Compressed data packet

Cryptography & Network Security - Behrouz