Email Security
Web Security
How Email works
Some terminology:
- MUA (Mail User Agent)
  - programs used for retrieving, reading and managing e-mail.
- MSA (Mail Sending Agent)
  - programs that receive emails from MUAs and then forward them to MTAs.
  - will check an email's format and quickly report errors to the author (e.g., an empty To field, etc.)
- MTA (Mail Transfer Agent)
  - programs responsible for transmitting email messages from sender to recipient.
- MDA (Mail Delivery Agent)
  - programs responsible for delivering email from an MTA to a local recipient's mailbox.
SMTP (Simple Mail Transfer Protocol): a simple text-based application-layer protocol used for sending e-mail.
[Figure not reproduced; courtesy of Wikipedia]
POP (Post Office Protocol)
- designed to support clients with dial-up connections
- client connects to their MDA, downloads any new messages, deletes those messages from the server, disconnects
IMAP (Internet Message Access Protocol)
- allows clients to connect to mail server and maintain persistent connection
- clients can search for messages, etc.
Email Security Issues
Suggestions?
Lack of confidentiality
- subject to packet sniffing
- SOLN: encryption
No built-in authentication
- the "FROM" portion of the email can be spoofed; it can appear that the email came from someone you trust
- SOLN: use digital signatures
Encryption at the Transport Layer
- Use SSL/TLS protocols between each client-server pair
  - e.g., between MUA and local MTA, sender and recipient MTAs, recipient MTA and MDA, MDA and recipient.
Using SSL/TLS:
- prevents in-flight eavesdropping
- but requires a level of trust in the mail servers handling the messages; e.g., the contents of the emails can still be read at your ISP's mail servers.
Alternative: Encrypt the actual contents of the email.
PGP: Pretty Good Privacy
- first written by Phil Zimmermann in 1991.
- he has been a long-time anti-nuclear activist; he developed PGP so that he and similarly-minded folks might be able to communicate with each other and store files securely.
[Figure not reproduced; courtesy of Wikipedia]
Since PGP uses public key cryptography, it must have a way of verifying the validity of the public keys. This is done using what's called a web of trust.
Zimmermann's description from the manual of PGP 2.0:
As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.
From Stinson's Cryptography: Theory and Practice, 3rd Edition
Each PGP certificate contains an email address (ID), a public key (PK), and one or more signatures on this (ID, PK) pair.
For example:
- data = (ID = [email protected], PK = 123456)
- signatures = (sig_Alice(data), sig_Bob(data), sig_Carlos(data))
By signing Alice's data, Bob and Carlos are telling others that they believe that 123456 is indeed Alice's public key.
Alice keeps a collection of PGP certificates which she gradually accumulated over time. She keeps them in a data structure called a keyring.
Each certificate in the keyring has two fields:
- OTF: Owner trust field
  - indicates how much Alice trusts the owner
  - values: implicitly trusted, completely trusted, partially trusted or untrusted
- KLF: Key legitimacy field
  - indicates how much Alice trusts the PK
  - values: valid, marginally valid or invalid.
Alice sets the OTF in her own certificate as implicitly trusted. If she sets the OTF of Bob's certificate as completely trusted, she is saying:
1. Bob's PK is valid, and
2. She trusts that Bob won't sign invalid (ID, PK) pairs.
Once all the OTF values have been set, PGP computes the KLF values of the certificates as follows:
1. The KLF for user U's certificate is set to valid if
   - the data of U is signed by at least one user whose OTF-value is "trusted", or
   - by at least two users whose OTF-values are "partially trusted".
2. It is set to marginally valid if the data of U is signed by a user whose OTF-value is "partially trusted".
3. Otherwise, it is set to invalid.
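The three KLF rules above, applied to a whole keyring. This is an added example, not code from the slides or from PGP; the keyring and OTF values are constructed, and "trusted" in rule 1 is assumed to mean implicitly or completely trusted.

```python
from enum import Enum

class OTF(Enum):
    IMPLICIT = "implicitly trusted"
    COMPLETE = "completely trusted"
    PARTIAL = "partially trusted"
    UNTRUSTED = "untrusted"

def key_legitimacy(signers, otf):
    """KLF of one certificate, from the IDs that signed its (ID, PK) pair
    and Alice's OTF value for each signer."""
    # Count each signer once; a signer Alice has no OTF for is untrusted.
    levels = [otf.get(s, OTF.UNTRUSTED) for s in set(signers)]
    # Assumption: "trusted" in rule 1 means implicitly or completely trusted.
    trusted = sum(lv in (OTF.IMPLICIT, OTF.COMPLETE) for lv in levels)
    partial = sum(lv is OTF.PARTIAL for lv in levels)
    if trusted >= 1 or partial >= 2:
        return "valid"
    if partial == 1:
        return "marginally valid"
    return "invalid"

def evaluate_keyring(keyring, otf):
    """Map each certificate owner to the KLF computed from Alice's OTF values."""
    return {owner: key_legitimacy(sigs, otf) for owner, sigs in keyring.items()}

# Constructed sample data (not the keyring from the exercise on this page).
OTF_VALUES = {
    "alice": OTF.IMPLICIT, "bob": OTF.COMPLETE,
    "carlos": OTF.PARTIAL, "dana": OTF.PARTIAL,
    "eve": OTF.UNTRUSTED, "frank": OTF.UNTRUSTED, "grace": OTF.UNTRUSTED,
}
KEYRING = {  # owner -> signers of the owner's (ID, PK) pair
    "alice": ["alice"],
    "bob": ["alice"],
    "carlos": ["bob"],
    "dana": ["bob", "carlos"],
    "eve": ["carlos", "dana"],           # two partially trusted signers
    "frank": ["dana", "dana"],           # one partially trusted signer, listed twice
    "grace": ["eve", "frank", "grace"],  # only untrusted signers
}

if __name__ == "__main__":
    for owner, klf in evaluate_keyring(KEYRING, OTF_VALUES).items():
        print(f"{owner:7} {klf}")
```

Eve's key comes out valid even though Alice does not trust Eve as an introducer: the KLF depends on who signed the key, the OTF on how far the owner's own signatures are trusted.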
Suppose Alice's keyring contains the following certificates. Whose PKs does Alice consider valid, marginally valid, invalid?
- To strengthen the web of trust, key signing parties have been organized.
  [Figure not reproduced; courtesy of Wikipedia]
- More recent PGP (OpenPGP) specifications support the use of trust signatures which are issued by certificate authorities.
- They also support the use of certificate revocation lists as well as certificate expiration dates.
Authentication
Two main approaches:
- authenticating the sender
  - to be effective, mail users must have their own private-public keys (hard!)
  - hence, seldom used in practice
- authenticating the sending MTA
  - identifies the author's organization (e.g., ISP, university, etc.) but not the individual author
  - used more in practice
When authenticated email is in transit, it is important that it is never modified because otherwise the signature verification process will fail. A formatting process called canonicalization tries to reduce the risk of modification.
Authenticating the sender:
For this to work:
- The MUAs of the sender and recipient must (1) support the cryptographic operations associated with signing and verifying, and (2) agree on the cryptosystem to be used.
- There must be a mechanism for the recipient to obtain the sender's public key.
Example: An S/MIME message consists of a header and a body. The body contains the message (text, attachments, etc.) and a signature over the body of the message.
Authenticating the sending MTA:
A first approach is DomainKeys Identified Mail (DKIM). It associates a domain name to an email message by means of a digital signature.
- The effect here is that the domain is claiming responsibility for the message.
- The recipient can obtain the signer's PK using DNS, which can then be used to verify the message.
Structure of a DKIM Message: The DKIM signature covers not only the body of the message but also selected headers. In particular, the FROM field must be signed.
Because the PK of the domain is obtained from DNS, DKIM is also vulnerable to attacks on the DNS infrastructure.
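How canonicalization keeps a signature verifiable when a relay touches whitespace, shown with the two algorithms DKIM defines in RFC 6376 ("simple" and "relaxed") and the body hash carried in the signature's bh= tag. This is an added example, not code from the slides; the messages and the address are constructed, and only the body hash and header form are computed, not the RSA signature.

```python
import base64, hashlib, re

def canon_body_simple(body: bytes) -> bytes:
    """'simple': drop empty lines at the end, finish with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_body_relaxed(body: bytes) -> bytes:
    """'relaxed': also collapse runs of space/tab and strip line-end whitespace."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def canon_header_relaxed(name: bytes, value: bytes) -> bytes:
    """Lower-case the name, unfold the value, collapse and trim whitespace."""
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" ")
    return name.strip().lower() + b":" + value + b"\r\n"

def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body (the bh= value)."""
    fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    return base64.b64encode(hashlib.sha256(fn(body)).digest()).decode()

def survives(original: bytes, received: bytes, canon: str) -> bool:
    """True if the received body still matches the hash computed at signing."""
    return body_hash(original, canon) == body_hash(received, canon)

# Constructed bodies: as signed, after a relay rewrote whitespace, after a content change.
SIGNED = b"Hello  Bob,\r\nsee the attached\tinvoice. \r\n"
RELAYED = b"Hello Bob,\r\nsee the attached invoice.\r\n\r\n\r\n"
ALTERED = b"Hello Bob,\r\nsee the attached invoice 2.\r\n"

if __name__ == "__main__":
    print("relaxed, relayed:", survives(SIGNED, RELAYED, "relaxed"))
    print("simple,  relayed:", survives(SIGNED, RELAYED, "simple"))
    print("relaxed, altered:", survives(SIGNED, ALTERED, "relaxed"))
    print(canon_header_relaxed(b"FROM", b"  Alice\r\n\t<alice@example.org> "))
```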
- DKIM is now used by the webmail services of Yahoo, AOL and Gmail. Any mail from these organizations carries a DKIM signature.
- Additionally, Gmail rejects all messages claiming to be from eBay and PayPal unless they have a valid DKIM signature verifying their origin.
- Nonetheless, as Google learned, if the keys used for creating the digital signatures are "short", DKIM signatures can be spoofed!
"He" = Zach Harris, a 35-year-old mathematician based in Jupiter, FL.
Zach Harris created an email that was sent "from" Sergey Brin to Larry Page and vice versa:
Another approach for authenticating the sender MTA is the Sender Policy Framework (SPF).
- SPF does not use cryptography.
- Instead, it makes use of the fact that in the MAIL FROM SMTP command, the IP address of the sender's MTA is listed.
- Using DNS, the receiving MTA checks that this IP address is in the list of authorized IP addresses for the sender's domain.
- Weaknesses: vulnerable to IP source spoofing attacks and DNS cache poisoning attacks; doesn't protect the integrity of the message; doesn't support mail forwarding
- Advantages over DKIM: faster to process and simpler to implement since it doesn't use cryptography.
Digital Rights Management
Digital Rights Management refers to the practice of restricting the capabilities users have with respect to digital content.
A Technique for Content Encryption
GOAL: protect digital content from unauthorized duplication and from playing on unlicensed devices.
IDEA: encrypt content and store decryption keys in authorized player.
How it works:
- The player has a secret player key P, which is unique to the player and shared with the server.
- The player requests a media file M.
- The server generates a random symmetric encryption key F, called the file key, and uses it to encrypt M.
- Then the server uses the player key P to encrypt F.
- Finally, the server sends the encrypted file and the encrypted file key to the player.
Clearly the strength of this DRM approach is dependent on the type of cryptosystem and keys used. Assuming they are both "strong", this technique has the following properties:
- An encrypted media file can be played only by the player that downloaded it. Thus, it is okay to store the file in unprotected storage.
- If the file key F is obtained by the attacker, it cannot be used to decrypt other media files.
- If the player key P is obtained by the attacker, it can decrypt only the media files downloaded by that player.
Advanced Access Control System (AACS)
- Used on next generation DVDs.
- There is a media key that is used to decrypt media content.
- Additionally, each device has a set of keys, which is organized in a complete binary tree.
- Each device is represented by a leaf in the binary tree.
- It stores the keys that lie on the path from the root of the tree to its corresponding leaf.
- If there are n devices altogether, each device stores log_2 n + 1 keys.
Why use a key tree? For ease of key revocation. If at some point the media key is compromised, changing this key can be done efficiently.
- Suppose the device corresponding to the black leaf is compromised.
- Then keys K2, K3, K4, K5 have to be revoked and replaced with the new keys K'2, K'3, K'4, K'5.
- The rekeying process consists of sending the following four encrypted messages that are broadcast to all players:
  E_H1(K'2, K'3, K'4, K'5), E_H2(K'3, K'4, K'5), E_H3(K'4, K'5), E_H4(K'5).
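The key tree and the rekeying broadcast for 16 devices, with a check that every remaining device recovers exactly the new keys it needs while the compromised one recovers none. This is an added example, not code from the slides or from AACS; nodes use heap numbering (root 1, children 2i and 2i+1), which is an assumption, since the K and H labels above come from a figure that is not reproduced.

```python
def path_keys(n_devices: int, device: int) -> list:
    """Tree nodes whose keys a device stores, from its leaf up to the root."""
    if n_devices < 2 or n_devices & (n_devices - 1):
        raise ValueError("n_devices must be a power of two")
    if not 0 <= device < n_devices:
        raise ValueError("no such device")
    node, path = n_devices + device, []      # leaves are nodes n .. 2n-1
    while node >= 1:
        path.append(node)
        node //= 2                           # step to the parent
    return path

def rekey_plan(n_devices: int, compromised: int) -> list:
    """Broadcast messages as (wrapping key node, nodes whose new keys it carries).

    Every key on the compromised path above the leaf is replaced. The sibling
    of each path node is off the path, so its old key is still safe to use for
    wrapping the new keys of all ancestors of that node.
    """
    path = path_keys(n_devices, compromised)
    return [(node ^ 1, path[i + 1:]) for i, node in enumerate(path[:-1])]

def recoverable(n_devices: int, device: int, plan: list) -> set:
    """Nodes whose new keys a device can decrypt from the broadcast."""
    held = set(path_keys(n_devices, device))
    got = set()
    for wrap, new_keys in plan:
        if wrap in held:
            got.update(new_keys)
    return got

if __name__ == "__main__":
    n, bad = 16, 5                           # constructed scenario
    print("stored by device 5:", path_keys(n, bad))   # log2(16) + 1 = 5 keys
    for wrap, new_keys in rekey_plan(n, bad):
        print(f"E_key[{wrap}](new keys for nodes {new_keys})")
```

With 16 devices the plan has four messages carrying 4, 3, 2 and 1 new keys, the same shape as the four broadcasts listed above.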