http://www.csc.gatech.edu/copeland/jac/6612/

Prof. John A. Copelandjohn.copeland@ece.gatech.edu

404 894-5177fax 404 894-0035

Office: Klaus 3362email or call for office visit

Chapter 5b - Secure/Multipurpose Internet Mail ExtensionsS/MIME

MIME HeadersMultipurpose Internet Mail Extensions (MIME)

RFC 1341 and RFC 1521

• MIME -Version: version number• Content-Description: human-readable string• Content-ID: unique identifier • Content-Transfer-Encoding: body encoding> ASCII (Plain, quoted-printable, or Richtext)> Binary (base64)• Content-Type: nature of the message> Image (gif, jpeg), Video (mpeg), > Application (Postscript, octet-stream

> A.S.Tanenbaum, "Computer Networks," (3rd ed.) p.653

2

Simple Mail Transfer Protocol (SMTP, RFC 822)SMTP Limitations - Can not transmit, or has a problem with:

• executable files, or other binary files (jpeg image).

• “national language” characters (non-ASCII)

• messages over a certain size

• ASCII to EBCDIC translation problems

• lines longer than a certain length (72 to 254 characters)

MIME Defined Five New Headers

• MIME-Version. Must be “1.0” -> RFC 2045, RFC 2046

• Content-Type. More types being added by developers (application/word)

• Content-Transfer-Encoding. How message has been encoded (radix-64)

• Content-ID. Unique identifying character string.

• Content Description. Needed when content is not readable text (e.g.,mpeg)

Carnonical Form: Standard format for use between systems ( not a “native” format - GIF).

3

Secure/MIME

Can “sign” and/or encrypt messages

Functions:

• Enveloped Data: Encrypted content and encrypted session keys for recipients.

• Signed Data: Message Digest encrypted with private key of “signer.”

• Clear-Signed Data: Signed but not encrypted.

• Signed and Enveloped Data: Various orderings for encrypting and signing.

Algorithms Used

• Message Digesting: SHA-1 and MDS

• Digital Signatures: DSS

• Secret-Key Encryption: Triple-DES, RC2/40 (exportable)

• Public-Private Key Encryption: RSA with key sizes of 512 and 1024 bits, and Diffie-Hellman (for session keys).

4

S/MIME - User Agent Role

S/MIME uses Public-Key Certificates - X.509 version 3 signed by Certification Authority

Functions:

• Key Generation - Diffie-Hellman, DSS, and RSA key-pairs.

• Registration - Public keys must be registered with X.509 CA.

(Thawte (sub. of VeriSign), CAcert, ...) offer free registration)

• Certificate Storage - Local (as in browser application) for different services.

• Signed and Enveloped Data: Various orderings for encrypting and signing.

Example: Verisign (www.verisign.com)

• Class-1 Buyer’s email address confirmed by emailing vital info.

• Class-2 Postal address is confirmed as well, and data checked against diectories.

• Class-3 Buyer must appear in person, or send notarized documents.

5

S/MIME History

S/MIME was originally developed by RSA Data Security Inc. The original specification used the recently developed IETF MIME specification with the de facto industry standard PKCS #7 secure message format.

Change control to S/MIME has since been vested in the IETF and the specification is now layered on Cryptographic Message Syntax, an IETF specification that is identical in most respects with PKCS #7.

Free access

Thawte (a subsidiary of VeriSign), CAcert and other companies offer free e-mail certificates for exclusive S/MIME usage on their Web site. Getting a certificate is as simple as visiting their Web site and signing up for an account. However, this does not automatically allow usage of one's name in the certificate. For that, one has to prove their identity in person to at least two Thawte notaries that are part of their Web of Trust.

from Wikipedia 2/16/09 6

S/MIME Certificates

Before S/MIME can be used in any of the above applications, one must obtain and install an individual key/certificate either from one's in-house certificate authority (CA) or from a public CA such as one of those listed below. Best practice is to use separate private keys (and associated certificates) for Signature and for Encryption, as this permits escrow of the encryption key without compromise to the non-repudiation property of the signature key.

Encryption requires having the destination party's certificate on store (which is typically automatic upon receiving a message from the party with a valid signing certificate). While it is technically possible to send a message encrypted (using the destination party certificate) without having one's own certificate to digitally sign, in practice, the S/MIME clients will require you install your own certificate before they allow encrypting to others.

from Wikipedia 2/16/09 7

A typical basic personal certificate verifies the owner's identity only in terms of binding them to an email address and does not verify the person's name or business. The latter, if needed (e.g. for signing contracts), can be obtained through CAs that offer further verification (digital notary) services or managed PKI service. For more detail on authentication, see Digital Signature.

Depending on the policy of the CA, your certificate and all its contents may be posted publicly for reference and verification. This makes your name and email address available for all to see and possibly search for. Other CAs only post serial numbers and revocation status, which does not include any of the personal information. The latter, at a minimum, is mandatory to uphold the integrity of the public key infrastructure.

S/MIME is sometimes considered not properly suited for use via Webmail clients. Though support can be hacked into a browser, some security practices require the private key to be kept accessible to the user but inaccessible from the Webmail server, complicating the key Webmail advantage of providing ubiquitous accessibility.

from Wikipedia 2/16/09 8

General Email Problems

SMTP Headers

• Can be used to check email routing, but not reliable (spoofing, NAT, ...)

• Can reveal your IP address, mail server to recipients

Content Poisons:

• Attachments that are executable files (viruses, Worms, Back Doors, ...)

• HTML encoded mail has all the threats of an untrusted Web site

Links can execute code

FTP links can give away your email address, if used as password

Hidden keys can identify the address of the message, ID of recipient

Spammers use unwitting mail servers for exploding and relaying email, hiding their identity

• This requires “Relaying Prohibited,” makes sending email harder from the road

9

>> YOU TYPE THIS. [COMMENTS]<< WAIT FOR THIS REPLY FROM THE SMTP SERVER

>> HELO c-66-53-58-172.hsd1.ga.comcast.net [must be actual DNS name of host being used]<< 220 mail.ece.gatech.edu ESMTP Sendmail 8.12.10/8.13.4; Wed, 28 Sep 2005 17:34:44 -0400 (EDT)<< 250 mail.ece.gatech.edu Hello ecevpn-021.ece-int.gatech.edu [192.168.66.21], pleased to meet you>> MAIL FROM: copeland@ece.gatech.edu [must be an actual user on this server]<< 250 2.1.0 copeland@ece.gatech.edu... Sender ok>> RCPT TO: jacopeland3@comcast.net [must not violate any anti-relay rule]<< 250 2.1.5 jacopeland3@comcast.net... Recipient ok [this would be relaying, except for VPN]>> DATA<< 354 Enter mail, end with "." on a line by itself>> 'hw1/hw1. graded on * * Sep 28, 2005 16:49, # = 13 Explanation at bottom.' >> 'Name on HW return: smith,_john' >> 'Date & Time submitted: Wed, 28 Sep 2005 03:45:36 -0400 (EDT)' >> '-Email: gte014w@prism.gatech.edu (at line 2) : Break the following ciphertext:' >> ' #1' >> '1 ok2 /N=N/ : [n] - Which cipher character' >> '2 ok2 /THIS_CODE_IS_W=THIS_CODE_IS_W/ : [this_code_is_w] - type in the' >> 'No. Graded = 10, Average Grade = 92' >> . [ends message text]<< 250 2.0.0 j8SLYiLA000789 Message accepted for delivery >> QUIT

Email sent with: % telnet mail.ece.gatech.edu 25

10

Received: from gatech.edu (gatech.edu [130.207.244.244])by mail.ee.gatech.edu (8.12.9/8.12.9) with ESMTP id h7JMHlYk014613for <john.copeland@ece.gatech.edu>; Tue, 19 Aug 2003 18:43:22 -0400 (EDT)

Received: from STUDENT235 (registration15.pbf.gatech.edu [130.207.41.235])by gatech.edu (8.12.9/8.12.9) with ESMTP id h7JKhbpf022649for <john.copeland@ece.gatech.edu>; Tue, 19 Aug 2003 16:43:39 -0400 (EDT)

Message-Id: <200308192043.h7JKhbpf022649@gatech.edu>

From: <Webmaster@StaffordLoan.com>To: <john.copeland@ece.gatech.edu>Subject: Re: Re: My detailsDate: Tue, 19 Aug 2003 16:42:16 --0400

X-MailScanner: Found to be cleanX-Mailer: Microsoft Outlook Express 6.00.2600.0000MIME-Version: 1.0Content-Type: multipart/mixed;

boundary="_NextPart_000_01EA719F"X-Virus-Scanned: by amavisd-newX-SPAM: NO

See the attached file for details

Content-Type: application/octet-stream;name="movie0045.pif"

Attachment converted: movie0045.mov.pif {Windows will hide the actual extension}

11

Return-Path: <mhxa86@bigfoot.com>Received: from hubert.mail.atl.earthlink.net (hubert.mail.atl.earthlink.net [207.69.200.45])

by mail.ee.gatech.edu (8.12.10/8.12.9) with ESMTP id h8T36j6w021206for <copeland@ece.gatech.edu>; Sun, 28 Sep 2003 23:06:46 -0400 (EDT)

Received: from 12-240-168-97.client.attbi.com ([12.240.168.97])by carus.mspring.net (Earthlink Mail Service) with SMTP id 1a3OmZ7xt3Nl5tW0for <WEBMASTER@stealthwatch.com>; Sun, 28 Sep 2003 23:06:41 -0400 (EDT)

Received: from [22.23.60.51] by 12-24-68-97.client.attbi.com with SMTP; Mon, 29 Sep 2003 03:03Message-ID: y52v0-v-s7-5$2fa-sf-kchf@q8mu3zfs.5.jsw

From: "Jerrold Hedrick" <mhxa86@bigfoot.com>To: <WEBMASTER@STEALTHWATCH.COM>Subject: Re: Email Advertise to 0.8 Million People - $87Date: Mon, 29 Sep 03 03:03:44 GMT

X-Mailer: eGroups Message PosterMIME-Version: 1.0Content-Type: multipart/alternative; boundary="B70E7F2___1DED4_.____0E"X-Virus-Scanned: by amavisd-new X-SPAM: NO Content-Type: text/plain;

Broadcast Email Advertise to 28.9 Million People - $129 http://www.broadcastemailing.com

ggsbwmzsdg hpb duqicsj {coded message, or random words to confuse a Beysian filter?}qtsaxym ae zizssn vstqcjbfmmgyogkpkn h nxw

12

# nslookup 22.239.60.151 [IP address from “Rcvd:” header]

*** eeserv.ee.gatech.edu can't find 22.239.60.151: Non-existent host/domain

[from www.geektools.com]Final results for 22.239.201.237 obtained from whois.arin.net.

OrgName: DoD Network Information Center [false email source address]OrgID: DNICAddress: 7990 Science Applications CtAddress: M/S CV 50City: ViennaStateProv: VA-------------------------------------------------------------------------# nslookup www.broadcastemailing.com [from content]

Name: www.broadcastemailing.comAddress: 202.63.201.237inetnum: 202.63.192.0 - 202.63.223.255 [actual Web location]descr: CubeXS Private Limiteddescr: Internet Service Providerdescr: Data Entrydescr: Software Housedescr: 310-311 Kassam Courtdescr: B.C. 9, Block 5, Cliftondescr: Karachi, Pakistan

13

From: "Citibank Support" <Citibank.message@emailmessage.citibank.com>To: "Jacom" <jacom@mindspring.com>Subject: ATTN: Security Update from Citibank MsgID# 92309245Date: Wed, 22 Sep 2004 03:10:44 +0100

CITIBANK(R) “Phishing”

Dear Citibank Customer:

Recently there have been a large number computer terrorist attacks over our database server. In order to safeguard your account, we require that you update your Citibank ATM/Debit card PIN.This update is requested of you as a precautionary measure against fraud. Please note that we have no particular indications that your details have been compromised in any way.This process is mandatory, and if not completed within the nearest time your account may be subject to temporary suspension.

Please make sure you have your Citibank ATM/Debit card and your login details at hand.To securely update your Citibank ATM/Debit card PIN please go to:

Customer Verification Form [Note: the actual link is to: <http://219.138.133.5/verification/>]

Please note that this update applies to your Citibank ATM/Debit card - which is linked directly to your checking account, not Citibank credit cards.

Regards,Customer Support MsgID# 92309245

(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B.,Citibank (West), FSB. Member FDIC.Citibank and ArcDesign is a registered service mark of Citicorp.

Look at Page Source Code - check links: (note directory named “scam”)

<td height="66"> <p><img src="citi44a.gif" width="61" height="44"> <img src="file:///F|/scam/scripts2/scripts/w4_0.gif" width="80" height="25"><img src="file:///F|/scam/scripts2/scripts/m4_1.gif" width="77" height="25”<p><font color="#0000CC"><b><font size="2" color="#000099">HOME | ACCOUNTS | PAYMENTS &amp; TRANSFERS | INVESTMENTS | ACCOUNT SERVICING</font></b></font> </p></td>

Note the lack of the “Padlock” symbol. HTTPS (TLS) is not being used because they have no X509 certificate.

whois.apnic.net.Results:% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 219.138.0.0 - 219.140.255.255netname: CHINANET-HBdescr: CHINANET hubei province networkdescr: China Telecomdescr: A12,Xin-Jie-Kou-Wai Streetdescr: Beijing 100088country: CNadmin-c: CH93-APtech-c: CHA1-APmnt-by: MAINT-CHINANETmnt-lower: MAINT-CN-CHINANET-HBchanged: hostmaster@ns.chinanet.cn.net 20020521status: ALLOCATED NON-PORTABLEsource: APNIC

role: CHINANET HB ADMINaddress: 8th floor of JinGuang Buildingaddress: #232 of Macao Roadaddress: HanKou Wuhan Hubei Provinceaddress: P.R.Chinacountry: CNphone: +86 27 82862199fax-no: +86 27 82861499e-mail: ip_admin_hb@public.wh.hb.cntrouble: send spam reports to spam_hb@public.wh.hb.cntrouble: and abuse reports to abuse_hb@public.wh.hb.cntrouble: Please include detailed information andtrouble: times in GMT+8

Date: Wed, 22 Sep 2004 15:01:44 +0000To: jacopeland3@mindspring.comFrom: "Lillie Haywood" <lillie_haywood_to@bitsoft.ru>Subject: Better than Norton, and Symantec for spyware z5X-ELNK-AV: 0

dodd compriest stiffing thwacks. designer azyme glebous outgrowths unconsonant unsoluble dyscrasic. phylactery docking javeline uncommandedness palmitinic checkrowed findal teretial. misshaped diabolarch aprication marsupia parallelotropism.

Clicking on the “Scan” button (or anywhere in the image) takes you to: <http://TNIKHMCYV.adwarebde.com/?id=02025><img src="http://www.adwarebde.com/m2.gif">

Notice that the serial code “02025” or system “TNIKHMCY” could be codes which may validate your IP address. The random words in the text are to get past a Basian spam filter. They could not actually “scan” my Macintosh computer, which has no spyware.

Received: from capitalgroup.ru ([221.192.242.56])

whois.apnic.net. [ results from www.geektools.com 61.240.131.217 ]Results:% [whois.apnic.net node-2]% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html inetnum: 61.240.0.0 - 61.243.255.255netname: UNICOMdescr: China United Telecommunications Corporationdescr: Beijing Railway Station East Avenuecountry: CNmnt-lower: MAINT-CN-CNNIC-UNICOMchanged: hostmaster@apnic.net 20010817changed: ipas@cnnic.net.cn 20010828status: ALLOCATED PORTABLEsource: APNIC person: RenYong Xuaddress: 911 Room,Xin Tong Center,No.8address: Beijing Railway Station East Avenue,address: Beijing,PRC.country: CNphone: +86-10-6527-8866fax-no: +86-10-6526-0124e-mail: ip_address@cnuninet.com

% nslookup -sil www.ad-eliminator.com

Name: www.ad-eliminator.comAddress: 61.240.131.217

earthlink.com gatech.edu aol.com

MSMS orsender

MS

MS = Mail Server

receiver

Email Relaying (should be prohibited)

19

earthlink.com gatech.edu aol.com

MS

sender

MSreceiver

Allowed Email Forwarding

receiver

senderMS

Data Compression (as in V.21bis modems)

“the_thin_thinker”

20

t - 84 h - 104

th - 256

e - 101 _ - 32

he - 257 e_ - 258 _t - 259

“84, 104, 101, 32, 256, 105,110, 259, 104, 261 . . .”

thi - 260

i - 105

in - 261

n - 110

n_ - 262

_th - 263

hi- 264

ink - 265

Dictionary has 4096 entries (12-bit tokens).

Entries 0 to 255 represent a single byte (permanent).

Other entries are filled after a string match: = string plus first unmatched character.

Message is encoded (compressed) by sending 12-bit tokens represent multiple bytes.

Note that tokens 256, 259, and 261 below represent 2 bytes (16 bits) by a 12-bit token.

In fact, of the targeted attacks Symantec detected in the last sixmonths, the majority were against e-commerce companies, including financial institutions. Small business received the second highest number of attacks.

"We're no longer talking strictly about the male teenager with thelow moral compass, or the hactivist, who defaces sites or usesmalicious code or worms against those on one side in a politicalconflict," said Vincent Weaver, senior director of Symantec Security Response. "These people are targeting e-commerce, and they are often backed by organized crime.”

The average time period between the disclosure of a vulnerability and its first exploit by hackers collapsed from several weeks in past reports to less than six days in the first half of 2004.

Security Wire Perspectives, Sept 20, 2004