18-02-2012, 03:31 PM
Electronic Mail Security
Email Security
email is one of the most widely used and regarded network services
currently message contents are not secure
may be inspected either in transit
or by suitably privileged users on destination system
Email Security Enhancements
confidentiality
protection from disclosure
authentication
of sender of message
message integrity
protection from modification
non-repudiation of origin
protection from denial by sender
Pretty Good Privacy (PGP)
Open source, freely available software package for secure e-mail
de facto standard for secure email
developed by Phil Zimmermann
selected best available crypto algs to use
Runs on a variety of platforms like Unix, PC, Macintosh and other systems
originally free (now also have commercial versions available)
PGP Operation – Authentication
sender creates message
Generates a digital signature for the message
use SHA-1 to generate 160-bit hash of message
signed hash with RSA using sender's private key, and is attached to message
receiver uses RSA with sender's public key to decrypt and recover hash code
receiver verifies received message using hash of it and compares with decrypted hash code
PGP Operation – Confidentiality
sender generates a message and encrypts it.
Generates a128-bit random number as session key
Encrypts the message using CAST-128 / IDEA / 3DES in CBC mode with session key
session key encrypted using RSA with recipient's public key and attached to the msg
receiver uses RSA with private key to decrypt and recover session key
session key is used to decrypt message
PGP Operation – Confidentiality & Authentication
can use both services on the same message
create signature & attach it to the message
encrypt both message & signature
attach RSA/ElGamal encrypted session key
This sequence is preferred because
--one can store the plaintext message/file and its signature
--no need to decrypt the message/file again and again