Chapter 15Chapter 15Electronic Mail Security – Part I: PGP

Data & Network Security

Spring 2006

Dr. Jalili

2

AgendaAgenda

In this session, we’ll study PGP. In the next session, other email security standards will be studied.

PGP History PGP Building Blocks Web of Trust PGP Key Management

3

New lords, new laws…New lords, new laws…

PGP (Pretty Good Privacy) was Phil R. Zimmermann’s (PRZ) answer to the US government 1991 Senate Bill 266:

…force manufacturers of secure communications equipment to insert special "trap doors" in their products…

4

He that never climbed never fell…He that never climbed never fell…

PRZ gave PGP to some friends of his, and they gave it to their friends, and so on. Kelly Goen posted it on several BBS networks…

Somehow, PGP leaked outside the US. The USG began investigating PRZ for

alleged aiding with ITAR violation.

(ITAR: International Traffic in Arms Regulations)

5

The wind cannot be caught in a net…The wind cannot be caught in a net…

The USG investigation of Zimmermann went on for 5 years, but was eventually dropped: PRZ was not the one who uploaded PGP to

BBS’. People were nervous about their privacy.

6

Necessity knows no law…Necessity knows no law…

PGP was using RSA & IDEA encryption algorithms.

The company holding the RSA patent, RSA Security, Inc., alleged that PGP's use of the RSA algorithm infringed on its patent.

PRZ has the same problem with IDEA’s patent.

7

Feel PGP…Feel PGP…

8

Base64?Base64?

Described in RFC 3548, Base64 is a way of encoding any stream of bits into a set of alphanumeric characters (a-z, A-Z, 0-9 and two/three other characters).

Example:111100100011010001010110

8jRW Good for RFC 822 compliance, but

increases e-mail size by about 33%.

9

PGP ServicesPGP Services

Function Algorithm

Digital signature DSS/RSA with MD5/SHA

Message encryption CAST/IDEA/3DES with RSA/DH (ElGamal)

Compression ZIP

Email compatibility Base64

Segmentation & Reassembly

-

10

What makes PGP “pretty good”What makes PGP “pretty good”

1. The best available cryptographic algorithms as building blocks.

2. A general-purpose application that is independent of operating system and processor and that is based on a small set of easy-to-use commands.

3. Well-documented, free, open-source, widely available.

4. Good support, low-cost commercial versions available, too.

11

Digging a bit deeperDigging a bit deeper

PRZ’s art was not to use the best building blocks, but also to “glue” them in the best way.

Let’s see how sticky his glue was!

12

CompressionCompression

Compensates for 33% increase of Base64 encoding.

Statistical analysis shows that, on average, ZIP compression ratio is 50%.

Typical messages are shrunk by 66% (ZIP+Base64).

13

Compression (cont’d)Compression (cont’d)

Why sign before compression?1. People are likely to store uncompressed

messages;2. Re-compression not deterministic.

Why use compression before encryption?

1. To reduce encryption time;2. To remove redundancy, thus making

cryptanalysis harder. Bruce Schneier’s “Decryption Oracle”

14

Encryption ProcessEncryption Process

1. The sender generates a message and a random 128/168-bit number to be used as a session key for this message only. The random number generation is based on ANSI X12.17.

2. The message is encrypted, using CAST-128 (or IDEA or 3DES) with the session key. Encryption is done in 64-bit CFB (Cipher Feedback) mode.

15

Encryption Process (cont’d)Encryption Process (cont’d)

3. The session key is encrypted with RSA/ElGamal, using the recipient's public key, and is appended to the message.

4. The receiver uses RSA/ElGamal with its private key to decrypt and recover the session key.

5. The session key is used to decrypt the message.

16

Types of KeysTypes of Keys

How many keys are used in PGP?1. one-time session conventional keys;

2. public keys;

3. private keys;

4. passphrase-based conventional keys (more on this later).

17

Key RequirementsKey Requirements

1. A means of generating unpredictable session key.

2. A user must be allowed to have multiple public-key/private-key pairs.

Why?

3. Each PGP entity must maintain a file of its own public/private key pairs as well as a file of public keys of correspondents.

18

Session KeysSession Keys

One-to-one relationship between messages & session keys.

Session keys are random numbers seeded with user’s keystrokes.

Both keystroke timing & the actual keys struck are used.

The conventional algorithm itself is used to derive the random number from input.

19

A PGP messageA PGP message

Differs from that of the book.

20

Key RingsKey Rings

Key management has received a large amount of attention in PGP as it is the Achilles heel of all security systems.

PGP provides two types of data structures for key management called Key Ring: Public Key Ring, and Private Key Ring.

21

Private Key RingPrivate Key Ring

Passphrase is used here

Must be unique

Usually email

address

22

Public Key RingPublic Key Ring

TrustTrust

23

Public Key Management: TrustPublic Key Management: Trust

The most important issue in public-key systems is how to distribute public keys, preventing man-in-the-middle / masquerade attacks.

This issue becomes a real pain in the neck when the parties don’t know each other, and don’t have physical access to each other.

Traditional approach: Using CAs.

24

Trust (cont’d)Trust (cont’d)

PRZ didn’t believe in the USG, so he didn’t trust in the USG’s agents (CAs) either.

He introduced a new, government-agnostic approach, called Web of Trust.

While, IMHO, WoT is the most elegant feature of PGP today, it’s also the source of every sin!

25

Trust (cont’d)Trust (cont’d)

To better understand the WoT, think you are lost in a small city, and want to find somewhere. Note that not all people can be trusted, and you’ll be in danger if you choose the wrong path

As a starting point, suppose you know a few people in the city, each of which knows a few of other citizens, but isn’t informative enough by his own to give you some hints.

26

Trust (cont’d)Trust (cont’d)

27

Trust (cont’d)Trust (cont’d)

A Trust model consists of two parts:1. A set of rule, e.g. :

I will trust everyone’s signature! I will trust everyone trusted by two distinct

persons already trusted by me.

2. A set of information: Ali, Mohsen, and Reza are trusted by me; Mohsen trusts Hassan; Ali & Reza both trust Hossein.

28

PGP Trust ModelPGP Trust Model

Each entry in the public-key ring is a public key certificate.

Associated with each entry are zero or more signatures that the key ring owner has collected that sign this certificate.

In turn, each signature has associated with it a signature trust field that indicates the degree to which this PGP user trusts the signer to certify public keys.

29

PGP Trust Model (cont’d)PGP Trust Model (cont’d)

An owner trust field indicates the degree to which this public key is trusted to sign other public-key certificates; this level of trust is assigned by the user.

The signature trust can be thought of the cached copy of this field.

30

PGP Trust Model (cont’d)PGP Trust Model (cont’d)

The key legitimacy field indicates the extent to which PGP will trust that this is a valid public key for this user; the higher the level of trust, the stronger is the binding of this user ID to this key. This field is computed by PGP.

The key legitimacy field is derived from the collection of signature trust fields in the entry.

31

Fields & ValuesFields & Values

32

Revoking Public KeysRevoking Public Keys

A user may wish to revoke his or her current public key either because compromise is suspected or simply to avoid the use of the same key for an extended period.

The convention for revoking a public key is for the owner to issue a key revocation certificate, signed by the owner.

Any Problem with this approach?

33

If privacy is outlawed, only outlaws will If privacy is outlawed, only outlaws will have privacy.have privacy. ---Phil Zimmermann---Phil Zimmermann