Electronic Mail Security

thirumalaidevi ramya
Jun 1, 2020

Hi all, this article is written as a part of my coursework in CP5085-Principles of Cryptography.

Of the many email security protocols available, we are going to deal with PGP and S/MIME. I assume that readers of this article are familiar with basic cryptographic terms. Let me start with PGP 😃

Motivation Towards PGP: PGP is an acronym for Pretty Good Privacy. Phil Zimmermann created it to transfer information securely over the internet. In short, PGP provides a framework to exchange data securely among peers, and it guarantees the authenticity and integrity of the message.

How is it achieved?
1) Phil used the best available cryptographic algorithms as building blocks.
2) Integrated the algorithms, and they are independent of the operating system.
3) Phil used RSA and Diffie-Hellman for public key encryption, 3-DES for symmetric key encryption, and SHA-1 for hash coding.

PGP is owned by Symantec, but OpenPGP, an email encryption standard, is implemented by multiple software packages.

PGP provides four services:
1. Authentication
2. Confidentiality
3. Compression
4. Email compatibility

Assume two friends, Vikram and Vedha. Vikram wants to send a secret message to Vedha. The diagrammatic representation below explains the scenario.

VIKRAM SENDS MESSAGE TO VEDHA

This is what usually happens. But what if the keys are known to the adversary, or if the message is altered? To avoid all this, PGP uses certain mechanisms: hashing, data compression, and symmetric/asymmetric cryptography.

AUTHENTICATION ONLY: ENCRYPTION

The hash of the message is generated using the SHA-1 algorithm, and that hash is encrypted using the RSA algorithm. The message (plain text) and the hash are concatenated and compressed using the Zip algorithm. To learn more about the algorithm used in standard Zip, refer to this.

AUTHENTICATION ONLY: DECRYPTION

Decryption is done by extracting the compressed message. If the hash values are the same, then the message is accepted and said to be secure.

AUTHENTICATION & CONFIDENTIALITY: ENCRYPTION PHASE

To provide authentication & confidentiality, session keys are used for encryption. The message is encrypted using the CAST-128 algorithm, and the session keys are encrypted by the RSA algorithm using Vedha’s (receiver's) public key. Instead of the RSA algorithm, we can also use the Diffie-Hellman algorithm.

Similarly, decryption in the Authentication & Confidentiality service is done as shown in the decryption phase of the Authentication only service.

To provide integrity, create a digital signature using the Digital Signature Standard (DSS).

AUTHENTICATION & INTEGRITY

Compression: It is done to make cryptanalysis (the art or process of deciphering coded messages without being told the key) more difficult. It also has the benefit of reducing storage space and improving performance.

Email compatibility: As a result of the services provided by PGP, the resulting block consists of a stream of 8-bit octets. Many email systems support only the ASCII format, so Radix-64 conversion is used to achieve this format.
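The authentication-only flow and the Radix-64 step described above, as an added example that is not part of the original article: Vikram hashes, signs, compresses and encodes, and Vedha reverses the steps and compares the hash values. It assumes the hash is encrypted with Vikram's private key and recovered with his public key (standard RSA signing); the toy key, function names and sample message are constructed for illustration.

```python
import base64
import hashlib
import zlib

# Constructed toy key: two Mersenne primes, textbook RSA with no padding.
# It only stands in for Vikram's key pair; never use such a key for real mail.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
SIG_LEN = (N.bit_length() + 7) // 8    # fixed width of the encrypted hash


def pgp_auth_send(message: bytes) -> bytes:
    """Vikram: SHA-1 -> RSA on the hash -> concatenate -> compress -> Radix-64."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    enc_hash = pow(digest, D, N).to_bytes(SIG_LEN, "big")  # private-key operation
    # zlib's DEFLATE stands in for the Zip step; base64 gives the Radix-64
    # encoding (real PGP armor also adds header lines and a checksum).
    return base64.b64encode(zlib.compress(enc_hash + message))


def pgp_auth_receive(armored: bytes) -> bytes:
    """Vedha: undo Radix-64 and compression, then compare the two hash values."""
    try:
        blob = zlib.decompress(base64.b64decode(armored, validate=True))
    except (ValueError, zlib.error) as exc:
        raise ValueError("malformed message") from exc
    if len(blob) < SIG_LEN:
        raise ValueError("malformed message")
    enc_hash, message = blob[:SIG_LEN], blob[SIG_LEN:]
    recovered = pow(int.from_bytes(enc_hash, "big"), E, N)  # public-key operation
    expected = int.from_bytes(hashlib.sha1(message).digest(), "big")
    if recovered != expected:
        raise ValueError("hash mismatch: message rejected")
    return message


if __name__ == "__main__":
    armored = pgp_auth_send(b"Meet me at the library at 5")  # constructed sample
    print(armored[:60], b"...")
    print(pgp_auth_receive(armored))
    # Flip one bit of the plain text inside the compressed block and re-encode.
    blob = bytearray(zlib.decompress(base64.b64decode(armored)))
    blob[-1] ^= 0x01
    try:
        pgp_auth_receive(base64.b64encode(zlib.compress(bytes(blob))))
    except ValueError as err:
        print("rejected:", err)
```

The armored output is plain ASCII, so it survives mail systems that cannot carry 8-bit octets, and any change to the plain text after signing makes the receiver's hash comparison fail.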

Use of trust: If the person who adds a new public key to the public key ring is the owner of the key, and the public key also appears in the private key ring, then ultimate trust is provided.
If not, an unknown user value is provided.

Note: Take a look at key rings before you stare at use of trust 👍

To learn more about the keys used in PGP, refer to this article. Thank you all for your time and patience 😉
