1. 1 Lecture 19: PEM and S/MIME history PEM –establishing keys –public key hierarchy –message structure –message headers –encryption and integrity protection modes S/MIME

2. 2 PEM & S/MIME Privacy Enhanced Mail (PEM) –Developed by IETF, to add encryption, source authentication & integrity protection to e-mail –Allows both public & secret long-term keys Message key is always symmetric –Specifies a detailed certification hierarchy Secure/MIME (S/MIME) –PEM never took off; CA hierarchy difficult to realize –S/MIME: PEM design incorporated into MIME

3. 3 Establishing Keys interchange key – long term key used for connection –secret key crypto (never used) – Alice and Bob’s shared key the key has to be exchanged out-of-band –public key crypto – Alice and Bob’s public keys, look up each others certificates in directory (never used) include cert chains in the message –needs public key hierarchy

4. 4 PEM Certificate Hierarchy The root CA: “Internet Policy Registration Authority” (IPRA) “Policy Certification Authorities”: Second-level, CA-certifying CAs, each with a different policy: –High Assurance (HA): very-secure implemented on secure platforms regulates that the child CAs (also HACAs) enforce the same rules –Discretionary Assurance (DA): secure requires that the child CAs own their names –No Assurance (NA): no constraints can be used to certify Internet personas (pseudonyms) Lower-level CAs, certifying individuals or other CAs

5. 5 Structure of PEM Messages whole or part of the message can be protected protected part specified as -----BEGIN PRIVACY-ENHANCED MESSAGE-----... -----END PRIVACY-ENHANCED MESSAGE----- different types of data: –ordinary, unsecured –integrity-protected, unmodified (MIC-CLEAR) –integrity-protected, encoded (MIC-ONLY) –encrypted, integrity-protected, encoded (ENCRYPTED)

6. 6 PEM Headers Marker: -----BEGIN PRIVACY-ENHANCED MESSAGE----- PEM header, inc. protection type (MIC-CLEAR etc.) IV for DES-CBC (for ENCRYPTED only) Chain of certificates, from sender to IPRA MIC Encrypted message key (for ENCRYPTED only) Message Marker: -----END PRIVACY-ENHANCED MESSAGE-----

7. 7 Encryption & Integrity Protection Modes Encryption: Typically DES in CBC mode Integrity Protection (Message Authentication): MIC: MD2 or MD5 of the message (previously included DES CBC-MAC) signed by sender’s private key encrypted if the message is encrypted (against guessable plaintext attack) message header not protected (problematic) –solution: include header info in the text

8. 8 CBC-MAC Problem Fact: For a given MAC value x, and any key value k, it is possible to obtain a valid MAC for any message m (with one corrupt block) CBC-MAC k (m) = x Attacker Eve eavesdrops y = [CBC-MAC k (m)] A x = [y] A -1 Generates m’, k’ such that CBC-MAC k’ (m’) = x Sends m’, y, {k’} T to Ted (or anybody else) And many variations of the attack... Was CBC-MAC not secure?!

9. 9 S/MIME vs. PEM Incorporated into MIME; no other encoding Any sequence of sign & encrypt is supported (each as a recursive MIME encapsulation) Has more options than PEM ASN.1 header encoding No prescribed certification hierarchy Has a good prospect of deployment for commercial & organizational usage