Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office: Klaus 3362 .

Presentation transcript:

Prof. John A. Copeland
Chapter 5b - Secure/Multipurpose Internet Mail Extensions (S/MIME), 2/5/14

Simple Mail Transfer Protocol (SMTP, RFC 822)

SMTP Limitations - Cannot transmit, or has a problem with:
- executable files, or other binary files (jpeg image)
- "national language" characters (non-ASCII)
- messages over a certain size
- ASCII to EBCDIC translation problems
- lines longer than a certain length (72 to 254 characters)

MIME Defined Five New Headers
- MIME-Version. Must be "1.0" -> RFC 2045, RFC 2046
- Content-Type. More types being added by developers (application/word)
- Content-Transfer-Encoding. How message has been encoded (radix-64)
- Content-ID. Unique identifying character string.
- Content-Description. Needed when content is not readable text.

Canonical Form: Standard format for use between systems (not a "native" format – e.g., JPG).
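The limitations and headers listed above can be seen together in one message. This is an added example, not part of the original slides; it uses Python's standard `email` package, and the addresses, file name, text and attachment bytes are constructed sample values.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample input: non-ASCII text and arbitrary binary data.
TEXT = "Grüße from the lab: 你好"
BLOB = bytes(range(256)) * 4

def build_mime(text: str, blob: bytes) -> bytes:
    """Return the bytes that would be sent after the SMTP DATA command."""
    msg = EmailMessage(policy=policy.SMTP)           # CRLF endings, 78-char lines
    msg["From"] = "bob@example.org"                  # placeholder addresses
    msg["To"] = "alice@example.net"
    msg["Subject"] = "MIME demo"
    msg.set_content(text, cte="quoted-printable")    # adds MIME-Version, Content-Type
    msg.add_attachment(
        blob, maintype="image", subtype="jpeg", filename="pic.jpg",
        cid="<part1@example.org>",
        headers=["Content-Description: constructed sample image"],
    )                                                # bytes default to base64 (radix-64)
    return msg.as_bytes()

def transport_report(wire: bytes) -> dict:
    """Check the two properties plain SMTP needs: 7-bit bytes and short lines."""
    return {
        "seven_bit": all(b < 128 for b in wire),
        "max_line": max(len(line) for line in wire.splitlines()),
    }

def mime_view(wire: bytes) -> dict:
    """Parse the wire form back and list the MIME headers of every part."""
    msg = BytesParser(policy=policy.SMTP).parsebytes(wire)
    fields = ("Content-Transfer-Encoding", "Content-ID", "Content-Description")
    parts = [
        (p.get_content_type(), *(str(p[f]) if p[f] else None for f in fields))
        for p in msg.walk()
    ]
    attachment = next(msg.iter_attachments()).get_content()
    return {"version": str(msg["MIME-Version"]), "parts": parts, "blob": attachment}

if __name__ == "__main__":
    wire = build_mime(TEXT, BLOB)
    print(transport_report(wire))
    for part in mime_view(wire)["parts"]:
        print(part)
```

The receiving side recovers the original bytes exactly, which is the point of the transfer encoding: the content is made safe for a 7-bit, line-limited transport and restored at the other end.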

S/MIME - User Agent Role

S/MIME uses Public-Key Certificates - X.509 version 3 signed by Certification Authority

Functions:
- Key Generation - Diffie-Hellman, DSS, and RSA key-pairs.
- Registration - Public keys must be registered with X.509 CA. (Thawte (sub. of VeriSign), CAcert, ... offer free registration)
- Certificate Storage - Local (as in browser application) for different services.
- Signed and Enveloped Data: Various orderings for encrypting and signing.

Example: Verisign
- Class-1: Buyer's address confirmed by e-mailing vital info.
- Class-2: Postal address is confirmed as well, and data checked against directories.
- Class-3: Buyer must appear in person, or send notarized documents.

S/MIME History

S/MIME was originally developed by RSA Data Security Inc. The original specification used the recently developed IETF MIME specification with the de facto industry standard PKCS #7 secure message format. Change control to S/MIME has since been vested in the IETF and the specification is now layered on Cryptographic Message Syntax, an IETF specification similar to PKCS #7. (from Wikipedia, 2/16/13)

Today, S/MIME adds the use of S/MIME to PGP. PGP is a standard, GnuPG are open programs that implement PGP

S/MIME Certificates

Before S/MIME can be used in any of the above applications, one must obtain and install an individual key/certificate either from one's in-house certificate authority (CA) or from a public CA such as one of those listed below. Encryption requires having the destination party's certificate on store (which is typically automatic upon receiving a message from the party with a valid signing certificate). While it is technically possible to send a message encrypted (using the destination party certificate) without having one's own certificate to digitally sign, in practice, the S/MIME clients will require you to install your own certificate before they allow encrypting to others. (from Wikipedia, 2/16/09)

General Problems

SMTP Headers
- Can be used to check routing, but not reliable (spoofing, NAT, ...)
- Can reveal your IP address, mail server to recipients

Content Poisons:
- Attachments that are executable files (viruses, Worms, Back Doors, ...)
- HTML encoded mail has all the threats of an untrusted Web site
- Links can execute code
- FTP links can give away your address, if used as password
- Hidden keys can identify the address of the message, ID of recipient

Spammers use unwitting mail servers for exploding and relaying, hiding their identity
- This requires "Relaying Prohibited," makes sending harder from the road

[Figure: two diagrams, "Relaying (should be prohibited*)" and "Allowed Forwarding", each showing a sender, a receiver and mail servers (MS) across an IP on earthlink.com, gatech.edu and aol.com.]

MS = Mail Server (e.g., mail.gatech.edu)
*Unless user authenticates through TLS.

Bob logs on to the Internet from home, and is assigned an IP address in the Earthlink domain. Bob then sends mail to smtp.gatech.edu for alice.aol.com
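The relaying rule in the figure, written as the check a mail server could apply to each RCPT TO. This is an added sketch, not code from the slides or from any particular mail server; the address ranges, mailbox names and reply texts are constructed assumptions, with 192.0.2.0/24 standing in for a campus VPN pool and 198.51.100.7 for Bob's home address.

```python
import ipaddress

# Assumptions for this sketch (not taken from the slides): documentation
# prefixes stand in for real address space.
LOCAL_DOMAINS = ("gatech.edu",)                          # domains this MS delivers for
TRUSTED_NETS = (ipaddress.ip_network("192.0.2.0/24"),)   # constructed VPN range

def is_local(domain: str) -> bool:
    """True for gatech.edu and its subdomains, not for look-alike suffixes."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)

def relay_decision(client_ip: str, rcpt_to: str, authenticated: bool = False):
    """Return (SMTP reply code, reason) for one RCPT TO command."""
    local_part, sep, domain = rcpt_to.strip("<>").rpartition("@")
    if not sep or not local_part or not domain:
        return 501, "malformed recipient"
    if is_local(domain):
        return 250, "local recipient (forwarding allowed)"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return 550, "relaying denied (unparseable client address)"
    if any(ip in net for net in TRUSTED_NETS):
        return 250, "relay for trusted network (VPN)"
    if authenticated:
        return 250, "relay for authenticated user"
    return 550, "relaying denied"

# Constructed sessions: (client IP, RCPT TO, authenticated through TLS?)
SESSIONS = [
    ("198.51.100.7", "alice@aol.com", False),     # Bob from home: relaying
    ("198.51.100.7", "alice@aol.com", True),      # Bob after authenticating
    ("198.51.100.7", "carol@gatech.edu", False),  # outside sender, local receiver
    ("192.0.2.21", "alice@aol.com", False),       # client on the VPN range
    ("198.51.100.7", "x@gatech.edu.evil.example", False),  # look-alike domain
]

if __name__ == "__main__":
    for session in SESSIONS:
        print(session, "->", relay_decision(*session))
```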

>> YOU TYPE THIS. [COMMENTS]
<< WAIT FOR THIS REPLY FROM THE SMTP SERVER

>> HELO c hsd1.ga.comcast.net [must be actual DNS name of host being used]
<< 220 mail.ece.gatech.edu ESMTP Sendmail /8.13.4; Wed, 28 Sep :34: (EDT)
<< 250 mail.ece.gatech.edu Hello ecevpn-021.ece-int.gatech.edu [ ], pleased to meet you
>> MAIL FROM: [must be an actual user on this server]
<< Sender ok
>> RCPT TO: [must not violate any anti-relay rule]
<< Recipient ok [this would be relaying, except for VPN]
>> DATA
<< 354 Enter mail, end with "." on a line by itself
>> 'hw1/hw1. graded on * * Sep 28, :49,’
>> 'Name on HW return: smith,_john'
>> 'Date & Time submitted: Wed, 28 Sep :45: (EDT)'
>> '- (at line 2) : Break the following ciphertext:'
>> ' #1'
>> '1 ok2 /N=N/ : [n] - Which cipher character'
>> '2 ok2 /THIS_CODE_IS_W=THIS_CODE_IS_W/ : [this_code_is_w] - type in the'
>> 'No. Graded = 10, Average Grade = 92'
>> . [single period ends message text]
<< j8SLYiLA Message accepted for delivery
>> QUIT

sent with: > telnet mail.ece.gatech.edu 25

Today, all mail servers at GT require TLS authentication.