No one can deny the fact that emails service is one of the world’s largest services used on the internet. If we roughly estimate the number of email addresses in the world, we may cross 1 billion. There is no denying of the fact that email facility is one of the cheapest and reliable means of communication. It is due to that everyone uses email services around the world. But with the wide spread increase in the use of email service, some risks are also evolving over the period of time. It is important for all email users to know about the basics of email security so that no one could harm to their email account. Computer scientists have developed many mechanisms to keep email users free from any harm. But this article focuses on the two famous and secure schemes to make email service secure.
Pretty Good Privacy (PGP): It is also used as abbreviation PGP. As its name suggests it is one of the most secure security scheme for electronic mail. Another distinct feature of this scheme is that it is open source or freely available for all. This remarkable technique was introduced by Phil Zimmermann. This technique provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. Following lines intend to explain this technique,
- Phil Zimmermann has used a secure cryptographic algorithm as a tool
- Then he developed an application using the combination of these algorithms
- This application is free from operating system and processor
- This application is based on small and easy to use set of commands
- He and Viacrypt (now Network Associates) entered into an agreement to provide fully compatible and low cost version of the PGP
Right after its launch in 1991, it has grown explosively. In this part we are going to discuss the reason behind the viral growth of PGP. Following are some main rationales behind the great success of Pretty Good Privacy, followed by some detailed features of PGP.
- PGP is an open source application freely available worldwide in different versions that support Window, UNIX, Macintosh and many more. They also provide vendor support to commercially available version users.
- It is based on an algorithm that is highly secure. It includes RSA, DSS, Diffie-Hellman for public key encryption; CAST-128, IDEA, and 3DES for symmetric encryption; and SHA-1 for hash coding.
- It provides security solutions to a wide range of people. Be a corporation or an individual, it is useful for all and helps people share data safely to the indented recipients.
- Another feature that makes attractive is the reason it is not managed by a governmental or standardization organization. This is so because some people like to avoid the applications controlled by establishments.
- PGP is now on an Internet Standard Track (RFC 3156). Nevertheless, PGP still has an aura of an antiestablishment endeavor.
Operational Description: the actual operation of PGP, as against the management of key, consists of five services: Authentication, Confidentiality, Compression, e-mail compatibility and segmentation.
- Authentication: Authentication is the main feature of PGP For authentication, digital signature scheme is used when sender creates a message and by applying SHA-1 a 160-bit hash code is generated. Then hash code is encrypted using RSA using the sender’s private key. Then receiver uses RSA using the sender’s public key to decrypt and recover the hash code. Then receiver generates a new hash code for the message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic.
- Confidentiality: Confidentiality is provided by encrypting messages to be transmitted or to be stored locally as file. In both case symmetric encryption algorithm CAST-128 may be used.
- Authentication and Confidentiality: It is possible to use authentication and confidentiality at the same time. In this case, first a signature is generated for the plain text message and attached to the message. Then the plain text and signature is subjected to encryption using CAST-128, and the session key is encrypted using RSA (ElGamal).
- Compression: PGP technique applies encryption to message after applying signature and before applying encryption.
- E-mail Compatibility: When PGP is used, at least part of the block to be transmitted is encrypted with the sender’s private key. If the confidentiality service is used, the message plus signature are encrypted with one time symmetric key.
Segmentation and Reassembly: E-mail facilities often are restricted to a maximum message length. For example, many of the facilities accessible through the internet impose a maximum length of 50,000 octets. Any message longer than that must be broken into smaller segments and each of which is mailed separately.
Secure/Multipurpose Internet Mail Extension (S/MIME): S/MIME is a security enhancement to the MIME (Multipurpose Internet Mail Extension) Internet e-mail format standard based on technology from RSA Data Security. Although both, S/MIME and PGP are on IETF standard track but it is apparent that S/MIME is emerging as industry standard for industry and organizational use, while PGP is prevalent in personal use. S/MIME is defined in a number of documents, most importantly RFCs 3369, 3370, 3850 and 3851. S/MIME is based on MIME and MIME is based on traditional e-mail format, RFC 822, which still in common use. So now we are going to start from RFC 822.
RFC 822: RFC 822 is an e-mail format standard that defines the format of a standard e-mail. It is widely used as internet-based text mail message. In RFC 822 e-mail format, the message is divided into two parts. One part of message is called ‘Header’, which consists of five lines, and the other part of the message is called ‘Body’. Please see a typical RFC 822 e-mail message specimen below,
Header Date: Mon, 16th February 2015 1:30 (EST)
Subject: The Syntax in RFC 822
Body Hello! This section begins the actual message body, which is delimited from the message heading by a blank line.
Multipurpose Internet Mail Extension (MIME): MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP (Simple Mail Transfer Protocol) or some other mail transfer protocol and RFC 822 for the electronic mail. There many limitations in SMTP/822 scheme. MIME is intended to resolve these problems in a manner that is compatible with RFC 822 implementations. The five header fields of MIME are as follows.
- MIME Version
- Content Transfer-Encoding
- Content ID
Overview of Multipurpose Internet Mail Extension (MIME): The five header fields defined in MIME are listed below,
- Plain and Enriched
- Mixed, Parallel, Alternative, Digest
- RFC 822, Partial and External-body
- Jpeg, gif
- PostScript, Octet-stream
S/MIME Functionality: As far as functionality is concerned, S/MIME is very much similar to PGP. S/MIME and PGP both provide the ability to sign and/or encrypt messages. S/MIME provides the following functions,
- Enveloped Data:
- Signed Data:
- Clear-Signed Data:
- Signed and Enveloped Data:
S/MIME Messages: S/MIME makes use of a number of new MIME content types. All of the new application types use the designation PKCS. This refers to a set of public-key cryptography specifications issued by RSA Laboratories and made available for the S/MIME effort,
- Securing a MIME Entity
- Enveloped Data
- Signed Data
- Clear Signing
- Registration Request
- S/MIME Certification Processing
- User Agent Roles
- Key Generation
- Certificate Storage and Retrieval
- User Agent Roles
VeriSign Certificates: There are many companies in the world that are providing certification authority (CA) services. For example, an enterprise CA solution designed by Nortel provides S/MIME support to an organization. Like this, there are number of internet-based CAs. The list includes, VeriSign (purchased by Symantec), Comodo SSL, Go Daddy, and the GlobalSign. Nowadays, these companies provide digital certificates.
Enhanced Security Services: In addition to certification authorization, enhanced security services are designed to make internet communication stronger. There are many types of enhanced security services but we are going to discuss the following three services,
- Signed Receipts: A signed receipt may be requested in a SignedData object. Returning a signed receipt provides proof of delivery to the originator of a message and allows the originator to demonstrate to a third party that the recipient received the message. In essence, the recipient signs the entire original message plus original (sender’s) signature and appends the new signature to form a new S/MIME message.
- Security Labels: We can also attach a security label to authenticated attributes of a SignedData object. A security label is a set of security information regarding the sensitivity of the content that is protected by S/MIME encapsulation. The label may be used for access control, by indicating which users are permitted access to an object.
Secure Mailing Lists: When a user sends a message to multiple recipients, a certain per-recipient processing is required, including the use of each recipient’s public key. The user can be relieved of this work by employing the services of an S/MIME Mail List Agent (MLA). An MLA can take a single incoming message, perform the recipient-specific encryption for each recipient and forward the message