32 Electronic Mail security-PGP

Learning Objectives

  • To introduce email security for designing a secure environment for electronic files.
  • To discuss the various PGP operations.
  • To protect electronic mail from unauthorized access and inspection.
  • To discuss PGP session keys and PGP key rings.

1. Introduction

Email is one of the most widely used and regarded network services. Currently, message contents are not secure: they may be inspected either in transit or by suitably privileged users on the destination system. Pretty Good Privacy (PGP) is an open-source, freely available software package for secure email and is the de facto standard for secure email. It was developed by Phil Zimmermann, who selected the best available cryptographic algorithms to use. It runs on a variety of platforms, including UNIX, PC, Macintosh and other systems, and was originally free.

1. Email Security Enhancements

Due to updated security enhancements, there is now more stringent security to enforce strong email passwords. The security enhancements add confidentiality (protection from disclosure), authentication of the sender of a message, message integrity (protection from modification), and non-repudiation of origin (protection from denial by the sender).

2. PGP Operation – Authentication

We all have information we want to keep private and protected, and we all need to communicate online. With PGP, you can add a very strong yet easy-to-use layer of security to your online communication. Asymmetric cryptography needs two separate keys: one that is private (used for decryption or digital signing) and one that is public (used to encrypt plaintext or verify a digital signature). It's not necessary to understand everything right away; you'll understand it better as you get more experience with everyday usage. However, we'll review some basic concepts of public-key cryptography so you can feel more comfortable when starting to use the tools available for your OS of choice.

PGP authentication works as follows:

  • The sender creates a message.
  • The sender uses SHA-1 to generate a 160-bit hash of the message.
  • The hash is signed with RSA using the sender's private key, and the result is attached to the message.
  • The receiver uses RSA with the sender's public key to decrypt and recover the hash code.
  • The receiver computes the hash of the received message and compares it with the decrypted hash code.

 

3. PGP Confidentiality

PGP provides confidentiality as follows:

  • The sender generates a message and a 128-bit random number to be used as the session key.
  • The message is encrypted using CAST-128 / IDEA / 3DES in CBC mode with the session key.
  • The session key is encrypted using RSA with the recipient's public key and attached to the message.
  • The receiver uses RSA with its private key to decrypt and recover the session key.
  • The session key is then used to decrypt the message.

Both services can be used on the same message: create the signature and attach it to the message, encrypt both the message and the signature, and attach the RSA- or ElGamal-encrypted session key.

This sequence is preferred because the plaintext message or file can be stored together with its signature, so it is not necessary to decrypt the message or file again and again.

4. PGP Compression and Compatibility

PGP compresses messages to save space for email transmission and storage. By default, PGP compresses the message after signing but before encrypting, so the uncompressed message and signature can be stored for later verification. Encrypting after compression strengthens security, because the compressed message has less redundancy. PGP uses the ZIP compression algorithm.

When PGP is used, there is binary data (8-bit octets) to send (the encrypted message, etc.). However, email was designed only for text, so PGP must encode the raw binary data into printable ASCII characters. It uses the radix-64 algorithm, which maps 3 bytes to 4 printable characters and also appends a CRC. PGP also segments messages if they are too big (maximum length 50,000 octets).
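The radix-64 step described above, as an added example that is not part of the original module: the message is compressed, encoded 3 bytes to 4 characters, and followed by a CRC-24 line, using the CRC constants from RFC 4880. It assumes Python's zlib as a stand-in for PGP's ZIP packet and omits the armor header lines and message segmentation.

```python
import base64
import zlib

CRC24_INIT = 0xB704CE   # initial value from RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB  # generator polynomial from RFC 4880, section 6.1

def crc24(data: bytes) -> int:
    """CRC-24 over the raw (pre-encoding) octets, as used by OpenPGP armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(message: bytes) -> str:
    """Compress, then radix-64 encode with a trailing '=' + CRC line."""
    packed = zlib.compress(message)  # assumption: zlib stands in for ZIP
    body = base64.b64encode(packed).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    checksum = base64.b64encode(crc24(packed).to_bytes(3, "big")).decode("ascii")
    return "\n".join(lines + ["=" + checksum])

def dearmor(text: str) -> bytes:
    """Reverse armor(); raise ValueError if the CRC does not match."""
    *body_lines, crc_line = text.strip().split("\n")
    if not crc_line.startswith("=") or len(crc_line) != 5:
        raise ValueError("missing CRC line")
    packed = base64.b64decode("".join(body_lines), validate=True)
    expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    if crc24(packed) != expected:
        raise ValueError("CRC-24 mismatch: armored data was corrupted")
    return zlib.decompress(packed)

if __name__ == "__main__":
    sample = b"Meet at the usual place at noon. " * 8  # constructed sample input
    text = armor(sample)
    print(text)
    print("round trip ok:", dearmor(text) == sample)
```

The CRC only catches accidental corruption in transit; it is unkeyed, so detecting deliberate modification is the job of the signature.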

 

5. Session Keys, Public Key and Private Key

A session key is needed for each message. Session keys come in various sizes: 56-bit DES, 128-bit CAST or IDEA, and 168-bit Triple DES. They are generated using random inputs taken from the actual keys hit and the keystroke timing of a user.

Since many public/private keys may be in use, there is a need to identify which one was actually used to encrypt the session key in a message. The full public key could be sent with every message, but this is inefficient. Instead, PGP uses a key identifier based on the key: the least significant 64 bits of the key, which will very likely be unique. The key ID is also used in signatures.

6. PGP Key Rings

Each PGP user has a pair of key rings. The public-key ring contains all the public keys of the other PGP users known to this user, indexed by key ID. The private-key ring contains the public/private key pairs for this user, also indexed by key ID, with the private keys encrypted using a key derived from a hashed passphrase. The security of the private keys thus depends on the security of the passphrase.
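The signing steps from section 2 combined with the key ID and public-key ring lookup described above, as an added example that is not part of the original module. It assumes textbook RSA without padding over constructed toy keys built from well-known primes, and takes the key ID as the low 64 bits of the RSA modulus; the names KEYS, PUBLIC_RING, sign and verify are illustrative.

```python
import hashlib

# Constructed toy keys from well-known primes: far too small and too
# structured for real use (their key IDs come out as small numbers).
E = 65537
TOY_PRIMES = {
    "alice": (2**255 - 19, 2**127 - 1),
    "bob": (2**256 - 2**32 - 977, 2**89 - 1),
}

def make_key(p: int, q: int) -> dict:
    """Build an RSA key pair and derive its 64-bit key ID from the modulus."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E, "d": d, "key_id": n & (2**64 - 1)}

def sign(message: bytes, key: dict) -> dict:
    """Hash with SHA-1, then sign the 160-bit digest with the private key."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return {"key_id": key["key_id"], "sig": pow(digest, key["d"], key["n"])}

def verify(message: bytes, signature: dict, public_ring: dict) -> bool:
    """Look up the signer by key ID, recover the hash, compare with our own."""
    pub = public_ring.get(signature["key_id"])
    if pub is None:
        return False  # signer's public key is not on our ring
    recovered = pow(signature["sig"], pub["e"], pub["n"])
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return recovered == digest

KEYS = {name: make_key(p, q) for name, (p, q) in TOY_PRIMES.items()}
# Public-key ring: public parts only (n, e), indexed by key ID.
PUBLIC_RING = {k["key_id"]: {"owner": name, "n": k["n"], "e": k["e"]}
               for name, k in KEYS.items()}

if __name__ == "__main__":
    msg = b"Transfer approved."  # constructed sample message
    sig = sign(msg, KEYS["alice"])
    print("key id:", hex(sig["key_id"]))
    print("valid:", verify(msg, sig, PUBLIC_RING))
    print("altered message:", verify(b"Transfer denied.", sig, PUBLIC_RING))
```

SHA-1 is used here because the module describes it; current OpenPGP implementations sign with SHA-256 or stronger and pad the hash before the RSA operation.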

 

Summary

  • The complete theory of secure email is explained.
  • Pretty Good Privacy is detailed with proper message authentication.