S/MIME - Overview
After the development of PEM industry working group led by RSA Security, Inc. started to develop another specification for conveying digitally signed and/or encrypted and digitally enveloped data in accordance to the MIME message formats.
S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard.
S/MIME is not restricted to mail; it can be used with any transport mechanism that transports MIME data, such as HTTP. S/MIME is likely to emerge as the industry standard for commercial and organizational use, while PGP will remain the choice for personal e-mail security for many.
S/MIME - Overview
MIME - Overview
RFC 822 defines a format for text messages that are sent using electronic mail.
3. 4.
5.
SMTP cannot transmit executable files or other binary files. SMTP cannot transmit text data that includes national language characters because these are represented by 8-bit codes with values of 128 decimal or higher, and SMTP is limited to 7-bit ASCII. SMTP servers may reject mail message over a certain size. SMTP gateways that translate between ASCII to EBCDIC suffer translation problems. Some SMTP implementations do not adhere completely to the SMTP standard defined in RFC 822.
MIME (contd.)
1.
2.
3.
MIME (contd.)
Here is a summary of the different MIME content types:
Type
Text
Subtype
Plain Enriched
Description
Unformatted text (ASCII or ISO 8859). Provides greater format flexibility.
Multipart
The different parts are independent but are to be transmitted together. Should be presented to the receiver in their original order. Differs from mixed only in that no order is defined. The different parts are alternative versions of the same information. Similar to Mixed but the default type/subtype of each part is message/rfc822.
Message
The body is itself an encapsulated message that conforms to RFC822. Used to allow fragmentation in a transparent way to the recipient. Contains a pointer to an object exists else where.
MIME (contd.)
Type
Image Video
Subtype
Jpeg gif
Description
The image is in JPEG format. The image is in GIF format.
Mpeg
MPEG format.
Audio
Application
Basic
Postscript Octet-stream
MIME (contd.)
The other major component of MIME is a definition of transfer encodings for message contents:
Description
The data are all represented by short lines of ASCII chars. The lines are short, but there may be non-ASCII chars. Not only may non-ASCII chars be presented but lines are not necessarily short enough for SMTP transport. Encodes the data in such a way that if the data being encoded are mostly ASCII text, the encoded form of the data remains largely recognizable by humans. Encodes data by mapping 6-bit blocks to 8-bit printable ASCII characters blocks. A nonstandard encoding.
Encoding
7bit 8bit Binary Quoted-printable Base64 x-token
MIME (contd.)
Canonical form is a format that is standardized for use between systems. Conclusions:
MIME is a necessity in todays Internet and e-mail traffic requirements. The Object Oriented structure of the MIME message enhances its capability to serve as multipurpose standard. The MIME is capable of transferring data between two distinct systems which uses different formats
S/MIME - Functions
S/MIME is based on the Cryptographic Message Syntax (CMS) specified in RFC 2630. Enveloped data:
This consists of encrypted content of any type and encrypted content encryption keys for one or more users. This functions provides privacy and data security. Signed data: A digital signature is formed by signing the message digest and then encrypting that with the signer private key. The content and the signature are then encoded using base64 encoding. This function provides authenticity, message integrity and non-repudiation of origin.
S/MIME - Functions
SignerInfo: allows the inclusion of unsigned and signed attributes to be included along with a signature.
signingTime sMIMECapabilities sMIMEEncryptionKeyPreference
S/MIME - Functions
Clear signed data: In this case a digital signature of the content is formed, However only the signature is encoded with base64. Signed and enveloped data: Because of S/MIME encapsulating capability (multipart type), signed only and encrypted only entities may be nested, so that encrypted data may be signed and signed data may be encrypted.
S/MIME - Cryptography
Be liberal in what you receive and conservative in what you send.
Definitions: MUST: The definition is an absolute requirement of the specification. SHOULD: There may exist valid reasons in particular circumstances to ignore this feature or function, but it is recommended that an implementation include the feature or function.
S/MIME - Cryptography
Function
Creation of a message digest.
Requirement
MUST support SHA-1. SHOULD use sha-1. Receiving agents SHOULD support MD5 for the purpose of providing backward compatibility with S/MIME v2. Both sending and receiving agents MUST support DSS. Receiving agents SHOULD support verification of RSA signatures with key sizes 512 bits to 1024 bits. Note that S/MIME v2 clients are only capable of verifying digital signatures using RSA.
S/MIME - Cryptography
Function A session key encryption for transmission with the message. Requirement Both sending and receiving agents MUST support Diffie-Hellman. Sending agents SHOULD support RSA encryption with key sizes 512 to 1024 bits. Receiving agents SHOULD support RSA decryption. Sending an receiving agent MUST support Encryption/Decryption with 3DES. Receiving agents SHOULD support decryption with RC2/40. (S/MIME V 2. - Sending agents SHOULD support RSA encryption with 3DES and RC2/40. Receiving agents MUST support decryption with RC2/40.)
S/MIME - Cryptography
Algorithm use decision procedure:
Preferred decrypting capabilities: SHOULD choose the first (highest preference) capability on the list. No list of capabilities but has received message/s: SHOULD use the same encryption algorithm as was used on the last signed and encrypted message. No knowledge & Willing to risk: willing to risk that the recipient may not be able to decrypt the message, then the sending agent SHOULD use 3DES. No knowledge & Not willing to risk: sending agent MUST use RC2/40.
S/MIME - Cryptography
The Solution:
This problem is solved using an Enhanced Security service called S/MIME Mail List Agent (MLA). An MLA perform the recipient-specific encryption for each recipient, and forward the message.
S/MIME - Message
Canonical MIME Certificates Algorithm Identifiers CMS MIME bodies + CMS.
CMS object
MIME
S/MIME - Message
S/MIME makes use of a number of new MIME content types: Type Subtype Signed S/MIME parameter Description A clear message in tow parts: One is the message and the other is the signature. signedData envelopedData -A signed S/MIE entity. An encrypted S/MIME entity. multipart/signed message. A certificate registration request message.
Multipart
pkcs10-mime
--
S/MIME - Message
Enveloped Data:
Recipients public key Diffie-Hellman / RSA
Certificate
RecipientInfo
M
enveloped-data
S/MIME - Message
SignedData:
Hash function
Encryption
M
SHA-1 or MD5 Certificate
SignerInfo
Base64 encoding
S/MIME - Message
Clear signing: Clear signing is achieved using the multipart content type with a signed sub-type . Two parts:
Clear text (or any MIME type) encoded in base64. SignedData.
S/MIME - Message
Content-Type: multipart/signed; protocol=application/pkcs7-signature; micalg=sha1; boundary=boundary42 --boundary42 This parameter indicates that this is a two part clearsigned entity.
Unsigned Data
SignerInfo Header
S/MIME - Message
Certificate-only message: Used to transport certificates.
contains only certificates or a certificate revocation list (CRL). Sent in response to a registration request. The message is an application/pkcs7-mime type/subtype.
S/MIME - Message
Creating a Certificates-only Message: Step 1: The certificates are made available to the CMS generating process which creates a CMS object of type signedData. Step 2:
The smime-type parameter for a certs-only message is "certs-only". The file extension for this type of message is ".p7c".
S/MIME - Message
Registration request: A message signer MUST have a certificate for the signature so that the receiving agent can verify the signature.
S/MIME - Message
Registration request:
Subjects name Public-key in bitstring representation 010111010011
CertificationRequestInfo
Public-key ID
?
PKCS10
Users private key
CA
S/MIME - Certificates
S/MIME uses public-key certificates that conform to version 3 of X.509. A hybrid between a strict X.509 certification hierarchy and PGP's web of trust. A receiving agent MUST provide some certificate retrieval mechanism.
Receiving and sending agents SHOULD also provide a mechanism to allow a user to "store and protect" certificates
S/MIME - Certificates
Public key certificates are required to protect the authenticity and integrity of public keys, thus protecting against man-in-the-middle attack.
S/MIME - Certificates
In practice, certificate chains are short and seldom verified for trustworthiness. Also, the concept of cross-certification is of low practical value and seldom used between certification service providers.
S/MIME - Certificates
Key generation: MUST be capable of generating separate DiffieHellman and DSS key pairs.
SHOULD be capable of generating RSA key pairs. good source of non-deterministic random. protected in a secure fashion.
Registration: A user's public key must be registered with a certification authority in order to receive an X.509 public-key certificate.
Certificate storage and retrieval: access to a local list of certificates in order to verify incoming signatures and encrypt outgoing messages. maintained by the user local administrative entity on behalf of number of users.
S-MIME -Attacks
Certificate Management in S/MIME:
CA-centered.
CA certificates come with the client software. An ordinary user is not aware of the CAs that he/she trusts. Certificates are sent along with the signed messages.
S-MIME -Attacks
Certificates classes (common practice by most CAs) Class 1 Tighter identity Easier to Class 2 validation issue Class 3 CA certification policies ID-control practices Class 1: only email address Class 2: against third party database Class 3: apply in person and submit picture IDs and/or hard documentation
S-MIME -Attacks
Attack 1: Class 1 Certificate Attack No identity check during registration.
Binding between public key and e-mail address. It is possible to enroll under a different name.
- Name spoofing is possible in signed messages
S-MIME -Attacks
Attack 1: Class 1 Certificate Attack
Step 1: Get an e-mail address that implies the person you want to imitate. Step 2: Register for a certificate with that bogus name and e-mail address.
Step 3: Step up an outgoing e-mail account at your favorite e-mail client software with that bogus name. Step 4: Send bogus signed messages
S/MIME- Attacks
Step 2- Registration
S/MIME- Attacks
S/MIME- Attacks
S/MIME- Attacks
shlomo@hotmail.com
S/MIME- Attacks
S/MIME-Attacks
S/MIME-Attacks
Step 3 Setup local account
S/MIME-Attacks
Step 4 Send signed but bogus msgs.
S/MIME-Attacks
Consequences: Loose control for Class 1 certificates.
S/MIME-Attacks
Attack 2: Use ones certificate to send emails under another name. Step 1: Set up another e-mail account at local client. Same e-mail address But a different name Step 2: Send bogus signed messages
S/MIME- Attacks
Step 1- setup another account
S/MIME- Attacks
Step 2- Send bogus signed msg.
S/MIME-Attacks
Consequences: During verification, e-mail client does not match the name in certificate with the name in e-mail.
Only e-mail addresses are matched (as mentioned
S/MIME-Attacks
Attack 3: Forging the header The scope of a S/MIME signature does not include the e-mail header.
from, to, cc, subject, date
Indeed, the mail header is modified without changing the verification status.
S/MIME-Attacks
What should be done?
Class 1 certificates should be discontinued. E-mail clients must be aware of certificate classes and issue appropriate warnings to the verifiers. It is up to you whether to believe a digital signature is valid or not Use your reasoning, not your e-mail clients. Try to identify people by their e-mail addresses.
S/MIME-Attacks
What should be done (2)?
S/MIME - Summery
In summary, S/MIME provides a thoroughly designed and widely deployed technological approach to provide basic message protection services for the Internet.
S/MIME - Summery
In contrast to PGP S/MIME cannot be used by user agent which don't support MIME. There are problems in the stiches (certificate handling). With the release of S/MIME v3, standardization activities have slowed down.