International Journal of Computer Trends and Technology- March to April Issue 2011

Transcription

1 SECURITY PROTOCOL Sunny gill 1, Gaurav Rupnar 1, Vaibhav Ramteke 1,PROF. Dipti Patil 2, Vijay M.Wadhai 3 1 Computer Engineering Department, MIT College of Engineering,Pune 2 Assistant Professor, MITCOE, Pune INDIA 3 Professor and Principle of MIT college of engineering,pune INDIA Abstract: We all receive and send s and are very much familiar to the term but what we need is that the s which we are sending or receiving are very much secure or not. They are received by the intended person or not, or is not being misused in the way. So despite the widespread perception that security is of critical importance. Numerous solutions to the problem of securing have been developed and standardized but these have proved difficult to deploy and use[1]. One of the main reasons for this difficulty is that each piece of the required technology has been developed independently as a generic platform on which security solutions may be built. As a consequence the user is left an unacceptably complex configuration problem. This paper proposes a means of providing transparent security out the need for additional configuration based on existing security standards. Index Terms Protocols, PEM, S/MIME. I. INTRODUCTION [2], is simply the shortened form of electronic mail, a protocol for receiving, sending, and storing electronic messages. has gained popularity the spread of the Internet. In many cases, has become the preferred method of communication. There is a but of uncertainty when was invented because messages could only be sent between users when they are connected to the same computer, American Ray Tomlinson is called the father of modern versions. Even once computers were networked, messages could not be targeted to a particular individual. Tomlinson devised a way to address to certain users, and thus was credited for one of the most important communication inventions in the 20th century. The basic principles of were established more than thirty years ago when the Internet, then called ARPANET, was an emerging technology[3]. Trust was a basic principle of the Internet back then. Back then there wasn't a need for authentication of who actually sent the message because only a limited number of people could gain access to the networks over which the messages were traveling. When networks began connecting to each other, security became more important. Users realized that they needed verification of who was sending the message to make sure no one has changed the message during transit, and, in some cases, they realized they needed to secure that information against prying eyes. II. How Is Sent and Received? is transmitted as plain text across networks around the world using the SMTP protocol (Simple Mail Transfer Protocol)[4]. It has been extended to add further authentication and error reporting/messaging to satisfy the growing demands of modern . Mail transfer agents, or MTAs, work in the background transferring from server to server allowing s to be sent all over the world. You may have come across such MTA software such as Sendmail, Postfix, Fetch mail, Exim, or Qmail. SMTP allows each computer that the passes through to forward it in the right direction to the final destination. When you consider the millions of servers across the world, you have to marvel at how simple it all seems. Here is a simple example of how is successfully processed and sent to its destination: 1. sunny@infosys.org composes and sends an message to gaurav@l&tinfotech.org. 2. The MTA at infosys.org receives sunny's and queues it for delivery behind any other messages that are also waiting to go out. 3.The MTA at infosys.org contacts the MTA at l&tinfotech.org on port 24. After infosys.org acknowledges the connection, the MTA at ISSN: IJCTT

2 l&tinfotech.org sends the mail message. After infosys.org accepts and acknowledges receipt of the message, the connection is closed. 4.The MTA at l&tinfotech.org places the mail message into gaurav's incoming mailbox; gaurav is notified that he has new mail the next time he logs on. Ii is developed by IETF[5], to add encryption, source authentication & integrity protection to . It allows both public & secret longterm keys.the Message key used in the process is always symmetric and specifies a detailed certification hierarchy MIME (Multipurpose Internet Mail Extensions): It is a standard for encoding arbitrary data in (images, video, etc.). S/MIME: It is very similar to MIME but the difference is that it is enhanced version of MIME as many principles of PEM is incorporated into MIME. 1. PEM PEM is supposed to be implemented in software at the sender as well as receiver. i.e. at these two ends only. As far as security is concern PEM message passes through mail servers out modified in between. Figure 1 How is processed and sent[7] PEM provides Integrity protection Encryption Of course, several things can go wrong during this process. Here are a few examples: What if gaurav does not exist at l&tinfotech.org? In this case, the MTA at l&tinfotech.org will reject the and notify the MTA at infosys.org of what the problem is. The MTA at infosys.org will then generate an message and send it to sunny@infosys.org, informing him that no gaurav exists at l&tinfotech.org What happens if l&tinfotech.org doesn't respond to infosys.org's connection attempts? (Perhaps the server is down for maintenance.) The MTA at infosys.org notifies the sender that the initial delivery attempt has failed. Further attempts will be made at intervals decided by the server administrator until the deadline is reached, and the sender will be notified that the mail is undeliverable. Now as for the security related issues, protocols have been designed for the secure transfer of our messages. III. Security Protocols PEM (Privacy Enhanced Mail) 1.1 PEM Message Content PEM flags them as separate, treated blocks. Ordinary, unsecured data Integrity protected, unmodified data Integrity protected encoded data Encoded = safe to transmit through all mailers Integrity protected, encoded, and encrypted data Establishing keys Per message key (random number) Interchange key (public key) To encrypt message key. 1.2 Structure of a PEM Message Marker: BEGIN PRIVACY ENHANCED MESSAGE PEM header, inc. protection type (MIC CLEAR etc.) IV for DESCBC (for ENCRYPTED only) Chain of certificates, from sender to IPRA ISSN: IJCTT

3 MIC Encrypted message key (for ENCRYPTED only) Message Marker: END PRIVACYENHANCED MESSAGE PEM[6] marks its pieces a text string before and after the piece as:...<data>... The different types of pieces PEM can combine into a message are: 1. Ordinary, unsecured data. 2. Integrityprotected unmodified data (MIC CLEAR). 3. Integrityprotected encoded data (MICONLY). 4. Encoded encrypted integrityprotected data (ENCRYPTED). Not only these types of data be combined in a message, but they can be nested inside one another. E.g., sunny might enclose MICCLEAR message from Fred in an ENCRYPTED message to vaibhav. Example: Dear vaibhav: I would like to invite you to give a event notification next spring, if you accept, let us talk about the details. sunny The above message may be sent in one following 3 forms: A. MICCLEAR BEGIN PRIVACY ENHANCED MESSAGE ProcType: 4, MICCLEAR ContentType: RFC822 OriginatorIDAsymmetric: <certificate MICInfo: RSAMD5, RSA, <encoded MIC> Dear vaibhav: This is to notify you that next week our college is organizing technical event, if you are interested in taking participation then contact sunny B. MICONLY ProcType: 4, MICONLY ContentType: RFC822 OriginatorIDAsymmetric: <certificate MICInfo: RSAMD5, RSA, <encoded MIC> <encoded message> C. ENCRYPTED ProcType: 4, ENCRYPTED ContentType: RFC822 DEKInfo: DESCBC, IV OriginatorIDAsymmetric: <Originator certificate originator public key> MICInfo: RSAMD5, RSA, <encoded encrypted MIC> RecipientIDAsymmetric: <Recipient certificate recipient public key> <encoded encrypted message using DESCBC> For CC purposes and if message is returned to sender due to some error the message must also be send to the originator An encrypted message can also be send to multiple recipients Encrypt the message key once for each recipient: ISSN: IJCTT

4 RecipientIDAsymmetric: <Recipient1 certificate recipient1 public key> RecipientIDAsymmetric: <Recipient2 certificate recipient2 public key>... RecipientIDAsymmetric: <Recipientn certificate recipientn public key> PEM Encoding: It is base64 encoding, i.e., each 6 bits is encoded as 8bit character in the set {AZ,az,09,+,/} When PEM sees a line that begins it is replaced " ". Thus the string in the text: would appear as: END PRIVACY ENHANCED MESSAGE Forwarding & Enclosure: Only MICCLEAR and MICONLY messages can be forwarded. For ENCRYPTED messages, it must be decrypted and then reencrypted. Unprotected Information: To protect the header information, it should be included in the text. Secret Key Variant: PEM can be used for both publickey and secretkey Infrastructure. A secret key between sunny and vaibhav can be established using Outofband mechanism (e.g., phone, Kerberos). There is no much interest in secret key based PEM. 2. S/MIME It is Secure/MIME, a version of the MIME protocol which supports encryption of messages. It is based on RSA's publickey encryption technology [9]. S/MIME[10] provides the following cryptographic security services for electronic messaging applications: Authentication, Message integrity Nonrepudiation of origin (using digital signatures) Privacy and data security (using encryption). S/MIME specifies the MIME type application/pkcs7 mime (smimetype "envelopeddata") for data enveloping (encrypting) where the whole (prepared) MIME entity to be enveloped is encrypted and packed into an object which subsequently is inserted into an application/pkcs7mime MIME entity. Before S/MIME can be used in any of the above applications, one must obtain and install an individual key/certificate either from one's inhouse certificate authority (CA) or from a public CA IV. S/MIME vs. PEM Incorporated into MIME; no other encoding[8]. Any sequence of sign & encrypt is supported (each as a recursive MIME encapsulation) Has more options than PEM ASN.1 header encoding No prescribed certification hierarchy boundary=boundary marker boundary marker...<content>... boundary marker V. Conclusion Internet has changed and has been changing greatly over the years, and this has made our concern about the security more today, particularly for those who are transmitting their personal and sensitive data over the internet. PEM and S/MIME will provide users a more secure connection when sending messages over networks and over the Internet. Depending on which standard you wish to have, your setup may vary. But the end result will always be the same: you will be more secure and your information will be lesser risk to interception. References [1] rusable_ .pdf ISSN: IJCTT

5 [2] [3] E Mail Security for the 21 st Century f [4] pensource/ /ch24lev1sec1.html [5] [6] S.D. Siriskar Networks & information security pg 243 [7] [8] [9] [10] ISSN: IJCTT