IMPLEMENTATION OF A SECURE MESSAGING APPLICATION USING ELLIPTIC CURVE CRYPTOGRAPHY

Transcription

1 IMPLEMENTATION OF A SECURE MESSAGING APPLICATION USING ELLIPTIC CURVE CRYPTOGRAPHY By Abdul-Rahman Mahmood Thesis Submitted to Sir Syed University of Engineering and Technology in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE IN COMPUTER ENGINEERING March, 2004

2 ABSTRACT In this thesis, an implementation of a secure messaging system based on a hybrid cryptographic scheme is presented. The system is hybrid because it employs public key cryptographic scheme for key exchange and symmetric key cryptographic scheme for encryption. In public key cryptographic scheme, Elliptic Curve Cryptography (ECC) is used. Elliptic curve cryptography provides a methodology for obtaining high-speed, efficient, and scalable implementations of a messaging system. In this research thesis, we have described in detail the working and implementation of elliptic curve cryptographic technique, and the results of our implementation of the elliptic curve cryptography and finally we have compared our results with the rival of ECC i.e., RSA. Elliptic curve cryptosystems were first proposed independently by Victor Miller and Neal Koblitz in 1985 [8]. Elliptic curve cryptography is an emerging public key cryptosystem which provides the same degree of security as used in Secure Socket Layers (SSL) today with approximately one-eighth the key size [7]. This results in bandwidth savings, efficient implementation and compactness in silicon without any effect on security as compared to its rival, RSA. With such attributes, the technology becomes especially useful for mobile devices and other small devices that are limited in the power, CPU performance, memory or bandwidth. Internet is a huge inter-connected network of computers. There are many people with either ill-intension or fun are keen to intercept your messaging. That s why we need a secure messaging system. Secure messaging allows a company to safely and securely control the flow of incoming and outgoing information via over the internet. The thesis entails development of cryptographically secure messaging using ECC. The results generated are indicating that ECC is highly computation intensive as compared with RSA. Moreover we have observed that data size that RSA can process is much lower than ECC. Further to the results it was observed that key the generation time of ECC is almost equal or relatively efficient then RSA. i

3 TABLE OF CONTENTS ABSTRACT TABLE OF CONTENTS LIST OF FIGURES LIST OF TABLES ACKNOWLEDGMENTS i ii v vi vii Chapter 1 INTRODUCTION Background to Research Significance of a secure messaging application Problem description Objective Methodology Thesis Description with Technical details 04 Chapter 2 CRYPTOGRAPHY AND SECURITY CONCEPTS Introduction Classical Cryptography Classical Cryptographic Techniques Transpositions Caesar Substitution Monoalphabetic Substitution Key-based Encryption Cryptographic services User Authentication Data authentication Data integrity Data origin authentication Non-repudiation of origin Data confidentiality Cryptographic primitives Encryption primitives Symmetric ciphers Stream ciphers and block ciphers Asymmetric ciphers Symmetric versus asymmetric ciphers Authentication primitives One-way functions and hash codes Digital signature Hash functions versus digital signatures Rivest Shamir Adleman (RSA) RSA Example Details of PGP 17 ii

4 Chapter 3 PROTOCOLS AND ENCODING protocols SMTP SMTP COMMUNICATION MODEL A Typical SMTP Transaction Scenario Post Office Protocol version 3 (POP3) POP3 Basic Operation POP3 Security Considerations Example POP3 Session Encoding and decoding mail messages Requirement of encoding Transfer Encoding UUEncode and UUDecode Overview Need of UUEncode UUEncode Message format 28 Chapter 4 MATHEMATICAL BACKGROUND OF ECC Elliptic curve Group The group Z n Additive Inverses Other operations The group Z p * Multiplicative Inverses Abelian Groups Field The field F p m The field F Polynomial Representation Addition Subtraction Multiplication Exponentiation Multiplicative Inversion Example - F 4 2 with Polynomial Representation Multiplicative Inversion Use of Elliptic Curve 37 Chapter 5 THE SECURE MESSAGING APPLICATION Key Generation ECC Encryption Process ECC Decryption Process Importance of compression before encryption 40 Chapter 6 IMPLEMENTATION DETAILS Libraries used 42 iii

5 6.2 System Requirements Source Code OnButtonGenerateKyes function Calculation of Execution time OnButtonEncrypt function OnButtonDecrypt function RSA implementation of Crypto++ 53 Chapter 7 THE FRONT END TO ECC AND RSA The ECC GUI The RSA GUI Opening the attachment in outlook 56 Chapter 8 RESULTS AND OBSERVATIONS ECC results RSA results Comparison of ECC and RSA Relative cost of equivalent key sizes in RSA and ECC Important considerations 65 Chapter 9 CONCLUSION AND FUTURE EXTENSIONS Conclusion Proposed Future extensions of the application 67 Appendix A TOOLS AND LIBRARIES 68 Appendix B ACRONYMS USED 70 References 72 iv

6 LIST OF FIGURES Figure 1.1: Secret/Symmetric Key Cryptosystem [26] Figure 1.2: Public/Asymmetric Key Cryptosystem [26] Figure 1.3: Pictorial representation of Secure Messaging System Figure 2.1: Ancient Egyptians cipher [29] Figure 2.2: Data integrity [10] Figure 2.3: Data origin authentication [10] Figure 2.4: Non-repudiation of origin [10] Figure 2.5: Data confidentiality [10] Figure 2.6: How PGP encryption works [26] Figure 2.7: How PGP decryption works [26] Figure 3.1: SMTP communication model [19] Figure 3.2: SMTP and POP3 in action [20] Figure 3.3: Transfer encoding [30] Figure 5.1: ECC key generation and exchange of public keys Figure 5.2: ECC encryption Figure 5.3: ECC decryption Figure 7.1: ECC application s main dialog box Figure 7.2: The ECC dialog box Figure 7.3: RSA application s main dialog box Figure 7.4: RSA Key generation Figure 7.5: RSA encryption - decryption Figure 7.6: in Outlook Figure 8.1: ECC key generation, encryption and decryption cost Figure 8.2: RSA encryption and decryption cost Figure 8.3: RSA key generation cost Figure 8.4: RSA key generation cost Figure 8.5: ECC 160 bit vs. RSA 1024 bit Figure 8.6: Time to break ECC and RSA [18] Figure A.1: Microsoft Visual C IDE v

7 LIST OF TABLES Table 4.1: 16 vectors for F 4 2 [24]... Table 8.1: ECC key generation, encryption and decryption cost... Table 8.2: RSA encryption and decryption cost... Table 8.3: Comparison of RSA key generation cost... Table 8.4: ECC key generation, encryption and decryption cost (22 bytes)... Table 8.5: RSA key generation, encryption and decryption cost (22 bytes)... Table 8.6: Relative cost equivalent key sizes in RSA and ECC [16] vi

8 ACKNOWLEDGEMENTS First of all, I would like to acknowledge Allah and his mercy in every area of my life. I would like to express my gratitude to my supervisor, Dr. Nassar Ikram who has given me invaluable encouragement and support throughout the course of the research, and his assistance in writing proposal, draft and this thesis. A very special thanks goes out to most knowledgeable teacher Mr. Athar Mehboob, whose expertise, understanding, and patience, added considerably to my graduate experience. I appreciate his vast knowledge and skill in areas such as (networks, security, cryptography etc.). I must also acknowledge Mr. Anwar Amjad at SSUET who helped and support me in various aspects. Appreciation also goes out to Mr. Aleem Khalid Alvi for his suggestions, and advice at times of critical need. I would also like to thank my family for the support they provided me through my entire life and in particular, I must acknowledge my parents because without their love and encouragement, I would not have finished this thesis. vii

9 Chapter 1. Introduction Chapter 1 INTRODUCTION 1.1 Background to Research In practice two types of cryptographic techniques are used namely secret key cryptography (e.g., DES) and public key cryptography (e.g., RSA). In secret key cryptosystems, see Figure 1.1, message is encoded and decoded using same key. Sender and recipient both must share this secret key to encrypt or decrypt information. In case of secret key cryptography, the transmission of key through public or insecure channels (untrusted couriers or network) to the recipient(s) may compromise the overall security of the system. Figure 1.1 Secret/Symmetric Key Cryptosystem In public key cryptosystems, see Figure 1.2, sender encrypts the information with receiver s public key so that only receiver can decrypt the ciphertext with his private key. Public key cryptography is more secure as it resolves the problem of key distribution over insecure channel as faced in private key cryptosystems. 2

10 Chapter 1. Introduction Figure 1.2 Public/Asymmetric Key Cryptosystem Elliptic Curve cryptography is an emerging public key cryptosystem which provides the same degree of security as systems used in SSL [7] today with approximately one-eighth the key size. This results in bandwidth savings, efficient implementation and compactness in silicon without any effect on security as compared to its rival, RSA [5]. With such attributes, the technology i.e., Elliptic Curve Cryptography becomes especially useful for mobile devices and other small devices that are limited in the power, CPU performance, memory or bandwidth. Elliptic curve cryptosystems were first proposed independently by Victor Miller and Neal Koblitz in 1985 [8]. Since internet is a huge inter-connected network of computer, there are many irresponsible people who are happy to intercept your messaging. That s why we need a secure messaging system. Secure messaging allows a company to safely and securely control the flow of information coming in and going out via and the Web. The research entails development of cryptographically secure messaging using Elliptic Curve Cryptography. The application developed will provide security for standards based messaging systems. 1.2 Significance of a Secure Messaging Application a) The implementation of a secure messaging system using ECC is highly significant because of its merits. Pakistan is following unprecedented pace of IT development under which IT infrastructure is fast developing. New 3

11 Chapter 1. Introduction companies are emerging and more foreign companies are diverting towards it. This is resulting in setting up of more WANs/LANs. With this comes the necessity of securing the infrastructure/lans/wans against malicious designs. Secure messaging system although not a new concept, will provide the means of securing the transmission lines of any company/organization operating its LAN/WAN. This is the essential first step to designing further crypto applications and as such has its importance. b) The application developed is in line with the current trends in the world and needs. Various companies are developing secure messaging systems of different various kinds from to wireless e-commerce. Information about these can be retrieved from websites of RSA [25] or PGP [26]. 1.3 Problem description messaging is one of the oldest applications of internet, and it is still being used by internet users today. Phil Zimmerman [6] added a new dimension to messaging by enabling a secure message transmission via public key cryptography. PGP is the most widely used secure application today using RSA. RSA is very secure if the key length is higher. ECC's advantages in comparison to RSA are convincing: less memory requirement and computation time. Key lengths of 160 Bit as in ECC ensure the security of a RSA key of 1024 Bit, which is used as a standard today [9]. With greater key lengths, the advantages of ECC compared to RSA increase intensively. While RSA would have to double its key lengths, ECC only needs a few bits to achieve the same level of security. The RSA procedure currently changes its key length to 2048 Bit. As a result, ECC algorithms only have to increase its key length to 192 Bit. 1.4 Objective Goal of this thesis is to study the working of PGP, implement a secure messaging system based on ECC, and finally generate results that indicate comparative analysis of the RSA and ECC. 4

12 Chapter 1. Introduction 1.5 Methodology The development methodology is as under: a) Software based development of system offering the features appropriate to the secure messaging system. These functions are then integrated and results are analyzed primarily for the offered speed and security. b) The system developed is then followed by trials and release of beta version. c) The implementation has been done using a host of available tools and libraries that were easily available meeting the prime requirement of ease of use. 1.6 Thesis Description with Technical details Thesis entails study and development of cryptographically secure /messaging system. At the heart is an encryption algorithm, which would ensure complete security of data. The GUI is user friendly, which would give options of a range of security classifications and other relevant features. Initially messaging system is implemented and then it may be extended to instant messaging platform. A pictorial representation of the system is given in the Figure 1.3. The application developed will provide security for standards based messaging systems. Public Keys Graphical User Interface (GUI) Scanned File (TWAIN) OCR Encrypted File Outgoing SMTP Core Encryption / Decryption Engine. Private Files Incoming POP Outgoing instant message Incoming Instant Message Figure 1.3 Pictorial representation of Secure Messaging System 5

13 Chapter 1. Introduction In the following section, a layout of the chapters is given which shows how chapters are distributed and which chapter deals with what. Chapter 1 describes the objective of the thesis, the methodology that is used in developing the application and also describes the overall working of the application in brief. In Chapter 2, user is introduced by cryptography and basic security concepts. This chapter starts with the history of cryptography where the classical cryptography is explained. Digital signatures and hash functions are also explained and in the end a detailed description of RSA and PGP is given. Simple Mail Transfer Protocol (SMTP) and Post Office Protocol (POP) are explained in Chapter 3, so that user can get familiar with the protocols and encoding concepts. Mathematical concepts of Elliptic Curves are briefly explained in Chapter 4 so that reader can get a very basic understanding of the mathematics involved. In this chapter mostly concepts like Groups, Fields and mathematical equations about Elliptic Curves are explained with very simple examples. In Chapter 5, the overview of the secure messaging application is presented so that reader can get familiar with important processes of the application that is developed during this research such as Key Generation, Encryption and Decryption. Chapter 6 is all about the implementation details and partial source code of the application is also presented over here. The C++ source code is also commented where necessary to help the programmer understand the underlying logic. The Graphical User Interface (GUI) of the applications that were developed is explained in Chapter 7. Different dialog boxes in the application are explained and the usage of application is also described in detail. In Chapter 8 which is very important chapter, results and observations are presented based on the analysis of the generated data during the simulation of the applications that were developed. Also the comparative analysis of the ECC and RSA is presented In Chapter 9 final conclusion and some future suggestions and extensions to the ECC application are given. Conclusion is based on the actual data generated by simulation. 6

14 Chapter 2.Cryptography and security concepts Chapter 2 CRYPTOGRAPHY AND SECURITY CONCEPTS 2.1 Introduction Cryptography is the practice and study of encryption and decryption i.e., encoding data so that it can only be decoded by specific/intended individuals only. A system for encrypting and decrypting data is a cryptosystem. This usually involves an algorithm for combining the original data ("plaintext") with one or more "keys" i.e., numbers or strings of characters known only to the sender and/or recipient. The resulting output is known as "ciphertext". The origin of the word cryptology lies in ancient Greek. The word cryptology is made up of two components: "kryptos", which means hidden and "logos" which means word. Cryptology is as old as writing itself, and has been used for thousands of years to safeguard military and diplomatic communications. For example, the famous Roman emperor Julius Caesar used a cipher to protect the messages to his troops. Within the field of cryptology one can see two separate divisions: cryptography and cryptanalysis. The cryptographer seeks methods to ensure the safety and security of conversations while the cryptanalyst tries to undo the former's work by breaking his systems [10]. The main goals of modern cryptography can be seen as: user authentication, data authentication (data integrity and data origin authentication), non-repudiation of origin, and data confidentiality. In the following section we will elaborate more on these services. Subsequently we will explain how these services can be realized using cryptographic primitives. These are mainly two categories of cryptography: a) Classical cryptography. b) Key based cryptography. 7

15 Chapter 2.Cryptography and security concepts 2.2 Classical Cryptography Classical cryptography is the oldest branch of cryptography. It has a history of at least 4000 years [29]. Ancient Egyptians enciphered some of their pictogram writing on monuments as shown in the Figure 2.1: Figure 2.1 Ancient Egyptians cipher. 2.3 Classical Cryptographic Techniques There are two basic components of classical ciphers: substitution and transposition. In substitution ciphers letters are replaced by other letters and in transposition ciphers the letters are arranged in a different order, these ciphers may be: monoalphabetic - only one substitution / transposition is used, or polyalphabetic - where several substitutions / transpositions are used. Several such ciphers may be concatenated together to form a product cipher Transpositions Transposition is not really a full-fledged method of cipher in its own, but it can form and usually is used in a stage of more complex cryptosystems (such as in applying key-based encryption). Transposition is simply moving the relative positions of letters within a message. We will discuss a columnar transposition below, so called because the text is arranged into columns and the columns are transposed. When performing a columnar transposition, a keyword is first needed. The message is then written into rows beneath the keyword. The example message which we'll use will be "SECRET MESSAGES". e n c r y p t S E C R E T M E S S A G E S Adding some numbers beneath the keyword, the numbers refer to the relative positions of the keyword letters in the alphabet. Having formed the table we can read 8

16 Chapter 2.Cryptography and security concepts back the message in the order of the keyword letters. This message becomes CSETRME SESEASG. The spaces have been included for clarity, although in practice this will not happen. Transpositions are often used as part of a more complex system. If a transposition is used in conjunction with a monoalphabetic substitution then the transposition as above may be solved, after having first worked out the plaintext letters of the substitution by looking at letter frequencies Caesar Substitution The Caesar Cipher is one of the simplest monoalphabetic substitutions one may use, and it is also one of the easiest to break. It is said that Julius Caesar wrote to his friends using a simple substitution cipher, where the plaintext letter was replaced by the ciphertext three places down the alphabet, so that the letter M is replaced by P and so on. The Caesar cipher may be summarized in a table, shown below. It is now the case that any cipher whose cipher alphabet consists of the letters in their normal order is called a Caesar cipher. PLAINTEXT abcdefghijklmnopqrstuvwxyz CIPHERTEXT DEFGHIJKLMNOPQRSTUVWXYZABC As there are only 26 Caesar alphabets it is trivial to solve a Caesar cipher by exhaustive search. This is can be done by listing the alphabet under each letter of a section of the ciphertext. The line which contains legible plaintext is the correct one. PLAINTEXT this is a simple cipher CIPHERTEXT vjku ku c ukorng ekrjgt v j k u k u c u k o r n g e k r j g t v j k u k u c u k o r n g e k r j g t u i j t j t b t j n q m p d j q i f s t h i s i s a s i m p l e c i p h e r Monoalphabetic Substitution A monoalphabetic substitution is one where a letter of plaintext always produces the same letter of ciphertext. The operation is very similar to the Caesar Cipher, with the exception that the cipher alphabet does not have the order which it 9

17 Chapter 2.Cryptography and security concepts had in the previous examples (which are just special cases of monoalphabetic substitutions). An example of a monoalphabetic substitution is shown below. PLAINTEXT abcdefghijklmnopqrstuvwxyz CIPHERTEXT QRSKOWEIPLTUYACZMNVDHFGXJB One may naturally think that this cipher is secure, after all there are 26! different cipher alphabets ( 4 x ) to choose from, however the letter frequencies and underlying patterns will be unchanged - and as such the cipher can be solved by pen and paper techniques. The best way to see how the cryptanalysis is performed is by doing some analysis. These more advanced techniques include looking systematically at the position of letters in words in order to identify vowels, pattern words, and looking at the letter frequencies, though common pairings (TH, HE etc.) may come up. The most common English letters are ETNROAIS (these are the letters in descending order) is highly likely that in any ciphertext, we have some matches - though it is not a certainty. It should also be noted that the most common trigraph (three letter sequence) in English is 'THE'. Of course the analysis may be done automatically by a computer program which observes letter positions and frequencies etc. 2.4 Key-based Encryption Keys are the fundamental essential element in generating modern ciphertext. A string of bits used widely in cryptography, allowing people to encrypt and decrypt data; a key can be used to perform other mathematical operations as well. Given a cipher, a key determines the mapping of the plaintext to the ciphertext. The key to a particular cryptosystem is some value which, when applied to ciphertext, allows the encrypted message to be decrypted and when applied to plaintext encrypts it. It is important to note that in the study of cryptography one talks about the lengths of keys in terms of bits. Messages, too, can be encrypted in 'n-bit blocks'. The longer a key is the more difficult it is to break the encrypted message. The most common method of breaking ciphers is by a brute-force attack. This sort of attack involves running through possible combinations of keys and applying them to the cryptosystem until the message is decrypted. It is the same as trying to guess a PIN for someone's ATM card by going through all the possible combinations of 10

18 Chapter 2.Cryptography and security concepts numbers. It is said that any university with computer science major would have enough computer power available to be able to break most 56-bit key cryptosystems in less than one week. 2.5 Cryptographic services User Authentication If you log to a computer system there must (or at least should) be some way that you can convince it of your identity. Once it knows your identity, it can verify whether you are entitled to enter the system. The other principal applies when one person tries to communicate with another: as a first step you want to verify that you are communicating with the right person. Therefore there must be some way in which you can prove your identity. This process is called user authentication [10]. In general, one also requires that the computer authenticates itself to the person logging on. If both parties are authenticated to each other, we use the term mutual authentication Data authentication Data authentication consists of two components: the fact that data has not been modified (data integrity) and the fact that you know who the sender is (data origin authentication) Data integrity A data integrity service guarantees that the content of the message, that was sent, has not been tampered with. Data integrity by itself is not meaningful: it does not help you to know that the data you have received has not been modified, unless you know it has been sent directly to you by the right person. Therefore it should always be combined with data origin authentication [10]. Alice Bob Intruder Figure 2.2 Data integrity. 11

19 Chapter 2.Cryptography and security concepts Data origin authentication Here one wants to make sure that the person who is claiming to be the sender of the message really is the one from whom it originates. In Figure 2.3, if A sends a message to B, but the enemy intercepts it and sends it to B, claiming A has sent it, how can B be sure of the real origin of this data? A variation on this theme is: the enemy could send a message to B claiming it A is the originator. Thanks to cryptography, there are techniques to ensure against this type of fraud [10]. Alice Block Message Bob Intruder Non-repudiation of origin Figure 2.3 Data origin authentication. Non-repudiation protects against denial by one of the entities involved in a communication of having participated in all or part of the communication [10]. Alice Bob Data confidentiality Figure 2.4 Non-repudiation of origin. This aspect of data security has an analogy of a letter that was written in a recognizable handwriting, with a seal and a signature. Confidentiality protection is very important in the medical world and also in the banking sector. World-wide there are several million transactions each day and all of these have to be passed from one financial institution to another. If there were no ways to protect confidentiality, everybody would be able to see who had purchased what, who has made what kind of withdrawal, and so on [10]. Bob 12

20 Chapter 2.Cryptography and security concepts Clearly this would violate individuals and companies rights to privacy. In order to provide confidentiality, it is necessary to transform the message with a cipher. Alice Bob Intruder 2.6 Cryptographic primitives Figure 2.5 Data confidentiality. The cryptographic services can be realized by several cryptographic primitives: we distinguish between primitives for encryption, primitives for authentication, and cryptographic protocols. Encryption primitives can be used to provide confidentiality, authentication primitives can be used to provide data authentication [10]. 2.7 Encryption primitives In cryptography one often makes use of encryption. With encryption we transform the clear text (or plaintext) into ciphertext. To get back to the original text, we apply the inverse transformation, called decryption [10]. These transformations themselves are public: this makes it possible to analyze these algorithms and to develop efficient implementations. However they use a secret parameter: the keys which are known only by the sender and/or the receiver. This key is the only thing one needs to know in order to encipher or decipher. Thus it is really important to manage one's keys and keep them secret where necessary. We discuss two types of encryption primitives, symmetric or conventional ciphers and asymmetric or public key ciphers Symmetric ciphers Traditional encryption techniques rely on both the sender and the receiver of a message knowing a particular secret key. The sender encrypts the message with a particular cryptosystem using the secret key and the receiver decrypts the message 13

21 Chapter 2.Cryptography and security concepts with the same key. This method of encryption is called private key, or symmetric, encryption [10]. It relies on no one else being able to find out what the private key is. This is fine if encrypted files are only stored on the hard disk (in which case only the encryptor needs to know the key) or if one is sending data to someone close by, say in the same office, in which case one can let the key be known personally. If the receiver is not close by, however, then the key must somehow be sent. It could be sent by courier or told over the telephone or even sent separately to the actual message. All these methods involve trusting a third party not to divulge the secret key. Furthermore, the receiver of the message must also be trusted, as they could decrypt any message sent using the same key. Symmetric ciphers are generally faster than public key ciphers. Some symmetric ciphers, such as DES, can be implemented in hardware. This makes them very fast. Disadvantages include: a) For use in anything other than private encryption of files, one could not determine the authenticity of the originator of the data. This lack of protection does not allow this method to verify electronic orders and financial transactions. b) The private key used now has to be transmitted in a very secure channel. Spontaneous secure transmission may not be feasible. c) When used across a network of users, there may have to be a large number of keys to facilitate one-to-one communication between each user. In a network of n users, the total number of keys are n*(n - 1)/ Stream ciphers and block ciphers There are two types of symmetric encryption algorithms: stream ciphers and block ciphers. A stream cipher is one that encrypts a digital data stream one bit at a time [1]. Whereas block ciphers encrypt multiple bits of data (normally 64 bits) called a block Asymmetric ciphers Public key encryption is also known as asymmetric key encryption. It uses different keys to encrypt and decrypt a message. Under this system everyone gets a pair of keys: a public key which is published for all to see and use, and a private key 14

22 Chapter 2.Cryptography and security concepts which is to be kept secret. The public key could then be used to encrypt a message, which only the holder of the corresponding private key, could decrypt and read [10]. The private key never gets transmitted, so there are no problems associated with asymmetric key encryption. Furthermore, public key encryption can be used for authentication via the digital signature [4] mechanism. In this sense, asymmetric key is particularly strong in authentication. Message is not only protected in terms of secrecy, but also in integrity. Public key, or asymmetric key encryption, ciphers generally require longer keys than symmetric ciphers to achieve the same level of security Symmetric versus asymmetric ciphers The biggest drawback of the asymmetric systems until now has been the relative low performance compared to the symmetric ones. DES is typically 1000 times faster than the RSA-scheme [10]. Public key systems provide significant benefits in terms of key management: if every user generates his own key, only an authentic channel is required, eliminating (expensive) secret channels like couriers. In systems without a central trusted server, the number of keys can be reduced. Indeed, suppose we have a network of n users each of whom wanting to communicate with the others. Since each communication requires a secret key, the total number of keys required equals n*(n-1)/2. In the public key system each user only needs a personal public/secret key pair, making a total of only 2n keys. 2.8 Authentication primitives One-way functions and hash codes A one-way function is defined as a function f such that for every x in the domain of f, f(x) is easy to compute; but for virtually all y in the range of f, it is computationally infeasible to find an x such that y=f(x) [10]. One-way functions are used to protect passwords: one will store a one-way image of the password in the computer rather than the password itself. One applies then the one-way function to the input of the user and verifies whether the outcome agrees with the value stored in the table. 15

23 Chapter 2.Cryptography and security concepts A hash function is a function which maps an input of arbitrary length into a fixed number of output bits [10]. In order to be useful for cryptographic applications, a hash function has to satisfy some additional requirements. One can distinguish two types of hash functions. A MAC (Message Authentication Code) that uses a secret key, and an MDC (Manipulation Detection Code) that works without a key. For a MAC one requires that it should be impossible to compute the MAC without knowledge of the secret key. For an MDC one requires that it is a one-way function, and - in most cases - that it is collision resistant, which means that it should be hard to find two arguments hashing to the same result Digital signature Public key techniques can also be used for other purposes than for enciphering information. If Alice adds some redundancy to her message and transforms the result using her secret key, anyone who knows Alice's public key can verify that this message was sent by Alice (by verifying the redundancy). In this way one can create a digital signature, which is the equivalent of the hand-written signature on a document. Assume Bob has received from Alice a digitally signed message. If Alice subsequently denies having sent the message, Bob can go to a third party (e.g., a judge), who will be able to obtain Alice's public key. Subsequently he can verify the validity of the signature. In this way a digital signature can provide non-repudiation of origin [10]. It is easy to see that it provides in addition data authentication, i.e., data integrity and data origin authentication Hash functions versus digital signatures Hash functions can only be used in a situation where the parties mutually trust each other: they cannot be used to resolve a dispute (unless one uses, in addition tamper resistant hardware). As in the case of encryption, hash functions tend to be three orders of magnitude faster than digital signatures [10]. This explains why in general one will first compute the hash code of the message with a fast hash function and subsequently apply the digital signature to this short hash code. This provides digital signatures which are not only faster and shorter, but also more secure. 16

24 Chapter 2.Cryptography and security concepts 2.9 Rivest Shamir Adleman (RSA) RSA is a public key cryptosystem for both encryption and authentication. It was invented in 1977 [11]. It is an encryption algorithm that uses very large prime numbers to generate the public key and the private key. RSA is typically used in conjunction with a secret key cryptosystem such as DES. DES would be used to encrypt the message as a whole and then use RSA to encrypt the secret key. Thus, RSA provides a digital envelope for the message. RSA is in wide use today, it is possibly the most commonly used public key algorithm used. Because of this it has undergone a lot of public scrutiny and there is much empirical evidence of its security. It can be used for both encryption and signing. Although it would be possible to factor out the public key to get the private key (2 prime factors must be found out), the numbers are so large as to make it very impractical to do so. The encryption algorithm itself is very slow, which makes it impractical to use RSA to encrypt large data sets. In PGP (and most other RSA-based encryption programs), a symmetrical key is encrypted using the public key, then the remainder of the data is encrypted with a faster algorithm using the symmetrical key. The symmetrical key itself is randomly generated, so that the only way to get it would be by using the private key to decrypt the RSA-encrypted symmetrical key. At the labs of MIT, in 1976, Rivest, Shamir, and Adleman made a new algorithm for key exchange named as RSA, after the initials of its three inventors. RSA was based on the Diffie-Hellman paper "New Directions in Cryptography." RSA satisfied the original Diffie-Hellman description of "multi-user cryptography" because it does not require two active participants when performing both the encryption and decryption RSA Example An Example of the RSA Algorithm is given below [12]: P = 61 first prime number (destroy this after computing E and D) Q = 53 second prime number (destroy this after computing E and D) PQ = 3233 modulus (give this to others) E = 17 public exponent (give this to others) D = 2753 private exponent (keep this secret!) Your public key is (E,PQ). Your private key is D. 17

25 Chapter 2.Cryptography and security concepts The encryption function is: encrypt(t) = (T E ) mod PQ = (T 17 ) mod 3233 The decryption function is: decrypt(c) = (C D ) mod PQ = (C 2753 ) mod 3233 To encrypt the plaintext value 123, do this: encrypt(123) = ( ) mod 3233 = mod 3233 = 855 To decrypt the ciphertext value 855, do this: decrypt(855) = ( ) mod 3233 = Details of PGP PGP combines some of the best features of both conventional and public key cryptography. PGP is a hybrid cryptosystem [26]. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security. Most cryptanalysis techniques exploit patterns found in the plaintext to crack the cipher. PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient. 18

26 Chapter 2.Cryptography and security concepts Figure 2.6 How PGP encryption works. Decryption works in the reverse. The recipient's copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext. Figure 2.7 How PGP decryption works. The combination of the two encryption methods combines the convenience of public key cryptography to solve key distribution problem with the speed of conventional encryption. Conventional encryption is about 1,000 times faster than public key encryption. Public key encryption in turn provides a solution to key distribution and data transmission issues. Used together, performance and key distribution are improved in PGP. 19

27 Chapter 3. protocols and encoding Chapter 3 PROTOCOLS AND ENCODING 3.1 protocols Electronic mail, also called , is a computer based method of sending messages from one computer user to another. These messages usually consist of individual pieces of text which you can send to another computer user even if the other user is not logged in (i.e. using the computer) at the time you send your message. The message can then be read at a later time. This procedure is analogous to sending and receiving a letter. Originally, messages were restricted to simple text, but now many systems can handle more complicated formats, such as graphics and word processed documents. When mail is received on a computer system, it is usually stored in an electronic mailbox for the recipient to read later. Electronic mailboxes are usually special files on a computer which can be accessed using various commands. Each user normally has their individual mailbox. Today almost every server supports Simple Mail Transfer Protocol (SMTP) and Post Office Protocol version 3 (POP3). These are the protocols which are widely used for messaging. 3.2 SMTP SMTP transfers mail with consistency. SMTP [3] does not depend on the any network and needs only a consistent data channel to transmit s. SMTP can also relay mail across transport service environments. A transport service provides an Inter Process Communication Environment (IPCE). An IPCE may cover one network, several networks, or a subset of a network. It is important to realize that transport systems (or IPCEs) are not one-to-one with networks. Mail can be communicated between processes in different IPCEs by relaying through a process connected to two (or more) IPCEs. More specifically, mail can be relayed between hosts on different transport systems. 20

28 Chapter 3. protocols and encoding SMTP COMMUNICATION MODEL In SMTP communication model [19], is transmitted from sender-smtp to receiver-smtp. The receiver-smtp may be destination or an in-between receiver SMTP. SMTP commands are generated by the sender-smtp and sent to the receiver- SMTP. SMTP replies are sent from the receiver-smtp to the sender-smtp in response to the commands. Note that it is not necessary that user is also present at the receiving end and the message resides on the File system in the absence of the recipient. User File System Sender SMTP SMTP Commands SMTP Replies Receiver SMTP File System Figure 3.1 SMTP communication model. The communication sequence is as follows [19]: a) User sends a mail request to the sender-smtp. b) As the result of a user mail request, the sender-smtp establishes a two-way transmission channel to a receiver-smtp. c) Once the transmission channel is established, the SMTP-sender sends a MAIL command indicating the sender of the mail. d) If the SMTP-receiver can accept mail it responds with an OK reply. e) Then SMTP-sender then sends a RCPT command identifying a recipient of the mail. f) If the SMTP-receiver can accept mail for that recipient it responds with an OK reply; if not, it responds with a reply rejecting that recipient (but not the whole mail transaction). g) The SMTP-sender and SMTP-receiver may negotiate several recipients. h) When the recipients have been negotiated the SMTP-sender sends the mail data, terminating with a special sequence. If the SMTP-receiver successfully processes the mail data it responds with an OK reply. 21

29 Chapter 3. protocols and encoding A Typical SMTP Transaction Scenario Following SMTP transaction scenario shows mail sent by Nassar at host PNEC-ISIF, to AbdulRahman, Athar, and Kamran at host SSUET-UNIX. Suppose that in this case host PNEC-ISIF contacts host SSUET-UNIX directly. The mail is accepted for AbdulRahman and Kamran. Athar does not have a mailbox at host SSUET-UNIX. R: receiver SMTP S: sender SMTP R: 220 SSUET-UNIX.ARPA Simple Mail Transfer Service Ready S: HELO PNEC-ISIF.ARPA R: 250 SSUET-UNIX.ARPA S: MAIL FROM:<Nassar@PNEC-ISIF.ARPA> R: 250 OK S: RCPT TO:<AbdulRahman@SSUET-UNIX.ARPA> R: 250 OK S: RCPT TO:<Athar@SSUET-UNIX.ARPA> R: 550 No such user here S: RCPT TO:<Kamran@SSUET-UNIX.ARPA> R: 250 OK S: DATA R: 354 Start mail input; end with <CRLF>.<CRLF> S: begin 0666 cipher-without-uue.txt S: MBM;.7E5QS1T:Q3K3(J&+90"A`#BIR;LKWB;X;!1]LQ6%:<L31M,S=/ZBG6 S: M<,3O8N.75W+.Q2Z7^Y"NK/M/!@LJ`P3%\PA]5%SV0K0Q#9>4OQ#M<R*- S: M""02^99+Q]J%WSN?]_OY@?OAN0`$H'.\0<,+78B\1(51W41@RUJP)I.MSZ! S: MIQ'?O;I.$94DMC:H)5-%"(!UU#&:_YZZ%2N*O]2&(AAH&9:F$OB.Y<?HX' 22

30 Chapter 3. protocols and encoding S: S:.. S: end S:. R: 250 OK S: QUIT R: 221 SSUET-UNIX.ARPA Service closing transmission channel 3.3 Post Office Protocol version 3 (POP3) On certain types of smaller nodes in the Internet it is often not practical to maintain a message transport system (MTS). Similarly, it may be expensive (or impossible) to keep a personal computer interconnected to an IP-style network for long amounts of time. Despite this, it is often very useful to be able to manage mail on these smaller nodes, and they often support a user agent (UA) to aid the tasks of mail handling. To solve this problem, a node which can support an MTS entity offers a maildrop service to these inefficient nodes. The Post Office Protocol - Version 3 (POP3) is intended to permit a workstation to dynamically access a maildrop on a server host in a useful fashion [20]. Usually, this means that the POP3 protocol is used to allow a workstation to retrieve mail that the server is holding for it. POP3 is not intended to provide extensive manipulation operations of mail on the server; normally, mail is downloaded and then deleted. In the context of POP3, client host refers to a host making use of the POP3 service, while the term server host refers to a host which offers the POP3 service POP3 Basic Operation Initially, the server host starts the POP3 service by listening on TCP port 110. When a client host wishes to make use of the service, it establishes a TCP connection with the server host. When the connection is established, the POP3 server sends a greeting. The client and POP3 server then exchange commands and responses (respectively) until the connection is closed or aborted. Commands in the POP3 consist of a case-insensitive keyword, possibly followed by one or more arguments. All commands are terminated by a CRLF pair. 23

31 Chapter 3. protocols and encoding Keywords and arguments consist of printable ASCII characters. Keywords and arguments are each separated by a single SPACE character. Keywords are three or four characters long. Each argument may be up to 40 characters long. Responses in the POP3 consist of a status indicator and a keyword possibly followed by additional information. All responses are terminated by a CRLF pair. Responses may be up to 512 characters long, including the terminating CRLF. There are currently two status indicators: positive ("+OK") and negative ("-ERR"). Servers MUST send the "+OK" and "-ERR" in upper case. Responses to certain commands are multi-line. In these cases, which are clearly indicated below, after sending the first line of the response and a CRLF, any additional lines are sent, each terminated by a CRLF pair. When all lines of the response have been sent, a final line is sent, consisting of a termination octet (decimal code 046, ".") and a CRLF pair. "CRLF.CRLF". A POP3 session progresses through a number of states during its lifetime. Once the TCP connection has been opened and the POP3 server has sent the greeting, the session enters the AUTHORIZATION state. In this state, the client must identify itself to the POP3 server. Once the client has successfully done this, the server acquires resources associated with the client's maildrop, and the session enters the TRANSACTION state. In this state, the client requests actions on the part of the POP3 server. When the client has issued the QUIT command, the session enters the UPDATE state. In this state, the POP3 server releases any resources acquired during the TRANSACTION state and says goodbye. The TCP connection is then closed. A server MUST respond to an unrecognized, unimplemented, or syntactically invalid command by responding with a negative status indicator. A server MUST respond to a command issued when the session is in an incorrect state by responding with a negative status indicator. A POP3 server MAY have an inactivity auto logout timer. Such a timer MUST be of at least 10 minutes'duration. The receipt of any command from the client during that interval should suffice to reset the auto logout timer. When the timer expires, the session does NOT enter the UPDATE state--the server should close the TCP connection without removing any messages or sending any response to the client. 24

32 Chapter 3. protocols and encoding POP3 Security Considerations It is conjectured that use of the APOP command provides origin identification and replay protection for a POP3 session. Accordingly, a POP3 server which implements both the PASS and APOP commands must not allow both methods of access for a given user; that is, for a given "USER name" either the PASS or APOP command is allowed, but not both. Further, note that as the length of the shared secret increases, so does the difficulty of deriving it. Servers that answer -ERR to the USER command are giving potential attackers clues about which names are valid. Use of the PASS command sends passwords in the clear over the network. Use of the RETR and TOP commands sends mail in the clear over the network. Otherwise, security issues are not discussed in this memo Example POP3 Session In the following example, assume that S=Server POP3 host and C=Client POP3 host. S: <wait for connection on TCP port 110> C: <open connection> S: +OK POP3 server ready < @ssuet.edu.pk> C: APOP mrose c4c9334bac560ecc979e58001b3e22fb (authentication APOP cmd.) S: +OK mrose's maildrop has 2 messages (320 octets) C: STAT S: +OK C: LIST S: +OK 2 messages (320 octets) S: S: S:. C: RETR 1 S: +OK 120 octets S: <the POP3 server sends message 1> S:. 25