Email Cryptosystems

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:00

>> We've discussed IPSec sub protocols, and now we're going to focus on Email Cryptosystems. We're going to talk about the ways that we get privacy, authenticity, integrity, and non-repudiation for our email messages. There are two main ways, two main tools that we can use to protect our messages, and the first is through the use of a proprietary application called PGP, and that stands for Pretty Good Privacy. Pretty Good Privacy, not really aiming for the moon there, but it turns out Pretty Good Privacy is pretty darn good privacy. This was a proprietary application, which means you would need to download the software and you would need to be communicating with somebody else who has the software. It's not standards-based.

S/MIME, however, is standards-based. It takes advantage of X.509 version 4 certificates like we talked about earlier, and it uses the standards-based methodologies to protect our e-mail messages. Let's look at S/MIME first.

If we look at S/MIME, once again, we know we want privacy, authenticity, integrity, and non-repudiation. We talked about traditionally, if I want privacy, I need the receiver's public key. If I want authenticity, I need the sender's private. I hash to get integrity, and to get non-repudiation, I encrypt the hash with the sender's private key. That's just a review from earlier. What does that look like with S/MIME? Well, all that's great, but we can't forget the fact that for bulk communication, I really want to use symmetric cryptography because that's what's fast.

Here's the way S/MIME does it. S/MIME creates something called a digital envelope. We start out right in the middle of our little illustration here with the message contents. S/MIME encrypts the contents of the message with a symmetric key. Remember, we like symmetric data exchange. Now, the problem with that is, how do I get you the symmetric key that I used to encrypt the contents of the message? I'll just attach it to the message, I'll just put it on the side of the message. Well, that's a problem because anybody that intercepts the message would know the symmetric key. Not so fast. I'm going to encrypt the symmetric key with the receiver's public key. If the symmetric key is encrypted with the receiver's public key, what's the only thing that will decrypt it? The receiver's private, which only the appropriate receiver will have. What have I done? I've encrypted the symmetric key with an asymmetric key. I've done asymmetric key exchange so that I can do symmetric data exchange for the message contents. How smart is that?

But to continue with protection, I need integrity, so I'm going to hash the contents of the message. Then, so that you know the message came from me, I'm going to encrypt that hash, as the sender, with my private key. By encrypting the hash with my private key, you know the hash had to have come from me. That is a digital signature. Once again, the message is encrypted with the symmetric key that's added to the message, that symmetric key is encrypted with the receiver's public, the document gets hashed, and the hash gets encrypted with the sender's private key for non-repudiation. Got a lot going on here. But this completely secures the e-mail message.

Don't forget, not every time you send a message does this happen. You have the options to select. If you think about Outlook, you can select to encrypt the message, to digitally sign the message, and when you choose both of those options, what S/MIME is doing is creating this digital envelope.

Now, because PGP is proprietary, the same process isn't going to work. This idea of verifying keys through certificates, which is part of the workings of S/MIME, PGP doesn't use. It doesn't use the standard certificates, doesn't use standard keys, uses something called the web of trust. With PGP, the web of trust, essentially, you have people vouch for you, so to speak. If you trust Carl and Carl trusts me, then you trust me. These are non-standard certificates; I authenticate myself by referencing somebody else that you trust, essentially. Look, Carl says I'm Kelly, so I must be Kelly. That's the study of the web of trust.

The keys are exchanged and keys are stored. With PGP they're stored in a file called the key ring. Once I learn what your public key is, I store that in this key ring. It's like a cache, I store what I've learned before so that I can use it again. But bottom line, this is a proprietary deal. Zimmermann designed it to thumb his nose at the government, which at the time was really taking a heavy-handed stance on cryptography and really limiting the strength of cryptosystems at the time. Zimmermann said, "Look, we'll use our own algorithms, we'll use our own applications, and we'll provide the security that isn't placed by the government, so that we can have an added assurance that the government can't compromise our information."

Just a quick look at PGP and S/MIME. S/MIME being standards-based, PGP being proprietary. You're not going to need to get into detail about PGP, but I would understand S/MIME in the concepts of the digital envelope.