Subject: System Web Security

Topic: Network Security

Difficulty: Low

The key components of the Internet mail architecture, which include the following.

• Message User Agent (MUA): Works on behalf of user actors and user applications.It is their representative within the e-mail service.

• Mail Submission Agent (MSA): Accepts the message submitted by a MUAand enforces the policies of the hosting domain and the requirements of Internet standards.

• Message Transfer Agent (MTA): Relays mail for one application-level hop.It is like a packet switch or IP router in that its job is to make routing assessmentsand to move the message closer to the recipients.

• Mail Delivery Agent (MDA): Responsible for transferring the message fromthe MHS to the MS.

• Message Store (MS): An MUA can employ a long-term MS. An MS can belocated on a remote server or on the same machine as the MUA.

Secure Email

• Secure email is a safe, efficient alternative to regular email, fax and post. When you hit the send button on your secureeMail, the information contained in it is encrypted, so it can only be read by your intended recipient. By contrast, regular emails can be fairly easily intercepted and read by just about anyone.

• The Secure eMail service is an important part of the process of joining up the Criminal Justice System (CJS) in England and Wales. It allows people working across the CJS who choose to participate, to send emails containing 'RESTRICTED' (i.e. sensitive data), in a secure way.

• For the first time, it's made it possible for these key groups of people to send emails securely to each other.

How does Secure eMail work?

• Criminal Justice organisations already have Secure email systems (GSI, GSX and CJX) which are part of the Government Secure Community. They can send and receive sensitive information through these systems.

• Such organisations don't have to do anything to ensure that they are connected to the Secure eMail service, as this connects directly into - and is accredited by - the Government Secure Community.

• Criminal Justice Practitioners are not a part of this secure community, it falls to the SecureeMail service to provide the technology to encrypt the contents of an email when they send it.

• This encryption ensures that the email, if intercepted, will be unreadable. Once the email reaches its destination it will be decrypted so that the intended recipient can read it.

S/MIME

• Secure/Multipurpose Internet Mail Extension (S/MIME) is a security enhancementto the MIME Internet e-mail format standard based on technology from RSA Data Security.

• Although both PGP and S/MIME are on an IETF standards track, it appears likely that S/MIME will emerge as the industry standard for commercial and organizational use, while PGP will remain the choice for personal e-mail security for many users.

RFC 5322

• RFC 5322 defines a format for text messages that are sent using electronic mail. It hasbeen the standard for Internet-based text mail messages and remains in common use.
• In the RFC 5322 context, messages are viewed as having an envelope and contents. Theenvelope contains whatever information is needed to accomplish transmission anddelivery.
• The contents compose the object to be delivered to the recipient.
• The RFC5322 standard applies only to the contents. However, the content standard includes aset of header fields that may be used by the mail system to create the envelope, and thestandard is intended to facilitate the acquisition of such information by programs.

Multipurpose Internet Mail Extension (MIME)

• Multipurpose Internet Mail Extension (MIME) is an extension to the RFC 5322 framework that is intended to address some of the problems and limitations of the use of Simple Mail Transfer Protocol (SMTP)

• Lists the following limitations of the SMTP/5322 scheme.

1. SMTP cannot transmit executable files or other binary objects

2. SMTP cannot transmit text data that includes national language characters, because these are represented by 8-bit codes with values of 128 decimal orhigher, and SMTP is limited to 7-bit ASCII.

3. SMTP servers may reject mail message over a certain size.

• MIME is intended to resolve these problems in a manner that is compatiblewith existing RFC 5322 implementations.

• The MIME specification includes the following elements.

1. Five new message header fields are defined, which may be included in an RFC 5322 header. These fields provide information about the body of the message.

2. A number of content formats are defined, thus standardizing representations that support multimedia electronic mail.

3. Transfer encodings are defined that enable the conversion of any content formatinto a form that is protected from alteration by the mail system.

• The five header fields defined in MIME are:

1. MIME-Version: Must have the parameter value 1.0. This field indicates thatthe message conforms to RFCs 2045 and 2046.
2. Content-Type: Describes the data contained in the body with sufficient detailthat the receiving user agent can pick an appropriate agent or mechanism torepresent the data to the user or otherwise deal with the data in an appropriate manner.
3. Content-Transfer-Encoding: Indicates the type of transformation that hasbeen used to represent the body of the message in a way that is acceptable for mail transport.
4. Content-ID: Used to identify MIME entities uniquely in multiple contexts.
5. Content-Description: A text description of the object with the body; this isuseful when the object is not readable (e.g., audio data).

S/MIME FUNCTIONALITY

• In terms of general functionality, S/MIME is very similar to PGP. Both offer theability to sign and/or encrypt messages.

1. Enveloped data: This consists of encrypted content of any type and encrypted content encryption keys for one or more recipients.

1. Signed data: A digital signature is formed by taking the message digest of thecontent to be signed and then encrypting that with the private key of the signer.The content plus signature are then encoded using base 64 encoding. A signeddata message can only be viewed by a recipient with S/MIME capability.

1. Clear-signed data: As with signed data, a digital signature of the content isformed. However, in this case, only the digital signature is encoded usingbase64.As a result, recipients without S/MIME capability can view the messagecontent, although they cannot verify the signature.

2. Signed and enveloped data: Signed-only and encrypted-only entities may benested, so that encrypted data may be signed and signed data or clear-signed data may be encrypted.

S/MIME – Certificates

• Public key certificates are required to protect the authenticity and integrity of public keys, thus protecting against man-in-the-middle attack.
• A certificate chain must be verified until a root CA is reached

a certificate can only be trusted if:

• Every certificate in the chain is successfully verified.
• Every CA in the certificate chain is trusted.
  • In practice, certificate chains are short and seldom verified for trustworthiness.
  • Also, the concept of cross-certification is of low practical value and seldom used between certification service providers.