8.2 S/MIME and PGP
Pictures are for entertainment, messages should be sent by Western Union
Sam Goldwyn (born Samuel Goldfish) (1882-1974),
American film producer
A quarter of a century ago, Internet e-mail involved little more than elementary
ASCII message exchange, typically among researchers based in universities
or government centers. For these clients, security was not much of an issue.
Today, e-mail is used by tens of millions of people worldwide for sending a
cornucopia of digital information including not only text-based data, but also
sophisticated graphics, movies, music, and much more. A substantial amount
of this traffic requires security, and much of this has been provided by a scheme
called Secure Multipart Internet Mail Extension (S/MIME), the initial version of
which was developed by a private consortium of vendors. This was an evolution
of the original MIME e-mail scheme, developed by IETF, which had no security
attached to it. The latest version in this evolution is S/MIMEV3, or S/MIME,
version 3, which was made an IETF standard in July 1999. S/MIMEV3 is
described in [216]-[220], which contain the following parts: (RFC2630), cryptographic
message syntax; (RFC2631), Diffie-Hellman key-exchange method;
(RFC2632), certificate handling; (RFC2633), signature/encryption protocols;
and (RFC2634), some enhanced security service extensions: signed receipts;
security labels; secure mailing lists; and signing certificates. S/MIMEV3 includes
PKI attributes such as CRLs, and X.500 certificates used to bind an entity's
identification and public key for the secure operation of S/MIME and other
PKI-enabled functions. Indeed, S/MIME uses PKI to employ mechanisms for
authenticating S/MIME users, to provide digital signatures, ensure confidentiality,
nonrepudiation, and more.
Not only has S/MIME been proposed for providing e-mail security services,
but also for its use with PGP. There are two proposed standards, OpenPGP
and PGP/MIME, both of which are based on PGP, and the latter of which
was developed by individuals, some of whom now form PGP Inc. In 1997, the
OpenPGP Working Group was formed in IETF to define a standard. OpenPGP
is now an IETF proposed standard, RFC2440. It appears clear at this point
in time that S/MIME will become the industry standard for commerce, while
PGP will prevail as the choice for individuals seeking security in their e-mail
transactions.
Section 8.1 looked at PGP in depth, and we saw that the scheme provides for
mechanisms involving the signing and encryption of data. The same is true of
S/MIME. We now look at enhancements in functionality built into S/MIMEV3.
S/MIME Functionality
We assume that Alice is sending a message to Bob.
1. Enveloped Data: This function provides for SKC encryption, with a
symmetric key k, say, of S/MIME data, D, to form k(D), followed by