RSA Encryption for Email - PowerPoint PPT Presentation

About This Presentation
Title:

RSA Encryption for Email

Description:

... also register with certification company as above, as must all your contacts. ... until 1997 due to its top-secret classification, and Rivest, Shamir, and Adleman ... – PowerPoint PPT presentation

Slides: 21
Provided by: outlookenc

Transcript and Presenter's Notes

Title: RSA Encryption for Email


1
RSA Encryption for Email
CPL Systems Ltd., Dunston Innovation Centre, Chesterfield S41 8NG
Tel 0114 262 0242, Fax 0114 235 1604
2
WHY ENCRYPT EMAIL ?
  • Someone may intercept your email from Wi-Fi links,
    ISP servers or Outlook folders.
  • Government agencies may legally obtain your
    sensitive information: you are doing nothing
    wrong, but they think you are, and you have to
    prove you are not.
  • You accidentally email confidential data to the
    wrong person.

3
Which encryption method ?
There are only two types of encryption available, symmetric and asymmetric.
Symmetric means that to decrypt you have to get a password to the other end, which invalidates this type of security for email use. Examples of symmetric encryption systems are DES and AES.
The only available asymmetric encryption system is RSA. All financial and credit card transactions on the internet use RSA.
The main problem with RSA is that it normally uses 3rd party Digital Certificates, a security weakness. Person To Person software has been specifically developed to not require Digital Certificates. Person To Person still executes the function of Digital Certificates, but it doesn't require you to purchase 3rd party certificates.
4
Email and Wi-Fi
  • Wi-Fi Security: A wireless connection is made
    secure by using Wi-Fi Protected Access (WPA). At
    configuration time a secret key is shared by the
    users and access point/router, which allows
    encrypted transmissions over the radio links.
  • Wi-Fi Hotspots in public places are not encrypted:
    Because a user and the hotspot cannot share a
    secret key, transmissions will not be encrypted.
  • Anyone can capture unencrypted transmissions:
    There is off-the-shelf plug-in hardware and free
    software. Works on most PCs.
  • A Wi-Fi network in the home might not be
    encrypted: You may not have enabled security.
    Visitors will not possess your router's secret key.
5
UK Government Surveillance Powers
  • Regulation of Investigatory Powers Act 2000:
    Telecommunications data can be intercepted
    under warrant for reasons of national security,
    crime detection and economic well-being of the
    country. It can be shared with other countries
    under reciprocal agreements. It has been invoked
    by local councils for trivial matters.
  • Data Retention (EC Directive) Regulations 2009:
    ISPs must retain details of email and other
    communications and disclose them to UK authorities
    when asked. Moves to include message contents
    have failed to date but the intention remains.
6
GCHQ Cheltenham
Official Purpose: To provide the UK Government
with intelligence on terrorist, criminal and
economic activities.
7
GCHQ Technology
  • Computing Power: One of the largest computer
    complexes in Europe - Advanced surveillance
    capabilities - Exceptional database resources
  • Links: Biggest LAN in Europe - One of the largest
    wide area networks on earth. Has links to
    America's National Security Agency.
  • Mastering the Internet: The new name for the
    current 1 billion project for intelligence
    gathering. It was previously called the
    Interception Modernisation Programme.
  • Deep Packet Inspection: Hardware and software
    readily available from vendors for the
    reconstruction of application data from
    communications packets. Routinely used for
    firewalls and diagnostics.
8
RSA Encryption: How It's Done
  • You obtain a key set: Public Key, Private Key
  • Send your Public Key to a correspondent
  • The correspondent encrypts a message with your
    Public Key and sends it to you
  • You decrypt using your Private Key

9
Using Digital Certificates
  • Find and select a suitable certification company,
    often a complex and bewildering decision. All
    your contacts must also do this.
  • Purchase a Digital Certificate from a commercial
    certification company who will then hold all your
    private details and encryption keys on their
    servers. You normally do not know who owns the
    commercial company or who has access to your
    data.
  • Download and install the Digital Certificate
    which you have purchased (contains your Public
    Key) and the associated Private Key on your PC.
  • Send a digitally signed email to a correspondent;
    they must also register with the certification
    company as above, as must all your contacts.
  • Correspondent verifies the signature; this
    automatically adds your Certificate to your
    contact details held by the correspondent.
    Validation depends on the 3rd party
    certification company.
  • Correspondent chooses to encrypt a message and
    sends it to you, message is automatically
    decrypted when received by you (or whoever is at
    your PC).
  • Purchase renewal of Digital Certificate annually
    (company may have changed hands).
  • You rely on the certification company to validate
    that your correspondent is who they say they are
    and that your emails are decrypted by the right
    person.

10
Problems with Digital Certificates
  • What if the Certification Authority (CA) loses
    its secret key ?
  • What if the CA issues false certificates ?
  • Digital Certificates only work for a limited time
    before they expire
  • There are many CA organisations, which do you
    choose ?
  • CA organisations are commercial companies
  • CAs accept little or no responsibility for the
    certificates
  • Most CA structures are multi-level with a
    certificate chain
  • The impossibility of linking every certificate to
    an individual
  • The CA can impersonate anyone on the system
  • What if someone steals your identity ?
  • Digital Certificates are extremely difficult to
    revoke
  • Registering and using Digital Certificates is
    complex
  • All your contacts have to buy and install a
    Digital Certificate
  • They own and keep your personal data and
    encryption keys
  • Which of their employees has access to your data
    ?
  • How rigorous is their employee screening ?
  • How secure are their IT systems ?

11
Person To Person: No Digital Certificates
  • Install Person To Person software
  • Email Public Key to correspondent
  • Correspondent encrypts a message and emails it to
    you
  • Message is decrypted automatically for you on
    receipt. THAT'S IT!

12
Advantages of Person To Person
  • You do not buy, manage or renew Digital
    Certificates
  • Public and Private keys are deployed but
    transparent
  • There is no private information stored on your
    PC. Your password is not stored; if it is stolen
    it is useless anyway.
  • The encryption is very much stronger
  • Digital signing and verification is implicit
  • Your keys can be changed at any time
  • Only two people are involved, you and your
    correspondent

13
RSA Encryption Explained
14
RSA History
  • A British mathematician working for the UK
    intelligence agency GCHQ described an equivalent
    system in an internal document in 1973, but given
    the relatively expensive computers needed to
    implement it at the time, it was mostly
    considered a curiosity and, as far as is publicly
    known, was never deployed. His discovery,
    however, was not revealed until 1997 due to its
    top-secret classification, and Rivest, Shamir,
    and Adleman devised RSA independently of the GCHQ
    work.
  • The RSA algorithm was publicly described in 1978
    by Ron Rivest, Adi Shamir, and Leonard Adleman at
    MIT; the letters RSA are the initials of their
    surnames, listed in the same order as on the
    original paper.
  • MIT was granted U.S. Patent 4,405,829 for a
    "Cryptographic communications system and method"
    that used the algorithm in 1983. The patent would
    have expired in 2003, but was released to the
    public domain by RSA Security on 21 September
    2000. Since a paper describing the algorithm had
    been published in August 1977 prior to the
    December 1977 filing date of the patent
    application, regulations in much of the rest of
    the world precluded patents elsewhere and only
    the US patent was granted. Had the GCHQ work been
    publicly known, a patent in the US might not have
    been possible.

15
Simple Encryption (Symmetric)
[Diagram]
In Douglas: HELLO → Key 9834 → BXTAH
In Sydney: BXTAH → Key 9834 → HELLO
To send a secret message from Douglas to Sydney
you first have to send the key. This is unsafe.
Each pair of correspondents needs to share a key.
For a group of 10 this means 45 keys.
16
RSA Encryption
[Diagram]
In Douglas: HELLO → Sydney Public Key 8943 → BXTAH
In Sydney: BXTAH → Sydney Private Key 5927 → HELLO
Everyone knows the Sydney Public Key because it
is not secret.
You cannot use the Public Key to decrypt the
message.
Only Sydney knows its Private Key and never sends
it anywhere.
One key set per correspondent: 10 correspondents
means 10 key sets.
17
Encryption Process: More Detail
[Diagram]
Random Number Generator → Transport Key
Transport Key + Sydney Public Key → Public Key Encryption → Encrypted Transport Key → Send
FILE + Transport Key → Symmetric Encryption → Encrypted File → Send
18
Digital Signing
[Diagram]
In Douglas (SIGN): FILE → Secure Hash Algorithm → Digest → Douglas Private Key 8725 → Signature
In Sydney (VERIFY): FILE → Secure Hash Algorithm → Digest
In Sydney (VERIFY): Signature → Douglas Public Key 1693 → Digest
Compare the two digests
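
The encryption and signing flows of slides 17 and 18, written out as an added example (it is not CPL Systems' or Person To Person's code). Assumptions: textbook RSA without padding, small constructed key sets built from known Mersenne primes, a SHA-256 keystream standing in for the symmetric cipher, and hypothetical function names; deployed systems use large random primes, OAEP/PSS padding and a vetted cipher such as AES.

```python
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    """Textbook RSA key set from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def keystream_xor(key, data):
    """Stand-in symmetric cipher (SHA-256 counter keystream); the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def digest_int(data, n):
    """Secure Hash Algorithm step: SHA-256 digest reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def send(file, sender_private, recipient_public):
    n_r, e_r = recipient_public
    n_s, d_s = sender_private
    transport_key = secrets.token_bytes(16)                        # random number generator
    wrapped = pow(int.from_bytes(transport_key, "big"), e_r, n_r)  # public key encryption
    encrypted_file = keystream_xor(transport_key, file)            # symmetric encryption
    signature = pow(digest_int(file, n_s), d_s, n_s)               # sign the digest
    return wrapped, encrypted_file, signature

def receive(message, recipient_private, sender_public):
    wrapped, encrypted_file, signature = message
    n_r, d_r = recipient_private
    n_s, e_s = sender_public
    transport_key = pow(wrapped, d_r, n_r).to_bytes(16, "big")     # unwrap with private key
    file = keystream_xor(transport_key, encrypted_file)
    verified = pow(signature, e_s, n_s) == digest_int(file, n_s)   # compare the two digests
    return file, verified

# Constructed demo key sets (assumption): real keys use large random primes.
SYDNEY_PUB, SYDNEY_PRIV = make_keypair(2**127 - 1, 2**107 - 1)
DOUGLAS_PUB, DOUGLAS_PRIV = make_keypair(2**89 - 1, 2**61 - 1)

if __name__ == "__main__":
    msg = send(b"HELLO", DOUGLAS_PRIV, SYDNEY_PUB)
    print(receive(msg, SYDNEY_PRIV, DOUGLAS_PUB))
```

A single flipped bit in the encrypted file changes the recovered digest, so `receive` returns `False` for the signature check.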
19
Why is Person To Person secure
  • It uses a rigorous implementation of a published
    standard (RSA) but with much larger keys
  • It has been successfully used in the field for
    over 15 years
  • It only involves you and your email
    correspondent, no 3rd party Digital Certificate
    organisations are involved

20
CPL Systems Limited
Dunston Innovation Centre, Dunston Road, Chesterfield S41 8NG
Tel 0114 262 0242, Fax 0114 235 1604
Strong Cryptography Since 1984