A brief comparison of email encryption protocols
This message briefly reviews and compares the four major email encryption protocols under discussion: MOSS, PGP, PGP/MIME, and S/MIME. Each is capable of adequate security, but also suffers from the lack of good implementation, in the context of transparent email encryption. I will try to address issues of underlying cryptographic soundness, ease of integration with email, implementation issues, support for multimedia and Web datatypes, and backwards compatibility. An additional grave concern is key management. Contrary to some beliefs, key management is not a solved problem. All of the proposals contain some mechanism for key management, but none of them have been demonstrated to be scalable to an Internet-wide email system. My belief is that the problems with key management do not stem from the classic Web of trust/certification hierarchy split, but the nonexistence of a distributed database (with nice interfaces) for holding keys. The encryption protocols also stand in the way of such a database, with key formats that are either overly complex, inadequate, or both. In case it is not clear by now, this review will be quite subjective, in many cases representing my own beliefs rather than objective fact. I'll try to point that out where I can. Also, I do not claim to have a thorough understanding of PEM and PKCS. Much of my knowledge comes from implementing premail, a tool that acts as "glue" between mailers and encryption packages. It supports PGP, MOSS (using the TIS/MOSS 7.1 implementation), and a draft of PGP/MIME, in addition to a wide range of anonymous remailer services. While usable, premail has many limitations, and certainly does not represent the "holy grail" of transparent email/crypto integration. Thus, my participation in the Internet Mail Consortium Secuirty Workshop (http://www.imc.org/security-workshop.html). I apologize for the wide distribution, and ask that followups be trimmed. PGP --- PGP (Pretty Good Privacy) is, of course, the de facto standard for email encryption on the Internet. PGP's underlying cryptography is quite sound - RSA (up to 2048 bits with the most recent implementation), IDEA with a 128 bit key, and MD5. PGP is entirely in accordance with the recent recommendations on minimum keylength (http://www.bsa.org/bsa/cryptologists.html), and in fact does not include a mode of operation in violation of those recommendations. This makes PGP (and, by extension, PGP/MIME) unique among the encryption protocols. PGP is packaged in a single application (i.e. a single binary) which performs encryption, decryption, signing, verification, and key management. It does not depend on the existence of great deal of infrastructure. These factors have, in my opinion, been decisive in PGP's popularity. However, PGP is still not suitable for fully transparent email encryption. The reasons are complex, and I will only touch on them here. The main missing feature is the lack of MIME integration. Thus, PGP is not suitable for multimedia types other than US-ASCII text. PGP does contain some support for 8-bit charsets, but at cross-purposes with MIME. Signature checking of non-US-ASCII data is simply not reliable. To give an idea of this problem, the most recent international version (2.6.3i) tries several different character set conversions when verifying signatures, to see if any of them will work. However, since a large fraction of email _is_ US-ASCII text, this feature alone probably does not explain the lack of deployment. PGP contains a number of implementation flaws (including silly things like not locking files, so that concurrent invocations fail). In addition, key management has some problems. Mostly, key management is hard to learn, time consuming, and requires a great deal of manual intervention. The "Web of trust" is supposed to fix this, by providing transitive trust of key authenticity. However, in practice the Web of trust has not delivered. In my experience (with many dozen correspondents), I have only had one or two keys transitively trusted. A standard PGP-signed message consists of a "-----BEGIN PGP SIGNED MESSAGE-----" line, the signed text (subject to some canonicalization rules), a "----BEGIN PGP SIGNATURE-----" line, a version line, the PGP signature itself, and an "-----END PGP SIGNATURE-----" line. All this is in the message body. The headers indicate that the message is a standard 7-bit, us-ascii, text/plain message. Thus, mailers have to parse the message contents to identify the message as PGP signed, or to extract the signed parts. This is at cross-purposes with MIME. Mailer implementors are reluctant to include such ad-hoc extensions. Existing extensibility mechanisms, based on MIME, cannot be used. PGP encrypted messages are similar - the identification as an encrypted message can only be made by parsing the message body. One technical problem with PGP is its inability to support single-pass processing, because the data format includes a size field. PGP/MIME -------- PGP/MIME is an effort to integrate MIME and PGP. There is a workable draft based on the MIME security multiparts, but the PGP/MIME mailing list is divided. Some particpants are happy with the existing draft, while others feel that other points in the design space (for the most part, labelling existing PGP message formats with appropriate MIME types) would be better. The design space is large and complex, with many constraints on efficiency, simplicity, backwards compatibility, and functionality. It is not clear that a consensus will develop at all. There are two implementations of the PGP/MIME draft: premail, and the PGPMIME reference implementation by Michael Elkins. For more information about the PGP/MIME draft, see http://www.c2.org/~raph/pgpmime.html . PGP 3.0 ------- Many people are hoping that PGP 3.0 will somehow come along and solve all their problems. PGP 3.0 is only an evolutionary improvement over the existing implementations (MIT PGP 2.6.2 and PGP 2.6.3i). For the most part, it will support only the existing message formats. There may be support for decoding draft PGP/MIME signed messages, but this is still being negotiated. The main advance in PGP 3.0 is a cleaned up implemenation. The PGP 2.6.2 code is disgusting, and should not be integrated directly into any mailer application. The 3.0 code will be modular and based on published interfaces. Furthermore, the 3.0 development team plans to release the code as both a stand-alone application and as a library. It is difficult to predict when the public release will happen. Based on what I've seen, fall of 1996 seems the most likely. MOSS ---- MOSS (MIME Object Security Services) is an attempt at an email encryption protocol in accordance with MIME. It is currently an Internet RFC. There is a reference implementation (TIS/MOSS 7.1). MOSS is mostly cryptographically sound. However, the choice of symmetric encryption algorithm (and key size) is left unspecified. Thus, it cannot be said that MOSS is in accordance with the recommendations for minimum keysize. In fact, the only public implementation, TIS/MOSS 7.1, uses 56-bit DES, which is in direct violation of these standards. The TIS/MOSS implementation has a number of other problems. It is big and complex, probably due to its TIS/PEM ancestry. For more information about TIS/MOSS, see http://www.tis.com/docs/Products/tismoss.html . MOSS supports two modes of key management: X.509, and completely manual key management. In this way, it is a dramatic advance over PEM, which only supported X.509, but life for implementors remains hard. One feature which I believe is sorely lacking is a cryptographic hash of the public key as the basic unit of manual key management. Thus, people either have to trust the mechanism by which the key was delivered, or examine the base-64 representation of the entire key. I consider this to be a serious usability problem. For an example of how hashes of keys have been done right, see Netscape 2.0's handling of untrusted certificates. S/MIME ------ S/MIME is an attempt to graft MIME support onto underlying PEM standards. See http://www.rsa.com/rsa/S-MIME/ for more info. I feel compelled to deal harshly with RSA's S/MIME FAQ (http://www.rsa.com/rsa/S-MIME/smimeqa.htm). It suggests that MOSS has interoperability problems because of multiple implementations, while S/MIME presumably doesn't. I take strong exception to this statement. There is no technical basis for it. I consider the possibility of admitting multiple implementations as a _requirement_ for an Internet email standard. However, because S/MIME is documented, it hopefully will be possible to create independent implementations, in spite of what RSA says. The only symmetric encryption algorithm mandated by S/MIME is 40-bit RC2. Thus, S/MIME is in violation of the key size recommendations. Further, RC2 has not been confirmed to be publicly known. If RC2 is not known, then an independent implementation of S/MIME is impossible. Fortunately, source code for an alleged implementation of RC2 has recently been posted to the Internet, resolving this problem, if it is authentic. If not, then my reservations remain. S/MIME also recommends 56-bit DES CBC and (either 112 or 168 bit) DES EDE3-CBC. This is good; any S/MIME implementation in accordance with the recommendations will conform to the keysize recommendations as well. S/MIME remains firmly grounded in the X.509 certification hierarchy, although the FAQ claims that the guidelines for hierarchies are "more flexible" than in PEM. One cryptographic weakness of S/MIME is that eavesdroppers can distinguish between encrypted and signed-and-encrypted messages. This violates the principle of disclosing a minimum amount of information. PGP, PGP/MIME, and MOSS do not have this problem. Probably the most controversial aspect of S/MIME is its signature format. An S/MIME signed message is a MIME multipart in which the first part is the data to be signed, and the second part is a complete PKCS #7 (section 10) signed message. This protects quite well against munging by mail transport, but has two problems. First, the size of the message is doubled. Second, the fact that the two singed messages are identical is not enforced (if it were, mailer munging would cause too many signatures to fail). Thus, Eve can send Alice and Bob a message (M1, (M2, Signature(M2))). Alice, not having an S/MIME implementation, would see only M1. Bob, having an S/MIME implementation, would see only M2, for which the signature would check. Alice, being suspicious, might call Bob up on the telephone and ask whether the signature was really valid. Bob would of course say yes. Unless they compared notes on the contents, they would not notice the discrepancy. To my mind, this counts as protocol failure, and thus it is not possible to claim that S/MIME conforms to best cryptographic practice. I would expect that doubling the message body will create performance problems in a Web environment. For example, if the first message is used for display, then it becomes necessary to compare the two messages. If, instead, the second message is used, then the first message will be responsible for significant added latency. Integration with mailers ------------------------ Integration with mailers is quite difficult. In general, the mailer implementor will need to add specific features to support cryptography. Because of the restrictiveness of ITAR regulations, such an approach may not be practical for US developers, at least while supporting strong cryptography. Perhaps the biggest feature required in the mailer is integration of key management and the "address book". If this feature is not implemented in the mailer, then two address books are required - one to select email addresses, and another to map email addresses to keys. This approach is used by premail, and is the source of many usability problems. It would be nice if a database existed which could map email addresses to public keys without manual intervention, but none of the proposals on the table are capable of it. Such a database would certainly improve usability, as well as making it considerably easier to Another feature that is required for fully transparent integration is caching of decrypted session keys. If not implemented, then the user interface delays in navigating a mail folder become unacceptable. To my knowledge, no implementation supports this feature. One dimension in the design space is whether the cryptographic engine is tightly integrated with the mailer (i.e. shares an address space), or is a separate process that communicates with the mailer. Both approaches have been implemented. Both approaches are subject to numerous pitfalls, which have unfortunately not been entirely avoided. These issues have more to do with implementation than with the encryption protocol, but I thought I'd mention them here, so that they are not actively thwarted. Conclusion ---------- All of the proposals described here can be used for secure email. None of them will be widely deployed in this capacity unless they are implemented well. I have concerns that both MOSS and S/MIME are susceptible to political pressure which will restrict key sizes insecurely in practice. I would like to see consensus develop around one of the proposals, so that energies used for implementation can be more focussed and effective. It is my hope that this conference will move in that direction. Raph Levien
Raph, your summary is very useful! I would like to make a few comments and suggest a model for breaking down an email encryption system into four components: the trust model, the key/certificate distribution system, the on-the-wire certificate data structure and the on-the-wire transport data structure. The comments: At 12:49 PM 2/14/96, Raph Levien wrote:
.... An additional grave concern is key management. Contrary to some beliefs, key management is not a solved problem. All of the proposals contain some mechanism for key management, but none of them have been demonstrated to be scalable to an Internet-wide email system. My belief is that the problems with key management do not stem from the classic Web of trust/certification hierarchy split, but the nonexistence of a distributed database (with nice interfaces) for holding keys. The encryption protocols also stand in the way of such a database, with key formats that are either overly complex, inadequate, or both.
Here here! agreed!
S/MIME remains firmly grounded in the X.509 certification hierarchy, although the FAQ claims that the guidelines for hierarchies are "more flexible" than in PEM.
X.509 v3 explicitly does allow for more flexibility. To quote from section 12.4.1: g) Complete flexibility in trust models is required. A strict hierarchical model which is adequate for a single organization is not adequate when considering the needs of multiple interconnected enterprises. Flexibility is required in the selection of the first trusted CA in a certification path. In particular, it should be possible to require that the certification path start in the local security domain of the public-key user system.
Probably the most controversial aspect of S/MIME is its signature format. An S/MIME signed message is a MIME multipart in which the first part is the data to be signed, and the second part is a complete PKCS #7 (section 10) signed message.
It is certainly technically possible to use the multipart/signed format from RFC-1847 (also used in PGP/MIME) with PKCS #7. It certainly seems superior is almost every way to the multipart/alternative in the current S/MIME draft. Also Steve D. pointed out that the multipart/alternative format is not the primary signature format. Going back to breaking things down into four parts, these are some points I know about. Please correct me if I say something wrong and pardon some of the details most of us already know: The Trust Model --------------- Any fully implemented system will have to choose some form of a trust model. Some possibilities are: * web of trust * strict hierarchy * web of hierarchies or some other hybrid The important thing here is that there are many trust models that are valid and useful and it may be useful for other components of the system to be neutral to the trust model as is clearly the case with MOSS. The Key Distribution System --------------------------- A lot of components may go into this (protocols, client/server architectures, local key stores) and it is probably the most complicated part of any system. Some options are: * distribution of keys manually via e-mail * automatic non-interactive lookup of keys from a server * interactive browsing of a key store for keys * revocation lists or none * online certificate verification via a secure channel * certificate caching Probably the best thing to say, is that there's a lot of work to do here. The Certificate format ---------------------- It seems possible to pick a certificate format independent of the other issues. Doing so would allow us to leverage components like we do with other data objects like MIME. There probably only two major contenders: * X.509 v3 + broadly supported by standard bodies + supported by several industries (e.g., banking) + very rich and flexible + ASN.1 - ASN.1 (tough for a student to get an ASN.1 compiler) - complicated * PGP keys + widely deployed + simple to write code for - difficult to lookup (linear search on key id required) - too simple to support many trust models and distribution systems Note that both use the RSA algorithms, so they are interchangeable at some very basic level. The Transport of Content format ------------------------------- This is the format of the actual message that is sent from one user to the next. I'm going to discard anything that doesn't handle MIME because I don't think they are important any more. Raph described a lot of this so I'll just mention a few considerations explicitly about transport formats. * PGP/MIME From a data structure format this is a compact binary format. It seems reasonable to implement, is documented and requires no special tools. There is a performance problem with key look ups for signed message because a linear search is required unless the key or other data is always included with the message. * S/MIME (PKCS + MIME) Uses PKCS format with some MIME formatting. The main problems here are the multipart/alternative format for signatures and the ASN.1 requirement. An ASN.1 compiler is required to implement this. PKCS has actually been around for a while and has been used for a number of cryptographic systems. * MOSS MOSS is perhaps the easiest to implement and the most flexible since it is an ASCII text protocol like other Internet protocols and because it explicitly supports several trust models. I think the most important observation is that PGP/MIME and MOSS share the security multiparts structure from RFC 1847. It is also possible to use the security multiparts format with PKCS #7 and thus S/MIME could be changed to support it. If this happened we'd have something in common for all formats and it would make life much easier for all e-mail client authors. An added bonus is that RFC-1847 support allows an e-mail client to support encryption and signing of full MIME entities with an external program that can be configured like MIME content viewers are with something like the mailcap facility. It can be something as simple as a UNIX pipe to a command like pgp. Laurence Lundblade <lgl@qualcomm.com> QUALCOMM Inc. 619-658-3584
participants (2)
-
Laurence Lundblade -
Raph Levien