Thursday, December 15, 2011

Carrier IQ Subverts HTTPS Protections

There have been many recent news articles describing Carrier IQ. Carrier IQ is a piece of software that runs on mobile phones and collects information about user behaviors. According to the software manufacturer Carrier IQ does not collect sensitive data. Some have labelled Carrier IQ a "rootkit" because of its stealthy behavior ad level of access.

While watching the original demonstration of Carrier IQ, I noticed that many things were being written to the system log including web URLs (the author notes this as well). The collection of URLs may include those that use the HTTPS protocol (encrypted web traffic). The URLs may also include GET parameters (words after the question mark). GET parameters act as variables and are sent to the web server as a way to customize the resulting web page for the user. For example the following URL could be used to authenticate someone to a web service (think bank): 

https://secure.foobar.com/baz?username=foo&password=bar

The intention of the HTTPS protocol is to provide transport-layer end-to-end encryption. The end points are supposed to be the web browser and the web server. HTTPS uses SSL/TLS to provide the encryption. Transport-layer encryption by nature does not protect the privacy of the source and destination ip addresses. It protects the privacy of everything in the application layer which includes GET parameters and all other HTTP data (web page contents, HTTP headers, POST parameters, etc). Once my HTTP request leaves my browser it is supposed to be encrypted until it is decrypted on the server (end-to-end!).

However, because Carrier IQ writes the URL, including parameters to the system log file they break the end-to-end encryption. This caught my attention. This is not a small matter. Now that the data is in the system log it is available to all other software on the phone! Not good.

I spent about one hour creating a proof of concept Android application that scrapes the system log and sends all HTTPS URLs, including parameters, to another computer connected to the Internet. My application also grabs the device ID and sends it along with the URL (for the demo below I used the Android emulator which has all zeros for its device ID).

The application had to request the Android "READ_LOGS" and "INTERNET" permissions. These permissions are very common. The "READ_LOGS" permission is often used by developers so that end users can send log files with bug reports. The "INTERNET" permission is used by all apps which need network access (many).

My app uses a giant user interface button to perform the log scraping. But imagine that the application ran as a service and ran without the user knowing (it is an easy change). The end result would be a hidden application that could be secretly spying on you. It could be installed as part of another seemingly legitimate application. Of course the private data being leaked isn't limited to HTTPS traffic, HTTPS is just the case that caught my attention.

I captured a screencast of my application scraping data from the logs and dumping it to an external server. This is not rocket science. For anyone with Android app development experience it would be trivial to write. My point wasn't to show off my mad hacking skills but to try to further emphasize the seriousness of this problem.

Note: I do not have a Carrier IQ plagued device. I injected similar log entries for testing my proof of concept application. I based my formatting of the log entries on the original demonstration.

Note: Quite surprisingly my log file had other HTTPS urls in it which were written by other applications. At least those applications were only leaking their own application information. For example I now have a Facebook developer key that I easily extracted from the log file. Not sure who the key belongs to. I don't think that I am supposed to have it. Come on developers, you are supposed to remove your debug messages before distributing your app!

Posted by at 12:50 PM 6 comments
Labels:

Friday, April 9, 2010

Why the iPad is Good for Security

A few weeks ago a rather chatty fellow sat next to me at the coffee shop where I was working and said: "How do you like your Mac?" I replied. He then said "I hate Macs." I told him that I think people should use whatever computer operating system they find useful. I mentioned my area of research, computer security, which piqued his interest. He said "I don't have any antivirus software on my Windows PC and I don't have any viruses." He assumed that he had no viruses because there was no evidence (nothing crashed or disappeared). He went on to report that his computer runs pretty slowly (which I found quite humorous). I told him that he didn't have *a* virus, that he actually had *many* viruses. I explained a little about botnet zombies to which he replied "I just want to read email and watch videos." He didn't seem to care in the least bit that his privacy may be at stake or that his computer may be participating in computer crime.

A research project that I am part of, Poly^2, investigates the idea of increased security through the use of specialized operating systems. In short, the idea is that we could tailor make OS's for specific tasks. The idea isn't as simple as merely turning off unused network services (though that is a good idea in general). It goes further. It tries to restrict the primitive functions of the OS (such as memory access) to the bare minimum needed to carry out the specific task. Those who have studied information security may recognize this as the "principle of least privilege". General purpose OS's defy the principle of least privilege, especially in the context of consumer-grade computers.

The iPad isn't necessarily a realization of the full Poly^2 ideology. However, I think they are related. If Joe Blow just wants to "read email and watch videos." what options does he have? He could buy a standard PC (from here forward PC refers generally to personal computers, no OS is implied) and patch it every six days. However, the act of patching a computer is distinctly not reading email or watching videos. Should Joe be able to read email and watch videos without additional responsibilities? It seems like a reasonable desire to me. Joe isn't required to patch his car even though it likely uses a microprocessor.

Botnets are a huge problem. Some botnets, like Confickr, control millions of zombie PCs. The zombies are made up of unpatched PCs. Many of them are likely owned by people like Joe who just want to consume information. If all of those people, who don't require a general purpose OS, were to buy media consumption devices (MCDs) such as the iPad, instead of PCs then we would likely see a dramatic reduction in botnet zombies.

Most of the criticisms I have seen of the iPad revolve around the assumption that it is a PC. It is not a PC. If you are comparing it to a PC, then yes you will likely be disappointed. I heard someone say that they didn't like it because it wouldn't run MatLab. If you want to run MatLab or Photoshop you should not buy an iPad. Some have criticized the iPad and iPhone because of their closed nature. I haven't developed for either, I prefer Android myself, so I don't know first hand what is required. However, as far as I can tell their APIs are available and they allow you to program in open standards programming languages. Will the iPad have security vulnerabilities? Of course! However by carefully controlling what applications can be created with and how they can be distributed, Apple can strongly influence and remedy future vulnerabilities.

Is the iPad for me. Probably not, I am not Joe. It may however be a good media consumption device for my wife.

Posted by at 12:14 PM 13 comments

Saturday, September 5, 2009

OS X Bug : Problems connecting to WPA Enterprise with 10.5.8

I have recently had trouble connecting to Purdue's wifi network named PAL2.0 (which requires WPA Enterprise/TTLS/MSCHAPv2/PEAP). Purdue's technical support (ITAP) attempted to help me but was unsuccessful (it isn't their fault). I found my own fix and wanted to share it with others who may be having the same problem. Basically the problem was introduced by Apple with Mac OS X, update 10.5.8.

The problem:
- Can't connect to PAL2.0 (sporadic)

Symptoms:
- Repeatedly tries to perform MSCHAPv2 authentication, never gets IP address. I have captured a screencast demonstrating the problem.

Setup:
- Macbook Pro (maybe other models? mine is a 2007 model) running OS X 10.5.8

Fix:
- Revert to the wifi firmware to pre-10.5.8 version. I followed these instructions (proceed at your own risk)
- If you have the right model of mac (I did not), you may be able to apply this patch from Apple.

Posted by at 11:41 AM 5 comments

Friday, July 10, 2009

OS X Bug : 802.1x TTLS defaults to CHAP even if changed to PAP

While configuring freeradius I uncovered a nasty Mac OS X bug. My goal is/was to authenticate Mac OS X (leopard) to WPA2 using RADIUS configured to authenticate to LDAP (over EAP+TTLS+PAP).

Scenario #1 (broken)

When I get within range of a WPA2 EAP+TTLS+PAP WIFI connection I am prompted to login. If I try my login, it will fail because I have not configured 802.1x to use TTLS+PAP which is expected. If I then try to configure TTLS to use PAP using the 802.1x configuration dialogs, it will display "PAP" in the configuration dialog but it will not actually use PAP, it will continue to try to use its default CHAP authentication inside of TTLS. I am then never able to connect to this access point without deleting it and starting over (as below).

Scenario #2 (working)

However, if, with my wireless card turned off, I configure 802.1x authentication profile in advance of connecting to the same access point. Then turn on my wireless card. Then instead of entering my user/pass when prompted select "Join Other Network" and manually assign the new and correct 802.1x profile to the new wifi connection. It works as expected. It was nontrivial to track down this problem. I am using freeradius and found that despite having PAP listed under TTLS the following was logged: 
MS-CHAP-Challenge = 0x...
MS-CHAP2-Response = 0x...
I have deliberately not enabled CHAP in my freeradius configuration so I knew something was up. After I finally got it working (using scenario #2), those two MS-CHAP log entries disappeared. A few of the freeradius log messages that were symptoms of the problem are as follows (in hopes that others may find this post): 
pap No clear-text password in the request. Not performing PAP.
...
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Posted by at 11:01 AM 0 comments

Thursday, June 4, 2009

Apache mod_rewrite and the HTTP Host Header

I am involved with a web project that bases some application logic on the hostname of the server. During the development phase we wanted to test host-specific logic without modifying hostname resolution (through /etc/hosts or DNS) or modifying the code with specific development hostname conditionals. To accomplish this task, I crafted some handy Apache mod_rewrite rules:

<VirtualHost>
...
# requires mod_rewrite and mod_headers
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/set_site.html$
RewriteCond %{HTTP_COOKIE} ^.*choose_site=([^;]*).*$
RewriteRule ^(.*)$ $1 [E=SET_SITE:%1]
RequestHeader set Host %{SET_SITE}e
...
</VirtualHost>

The first condition matches anything but the form used to set the site cookie (choose_site). I am not entirely sure why, but if this conditional is omitted an infinite redirect happens. To keep the application code base clean I used mod_alias to alias this form to a location outside of the DOCUMENT_ROOT.

The second condition extracts the hostname from the cookie and places it in magic variable %1. The rule just passes through all requests and sets the apache environmental variable SET_SITE. This step is necessary because mod_headers can't use the mod_rewrite generated %1 variable.

Finally the last directive sets the Host header of the request, which if you're lucky, will get passed up to your scripting language for use in the logic.

Posted by at 7:57 AM 0 comments

Friday, May 29, 2009

Apple Address Book and IM Values

I have recently been working on centralized authentication using OpenLDAP. Beyond authentication, LDAP-based directories can be used as a shared address book. Most desktops being used by our organization are Apple computers. The system address book, known as "Address Book" may be configured to access an LDAP directory. Bingo! Unfortunately, the Address Book is only interested in a subset of attributes that are stored in the LDAP directory. Using wireshark, I found that it asks for the following attributes:

givenName
sn
cn
mail
telephoneNumber
facsimileTelephoneNumber
o
title
ou
buildingName
street
l
st
postalCode
c
jpegPhoto
mobile
co
pager
destinationIndicator
labeledURI
IMHandle

The Address Book works as expected with one exception. The last field it requests, and it receives from LDAP, is IMHandle. It would be nice if IMHandle was *actually* supported by the Address Book, however no matter how much brute force I used, I could not get IMHandle to show up in the Address Book. The application appears to receive the value for IMHandle but discards it. By the way, getting the Apple LDAP schema (which enables the storage of IMHandle) to cooperate with our other LDAP schemas was kind of ugly.

The solution? I figured out that we could use the labeledURI field to store IM information. Both Jabber and AIM have a protocol specification that works with the Mac and Firefox (and likely other software). The format is as follows:

Jabber (such as Google Talk)
im:ACCOUNT_NAME@gmail.com
AOL Instant Messenger
aim:goim?screenname=ACCOUNT_NAME

The Address Book then shows the first (and only the first) labeledURI. So if we set the first value of labeledURI to the user primary IM URI, it shows up in the Address Book and is even "clickable".

Hey Apple Developers, how about supporting IMHandle in Address Book? Or at least show multiple labeledURI values.

Posted by at 11:55 AM 0 comments

Saturday, April 21, 2007

Comparative Analysis of OpenPGP and S/MIME

About

Both S/MIME and OpenPGP are end to end security mechanisms that facilitate secure email transmission. S/MIME and OpenPGP are competing technologies that operate in much the same way. This document aims to analyze the difference between the two technologies, and to describe the costs and benefits of each.

PGP is the common name for a security methodology first introduced by Philip Zimmermann. PGP is an acronym for "Pretty Good Privacy". The IETF standard for this methodology is referred to as OpenPGP. OpenPGP is described by RFC 2440.

S/MIME is short for Secure/Multipurpose Internet Mail Extensions. It was first developed by RSA Data Security, Inc. The S/MIME standard is described by RFC 3851. Not all versions of the technology are part of the standard.

History

OpenPGP

PGP was first developed by Philip Zimmermann in 1991. The source code of the project was distributed with the program and a team of developers emerged around the project. In 1996, Philip and his team formed PGP Inc. PGP Inc. created versions three, four and five of PGP.

In 1997, the technology branched in two directions. First, in July, amidst growing concerns over algorithms with licensing difficulties, Philip and a subset of the team proposed an "Unencumbered PGP" to the IETF for standards consideration [WIKIP-OP]. The proposal was accepted and given the formal name OpenPGP..

In December of 1997, PGP Inc. was aquired by Network Associates, Inc (NAI). Philip left NAI in 2001 to join Hush Communications, an OpenPGP based mail service provider. In 2002, NAI sold PGP assets to a group of original PGP team members excluding Philip [WIKIP-OP]. The newly formed company was named PGP Corporation, and it is still in business selling PGP based technolgogies. Philip serves in an advisory role for the company.

OpenPGP is still on the standards track (as of this writing), and is being actively developed. One primary implementation of the standard has emerged from the GNU project, named GNU Privacy Guard (GnuPG).

S/MIME

S/MIME was first developed by the RSA Data Security Inc. in collaboration with other private organizations [IMC]. Early versions of the technology were not part of the standards track, primarily due to patent restrictions on the RSA encryption algorithm used in the technology. Version three of the technology was the first to be part of a standard in 1999. However it was defined by RFC 2633 which has since been obsoleted by S/MIME version 3.1 described by RFC 3851. RFC 3851 is the current standard and the topic of this document.

One Distinct Difference

OpenPGP is a general purpose encryption methodology. As stated by the OpenPGP RFC it is "data integrity services for messages and data files." S/MIME is specifically designed for MIME-encapsulated data. Generally this means email, but technically it could mean any technology supporting MIME encoding. From the S/MIME RFC, "S/MIME provides a consistent way to send and receive secure MIME data."

This is an important distinction. OpenPGP can and does have practical application outside of the context of Internet messaging. For example:

  • A user may choose to encrypt their entire home directory to protect data on disk. All documents stored inside the directory would be encrypted and only accesible with the corresponding private key.
  • A user could encrypt a single file, then use delivery mechanisms other than email, such as FTP, to transfer the file to its destination.

Products exist for both the commerical PGP specification and the OpenPGP specification. Additionally GnuPG can be used as a library by third party programs to enable encryption and decryption for many different scenerios.

Similarities

Both OpenPGP and S/MIME function in much the same way. We will ignore the fact, for now, that OpenPGP has use outside of email and focus on its merits as an email encryption methodology. Both OpenPGP and S/MIME are end-to-end encryption methodologies. In other words, the data is encrypted at the origination site, transmitted in a standard networking envelope (the traffic patterns are not protected) and decrypted at the destination site. Additionally, both use public-private key type encryption.

Process

The following list describes the common path taken by an email message transformed by either technology:

  1. Compose message
  2. Encrypt/sign message with private key
    • Sign message
    • Encrypt data (requires recipients public key)
    • Sign message and encrypt data (requires recipients public key)
  3. Transmit message
  4. Decrypt/verify message with senders public key
    • Verify signed message
    • Decrypt data (requires recipients private key)
    • Verify message and decrypt data (requires recipients private key)
  5. Read message

Encryption and Signing Process

There are many details involved in describing the encryption and signing process. For the purposes of this document we will explore where they are different in the process. For simplicity, we will compare S/MIME to OpenPGP, not OpenPGP/MIME (see below), and we will show situations where encyption and signing are occuring.

OpenPGP Encryption & Signing

  1. Plaintext message created (M)
  2. M hashed (H)
  3. H encrypted (EH)
  4. EH and M concatenated (EHM)
  5. EHM compressed (Z)
  6. Z symettrically encrypted with session key (ZS)
  7. Session key encrypted with recipient's public key (SP)
  8. ZS and SP concatenated (EM)
  9. Encrypted and signed message, EM, complete

S/MIME Encryption & Signing

OpenPGP is assembled as shown with a couple of concatenations of parts. S/MIME divides these parts into separate subtype MIME entities. These separate entities can encapsulate each other and be applied in any order because they all result in MIME encapuslated output. Following is a listing of the relevant "Content Types" according to the RFC:

  1. Data
  2. SignedData
  3. EnvelopedData
  4. CompressedData

S/MIME prior to version 3.1 did not provide compression. Compression was added to 3.1 as a MIME type. It is not clear how well current S/MIME client programs support compression . The prevailing community information indicates that compression is not well supported. Presumably, if compression were implemented, OpenPGP and S/MIME would map roughly in the following way:

OpenPGP StepS/MIME Content Type
  • Plaintext message created (M)
 Data
  • M hashed (H)
  • H encrypted (EH)
  • EH and M concatenated (EHM)
 SignedData
  • EHM compressed (Z)
 CompressedData (see above)
  • Z symettrically encrypted with session key (ZS)
  • Session key encrypted with recipient's public key (SP)
  • ZS and SP concatenated (EM)
  • Encrypted and signed message, EM, complete
 EnvelopedData

Transmission Format

OpenPGP has two message formats: OpenPGP and OpenPGP/MIME. OpenPGP, by default, offers a non-mime-encapsulated message transmission. In other words it is equivalent to a standard plain text email without any attachements. OpenPGP/MIME is similar in formatting to S/MIME. Both use MIME encapsulation for the transmission of data and signtures. Following are actual transmissions of encrypted and signed data (just signed or just encrypted would have similar characteristics):

OpenPGP - Signed & Encrypted



From: sender@555.com
To: recipient@555.com
Subject: Test Sign and Enc
Content-Type: text/plain;
 charset="iso-8859-1"

-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

hQIOA1D+V4G4ChJkEAf/Q9gyX3nshwfjJiwBZVoZ/RcRRDeDmZC1czezhw2IHERT
CUEPlOvis/s7X7iv/6Fs3ycdOEB0/B74oTeIOIK7hdHGkDXg5LL1fPj9eBm46ETa
fN1unMpzdXrk94R6eg+s0Pz1/+cR4Dv45BX2pqZJBTSg4WrC0TBT5U9uKWS4lXYQ
QMTRlvSl+K6ZlM5VCeB8FpRcKGqFs6mTIUNo/l+oTGFaDE/iWd4cd07WXbBekiNZ
...[segment snipped for readability]...
2f30QgYMWXnyAZAh//dapq7yg+UFIaiZinF4pYOIR5U2VmctEygXIm8+a433UypG
Ot0RErIE+gwUGyfkGG5aXrG1plcvrPuvR3pFkwvf19jpatlL4pMARr+eGHIG/rQN
HuE1M2OUOsIr7pKkpbZ423gcgE1MYoGo8YWGRRBwNTbsRdwaLGfJ1IjYCCRT5eap
os8XHKH2SITlYazz6gpG7htkSFDhj8a+UeoezXmyYnuYA13VLQHDKQ/eYMvQOpum
1sh9VmHjGp1jypC1pcY=3D
=3D1HFW
-----END PGP MESSAGE-----

OpenPGP/MIME - Signed & Encrypted


From: sender@555.com
To:  recipient@555.com
Subject: test PGP/MIME
Content-Type: multipart/encrypted;
 protocol="application/pgp-encrypted";
 boundary="------------enig371AFEE0FF01CE1E773B775E"

This is an OpenPGP/MIME encrypted message (RFC 2440 and 3156)
--------------enig371AFEE0FF01CE1E773B775E
Content-Type: application/pgp-encrypted
Content-Description: PGP/MIME version identification

Version: 1

--------------enig371AFEE0FF01CE1E773B775E
Content-Type: application/octet-stream; name="encrypted.asc"
Content-Description: OpenPGP encrypted message
Content-Disposition: inline; filename="encrypted.asc"

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

hQIOA1D+V4G4ChJkEAf/R5yUQuWvLQY1XBdi9I3qCLIzKFCMv+XzOx1HUvs4kbGL
0FrQulEBzCtkNR9E6iflWkrlxZoPyrZ2Jec3wPidvVX6FxAoKFVdr/WW2pKd5iyW
KfKztEl35PjInwlqsT/XS9JXFL2yy83uzCr/R9K0KgRUUa0evr0IdhI7xCEXQoIj
5rYAoG8lxQzzkaMb+l3V/HwBiKu9unmQcrcTF9VU3IG9FqMkex9eiqbSjefoWOmm
...[segment snipped for readability]...
WAdF3IxeZbxLMDBlQCuvc8Kug6jXaKeONYrhva7rzaBHvdILECJeJXznd4hyPsuk
CCN3momgnC2y2RFWVosl0JxJiIjd2a8JALK2N07DVX7Z3qd4rw/Ra1fpnhcCX0ob
Nbs+ahvAccTegkfOeisUYQOGrrNz7uxDhSlM1JVd4dQd2mB9VA9eQwpHtIM7QOA1
pfNprvFq7vVP3GZ0Nbo71I2BgMklhnuVl919vyOXQjpkTaxh4i/6lztTV4ay+4yb
smiF0cgByg==
=1wu6
-----END PGP MESSAGE-----

--------------enig371AFEE0FF01CE1E773B775E--

S/MIME - Signed & Encrypted


From: sender@555.com
To: recipient@555.com
Subject: Testing S/MIME Enc
Content-Type: application/x-pkcs7-mime; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"
Content-Description: S/MIME Encrypted Message

MIAGCSqGSIb3DQEHA6CAMIACAQAxggMkMIIBjgIBADB2MGIxCzAJBgNVBAYTAlpBMSUwIwYD
VQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVy
c29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQTSqaMaVxLd7IQrJvKRr4vjANBgkqhkiG9w0B
AQEFAASCAQAFYfRWKLZvmLlehIFYRNb153/H07aveQvVpWIMB7IDVnJvuMfANSFFnn2Dr8CP
...[segment snipped for readability]...
RSfYf9wEj40OMZGWDHfHbwNPCIz0usiD4xhUdqEUmmQMb8JtZ+NNf72Lepla/l57n3YSoLUf
LX+RqhtCX56MI2ynbXRHIAC1519NDFVwJArF225km6lic3A7/GoxvQDMPHocMJUf7OW6Fs5T
mWj/DriO18fsdbDZbAM2FgTyaszWi8QhEglcSw5bDSfQPdYtU8HyBaA6lxrZcTjshp5vt8Or
UcaGG0NQINx/KQYxkksREExI3mnSPTaxapyl2JjXSAQIpNuen07JarwAAAAAAAAAAAAA

Algorithms

Both technologies share a number of algorithms. The following table represents each function and its corresponding set of technologies as described by their respective RFCs (shared algorithms have added emphasis):

FunctionOpenPGPS/MIME
Public Key RSA, Diffie-Hellman, DSA, Elgamal, Elliptic Curve, ECDSA RSA, Diffie-Hellman, DSA
Symmetric Key AES, Triple-DES, IDEA, CAST5, Blowfish, SAFER-SK128, DES/SK, AES, Triple-DES, RC2
Compression ZLIB, ZIP ZLIB (as described in related RFC 3274)
Hash MD5, SHA-1, RIPE-MD/160, Double-Width SHA, MD2, TIGER, HAVAL MD5, SHA-1

Web of Trust and Public Key Infrastructure

OpenPGP and S/MIME both provide mechanisms for authenticating parties. OpenPGP relies on a concept called a "Web of Trust." It is essentially a distributed peer validating service. The concept was introduced by Philip Zimmermann. It works much like social networking. Person A, Alice, sends her public key to person B, Bob. Bob adds Alice's public key to his key ring and optionally indicates his level of trust in Alice's key. Over time the trust endorsements are calculated and the net effect is a decentralized "web of trust."

S/MIME relies on Certificate Authorities (CA) to authenticate parties. This is similar in nature to the way SSL certificates are issued for serving secure web sites. Various models are used by CA's to authenticate a person. Generally it is similar to authenticating with a government agency. A person must provide several forms of identification.

Both OpenPGP and S/MIME allow you to use them relatively untrusted. In other words, you may generate or obtain valid private and public keys that are useable but are "untrusted". This is a good thing for getting started quickly with each technology. For example if one wanted to communicate securely with someone who had never used either technology the recipient could quickly be up and running enabling them to communicate in a timely manner.

The primary difference between a Web of Trust and a Public Key Infrastructure is a matter of trust. Do you trust a decentralized peer group or a centralized organization?

Implementation

Both OpenPGP and S/MIME are well supported across many platforms and applications. For the purposes of this document, a test was conducted on the following platforms and applications:

Linux
OpenPGP
S/MIME
Mac OS X
OpenPGP
S/MIME
Windows
OpenPGP
S/MIME

Evolution, Mail.app and Outlook were considered, for the purposes of this paper, to be the most entrenched mail applications on each platform. This is not a completely fair assertion for the Linux platform as many good email clients exist for that platform. However, Evolution is very similar to Outlook which increase its likely usage in business settings.

All tested software listed above were fairly easily installed and configured. It is worth noting that all tested Mail User Agent's (MUA) support S/MIME by default and all MUA's required a plugin to support OpenPGP. With the exception of Evolution which came preconfigured for both technologies.

Problems only occurred with one tested program, Gpg4win's Outlook plugin. Specifically, Outlook with Gpg4win could not encrypt plaintext formatted email messages. Working from a bug report found online it was discovered that by composing HTML formatted email messages worked as expected. For Outlook PGP integration PGP.com's PGP Desktop may be a better choice.

A few notes from the tested products:

  • S/MIME integration was very easy for all mail clients
  • Enigmail makes OpenPGP integration very easy for Thunderbird.
  • Evolution could use an integrated GPG key management window. External applications exist for this purpose but an integrated window, similar to Enigmail, would improve usability.
  • Similar criticism applies to Mail.app. An integrated key management window would improve usability.
  • The easiest configuration was S/MIME for Mail.app. Though most S/MIME configurations were simple, Mail.app was completely configured by adding the S/MIME key to the system keyring, simply by double-clicking the key file.
  • Thunderbird should be noted. It was the only cross platform mail application. Additionally it was easily configured to use both OpenPGP and S/MIME. Certainly Enigmail makes it the easiest OpenGPG implementation.

Summary

The largest difference between OpenPGP and S/MIME is the ability for OpenPGP to encrypt a variety of data types not limited to MIME encoded data types. This gives OpenPGP a decided edge over S/MIME in the way of versatility.

For large data streams, OpenPGP provides more efficient compression. Though compression is available in the S/MIME specification it is implemented as an MIME container. In other words, the contents to be compressed have already been encoded per the MIME specification, usually Base64. Base64 actually grows the data by about 137% [WIKIP-B64]. In contrast, OpenPGP compresses the original plaintext, and optionally the signature prior to encryption or any type of encoding.

Both OpenPGP and S/MIME use industry standard encryption algorithms. Neither technology is more secure than the other, barring esoteric arguments. Some would rank each technology based on the trust model used. However, the security aspect of each trust model is subjective.

The trust models used for each technology are very different in philosophy. In practice, neither method is more difficult to use than the other. It is arguable that S/MIME is more attractive due to its similarities to SSL certificate distribution, a model already trusted by most web users implicitly.

S/MIME has an advantage when it comes to implementation. All mail clients tested came with S/MIME support built in. As a result, the barriers to entry for a new user are lower. Generating an S/MIME certificate required a bit more effort than OpenPGP. So the time commitment for setting up each initially is similar. However the zero-footprint install may be attractive to those managing many workstations.

How would one choose between the two technologies? Many factors play a part in this decision. The following table provides a visual representation of the pros and cons of each technology:

FunctionOpenPGPS/MIME
Versatility + -
Space Efficiency + -
Security + +
Trust Model + +
Implementation - +

References

[WIKIP-OP] - Wikipedia:Pretty Good Privacy
http://en.wikipedia.org/wiki/Openpgp
[WIKIP-B64] - Wikipedia:Base64
http://en.wikipedia.org/wiki/Base64
[IMC] - S/MIME and OpenPGP
http://www.imc.org/smime-pgpmime.html
RFC 2440 - OpenPGP Message Format
http://www.ietf.org/rfc/rfc2440.txt
RFC 3851 - Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification
http://www.ietf.org/rfc/rfc3851.txt
RFC 2633 - S/MIME Version 3 Message Specification
http://www.ietf.org/rfc/rfc2633.txt
RFC 3274 - Compressed Data Content Type for Cryptographic Message Syntax (CMS)
http://www.ietf.org/rfc/rfc3274.txt
Posted by at 4:23 PM 0 comments
Subscribe to: Posts (Atom)