COMPARISON OF PGP AND S/MIME SECURITY STANDARDS FOR APPLICATION TO A LARGE ENTERPRISE

Transcription

1 COMPARISON OF PGP AND S/MIME SECURITY STANDARDS FOR APPLICATION TO A LARGE ENTERPRISE TOM KRAMLIK ECE 590:003 MAY 1, 1999

2 TABLE OF CONTENTS SECTION PAGE NUMBER 1. INTRODUCTION PURPOSE SCOPE DOCUMENT ORGANIZATION PGP OVERVIEW CIPHERS AND ALGORITHMS USED PGP PUBLIC KEY CERTIFICATION HIERARCHY IMPLEMENTATIONS OF PGP STRENGTHS AND WEAKNESSES OF PGP OpenPGP Incorporation of X.509 Certificates Use of Non-proprietary Ciphers and Algorithms Compatibility with MIME Export and Import of PGP Free PGP S/MIME OVERVIEW CIPHERS AND ALGORITHMS USED S/MIME PUBLIC KEY CERTIFICATION HIERARCHY IMPLEMENTATIONS OF S/MIME STRENGTHS AND WEAKNESSES OF S/MIME Use of Non-proprietary Standards Compatibility with MIME Incorporation in Commercial Communications Software Costs of Public Key Infrastructure APPLICATION TO CORPORATE ORGANIZATIONS APPLICATION TO LESS THAN 100 USERS APPLICATION TO 1,000 USERS APPLICATION TO 5,000 TO 20,000 USERS CONCLUSIONS ii

3 SECTION 1 INTRODUCTION Competing standards are vying for dominance among users of electronic mail ( ). Today, proponents of secure multipurpose internet mail extension (S/MIME) and pretty good privacy (PGP) are evolving these competing standards to capture a majority share of the corporate market for products. This report provides a summary view of the competition and addresses which standard will likely win. 1.1 PURPOSE This report provides a concise summation of the technical and market strengths and weaknesses of PGP and S/MIME that enables the reader to make an informed choice on which standard will become the defacto option. Further, the report can assist a reader who wishes to choose the best standard for an organization of specific size. 1.2 SCOPE This report considers the strengths and weaknesses of PGP and S/MIME for organizations ranging in size from under 100 users to 20,000 users. The specific ciphers, digital signatures, and certification schemes used are considered. Also, an overview of products using the competing standards are included. 1.3 DOCUMENT ORGANIZATION The report contains 5 sections, including this one. Section 2 provides details on the PGP standard and implementations. Section 3 provides details on the S/MIME standard and implementations. Section 4 provides a comparison of the standards when applied to various size organizations. Section 5 contains conclusions about the potential for each standard. 1

4 SECTION 2 PGP OVERVIEW Pretty good privacy (PGP) exists in several versions and has been evolving to meet the needs of larger organizations. Some industry experts are cited as estimating that percent of all encrypted messages are encrypted with PGP. Pre-existing versions, including PGP 2.6.x which has many variations, and PGP 5.x, also referred to as PGP3, have been used for several years. A new standard, OpenPGP, is based on the PGP version 5.x and is being promoted for widespread use. This section provides an overview of PGP with particular emphasis on the OpenPGP standard. The ciphers, digital signature algorithms, and hierarchy of public key certificates are discussed. Also, particular strengths and weaknesses of the standard are identified. Finally, products using the PGP standard are identified, along with the software market representation of PGP. 2.1 CIPHERS AND ALGORITHMS USED BY PGP OpenPGP uses three key (168-bit total) triple DES (DES EDE3) using the ciphertext feedback (CFB) mode. PGP also includes options for use of IDEA or CAST-128 with 128-bit keys. The movement in development of OpenPGP to triple DES is intended to free the standard from patent issues associated with the use of CAST-128. OpenPGP provides for compression of messages to speed transmission. Messages are compressed before encryption using the ZIP algorithm. This reduces the number of bits and the redundancy in the message, and makes it more difficult to cryptanalyze the message than encrypting alone. Message length is reduced by 50 percent using the ZIP algorithm. OpenPGP uses the hash algorithm SHA-1 and the DSS signature algorithm for generating digital signatures. Older versions of PGP used the MD5 hash algorithm and RSA for signing, but as with CAST-128 this involved patent issues that the proponents of Open PGP are attempting to avoid in promoting the new standard. Table 2-1: Ciphers and Algorithms Used in OpenPGP Algorithm Mandatory Optional Digest Algorithm SHA-1 MD5 Signature Algorithm DSS RSA Session Key Encryption Diffie-Hellman (ElGamal) RSA Content Encryption Triple-DES (CFB-mode) IDEA, CAST-128 Message Authentication Codes HMAC with SHA-1 None Message formats are driven by compatibility with older versions of PGP. The intention, as with many standards enhancements, is to provide backwards compatibility with older PGP products. Also, many systems restrict messages to ASCII characters. Thus, messages secured by PGP undergo Radix-64 conversion to convert to all ASCII characters. This increases the compressed message length by 33 percent. 2

5 2.2 PUBLIC KEY CERTIFICATION HIERARCHY Originally PGP determined the legitimacy of public keys based on a system of trust, referred to as a web of trust, rather than using a standardized and formal system using certification authorities. Three areas are rated according to trust: the legitimacy of the key, the legitimacy of a signature certifying a given key, and the credibility of a particular key owner to attest to the legitimacy of a third party s key. Users can allow others that they trust to vouch for the legitimacy of keys from third parties, and thus build up a set of public key users whom they are confident interacting with. The approach is sensible and, by not involving a centralized certification authority, in keeping with the motivations behind PGP: putting strong cryptographic capabilities in citizens hands and insulating it from interference or weakening by government or industry. PGP public keys owners revoke their key by issuing a signed certificate to all parties they communicate with, and these parties are then responsible for updating their public key rings. It is possible that the person who compromised the key could issue such a revocation, but the current assumption for PGP is that it would be of no benefit to the adversary to do so and only highlights the fact that the key has been compromised. As OpenPGP attempts to gain acceptance, incorporation of X.509 standardized public key certificates is being pursued in products. Network Associates has introduced its Enterprise Security 3.0 suite of applications incorporating X.509 certificates for assessing the legitimacy of other user s public keys. Company representatives cite the need to appeal to a broader market, including large enterprises, as the reason for incorporating use of these certificates with the version 3.0 release. 2.3 IMPLEMENTATIONS OF PGP PGP was originally distributed as free encryption software. PGP s creator, Phil Zimmerman, was motivated by a desire to ensure that ordinary citizens had access to state-ofthe-art cryptographic capabilities for encrypting electronic messages. The creation of PGP was strictly outside of the influence of government to protect it from being weakened to suit its interests. Commercial offerings of PGP are available, and the Enterprise Security software from Network Associates is a good example. The software incorporates the use of X.509 public key certificates, as noted in the previous section. This modification allows the suite to be scaled to whatever size organization may wish to use it; instead of requiring users to maintain their own lists of trusted keys and users, or developing their own enterprise-wide system for administering a list of trusted keys, X.509 certificates can be imported. Thus, the need for a sophisticated corporate effort to certify the keys of other entities is greatly reduced. Table 2-1 provides summary cost information on the Enterprise Security software. 3

6 Table 2-1: Annual Cost For Enterprise-wide PGP Security Software Company Product Price per Enterprise Costs Node 25 Users 100 Users 500 Users 1,000 Users 5,000 Users Network Associates Enterprise Security 3.0 $26 $84 $2,100 $8,400 $13,000 $26,000 $26,000 $130,000 PGP software for security interoperates with software from multiple vendors. Table 2-2 identifies software that can be used as plug-ins with PGP. Table 2-2: Products Compatible with PGP Product Platforms Claris er Macintosh Microsoft Exchange Windows 95 Windows NT 4.0 Microsoft Outlook Windows 95 Windows NT 4.0 Novell Group Wise Windows Lotus Notes Windows Qualcomm Eudora Windows 95 Windows NT 4.0 Macintosh Older commercial implementations of PGP also exist in ViaCrypt PGP software versions 2.7.1, and COMMERCIAL STRENGHTS AND WEAKNESSES OF PGP OpenPGP has been positioned to address several of the major concerns that existed with previous versions. The mandated use of proprietary technologies and other issues have been addressed as discussed in this section. The primary hurdle for PGP at this point appears to be that it lags in the corporate market, and this may be driven by older versions of PGP not being as scalable as the new OpenPGP standard. Hence, the installed base of corporate systems that use PGP appears to be small, as estimated from the lack of major applications that incorporate it PGP Incorporation of X.509 Certificates The primary weakness of older versions of PGP when applied to large organizations was the inability to use X.509 certificates for public keys, as would be generated from a centralized certification authority. Thus, organizations could be faced with a complex challenge of tracking the validity of thousands of keys and the trustworthiness of their users. Such an endeavor could have considerable administrative impacts. 4

7 The original motivation for PGP focused on the individual user. Thus, a system that relied on the trustworthiness of users known to one s self, and the trustworthiness of those these individuals could vouch for was reasonable. Newer PGP implementations and the OpenPGP standard appear to be embracing the use of X.509 certificates, clearing the way to implementations that can scale to large organizations without extensive in-house administrative effort to track public keys of outside organizations and their personnel. Further, a PGP certificate server can still be maintained for keys used within the corporation, or for interaction with others who use PGP Use of Non-proprietary Ciphers and Algorithms PGP uses strong cryptographic techniques, and the OpenPGP standard is free from any patent restrictions associated with particular ciphers. Only publicly available ciphers and hash and signature algorithms are mandated by the OpenPGP standard however, additional ciphers and algorithms may be included as options, or to support compatibility with older implementations. Backwards compatibility for PGP, as with many other technology products, presents a dual challenge: to continue serving existing PGP clients new products must incorporate some of the proprietary technologies used in older versions, or simply give new versions to these users for free. At the same time, to free themselves from patent restrictions, vendors may favor developing PGP products without proprietary technologies, and may consider other security standards if the challenges with developing backwards compatible PGP products are too great Compatibility with MIME OpenPGP is compatible with MIME formats, broadening its appeal. Details are specified in RFC 2015 issued in October This compatibility is important to PGP s potential success in competition with S/MIME, and its ability to add security to MIME messages. Messages consist of an encrypted MIME message content and a digital signature. The signature is generated from both the message content and its headers. Encryption of the MIME message content follows generation of the signature Export and Import of PGP United States export laws limit the extent to which cryptographic products can be distributed to entities and nationals in other countries, even in the cases where such cryptographic information and tools already exists in both places. Further, the import laws of some countries restrict the strength of cryptographic technology that can be imported. Special implementations of PGP security software exist for sale in international markets Free PGP Finally, while commercial PGP products are priced consistent with other computer utilities, PGP for individual users is available in free versions. This could have some appeal for a small segment of corporate decision makers who want to be able to occasionally do some work from home and secure it to it to colleagues at the office. 5

8 SECTION 3 S/MIME OVERVIEW This section provides an overview of S/MIME, with a particular focus placed on version 3 of the standard. The ciphers, digital signature algorithms, and hierarchy of public key certificates are discussed. Also, particular strengths and weaknesses of the standard are identified. Finally, products using the S/MIME standard are identified, along with the software market representation of S/MIME. 3.1 CIPHERS AND ALGORITHMS USED BY S/MIME S/MIME version 3 incorporates triple-des in the ciphertext block chaining mode of operation to encrypt message content. The S/MIME standard is a security addition to the multipurpose internet mail extension (MIME) standard for . S/MIME uses the SHA-1 hash algorithm and the DSA for generating digital signatures. Table 3-1 provides summary information on the mandatory and optional components of S/MIME. Table 3-1: Ciphers and Algorithms Used in S/MIME Version 3 Algorithm Mandatory Optional Digest Algorithm SHA-1 MD5 Signature Algorithm DSS RSA Session Key Encryption Diffie Hellman (ElGamal) RSA Content Encryption Triple-DES (CBC-mode) RC2 (CBC-mode) Message Authentication Codes HMAC with SHA-1 None A MIME message plus information identifying security algorithms used and certificate information is secured with S/MIME to produce a public key cryptography standard (PKCS) object. Appropriate MIME headers are then added to the PKCS object and the whole message is then encoded into base64 for transmission. In creating a signed message, S/MIME computes the hash value of the message content and encrypts with the signer s private key. A block of information is prepared that identifies the hash algorithm used, the public key certificate, an identifier of the content encryption algorithm, and the encrypted message digest. 3.2 PUBLIC KEY CERTIFICATION HIERARCHY FOR S/MIME S/MIME relies on the use of X.509 certificates for ensuring the validity of public keys of other parties. This makes administration easy because the effort involved with verifying these keys is handled by a third party. Users are still responsible for maintaining local copies of the certificates they need to validate the keys of those they communicate with, and they need to ensure that their copies of certificates are up to date. 6

9 S/MIME attempts to automate the use of certificate revocation lists. The S/MIME version 3 standard states that use of CRLs should be consistent with RFC 2459, which provides specific guidance on the format and use of certificates and CRLs. The S/MIME standard implies that incoming certificates and CRLs should be cached to ease their use in validating signing chains, and that they should be used every time a message is sent or received, even in cases where the certificate was recently verified. 3.3 IMPLEMENTATIONS OF S/MIME S/MIME is a security addition to the MIME standard. Rigorous testing of products is performed by RSA s interoperability center to ensure product compatibility with S/MIME. Some products are available for the international markets that use S/MIME, including NEL s Mahobin. Also noteworthy is Worldtalk s WorldSecure server firewall that provides security for all in-coming and outgoing traffic. It works with a Windows NT platform, and enterprise prices start at $10,000. Table 3-2 identifies the vendors and products that include S/MIME security. Table 3-2: S/MIME Product Implementations Vendor Product Baltimore Technologies MailSecure Microsoft Outlook 98 Microsoft Outlook Express 4.0 Netscape Communicator OpenSoft ExpressMail SSE TrustedMIME 1.0 VeriSign Digital ID Entrust Technologies Entrust Express 4.0 NEL Mohobin Worldtalk WorldSecure Server RSA BSAFE S/MIME-C STRENGTHS AND WEAKNESSES OF S/MIME S/MIME is used within several of the dominant software communications applications, as noted in section 3.3. While this does not guarantee success for the standard, it does add a considerable momentum to its acceptance. Whether or not it is the superior standard, it can benefit from the same process that enabled VHS to beat Betamax in the market, and that enabled Microsoft products to become standard-issue in many applications. According to research supporting this paper, only S/MIME is supported by Netscape Communicator, one of the most commonly used internet communications application in the United States. Also, Microsoft communications products incorporate S/MIME, resulting in far reaching use of the standard. 7

10 3.4.1 Use of Non-proprietary Standards As with OpenPGP, S/MIME version 3 mandated technologies are publicly available and free from patent restrictions. However, RSA appears to be a big proponent of the standard, and may have a vested interest in its success because backwards compatible products will incorporate some of their patented technologies. However, RSA s patent on their public key algorithm expires in the year 2000, and so this may not present a significant licensing challenge Compatibility with MIME From its genesis as a security enhancement to MIME, S/MIME has been built for compatibility. S/MIME allows for several different message types to be sent: signed data, clear signing (message sent in the clear with a signature attached), registration requests (sent to certification authorities), and public key-certificate messages. There are no incompatibility issues that were revealed through the research Incorporation in Commercial Communications Software S/MIME is the incumbent commercial security offering, and benefits from promotion by RSA Security. It is also incorporated in several commercial internet communications applications ( , web-browsing, etc.). Thus, while PGP and other commercial applications can work together as plug-ins, S/MIME benefits from the perception of being part of the applications and from the distribution of them. Thus, it has an advantage in the commercial market versus PGP, and benefits from the extensive distribution influence of Netscape and Microsoft Costs of Public Key Infrastructure Use of S/MIME requires use of public key certificates for groups to communicate and use binding digital signatures. When applied at the applications level, this can have substantial costs. Table 3-3 provides summary data, courtesy of Worldtalk, on the costs associated with using a provider of public key infrastructure (PKI). PKI system costs is a one-time charge and includes either Entrust or Verisign certification authority software and secure software. Installation and maintenance costs listed are for supporting the specified number of nodes, and total support costs are the ongoing costs of providing CA services to the organization during a five-year period. The five-year total is a sum of all costs. 8

11 Table 3-3: Costs for Using Public Key Infrastructure Organization 5,000 Users 20,000 Users Entrust Verisign Entrust Verisign PKI System $587,000 $551,000 $1.8 M $1.44 M Installation $60,00 $82,000 $184,000 $180,000 Maintenance $529,000 $353,000 $1.6 M $924,000 Total Support $1.5 M $2.8 M $4.2 M $9.8 M 5-Year Total $2.755 M $3.791 M $7.915 M $12 M Cost per user per year $110 $151 $79 $124 In order to avoid the substantial costs that are incurred from applications level use of encryption, particularly in regard to PKI costs, a server level solution can be employed, such as Worldtalk s WorldSecure product. However, employing security at the server level versus the desk-top has implications. Security between users on the company s intranet is not provided by such an approach. Thus, this approach has limits for protecting against intruders within the company, or protecting against disgruntled employees. Also, digital signatures are supported only for the server, so those other entities that communicate with the company will have a signature that applies to the whole company and not an individual. This may present challenges for those that need to be able to affix legally binding signatures; they may be better served by a desktop solution that can associate a digital signature with a specific signer. 9

12 SECTION 4 APPLICATION OF S/MIME AND PGP TO LARGE ORGANIZATIONS Both OpenPGP and S/MIME have features which make them useful for providing security for individual users. However, implementation and use of them in large organizations, and their ultimate success in the market depends on performance, ease of administration and scalability, interoperability with other commonly used applications, and cost. This section provides analysis of 3 different scenarios based on number of users within an organization. 4.1 SMALL ENTERPRISE OF LESS THAN 100 USERS The case of a small enterprise presents some interesting considerations when comparing PGP and S/MIME. Because of its origins as free software intended for use by individuals and small groups, PGP may be very appropriate with an organization of fewer than 100 users. Among the considerations a corporate information technology manager would need to make in such a situation are: How many will use the security software Will the security program be formal or informal How many different entities/users will the organization communicate with on a regular basis Can the organization effectively manage a web of trust that includes all those that it will communicate with on a regular basis (alternatively, can individuals manage a web of trust for that subset they communicate with) How much effort will be exerted at what cost per hour to accomplish administration of the web of trust What is the legal liability/exposure for using PGP without obtaining a commercial package. If a full time employee at the corporation earns on average $50,000 per year plus benefits, for total compensation of approximately $75,000 in cost to the company, the time spent on web of trust administration can grow quickly. Table 4-1 provides examples for a generic company where individuals maintain webs of trust with others outside the company that they communicate with regularly. Full time employees using PGP Table 4-1: Examples Assuming Individuals Maintaining Personal Webs of Trust at Generalized Company Estimated web of trust maintenance per week in hours Total Maintenance per year Total work Hours per year (50 weeks x 40 hours) Percentage of time spent on web of trust maintenance Annual Cost , $ , $9, , $23, , $93,

13 Comparing the results of this simple example with the costs quoted by Network Associates for their Enterprise Security software, it is clear that for even 10 users it is more economical to use a commercial PGP solution (price of less than $2,100 per year). Further, and as important, the security is likely to be more consistent than 10 individual haphazard efforts. For 100 users the commercial PGP solution would cost up to $8,400 for one year (see Table 2-1). For the WorldSecure S/MIME security option, the costs start at $10,000. Hence, on a cost basis commercial PGP appears to be the winner for this example. 4.2 MID-SIZE ENTERPRISE OF 1000 USERS For mid-sized enterprises and larger, management of public keys by a centralized authority, whether internal to the company or via a trusted third party, is essential. OpenPGP accepts X.509 version 3 certificates as maintained by certification authorities such as VeriSign, but this is a relatively recent extension to the original PGP method of using a web-of-trust. The use of X.509 certificates are integral to S/MIME, and so version 3 and older versions of S/MIME are suitable for corporate use. On a price basis, costs are comparable for implementations based on the two standards. This is typical in a competitive industry, and so corporate IS managers are likely to decide on an approach based on interoperability with other applications they are already using. Network Associates provision of a centralized certificate server in their Enterprise Security product eliminates duplication of effort associated with maintaining copies of valid certificates across a company. Provided that a company is communicating with others using PGP, the mid-size market may hold potential for PGP. 4.3 LARGE ENTERPRISE OF 5,000 20,000 USERS In a large enterprise, a central source for certificates is essential, as has been established. Costs for using PKI can be high if desktop-level security implementations are pursued, and Tables 4-2 and 4-3 provide summaries. The biggest PGP and S/MIME products available to economize by encrypting at the socket-level or proxy-level (Network Associates Enterprise Security and Worldtalk s WorldSecure ) both use commercial products as plug-ins. Hence, the PGP and S/MIME offerings are similar from the users perspective in that they need separate products for communicating and encrypting. They work with a similar set of commercial products, with the exception that Netscape products only support S/MIME. All else being equal, that difference could have major impacts for the future of PGP. Until Netscape products work with PGP, Netscape customers may be predisposed to favoring S/MIME, and Netscape represents a significant part of the internet communications product market. Purely on cost per node, WorldSecure appears to hold a slight advantage. From Tables 4-2 and 4-3, we can see that Worldtalk s solution costs $11-20 per node, while Network Associates solution costs about $26 per node for a large number of users. 11

14 Table 4-2: Cost Comparison of Proxy-level and Desktop-level Encryption for 5,000 Users Organization 5,000 Users Worldtalk Entrust Verisign PKI System $63,000 $587,000 $551,000 Installation $15,000 $60,00 $82,000 Maintenance $63,000 $529,000 $353,000 Total Support $350,000 $1.5 M $2.8 M 5-Year Total $490,000 $2.755 M $3.791 M Cost per user per year $20 $110 $151 Table 4-3: Cost Comparison of Proxy-level and Desktop-level Encryption for 20,000 Users Organization 20,000 Users Worldtalk Entrust Verisign PKI System $188,000 $1.8 M $1.44 M Installation $30,000 $184,000 $180,000 Maintenance $188,000 $1.6 M $924,000 Total Support $700,000 $4.2 M $9.8 M 5-Year Total $1.116 M $7.915 M $12 M Cost per user per year $11 $79 $124 12

15 SECTION 5 CONCLUSIONS OpenPGP and S/MIME version 3 use the same cryptographic technology, but work differently in selecting parts of the message to be encrypted and in creating digital signatures. As competition between the two standards has increased, both have attempted to addressed their weaknesses relative to the competitor by incorporating the same or similar approaches to performing functions that the competing standard uses. This contributes to why the two standards are so similar. The struggle between PGP and S/MIME is not over, but S/MIME appears to have a pronounced advantage for desktop/applications level encryption. This advantage is largely based on its incorporation in commercial internet communications packages that are widely used, including the dominant products from Microsoft and Netscape. All else being equal, if Netscape continues its dominance of internet communications applications and chooses to build exclusively for compatibility with S/MIME, the question of whether or not S/MIME becomes the defacto standard may be largely answered. Use of applications level security solutions has high PKI costs. If a company were intent on minimizing these, Worldtalk s proxy level encryption products are useful, but these also have the limitations of Network Associates PGP solutions that function as plug-ins with commercial applications from Netscape, Microsoft, and others. Thus, if security competition focuses mostly on encryption of content, with less emphasis on digital signatures as may be needed for legally binding transactions, then competition is likely to be mainly among products that offer socketlayer security, like Enterprise Security and Worldsecure. The advantage S/MIME has as an integrated part of commercial communications packages will thus be blunted, and if costs for both approaches remain close, the field is wide open at the socket level. 13

16 APPENDIX A REFERENCES 1. Joel Snyder, WorldSecure Server s Firewall Guard s all Traffic, Networking, August 4, Rutrell Yasin, Pretty Good Privacy Gets To Business, Internet Week, 9/4/ Michael Elkins, RFC 2015: MIME Security with Pretty Good Privacy, October William Stallings, Cryptography and Network Security Principles and Practice, Prentice Hall, 1999, p PGP Enterprise Security Suite Confidentiality and Integrity: Desktop or Proxy Level Encryption?,