How to ensure the security of e-mail?
PGP (Pretty Good Privacy) was developed by Zimmermann in 1991 to provide security and authentication services for e-mail and file storage. PGP is available as a free download, in multiple versions running on different platforms (DOS/Windows, Unix, Macintosh, etc.). The basic algorithms used by PGP are generally recognized as secure, such as the public-key RSA algorithm, the DSS algorithm, the Diffie-Hellman key exchange algorithm, and the symmetric ciphers CAST-128, IDEA, AES-128, AES-192 and AES-256. PGP has a wide range of applications. After modification and improvement, it gradually matured and resulted in RFC 4880 and RFC 3156.

PGP's security service

PGP provides e-mail security by combining public-key and symmetric-key cryptography. Because it is difficult for users to remember long, irregular private keys directly, PGP uses a cryptographic mechanism to protect users' private keys.

PGP mainly provides five services: digital signature, message encryption, data compression, e-mail compatibility and data segmentation:

Digital signature

Suppose the sender needs to sign a message M. First, the user enters the correct password; the password is passed through a hash function, and the output value is used as the key of a symmetric encryption algorithm to decrypt the encrypted private key taken from the private key ring file, recovering the user's private key. Then PGP uses a hash function to generate the message digest H of message M and signs H with the sender's private key. Finally, the message M and the signature value are compressed and sent to the receiver. The process of digital signature by PGP is shown in the figure.

The receiver first decompresses the received message, and then takes out the sender's public key from the public key ring file to verify the signature. The verification process of PGP digital signature is shown in the figure.

Message encryption

Suppose the sender needs to encrypt a message M. The message M is compressed first. The PGP random number generator then generates a one-time session key, and the compressed message is encrypted with a symmetric algorithm under that key to produce the ciphertext. At the same time, PGP takes the receiver's public key from the public key ring file, selected by the receiver's identification information, and encrypts the session key with this public key. Finally, PGP sends the encrypted session key and the ciphertext to the receiver. The process of PGP encrypting messages is shown in the figure.

After receiving the encrypted mail, the receiver splits the received message into two parts: the session key encrypted with the public-key algorithm, and the message encrypted with the session key. PGP requires the user to enter a password, which is processed by a hash function to obtain a decryption key; this key is used to decrypt the encrypted private key taken from the private key ring file. Once the user's private key has been decrypted, it is used to decrypt the first part of the received message and obtain the session key. The session key is then used to decrypt the second part of the received message, which is decompressed to give the original message. The decryption process of PGP after receiving ciphertext mail is shown in the figure.

In the above process, the session key is distributed by means of the public-key encryption algorithm, and the session key bound to the encrypted message can only be recovered after the receiver provides the correct password. Because of the store-and-forward nature of e-mail, it is unrealistic for the two parties to negotiate session keys through a handshake protocol. Moreover, the session key is used only once; in other words, encrypting the same file twice yields different ciphertexts, which further improves the security strength of the PGP system.

When the user wants to send the same e-mail to multiple recipients in encrypted form, PGP randomly generates a session key, takes the public keys of all recipients from the public key ring file, and encrypts the session key with each of them to obtain multiple encrypted session keys. After receiving the encrypted e-mail, each recipient enters his own correct password to obtain his own private key, uses it to decrypt the session key, and then uses the session key to decrypt the original e-mail.
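The encryption flow described above, including passphrase-protected private keys and multiple recipients, as an added example that is not PGP's own code or packet format. It assumes the third-party Python `cryptography` package; RSA-OAEP, AES-GCM and PKCS#8 passphrase encryption stand in for PGP's own algorithms and key-ring format, and all function names are hypothetical.

```python
import os
import zlib
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP is the public-key wrap used here (a stand-in, not PGP's packet format).
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def new_keyring_entry(passphrase: bytes):
    """Return (public key, private key stored encrypted under the passphrase)."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    locked = priv.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(passphrase))
    return priv.public_key(), locked

def encrypt_for(message: bytes, recipients: dict) -> dict:
    """Compress, encrypt once under a fresh session key, wrap the key per recipient."""
    session_key = AESGCM.generate_key(bit_length=128)   # one-time session key
    nonce = os.urandom(12)
    body = AESGCM(session_key).encrypt(nonce, zlib.compress(message), None)
    wrapped = {name: pub.encrypt(session_key, OAEP)
               for name, pub in recipients.items()}
    return {"wrapped_keys": wrapped, "nonce": nonce, "body": body}

def decrypt_as(name: str, locked_key: bytes, passphrase: bytes, packet: dict) -> bytes:
    """Unlock the private key with the passphrase, unwrap the session key, decrypt."""
    # A wrong passphrase raises ValueError here, before any message data is touched.
    priv = serialization.load_pem_private_key(locked_key, password=passphrase)
    session_key = priv.decrypt(packet["wrapped_keys"][name], OAEP)
    plain = AESGCM(session_key).decrypt(packet["nonce"], packet["body"], None)
    return zlib.decompress(plain)
```

The message body is encrypted only once regardless of the number of recipients; only the short session key is encrypted per recipient.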

Data compression

By default, PGP compresses messages after digital signature and before message encryption. On the one hand, data compression saves space in mail transmission and file storage; on the other hand, compressed messages have less redundancy than the original plaintext and are more resistant to plaintext attacks. The compression algorithms supported by the new PGP software are Bzip2, ZLIB and ZIP.

Email compatibility

When PGP is used, the transmitted message is usually at least partially encrypted, and the encrypted part consists of an arbitrary stream of 8-bit bytes. However, many e-mail systems only allow blocks composed of ASCII characters. To accommodate this limitation, PGP provides a function that converts the raw 8-bit binary stream into printable ASCII characters, using the Radix-64 conversion scheme. In this scheme, every group of three bytes of binary data is mapped to four ASCII characters, and a CRC (Cyclic Redundancy Check) is also used to detect transmission errors. Using Radix-64 increases the message length by 33%. Fortunately, compression can compensate for the expansion caused by Radix-64.

Data segmentation

E-mail facilities are usually limited to a maximum message length (50,000 eight-bit bytes). Beyond this value, the message is divided into smaller message segments, and each segment is sent separately. Segmentation is done after all other processing (including Radix-64 conversion) is completed, so the session key and signature appear only once, at the beginning of the first message segment. At the receiving end, PGP must strip all e-mail headers and reassemble the segments into the original complete data packet.