Computers 81 Security, 11 (1992) 707-710

X.400 Security Judith King Marinade L.&l, 404 Butlea Wharj 36 Shad 77wnes, London SE1 2yE, UK

X.400 is part of the Open Systems Interconnect (OSI) reference model defined by the International Standards Organization (ISO). OS1 is gradually becoming the universal standard by which data is ex- changed between computers and networks. X.400 is a backbone technology connecting smaller networks into a larger unified net- work, offering extensive messaging capabilities on a store- and-forward basis.

There are three entities involved in the message handling process; the user, the originator or recipient of the message; the User Agent &IA), the liaison between the user and the message handling system for preparation, sending and receipt of messages; and the Message Transfer Agent (MTA). The interconnec- tion of several Message Transfer Agents makes up the Message Transfer System (MTS) for the routing of messages to the final UA.

The content of a message will be compiled by the user, transferred to the UA where a header is added to the content of the message. The UA message is then transferred to the MTA where a new header is

added; this header includes the ad- dresses of the UA’s receiver and originator, message priority, level of urgency etc. The message is then routed to the final UA via the MTS.

The CCITT (The International Consultative Committee on Tele- phony and Telegraphy) first published X.400 recommenda- tions for Message Handling Systems in 1984, making it the first internationally recognized stand- ard at the application layer of the OS1 model.The purpose was to allow different and otherwise in- compatible messaging applications to exchange messages by defining a wide range of standard messaging features such as multi-destination, grades of service, notification of message delivery or non-delivery, support of binary files etc.

These recommendations were then revised in 1988, introducing a set of advanced and generic se- curity features. These features provide for the encryption of data, verification of message sequence integrity, authentication of the message recipient and authentica- tion of the delivered message contents. The 1988 version of

X.400 also allows the sender to specify the latest time by which a message should be delivered. Should the message not be de- livered within the specified time a notification ofnon-delivery will be received by the originator.

Security issues

The main security issues that need to be addressed by X.400 are those of authentication, non-repudiation and confidentiality. Within the X.400 security recommendations there is a definition of the required properties for encryption methods, protocol elements for exchanging keys and operating them and examples of suitable algorithms. Any encryption mechanism can be used as long as it meets with these requirements.

Authentication of the users, can be carried out on two levels, end-to- end i.e. from the originator to the recipient by the use ofsigned mess- ages; and between MHS components, such as a User Agent and a Message Transfer Agent (MTA). This second level ensures that no unauthorized user can mas-

0167~4046/92/$5.00 0 1992 Elsevier Science Publishers Ltd 707

Judith King/x. 400 Security

querade as a genuine one, by either stealing or redirecting messages.

The security protocol between the Message Transfer Service and the MTS provider known as MTS- Bind can involve a simple authentication procedure, estab- lishing the sender’s credentials with just a password or use what is known as a ‘strong’ authentication sequence with a digital signature and certification.

X.400 also has rules defining se- curity labels controlling who should have access to a certain message. There are three types of label, classification, the privacy mark and the security category. Classification marks the level of security of the message ranging from unmarked to top-secret, whilst the privacy mark is shown on the document marking it to be ‘in confidence’and the security ca- tegory defines types ofinformation to which only certain users may have access.

Central to the end-to-end authen- ticity functions within the X.400 messaging system is the digital sig- nature. The digital signature is essentially a string of characters representing, in a coded form, the contents of the signed message and its author. The string of characters is sent together with the message for which it vouches.

The concept of the digital signa- ture is based on the system of cryptography, taking a message in clear and applying a conversion method with an agreed but secret key,so that it results in an encrypted

message, which can only be read by someone with access to the secret key. If an encrypted message is re- ceived and by application of your key to this message you get an intelligible version in return, it is certain that the encrypted message was sent by somebody also having access to the correct key If you are certain that only two people, your- self and your correspondent, have such access, then you know exactly where the message came from.

This system is known as the con- ventional symmetric crypt0 system, and a problem may arise in using this, in that it is not possible to prove to a third party that you did not make up the message your- self. This is because the same key is use both for encryption and de- cryption. In order to overcome this potential problem an asymmetric crypt0 system is used, whereby a message encrypted by one key can only be decrypted with another key The best known asymmetric systems are those based on the so- called RSA algorithm. This makes use of any very large number, which is the product of two large primes.

Knowing only the product it would be a very time-consuming task to find the original primes. In this type of system, a user can generate two related keys, keep one secret and make the other public. If he now always uses the secret key to encrypt messages, then every- body can establish that he is the sender of this message. This is be- cause only the use of this particular secret key will produce a message which can be decrypted into

something intelligible by the pub- lic key.

Unfortunately, the processing in- volved in encrypting or decrypting a complete message using an asym- metric system is quite time consuming, because the prime numbers involved must be very large in order to make the system secure. Since in most cases it is not necessary to keep the message se- cret and all that needs to be achieved is authenticity, a so-called hashing algorithm is used.

A hashing algorithm describes a one-way process, which, using an agreed cryptographic key, provides a sort of ‘checksum’ of the contents of the message. This is somewhat similar to calculating the seventh (control) digit of a container num- ber. The result of the process is a fixed-length character string which represents the contents of the original message, so that, if any character in the original message were to be changed, added or deleted, the same hash-sum char- acter string would no longer be produced. By using the same algo- rithm with the agreed key, the recipient of a message with a hash- sum character string attached can check that the original message has not been altered. These algorithms execute very quickly

Therefore, the practical way of im- plementing a digital signature is first to produce a hash-sum charac- ter string offixed (short) length and then digitally to sign this string. This requires relatively little pm- cessor time, but still produces the desired functions of message inte-

708

Computers & Security, Vol. I I, No. 8

grity and certain establishment of the sender’s identity

Time stamps and message se- quence numbering, prevent a message being sent more than once or enables recognition of the fact that the message has already been sent previously This system also allows the non-arrival of messages for whatever reason to be detected, adding further security to the sys- tem.

X.509 and public key certification

Related to the X.400 security issues to ensure that the correct public key is being used by the sender, and therefore that the sen- der is who he claims to be, certification authorities need to issue and guarantee keys. Recom- mendations for these services are defined under the X.500 directory services guidelines. X.509 is the recommendation for providing user authentication using a 1,2 or 3 way ‘handshake’ and public key certificates. The ‘handshake’ is the procedure whereby two corre- sponding systems identify each other, i.e. it is a procedure for es- tablishing the authenticity of the communication. In a l-way hand- shake, the called application gets evidence of the genuineness of the calling application; with a 2-way handshake both calling and called applications are positively identi- fied; and the 3-way handshake further secures the authenticity of the exchange, by making replay of previous handshake sequences im- practicable.

2 and 3-way handshakes require interactive communications, and as previously stated X.400 messaging is based on a store-and-forward system. Therefore, only the 1 way handshake protocols are possible. The l-way handshake is used to prove identification of the user by verifying that a user is registered with a certain set of credentials and a public key. If, in the handshake procedure, the receiving applica- tion by applying the known public key of the ostensible sender can decrypt a certain character string, it will know that the sending appli- cation has access to the correct secret key and therefore presum- ably is what it claims to be.

Suppose that a f?audster were to generate a secret/public key pair and publicize the public one under a bona fide trader’s name. It could be that, before the bona fide trader has discovered what is happening and has taken steps to disassociate itself from the fraudulent key, the fraudster could have gained finan- cial advantage through pretending to be the bona fide trader and ‘proving’ this using digital signa- tures. Clearly, it is important that traders can rely on the authenticity of public keys.

The way envisaged within X.509 is for specific organizations to act as certification authorities. These could be organizations which are well known and highly respected, either existing ones or new organ- izations specifically set up for this purpose, maybe under inspection by government. The certification authority will register the public keys ofthose sending and receiving

messages and check their authen- ticity. On demand, the authority will then send out an electronic certificate which consists of the required public key, signed digitally by the certification authority. The requesting trader can now check the authenticity of the public key by checking the digital signature of the certification authority, which of course involves having access to its public key. A fiaudster could at this stage pretend to be a certifica- tion authority and publish its own public key, however X.509 recog- nizes this problem and has introduced the possibility of certi- fications up to three levels.

Non-repudiation services

In multiple networks the concept of non-repudiation is especially es- sential, so that the sender of a message cannot at a later stage dis- pute the sending or receipt of a message. This can be achieved through the use of the private key system described above, but also through confirmation of delivery Proof of submission of a message to the Message Transfer System is as- sured by requesting and receiving a signed response from the reci- pient of the message to the originator in the form of a De- livery Notification. This message is a hashed version of the original message, together with a record of the delivery time and the message identified, so that the originator can be sure that the recipient in- deed received the message, and that the message was still intact when received.

709

Judith King/3(. 400 Security

Confidentiality

Confidentiality of the message is best covered by encryption at all levels, methods for which are de- scribed above. Also described above is the method by which X.400 provides for the labelling of the message showing the level of security and confidentiality with which it should be treated.

Conclusion

The security features defined under the 1988 version of the X.400 recommendations, whilst wide, do not fully cover all security issues on all levels,for example they do not deal with internal security horn the User Agent to the final user himself, nor do they cover the destruction of messages, although

Letter to the Editor Ross Anderson University Computer Laboratory, Pembroke Street, Cambdge CBZ 3QC, UK

In Rotraut Laun’s article ‘Asymme- tric User Identification’ (VII p 173-183), she presents a protocol with an elementary error. In it, Alice wants to check Bob’s identity, and so she sends him a random number encrypted under his public key, which he must decrypt and return.

When the encryption algorithm is RSA (which seems to be implied), this protocol works as follows. Let

Bob’s public and secret exponents be E and D respectively, and let all the arithmetic be done with respect to his public modulus. Alice chaos

!? a random number r, forms

R = r , and sends it to him. He is expected to grove his identity by calculating R , which is equal to r,

and sending it back to her.

If he does this, however, he lays himself open to fraud. Alice can abuse the protocol by sending him

X.400 can help to identify that a message has gone astray. The X.400 security features must be im- plemented as part of an overall security messaging policy, as con- formance to X.400 in itself does not provide any guarantees for se- curity.

a series ofdetective values vi, where vi = RiPI for random Ri = riE and Pi is the ith prime nsmber.Jhen once he s nds her m

% - r& , she

knows Pi and can respond cor- rectly to any challenge she can factor. Even more seriously, if he uses the same secret key for digital signatures, she can easily construct messages which are products of the primes Pi and forge his signature on these.

710