S/MIME and OpenPGP

Security services can be added to each communication link along a path, or it can be wrapped around the data being sent, so that it is independent of the communication mechanism. This latter approach is often called "end-to-end" security and it has become a very important topic for users.

The two basic features of this type of security are privacy (only the intended recipient can read the message) and authentication (the recipient can be assured of the identity of the sender). The technical capabilities for these functions has been known for many years, but they have only been applied to Internet mail recently.

There are currently two actively proposed methods for providing these security services: S/MIME and PGP (both in its early incarnation as PGP/MIME, and as the new OpenPGP standard). Other protocols have been proposed in the past (most notably PEM and MOSS), but they did not garner much interest in the market. However, many major Internet mail vendors have begun to ship products using S/MIME, PGP/MIME, and OpenPGP.

About the Protocols

These services typically include authentication of the originator and privacy for the data. They can also provide a signed receipt from the recipient. At the core of these capabilities is the use of public key technology and large-scale use of public keys requires a method of certifying that a given key belongs to a given user.

Although they offer similar services to users, the two protocols have very different formats. Further, and more important to corporate users, they have different formats for their certificates. This means that not only can users of one protocol not communicate with the users of the other, they also cannot share authentication certificates. The difference between the two protocols is similar to the differences between GIF and JPEG files: they both do basically the same thing for end users, but thir formats are very different.

S/MIME was originally developed by RSA Data Security, Inc. It is based on the PKCS #7 data format for the messages, and the X.509v3 format for certificates. PKCS #7, in turn, is based on the ASN.1 DER format for data.

PGP/MIME is based on PGP, which was developed by many individuals, some of whom have now joined together as PGP, Inc. The message and certificate formats were created from scratch, and use simple binary encoding. OpenPGP is also based on PGP.

S/MIME, PGP/MIME, and OpenPGP use MIME to structure their messages. They rely on the multipart/signed MIME type that is described in RFC 1847 for moving signed messages over the Internet. A single mail client could conceivably accept and send both formats.

Current Status

There has been a great deal of confusion in the press (and even within the IETF) about the status of S/MIME v2, S/MIME v3, PGP/MIME, and OpenPGP. People outside the IETF seem to get particularly concerned with the IETF process and the status of a technology in the IETF, even though IETF participants are quite used to having things be a bit nebulous in the IETF.

Status of S/MIME

S/MIME's initial version developed by a private consortium of vendors. S/MIME v2 had achieved wide adoption throughout the Internet mail industry. Most implementors have created their software using various drafts of the S/MIME v2 protocol that have been circulated in the IETF. The parts of the S/MIME v2 protocol are:

S/MIME Version 2 Message Specification (RFC 2311)
S/MIME Version 2 Certificate Handling (RFC 2312)
PKCS #1: RSA Encryption Version 1.5 (RFC 2313)
PKCS #10: Certification Request Syntax Version 1.5 (RFC 2314)
PKCS #7: Cryptographic Message Syntax Version 1.5 (RFC 2315)
Description of the RC2 Encryption Algorithm (RFC 2268)

All of these RFCs are informational RFCs. It is important to note that S/MIME v2 is not an IETF standard. S/MIME v2 requires the use of RSA key exchange, which was previously encumbered by U.S. patents held by RSA Data Security, Inc.; further, S/MIME v2 requires the use of weak cryptography (40-bit keys). Both of these issues have prevented the protocol from being accepted as an IETF standard as well.

The current work on S/MIME is being done in the IETF's S/MIME Working Group. S/MIME v3 was made a standard in July, 1999. The charter for the S/MIME WG describes the current work being done. The S/MIME WG has a web page hosted by IMC.

The S/MIME v3 standard consists of five parts:

Cryptographic Message Syntax (RFC 3852)
Cryptographic Message Syntax (CMS) Algorithms (RFC 3370)
S/MIME Version 3.1 Message Specification (RFC 3851)
S/MIME Version 3.1 Certificate Handling (RFC 3850)
Diffie-Hellman Key Agreement Method (RFC 2631)

An additional protocol, Enhanced Security Services for S/MIME (RFC 2634), is a set of extensions to S/MIME to allow signed receipts, security labels, and secure mailing lists. The first two of these extensions will work with either S/MIME v2 or S/MIME v3; secure mailing lists will only work with S/MIME v3.

A freeware S/MIME v3 toolkit is now available in pre-release form. See the toolkit home page for more information.

The S/MIME certificate structure is based on work being done in the IETF's PKIX Working Group. S/MIME developers should probably be familiar with the work being done in that Working Group.

Status of PGP/MIME and OpenPGP

Earlier versions of PGP have been deployed and used since the early 1990s. PGP/MIME has been adopted by some important players in the Internet mail industry. Implementations of PGP/MIME are based on two RFCs:

The current work on PGP/MIME is being done in the IETF's OpenPGP Working Group. The charter for the OpenPGP WG states clearly that the purpose of the group is to create protocols based on PGP that can become IETF standards. The OpenPGP protocol, which is on the IETF standards track, is described in OpenPGP Message Format, RFC 2440, which is being revised by draft-ietf-openpgp-rfc2440bis. The MIME wrapping for OpenPGP is described in MIME Security with Pretty Good Privacy, RFC 3156. The OpenPGP WG has a web page hosted by IMC.

Differences and Commonalities Between S/MIME v3 and OpenPGP

S/MIME v3 and OpenPGP are both protocols for adding authentication and privacy to messages. However, they differ in many ways, and are not designed to be interoperable. Some cryptography algorithms are the same between the two protocols, but others differ. The following chart is a comparison of many relevant features of the two protocols, showing where they differ and where they are the same.

Mandatory features S/MIME v3 OpenPGP
Message format Binary, based on CMS Binary, based on previous PGP
Certificate format Binary, based on X.509v3 Binary, based on previous PGP
Symmetric encryption algorithm TripleDES (DES EDE3 CBC) TripleDES (DES EDE3 Eccentric CFB)
Signature algorithm Diffie-Hellman (X9.42) with DSS or RSA ElGamal with DSS
Hash algorithm SHA-1 SHA-1
MIME encapsulation of signed data Choice of multipart/signed or CMS format multipart/signed with ASCII armor
MIME encapsulation of encrypted data application/pkcs7-mime multipart/encrypted

Mandatory features	S/MIME v3	OpenPGP
Message format	Binary, based on CMS	Binary, based on previous PGP
Certificate format	Binary, based on X.509v3	Binary, based on previous PGP
Symmetric encryption algorithm	TripleDES (DES EDE3 CBC)	TripleDES (DES EDE3 Eccentric CFB)
Signature algorithm	Diffie-Hellman (X9.42) with DSS or RSA	ElGamal with DSS
Hash algorithm	SHA-1	SHA-1
MIME encapsulation of signed data	Choice of multipart/signed or CMS format	multipart/signed with ASCII armor
MIME encapsulation of encrypted data	application/pkcs7-mime	multipart/encrypted