| |
07.04.2016 - You've got mail
The user pressed the "Get e-mail" button.
What happens next?
The mail server is a name, the network talks in numbers.
The DNS will a call, and tells the number for the name.
The TCP connection gets established, data split into packets encoded into frames turned into electric signals... There be dragons for another raid.
Over that TCP connection, a plain text hello is sent.
The other side replies with a matching set of algorithms.
It sends a certificate and an invitation.
The certificate is a blob of data in the DER subformat of ASN.1 - type, size, data, type, size, data. In there hides the public key and the signature.
SHA-256 is the hashing algorithm. It takes as many bytes as you have and turns them into a 32 byte string.
We compute it over the certificate.
We then fetch the public key of the authority which granted it and take the signature to it's Dth power modulo N.
The answer is PCKS#1 - a padded SHA256 hash of the certificate.
The two match. Good, the server is genuine!
Now we send our shared secret to it, taken to the Eth power modulo N of it's public key.
The shared secret is a random string.
To get the encryption and hashing keys, we mix the words 'master secret' with the set of random numbers exchanged previously in the hello and invitation.
Just hash is unsecure, and so HMAC was invented after a battle lost and won decades ago.
The mix is the key to HMAC, taken over a recursive set of MD5 and SHA1 hashes to produce a string of bytes.
The string is split into two pairs of 20 bytes for the MAC, then 2x16 bytes for the crypto key and 2x16 more bytes of the initial vectors.
All the prior messages were saved, with the SHA1 and MD5 hashes being taken over them.
Now, we signal the server to begin the coded exchange.
As a confirmation we send the hash above, the 'client finished' string fed to the PRF function with the hash as a key, padded in the PCKS#1, and encoded with the keys above by AES.
Add the protocol version, or someone will fake us into talking on an older, insecure one. Every weird step have a history. A battle lost or won.
The server will reply with the same courtesy, only the 'server finished' line is used.
After the niceties are done, in comes the actual data.
The application data - blocks of AES containing the whatever apps would say.
The signs of ancient battles are seen in them as well - the first block message is just random to confuse potential decoders that figured an in before.
The data follows, completed by a hash.
The MAC, a SHA256 HMAC of the number of the packets sent, the data, it's size and it's purpose.
The end is ceremonially padded, so as not to leave any predictable text that might assist the hackers.
The data goes in and out of a buffer, read and written by the layers over them engaging in further ceremonies.
Ready, says the POP3.
USER itsme
+OK i know you.
PASS buzzoff
+OK You may proceed.
Now, for the actual mail.
LIST, the client asks, +OK the server responds. RECV, RECV, RECV, RECV, DELE, DELE, DELE, DELE...
QUIT
+OK bye.
The client sends a coded ALERT to make the server know not to wait for it at dinner and breaks the TCP connection.
We now have the dumps of data made out of lines with tag: value in them, then the data terminated by two new lines.
What do it say? Where did it came from?
The mess is indescribable, the standards lax, a guess after guess on standard named fields containing data in a free-for-all format.
Americans say Feb 02 2016, the europeans - 02 02 16. Some say +0400, some say PST and EDT.
And that's just the date.
The subject line can be some text. Can be =?UTF-8?B?SGVsbG8ga2l0dHkhCg==?=, can be something even worse. All this must be decoded.
Every language have it's code page, which may not even be provided. We have to guess, to try them all and look for meaning.
The message itself, you might expect, is only text?
Nope, it's MIME. A set of parts, separated by whatever-i-want lines.
In there is a recursive mix of HTML, text versions of it, the files being attached, some signatures, some stuff embedded and some missed never to be seen.
BASE64, QP code, "plain" text in myriads of codepages.
As this final mess is waded through, the status bar approaches 100%...
You've got mail.
Share:
| |
|
| |
Comments:
I love it!
30.06.2016 04:39 - ed |
Comments disabled for lack of purpose and excess of spam.
If you have a comment on some project, ping me on the corresponding forum.
|
|
|
