Privacy-Enhanced Mail (PEM)

Michael A. Gurski

Tue Oct 24 13:59:54 EDT 1995


On the Internet, the notions of privacy and security are practically non-existent. In order to provide some level of security and privacy in electronic mail messages, the Privacy and Security Research Group (PSRG) of the Internet Research Task Force (IRTF) and the Privacy-Enhanced Electronic Mail Working Group (PEM WG) of the Internet Engineering Task Force (IETF), through a series of meetings, came up with a series of message authentication and encryption procedures known as Privacy-Enhanced Mail (PEM), and standardized in Internet RFC 1421 [1], RFC 1422 [2], RFC 1423 [3], and RFC 1424 [4].

What is PEM?

Privacy-Enhanced Mail (PEM) is an Internet standard that provides for secure exchange of electronic mail. PEM employs a range of cryptographic techniques to allow for confidentiality, sender authentication, and message integrity. The message integrity aspects allow the user to ensure that a message hasn't been modified during transport from the sender. The sender authentication allows a user to verify that the PEM message that they have received is truly from the person who claims to have sent it. The confidentiality feature allows a message to be kept secret from people to whom the message was not addressed.

Where can I get PEM?

There are at least two different implementations of PEM available. Riordan's Internet Privacy Enhanced Mail (RIPEM), written by Mark Riordan, is available from [5]. To get a copy, ftp there, cd to /pub/crypt, and read the file GETTING_ACCESS. This is currently not a complete implementation of PEM, but it is still useful. Most of the code, except for the RSA routines it employs, is in the public domain. The RSA routines are in the form of the RSAREF library licensed by RSA Data Security, Inc. (RSADSI).

The other implementation of PEM was originally called TIS/PEM [6] (version 7.0) [7], written by Trusted Information Systems, Inc. However, TIS/PEM has since been succeeded by TIS/MOSSgif (version 7.1), a program which implements PEM with MIME extensions added to it. TIS has made this freely available in C source code form. TIS/MOSS also makes use of the RSAREF libraries from RSADSI. TIS/MOSS is available by anonymous ftp from in the /pub/MOSS directory. Read the file README to find out from where the archive can be down-loaded.

What does PEM do (re: security)?

PEM provides a range of security features. They include originator authentication, (optional) message confidentiality, and data integrity. Each of these will be discussed in turn.

Originator Authentication

In RFC 1422 [2] an authentication scheme for PEM is defined. It uses a hierarchical authentication framework compatible X.509, ``The Directory --- Authentication Framework.'' Central to the PEM authentication framework are certificates, which contain items such as the digital signature algorithm used to sign the certificate, the subject's Distinguished Namegif, the certificate issuer's Distinguished name, a validity period, indicating the starting and ending dates the certificate should be considered valid, the subject's public key along with the accompanying algorithm. This hierarchical authentication framework has four entities.

The first entity is a central authority called the Internet Policy Registration Authority (IPRA), acting as the root of the hierarchy and forming the foundation of all certificate validation in the hierarchy. It is responsible for certifying and reviewing the policies of the entities in the next lower level. These entities are called Policy Certification Authorities (PCAs), which are responsible for certifying the next lower level of authorities. The next lower level consists of Certification Authorities (CAs), responsible for certifying both subordinate CAs and also individual users. Individual users are on the lowest level of the hierarchy.

This hierarchical approach to certification allows one to be reasonably sure that certificates coming users, assuming one trusts the policies of the intervening CAs and PCAs and the policy of the IPRA itself, actually came from the person whose name is associated with it. This hierarchy also makes it more difficult to spoof a certificate because it is likely that few people will trust or use certificates that have untraceable certification trails, and in order to generate a false certificate one would need to subvert at least a CA, and possibly the certifying PCA and the IPRA itself.

Message Confidentiality

Message confidentiality in PEM is implemented by using standardized cryptographic algorithms. RFC 1423 [3] defines both symmetric and asymmetric encryption algorithms to be used in PEM key management and message encryption. Currently, the only standardized algorithm for message encryption is the Data Encryption Standard (DES) in Cipher Block Chaining (CBC) mode. Currently, DES in both Electronic Code Book (ECB) mode and Encrypt-Decrypt-Encrypt (EDE) mode, using a pair of 64-bit keys, are standardized for symmetric key management. For asymmetric key management, the RSA algorithm is used.

Data Integrity

In order to provide data integrity, PEM implements a concept known as a message digest. The message digests that PEM uses are known as RSA-MD2 and RSA-MD5 for both symmetric and asymmetric key management modes. Essentially both algorithms take arbitrary-length ``messages,'' which could be any message or file, and produce a 16-octetgif value. This value is then encrypted with whichever key management technique is currently in use. When the message is received, the recipient can also run the message digest on the message, and if it hasn't been modified in-transit, the recipient can be reasonably assured that the message hasn't been tampered with maliciously. The reason message digests are used is because they're relatively fast to compute, and finding two different meaningful messages that produce the same value is nearly impossible.

What can I use PEM with?

PEM (depending on which implementation you choose to use) can be used with just about any program capable of generating Internet mail and someone else who is using PEM. There are even Emacs elisp files available which simplify the usage of PEM.

What else must I use with PEM?

In order to use PEM, you'll need either RIPEM or TIS/PEM (TIS/MOSS). Then you'll need to generate a key-pair, and make it available. Depending on your preference, and availability, you might want to get your public-key certified by a Certification Authority.

Does anybody really use PEM?

In its current state, I haven't seen much evidence of PEM being used widely. There are hooks for using both PEM, specifically RIPEM although TIS/PEM should work as well, and PGPgif in the NCSA httpd [8] program for providing secure web communications with NCSA Mosaic. These hooks must be activated with a recompilation. There are also extensions to the Emacs editor which allow one to use either PGP or a PEM implementation in conjunction with mail or any other Emacs buffer. There is also a product put out by SecureWare called SecureMail [9] that implements PEM.


J. Linn. Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures. RFC 1421, DEC, Feb 1993. This RFC can be found at

S. Kent. Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management. RFC 1422, BBN, Feb 1993. This RFC can be found at

D. Balenson. Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers. RFC 1423, TIS, Feb 1993. This RFC can be found at

B. Balaski. Privacy Enhancement for Internet Electronic Mail: Part IV: Notary, Co-Issuer, CRL-Storing and CRL-Retrieving Services. RFC 1424, RSA Laboratories, Feb 1993. This RFC can be found at

Marc VanHeyningen RIPEM FAQ. WWW homepage and Usenet post, Jan 1993. This document can be found at

Trusted Information Systems Inc. Trusted Information Systems/ Privacy Enhanced Mail (TIS/PEM). WWW homepage, 1995. This World Wide Web document can be found at

Mark S. Feldman. TIS/PEM FAQ. WWW homepage and Usenet post, Jun 1993. This World Wide Web document can be found at

NCSA HTTPd Development Team NCSA httpd/Mosaic: Using PGP/PEM encryption. WWW homepage, Jun 1995. This World Wide Web document can be found at

SecureWare Inc. SecureWare's SecureMail Product. WWW homepage. This World Wide Web document can be found at

About this document ...

Privacy-Enhanced Mail (PEM)

This document was generated using the LaTeX2HTML translator Version 95.1 (Fri Jan 20 1995) Copyright © 1993, 1994, Nikos Drakos, Computer Based Learning Unit, University of Leeds.

The command line arguments were:
latex2html -split 0 cs482p1.tex.

The translation was initiated by Michael A. Gurski on Tue Oct 24 13:59:44 EDT 1995

MOSS stands for MIME Object Security Services.

An X.500 directory system concept.

An octet is also generally considered an 8-bit byte, but since not necessarily every system on the Internet uses eight bits per byte, the term octet is used to be unambiguous about the bit-count.

Another program providing some features similar to the PEM standard, although it is currently incompatible with PEM.

Michael A. Gurski
Tue Oct 24 13:59:44 EDT 1995