Lightweight Encryption for Email
Ben [email protected] July 2005
joint work with Susan Hohenberger and Ronald L. Rivest
MIT Cryptography and Information Security Group
Motivation
• To Improve/Restore the Usefulness of Email
• Lightweight Trust for Email Signatures [ACHR2005]
• Can we get reasonable encryption from similar simplified key management?
Lightweight Signatures
• Makes forging email from [email protected] as difficult as receiving Bob’s email.
• No explicit user key management
• Uses only existing infrastructure
ID-based Domains (Review)
[Diagram: Alice at wonderland.com and Bob at foo.com. Each domain has a keyserver holding its master secret key ($MSK_{wonderland.com}$, $MSK_{foo.com}$) and a matching master public key ($MPK_{wonderland.com}$, $MPK_{foo.com}$).]
DNS to Distribute Master Public Keys (Review) [DomainKeys]
[Diagram: the wonderland.com key server, holding $MSK_{wonderland.com}$, publishes $MPK_{wonderland.com}$ to DNS; the DNS entries for wonderland.com and foo.com carry $MPK_{wonderland.com}$ and $MPK_{foo.com}$.]
Email-Based Authentication (Review) [Gar2003]
[Diagram: Alice, the wonderland.com incoming mail server, and the wonderland.com keyserver holding $MSK_{wonderland.com}$; a secret key SK is delivered to Alice.]
Lightweight Sigs (Review)
[Diagram, steps numbered 1 to 6: the wonderland.com and foo.com key servers PUBLISH $MPK_{wonderland}$ and $MPK_{foo}$ to DNS; Alice, on the wonderland.com network, holds $SK_A$ and sends Bob, on the foo.com network, a signed email ("From: Alice / To: Bob / Subject: Guess? / I heard that... I'm serious! / Signed: Alice"). An $MPK_{bank}$ label also appears.]
For Encryption?
[Diagram: the same lightweight-signature flow as on the previous slide (key servers, DNS PUBLISH, Alice's signed email to Bob, steps 1 to 6), now marked with a "?".]
Threat Model
• Assume your incoming mail server won’t actively spoof/attack you.
• Signatures: If the MSK is compromised, simply change the MSK/MPK (DNS updates).
• Encryption: Different story....
Threat #1: MSK compromise
• all past encrypted emails are immediately compromised.
• if the MSK compromise is discreet, then all future encrypted emails are also compromised. (hacking into a keyserver).
[Diagram: Alice and wonderland.com, which holds $MSK_{wonderland}$.]
Splitting Keys
[Diagram: three wonderland.com key servers hold the master-key shares $MSK_{wonderland,0}$, $MSK_{wonderland,1}$ and $MSK_{wonderland,2}$. Alice receives one secret-key share from each (shares 0, 1 and 2) and combines them into her wonderland.com secret key. The public shares $MPK_{wonderland,0}$, $MPK_{wonderland,1}$ and $MPK_{wonderland,2}$ combine into $MPK_{wonderland}$.]
Threat #2: Corrupt Mail Server
• a corrupt incoming mail server can decrypt and read all secret key material.
• a passive corrupt mail server can intercept all emails.
• even MSK splitting doesn’t help.
[Diagram: Alice, the wonderland.com incoming mail server, and wonderland.com holding $MSK_{wonderland.com}$.]
Recombining Keys
[Diagram: the foo.com key server issues Bob a secret key for foo.com, and $MPK_{foo.com}$ is published in DNS for foo.com. Bob holds his own pair $(MSK_{Bob}, MPK_{Bob})$ and a secret key under it. The combined public key is $MPK_{Bob+foo.com}$.]
• Bob generates a new MPK/MSK pair
• The combined SK matches the combined MPK.
• The combined MPK provides certification and protection.
• The second MPK component needs no certification!
Single Core Solution
[Diagram: from shared params, two master key pairs $(MSK_1, MPK_1)$ and $(MSK_2, MPK_2)$ give secret keys $SK_1$ and $SK_2$. CombineSecretKey outputs $SK_{combined}$; CombineMasterKey outputs $MPK_{combined}$; VerifySecretShare takes $SK_1$ and $MPK_1$.]
Building These Features on Boneh-Franklin and Waters Identity-Based Encryption
Bilinear Maps (Review)
$e : G_1 \times G_1 \to G_2$
$G_1, G_2$ both of prime order $q$
$g, h$ generate $G_1$
$e(g^a, h^b) = e(g, h)^{ab}$
$e(ug, h) = e(u, h)\,e(g, h)$
$Z = e(g, h)$ generates $G_2$
[Diagram: $e$ maps $g^a$ and $h^b$ in $G_1$ to $Z^{ab}$ in $G_2$.]
Boneh-Franklin Keys (Review)
Public Parameters: $G_1, G_2, q, g, H$
$MSK = s \in \mathbb{Z}_q$
$MPK = g^s \in G_1$
$PK_{ID} = H(ID)$
$SK_{ID} = H(ID)^s$
Splitting & Recombining Boneh-Franklin Keys
$MSK_1 = s_1$, $MSK_2 = s_2$
$MPK_1 = g^{s_1}$, $MPK_2 = g^{s_2}$
$SK_1 = H(ID)^{s_1}$, $SK_2 = H(ID)^{s_2}$
CombineMasterKey: $MPK = MPK_1 \cdot MPK_2 = g^{s_1+s_2}$
CombineSecretKey: $SK = SK_1 \cdot SK_2 = H(ID)^{s_1+s_2}$
Effective $MSK = s_1 + s_2$
[BF2000]
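The Boneh-Franklin split-and-recombine algebra above, as an added example that is not from the original slides: it replaces the real pairing with a toy, insecure bilinear map (each $G_1$ element stored as its exponent) so it runs on the standard library, and shows that the combined key decrypts while a single share does not. The parameters, the identity string, the `verify_secret_share` equation and the hash-and-XOR encryption step are assumptions, not taken from the slides.

```python
import hashlib
import secrets

# Toy bilinear group (constructed, insecure): a G1 element g^x is stored as x mod Q,
# so G1 multiplication is addition of exponents and e(g^a, g^b) = Z^(ab) in Z_P^*.
Q, P, Z, G = 1019, 2039, 4, 1   # prime order q, modulus p = 2q + 1, Z = e(g, g), g

def mul(a, b):                  # a * b in G1
    return (a + b) % Q

def exp(a, k):                  # a^k in G1
    return (a * k) % Q

def pair(a, b):                 # bilinear map e : G1 x G1 -> G2
    return pow(Z, (a * b) % Q, P)

def H(identity):                # hash an identity string into G1 (never the neutral element)
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (Q - 1) + 1

def gen_share():                # (MSK_i, MPK_i) = (s_i, g^s_i)
    s = secrets.randbelow(Q - 1) + 1
    return s, exp(G, s)

def extract(s, identity):       # SK_i = H(ID)^s_i
    return exp(H(identity), s)

def verify_secret_share(sk_i, mpk_i, identity):
    # Assumed check (not given on the slide): e(SK_i, g) == e(H(ID), MPK_i)
    return pair(sk_i, G) == pair(H(identity), mpk_i)

def mask(gt, n):                # derive an n-byte pad (n <= 32) from a G2 element
    return hashlib.sha256(str(gt).encode()).digest()[:n]

def encrypt(mpk, identity, msg):
    r = secrets.randbelow(Q - 1) + 1
    pad = mask(pow(pair(H(identity), mpk), r, P), len(msg))
    return exp(G, r), bytes(m ^ k for m, k in zip(msg, pad))

def decrypt(sk, ct):
    u, v = ct
    return bytes(c ^ k for c, k in zip(v, mask(pair(sk, u), len(v))))

def demo(identity="bob@foo.example", msg=b"constructed message"):
    (s1, mpk1), (s2, mpk2) = gen_share(), gen_share()      # key server share, Bob's own share
    sk1, sk2 = extract(s1, identity), extract(s2, identity)
    assert verify_secret_share(sk1, mpk1, identity)
    ct = encrypt(mul(mpk1, mpk2), identity, msg)           # CombineMasterKey
    return decrypt(mul(sk1, sk2), ct), decrypt(sk1, ct)    # CombineSecretKey vs. one share

if __name__ == "__main__":
    print(demo())
```

The second value returned by `demo()` is what a party holding only `sk1` recovers, which is never the plaintext.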
Waters Keys (Review)
Public Parameters: $G_1, G_2, q, g, h, F$
$MSK = h^s$
$MPK = g^s$
$PK_{ID} = F(ID)$
$SK_{ID} = (h^s F(ID)^r, g^r)$
Splitting & Recombining Waters Keys
$MSK_1 = h^{s_1}$, $MSK_2 = h^{s_2}$
$MPK_1 = g^{s_1}$, $MPK_2 = g^{s_2}$
$SK_1 = (h^{s_1} F(ID)^{r_1}, g^{r_1})$, $SK_2 = (h^{s_2} F(ID)^{r_2}, g^{r_2})$
CombineMasterKey: $MPK = MPK_1 \cdot MPK_2 = g^{s_1+s_2}$
CombineSecretKey: $SK = (h^{s_1} F(ID)^{r_1} \cdot h^{s_2} F(ID)^{r_2},\ g^{r_1} \cdot g^{r_2}) = (h^{s_1+s_2} F(ID)^{r_1+r_2},\ g^{r_1+r_2})$
Effective $MSK = g^{s_1+s_2}$
Additional Details
• Malicious Share Generation: NIZK Proof of Knowledge of MSK share
• Malicious SK Distribution: k-out-n shares using Lagrange coefficients [GJKR99]
Putting it All Together
[Diagram, steps numbered 1 to 7. Elements: foo.com key servers #1 and #2; the DNS entry for foo.com carrying $MPK_{foo.com}$ (CombineMasterKey); the foo.com incoming mail server; Bob with his two foo.com secret-key shares, GenerateShare producing $(MSK_{Bob}, MPK_{Bob})$, and CombineSecretKey; a Lightweight Cert. Server holding ([email protected], $MPK_{Bob}$); Alice running CombineMasterKey and Encrypt on an email "From: Alice / To: Bob / Subject: Secret".]
Alice’s Point of View
• Finding Bob’s Public Key: automatic: a lookup, a computation against MPK. No trust decision necessary.
• Decryption Key Management: automatic, just upgrade the mail client
• Key Revocation, etc...: automatic, with upgraded mail client
Automation!
Summary
• Lightweight key infrastructure is not enough for encryption
• To protect against MSK compromise: key splitting
• To protect against mail server compromise: key recombination
• Both can be accomplished with the same trick on Boneh-Franklin and Waters keys
Questions?
Backup Slides
Another Solution
[Diagram: Alice holds one secret key from yahoo.com and one from gmail.com; each domain is shown with its own incoming mail server.]