1 / 13

Accredited DomainKeys: A Service Architecture for Improved Email Validation

Accredited DomainKeys: A Service Architecture for Improved Email Validation. Michael Goodrich Roberto Tamassia Danfeng Yao UC Irvine Brown University Work principally supported by IAM Registry Additional funding from NSF. Overview.

benard
Download Presentation

Accredited DomainKeys: A Service Architecture for Improved Email Validation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Accredited DomainKeys: A Service Architecture for Improved Email Validation Michael Goodrich Roberto Tamassia Danfeng Yao UC Irvine Brown University Work principally supported by IAM Registry Additional funding from NSF

  2. Overview • DomainKeys signs outgoing messages using public-key cryptography (Delany 04) • Did the sender actually send this email? • Accredited DomainKeys provides assurance of sender’s public key and evidence of sender domain’s trustworthiness • Is the sender of this email trustworthy? • Two approaches of implementing Accredited DomainKeys are presented

  3. Query for public key Example.net Name Server Yahoo.com MTA Send signed email Authentication-Results: example.net from=bob@example.net; domainkeys=pass; In-coming message DomainKey-Signature: a=rsa-sha1; s=mail; d=example.net; c=simple; q=dns; b=Fg…5J Out-going message Send and Receive in DomainKeys Public key Verify signature Private key Sign mail Example.net MTA

  4. Accredited DomainKeys Architecture • Aims at establishing trust in the sender domain • Scalability, efficiency, and usability • Extends DomainKeys framework • Applicable also to Identified Internet Mail (Fenton, Thomas) • Introduces a trusted third-party: accreditation bureau • Accreditation bureau generates and updates accreditation seals for registered domains • The accreditation seal is the proof of membership • Time quantum of seal updates depends on applications

  5. Update seal at each time quantum Register public key Yahoo.com MTA Send signed email Example.net MTA Accreditation Bureau Accredited-DomainKeys: v=seal DomainKey-Signature: a=rsa-sha1; s=mail; d=example.net; c=simple; q=dns; b=Fg…5J Write mail Bob Send in Accredited DomainKeys Public key Example.net Name Server Private key Sign email

  6. Example.net Name Server Query for public key Query for accreditation seal Yahoo.com MTA Update accreditation seal at each time quantum Receive mail Authentication-Results: example.net from=bob@example.net; domainkeys=pass; accreditation=pass Accreditation Bureau Alice from Yahoo.com Receive in Accredited DomainKeys Verify signature Verify seal

  7. Seal realization: simple signature Example.net Name Server • The seal is a signature signed by the bureau on the public key of a domain • The seal is refreshed at each time quantum • The seal is verified against the public key of the accreditation bureau Update accreditation seal at each time quantum Accreditation Bureau

  8. Query Response Seal realization: STMS • The Secure Transaction Management System [Goodrich, Tamassia et al.] implements an authenticated dictionary Basis (signed) Updates t Responder A User t DS Source Answer Proof Basis (signed) Responder B DS DS

  9. Example.net Name Server (STMS Responder) Yahoo.com MTA (STMS User) Receive mail Accreditation Bureau (STMS Source) Seal realization: STMS (cont’d) Query for accreditation seal (proof-basis pair) Verify signature of basis Verify proof of domain Update proof and basis at each time quantum Obtain the bureau’s public-key

  10. Seal Realizations: Efficiency N: Number of domains registered with the accreditation bureau

  11. Summary and Future Work • Summary • Accredited DK provides assurance of sender’s public key and evidence of sender domain’s trustworthiness • Extension of DK framework • Accreditation seals issued by accreditation bureau and stored in domain name server • STMS approach is more scalable than simple signature approach • Website:http://www.accrediteddomainkeys.net • Current and Future Work • Performance tests • Accredited DKIM

  12. Related Work • SPF (Lentczner, Wong) and Sender ID Framework (Microsoft) • DomainKeys (Delany) • Identified Internet Mail (Fenton, Thomas) • Flexible Sender Validation (Levine) • Sender Authorization with RMX DNS RR (Danisch) • Reverse DNS Marking (Stumpf, Hoehne) • Project Lumos (Email Service Provider Coalition) • Authenticated data structures (Goodrich, Tamassia et al.)

  13. Acknowledgements • David Croston and IAM Registry, Inc • David Ellis, John Nuber • Eric Allman, Jon Callas, Mark Delany, and Jim Fenton • National Science Foundation

More Related