1 / 11

SELS: A S ecure E -mail L ist S ervice

SELS: A S ecure E -mail L ist S ervice. Himanshu Khurana, Adam Slagell , Rafael Bonilla NCSA, University of Illinois. Introduction to E-mail List Services. E-mail List Services (ELSs) comprise List Moderator ( LM ) – user/process that creates lists and controls list membership

lundy
Download Presentation

SELS: A S ecure E -mail L ist S ervice

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SELS: A Secure E-mail List Service Himanshu Khurana, Adam Slagell, Rafael Bonilla NCSA, University of Illinois

  2. Introduction to E-mail List Services • E-mail List Services (ELSs) comprise • ListModerator (LM) – user/process that creates lists and controls list membership • ListServer (LS) – maintains list and membership information, forwards e-mails, and optionally archives them • User/subscribers – subscriber to/ unsubscribe from lists with the help of LM, and send/receive e-mails with the help of LS • Increasingly popular for exchange of both public and private content  security is an important concern • E.g., there are over 300,000 registered lists on LISTSERV while approximately 16% of them serve public content • Little or no work in providing security solutions for ELSs • We provide solutions for confidentiality, integrity, authentication, and anti-spamming

  3. PKI: Alice’s signature verification key PKA PKI: Bob’s encryption key PKB Alice Bob Base-64 encoded message Confidentiality, Integrity, and Authentication with S/MIME for TPEE Header in Plaintext Encrypt(m, Sig(m)) w/ k AES, 3DES Encrypt (k) w/ PKB RSA, El Gamal Plaintext m Sign h(m) with SKA (RSA, DSA) • Other approaches for achieving confidentiality, integrity and authentication • PEM • PGP • Identity-based encryption and Identity-based mediated RSA • Just provides confidentiality • Challenge: certificate distribution and validation

  4. Confidentiality, Integrity and Authentication for ELSs • Confidentiality • Possible Solutions • Use cryptographic hardware to do decryption/encryption • Expensive, broken in the past (e.g., CCA application on IBM 4758) • Use group key management to distribute symmetric key to list members • Members need to be online to execute operations for key update • Our solution • Use software-based proxy re-encryption at LS to transform encrypted e-mail between sender and receivers without requiring access to plaintext • Inexpensive, does not require members to be online for updates • Integrate (encryption) key distribution with user subscription • Integrity and Authentication • Authentication goal includes notion that member must be a list subscriber • Our approach: Use digital signatures with LM providing signature key validation (w.r.t. list membership) Dec, EncPKRi(m) R1 EncPKLS(m) LS S R2 DecSKRi(c) Rn Problem: Adversary can compromise LS to obtain e-mails

  5. Anti-Spamming • Many approaches proposed for TPEE; e.g., legal • Spam is a felony in VA • In CA, PA sexually explicit emails must have pre-fix: “ADV: ADLT” • Congress passed CAN SPAM act effective Jan 2004 • Appropriate labeling, opt-out options • Challenge: Tracing, enforcement, jurisdiction • Digital Signatures for TPEE • Reject e-mail if signature does not match • Challenges • Large scale certificate distribution/revocation/enrollment • Block use of e-mail for initiating communication/transactions • Making mass-mailing infeasible • Use economic or computational deterrence • Challenges • Difficult to get the masses to pay for e-mail now • Spam sent in distributed manner, computational barrier impractical

  6. Contribution: SELS; Solutions for • Confidentiality • Solution using proxy encryption techniques whereby the plaintext is not exposed at LS; instead, LS simply transforms encrypted messages • LS archives e-mails in encrypted form and provides access on-demand • User subscription process used to create and distribute keys without the need for a trusted third party • Integrity and authentication • Solution using digital signatures where signature key validation is provided by LM • Anti-spamming • Use digital signatures with LM providing key validation • Use HMACs as a cheaper alternative with LS participating actively

  7. Create Group Establish Corresponding List Key KLS LM LS Establish Corresponding Private key K’U1, HMAC Key HU1 LM, LS implicitly agree KLK = KLM + KLS is list key Establish List Key KLM Verify HMAC, transform and forward Subscribe Send signed, encrypted, and HMACd email Verify HMAC, decrypt and verify signature Establish Private key KU1 HMAC Key HU1 U3 U2 U1 SELS Overview • Assumptions • LM is an independent entity not controlled by LS • Subscription e-mails between user, LM, and LS can be secured (e.g., PGP, • passwords)

  8. Key Store: Members’ corresponding private keys K’Ui and HMAC Keys HUi Key Store: (SKA, PKA),HA Alice LS Base-64 encoded X Sig(m) w/ SKA (RSA, DSA) Key Store: (SKB, PKB), HB Bob LS Base-64 encoded Y Encrypt (m,Sig(m)) w/ k (AES, 3DES) Email Plaintext m Sig(m) w/ SKA (RSA, DSA) Sending E-mails Email Header Encrypt (m,Sig(m)) w/ k (AES, 3DES) Encrypt (k) w/ PKA (SELS/El Gamal) H(X) w/ HA (SHA-1) Email Plaintext m Email Header Transform k w/ K’A, K’B (SELS Proxy Re-encryption) H(Y) w/ HB (SHA-1)

  9. Additional Protocol Operations • Unsubscribing Users • User sends request to LM who cosigns request and sends to LS • LS deletes user’s corresponding private key • Revocation Immediate • Signature key validation • LM sends occasional (e.g., monthly) updates on invalid keys • Archiving and retrieval • Archive after partial transformation; encrypted with KLK • Complete transformation for user on request • Analysis • If users have access to all e-mails, compromise of one user leads to compromise of all e-mails • Solution: Use key epochs • Archive e-mails only for an epoch • LM changes KLK every epoch

  10. Recent Work: Formal Verification and Implementation • Formal Verification with Proverif • Fully automated protocol verification tool based on pi calculus • Verified that SELS provides confidentiality and anti-spamming • Implemented SELS Prototype in Java • Integrated with Eudora E-mail Client via command-line interface • Integrated with GnuPG Toolkit for standard Signature and Encryption operations • Work in Progress • Plugin for JavaMail, Eudora • Integration with Majordomo list server software

  11. Summary • Increasing use of ELS for exchanging private content  security is important • Security for ELSs is significantly different from that for two-party e-mail exchange • Provide solutions for confidentiality, integrity, authentication, and anti-spamming • E-mail plaintext not exposed at LS via proxy encryption • Formal Verification with Proverif • Implementation work ongoing

More Related