automated key management for end to end encrypted email
play

Automated Key Management for End-To-End Encrypted Email - PowerPoint PPT Presentation

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Automated Key Management for End-To-End Encrypted Email Communication Intermediate talk for the Guided Research by Thomas Maier advised by


  1. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Automated Key Management for End-To-End Encrypted Email Communication Intermediate talk for the Guided Research by Thomas Maier advised by Benjamin Hof Wednesday 24 th January, 2018 Chair of Network Architectures and Services Department of Informatics Technical University of Munich

  2. Table of Contents Introduction Planning Problem Analysis Related Work Approach Final Steps T. Maier — Automated Key Management 2

  3. Introduction Problem & Motivation: • Secure end-to-end email encryption is difficult to handle for laypersons [1, 2, 3]. • Usability issues ⇒ Security problems • One of the major impediments is the Key Exchange between end-users ⇒ Inability to ... • send and receive public keys • verify keys and signatures Research Question: How is it possible to automatically exchange authenticated public keys in order to make end-to- end encrypted mailing more usable? Goals: • Automated key exchange between end-users • Implicit guarantee of authenticity (guaranteed mapping key → user ) T. Maier — Automated Key Management 3

  4. Planning Steps to address the problem 1. Analyze the problem 2. Search for related work 3. Draft protocol ideas 4. Compare protocol ideas 5. Design chosen protocol 6. Implement prototype T. Maier — Automated Key Management 4

  5. Problem Analysis Derivation of Criteria and Necessary Features • Key Exchange requires publication and retrieval of a key K pub • Automation requires a sequence to support service discovery • Key authenticity is required to guarantee user-key-binding • Ease of solution distribution is required • High scalability • Easy installation • Low costs T. Maier — Automated Key Management 5

  6. Related Work • Transparency Frameworks • Certificate Transparency, CONIKS, Key Transparency • No authentication • But: Monitoring after publication • Web of Trust: Bad usability [1, 2, 3] • Mail Provider Approaches • Public Key Upload and Retrieval: DNS or isolated application • Assisting in Encryption: Usage of browser add-ons or own applications • Service Discovery: DNS or manual • Deployment Distribution: Isolated applications ⇒ No scalability problems • Client-side Approach Mailpile (makes use of Trust on First Use concept) T. Maier — Automated Key Management 6

  7. Approach Abstract Protocol Design T. Maier — Automated Key Management 7

  8. Approach Protocol Drafts • SMTP Service Extension: Key exchange via SMTP • IMAP Extension: Key exchange via IMAP • Key Mailing: Using email transport to send and receive K pub T. Maier — Automated Key Management 8

  9. Final Steps 1. Comparison of protocols (in progress) 2. Protocol design (in progress) 3. Prototypical implementation (to do) T. Maier — Automated Key Management 9

  10. Bibliography [1] S. Ruoti, J. Andersen, D. Zappala, and K. Seamons. Why Johnny Still, Still Can’t Encrypt: Evaluating the Usability of a Modern PGP Client. arXiv:1510.08555 [cs] , Oct. 2015. arXiv: 1510.08555. [2] S. Sheng, L. Broderick, J. J Hyland, and C. Alison Koranda. Why Johnny still can’t encrypt: evaluating the usability of email encryption software . ACM - Proceedings of the second symposium on Usable privacy and security, Nov. 2017. [3] A. Whitten and J. D. Tygar. Why Johnny Can’T Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of the 8th Conference on USENIX Security Symposium - Volume 8 , SSYM’99, pages 14–14, Berkeley, CA, USA, 1999. USENIX Association. T. Maier — Automated Key Management 10

Recommend


More recommend