Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July 2005 joint work with Susan Hohenberger and Ronald L. Rivest MIT Cryptography and Information Security Group
Motivation • To Improve/Restore the Usefulness of Email • Lightweight Trust for Email Signatures [ACHR2005] • Can we get reasonable encryption from similar simplified key management?
Lightweight Signatures • Makes forging email from bob@foo.com as difficult as receiving Bob’s email. • No explicit user key management • Uses only existing infrastructure
Review: ID-Based Crypto [diagram: keyserver holding MPK and MSK; identity "bob@foo.com" with PK_bob and SK_bob; Alice and Bob]
Review: ID-based Domains [diagram: wonderland.com keyserver with MPK_wonderland.com and MSK_wonderland.com; foo.com keyserver with MPK_foo.com and MSK_foo.com; SK_alice@wonderland.com held by Alice; SK_bob@foo.com held by Bob]
Review: DNS to distribute Master Public Keys [DomainKeys] [diagram: wonderland.com key server holding MSK_wonderland.com publishes MPK_wonderland.com in DNS; foo.com likewise publishes MPK_foo.com]
Review: Email-Based Authentication [Gar2003] [diagram: wonderland.com keyserver holding MSK_wonderland.com sends SK_alice@wonderland.com to Alice through the wonderland.com incoming mail server]
Review: Lightweight Sigs [diagram, steps 1-6: wonderland.com and foo.com key servers PUBLISH MPK_wonderland and MPK_foo in DNS; Alice holds SK_A for "alice@wonderland.com"; email From: Alice, To: Bob, Subject: Guess?, Signed: Alice, travelling from the Wonderland.com network to the foo.com network; also labelled MPK_bank]
For Encryption? [same diagram as the Lightweight Sigs slide, with a "?" placed on the message]
Threat Model • Assume your incoming mail server won’t actively spoof/attack you. • Signatures: if the MSK is compromised, simply change the MSK/MPK (DNS updates). • Encryption: different story....
Threat #1: MSK compromise • All past encrypted emails are immediately compromised. • If the MSK compromise is discreet, then all future encrypted emails are also compromised (hacking into a keyserver). [diagram: wonderland.com keyserver holding MSK_wonderland; SK_alice@wonderland.com; Alice]
Splitting Keys [diagram: MPK_wonderland split into MPK_wonderland,0, MPK_wonderland,1 and MPK_wonderland,2; three wonderland.com keyservers holding MSK_wonderland,0, MSK_wonderland,1 and MSK_wonderland,2; each issues Alice a share of SK_Alice for wonderland.com (shares 0, 1, 2), which Alice holds as SK_Alice for wonderland.com]
Threat #2: Corrupt Mail Server • A corrupt incoming mail server can decrypt and read all secret key material. • A passive corrupt mail server can intercept all emails. • Even MSK splitting doesn’t help. [diagram: wonderland.com keyserver holding MSK_wonderland.com; SK_alice@wonderland.com passing through the wonderland.com incoming mail server to Alice]
Recombining Keys • Bob generates a new MPK/MSK pair. • The combined SK matches the combined MPK. • The combined MPK provides certification and protection. • The second MPK_Bob component needs no certification! [diagram: DNS carrying MPK_foo.com; foo.com key server issuing SK_Bob; Bob holding (MSK_Bob, MPK_Bob); combined key MPK_Bob + foo.com]
Single Core Solution [diagram: shared params; MSK_1 and MSK_2, each with identity bob@foo.com, yielding SK_1 and SK_2; CombineMasterKey: MPK_1, MPK_2 → MPK_combined; CombineSecretKey: SK_1, SK_2 → SK_combined; VerifySecretShare: SK_1, MPK_1]
Building These Features on Boneh-Franklin and Waters Identity-Based Encryption
Review: Bilinear Maps • $G_1, G_2$, both of prime order $q$ • $e : G_1 \times G_1 \to G_2$ • $g, h$ generate $G_1$ • $Z = e(g, h)$ generates $G_2$ • $e(g^a, h^b) = e(g, h)^{ab}$ • $e(ug, h) = e(u, h)\, e(g, h)$ [diagram: $g^a, h^b \in G_1$ mapped by $e$ to $Z^{ab} \in G_2$]
Review: Boneh-Franklin Keys • Public Parameters: $G_1, G_2, q, g, H$ • $MSK = s \in Z_q$ • $MPK = g^s \in G_1$ • $PK_{ID} = H(ID)$ • $SK_{ID} = H(ID)^s$
Splitting & Recombining Boneh-Franklin Keys [BF2000] • $MSK_1 = s_1$, $MSK_2 = s_2$ • $MPK_1 = g^{s_1}$, $MPK_2 = g^{s_2}$ • $SK_1 = H(ID)^{s_1}$, $SK_2 = H(ID)^{s_2}$ • CombineMasterKey: $MPK = MPK_1 \cdot MPK_2 = g^{s_1 + s_2}$ • CombineSecretKey: $SK = SK_1 \cdot SK_2 = H(ID)^{s_1 + s_2}$ • Effective $MSK = s_1 + s_2$
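The split-and-recombine algebra from the Recombining Keys, Single Core Solution and Boneh-Franklin slides, as an added example that is not from the slides. It assumes a toy bilinear group in which each G_1 element is stored as its exponent (so nothing here is secure), constructed parameters Q, P, Z, hypothetical function names, and the usual Boneh-Franklin key check e(SK_i, g) = e(H(ID), MPK_i) as one way VerifySecretShare could work.

```python
import hashlib
import secrets

# Toy bilinear group, constructed for illustration only: a G1 element g^x is
# stored as its exponent x mod Q, so discrete logs are exposed and nothing here
# is secure. It only preserves the algebra e(g^a, g^b) = Z^(ab).
Q = 1019            # prime group order (constructed)
P = 2 * Q + 1       # 2039 is prime, so Z_P^* has a subgroup of order Q
Z = 4               # generator of that order-Q subgroup, playing G2
G = 1               # the generator g, in exponent form

def mul(a, b): return (a + b) % Q                # group operation in G1
def exp(a, k): return (a * k) % Q                # a^k in G1
def pair(a, b): return pow(Z, (a * b) % Q, P)    # e(a, b) in G2

def H(identity):                                 # hash an identity into G1
    d = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def keygen():                                    # one key holder: (MSK_i, MPK_i)
    s = secrets.randbelow(Q - 1) + 1
    return s, exp(G, s)

def extract(s, identity): return exp(H(identity), s)       # SK_i = H(ID)^s_i
def combine_master_key(mpk1, mpk2): return mul(mpk1, mpk2)  # g^(s1+s2)
def combine_secret_key(sk1, sk2): return mul(sk1, sk2)      # H(ID)^(s1+s2)

def verify_secret_share(sk, mpk, identity):
    # Assumed check: e(SK_i, g) == e(H(ID), MPK_i)
    return pair(sk, G) == pair(H(identity), mpk)

def mask(k, n): return hashlib.sha256(str(k).encode()).digest()[:n]

def encrypt(mpk, identity, msg):                 # BF-style, messages <= 32 bytes
    r = secrets.randbelow(Q - 1) + 1
    k = pow(pair(H(identity), mpk), r, P)        # e(H(ID), MPK)^r
    return exp(G, r), bytes(x ^ y for x, y in zip(msg, mask(k, len(msg))))

def decrypt(sk, ct):
    u, v = ct                                    # e(SK, g^r) equals the sender's k
    return bytes(x ^ y for x, y in zip(v, mask(pair(sk, u), len(v))))
```

A ciphertext made under the combined MPK decrypts only with the combined SK; either share alone yields a different pairing value, which is the property both key splitting and key recombination rely on.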
Review: Waters Keys • Public Parameters: $G_1, G_2, q, g, h, F$ • $MSK = h^s$ • $MPK = g^s$ • $PK_{ID} = F(ID)$ • $SK_{ID} = (h^s F(ID)^r,\ g^r)$
Splitting & Recombining Waters Keys • $MSK_1 = h^{s_1}$, $MSK_2 = h^{s_2}$ • $MPK_1 = g^{s_1}$, $MPK_2 = g^{s_2}$ • $SK_1 = (h^{s_1} F(ID)^{r_1},\ g^{r_1})$, $SK_2 = (h^{s_2} F(ID)^{r_2},\ g^{r_2})$ • CombineMasterKey: $MPK = MPK_1 \cdot MPK_2 = g^{s_1 + s_2}$ • CombineSecretKey: $SK = (h^{s_1} F(ID)^{r_1} \cdot h^{s_2} F(ID)^{r_2},\ g^{r_1} \cdot g^{r_2}) = (h^{s_1 + s_2} F(ID)^{r_1 + r_2},\ g^{r_1 + r_2})$ • Effective $MSK = g^{s_1 + s_2}$
Additional Details • Malicious Share Generation: NIZK Proof of Knowledge of MSK share • Malicious SK Distribution: k-out-n shares using Lagrange coefficients [GJKR99]
Putting it All Together [diagram, steps 1-7: foo.com key server #1 and key server #2; CombineMasterKey producing MPK_foo.com, published in DNS; Bob holding (MSK_Bob, MPK_Bob); Lightweight Cert. Server with (bob@foo.com, MPK_Bob); GenerateShare; foo.com SK shares for Bob (Bob,1 and Bob,2) delivered through the foo.com incoming mail server; Alice runs Encrypt on an email From: Alice, To: Bob, Subject: Secret; Bob runs CombineSecretKey to obtain SK_Bob]
Alice’s Point of View • Finding Bob’s Public Key: automatic, a lookup and a computation against MPK. No trust decision necessary. • Decryption Key Management: automatic, just upgrade the mail client • Key Revocation, etc...: automatic, with upgraded mail client • Automation!
Summary • Lightweight key infrastructure is not enough for encryption • To protect against MSK compromise: key splitting • To protect against mail server compromise: key recombination • Both can be accomplished with the same trick on Boneh-Franklin and Waters keys
Questions?
Backup Slides
Another Solution [diagram: yahoo.com incoming mail server and gmail.com incoming mail server, each delivering a key to Alice: SK_Alice for yahoo.com and SK_Alice for gmail.com]