View
6
Download
0
Category
Preview:
Citation preview
Lightweight Encryption for Email
Ben Adidaben@mit.edu7 July 2005
joint work withSusan Hohenberger and Ronald L. RivestMIT Cryptography and Information Security Group
Motivation
• To Improve/Restore the Usefulness of Email
• Lightweight Trust for Email Signatures [ACHR2005]
• Can we get reasonable encryption fromsimilar simplified key management?
Lightweight Signatures
• Makes forging email from bob@foo.comas difficult as receiving Bob’s email.
• No explicit user key management
• Uses only existing infrastructure
ID-Based CryptoReview
keyserver
Alice Bob
MSK MPK
"bob@foo.com"
PKbob SKbob
ID-based Domains
BobAlice
SKalice@wonderland.com SKbob@foo.com
MPKwonderland.com MPKfoo.com
wonderland.com
keyserver
MSKwonderland.com
foo.com
keyserver
MSKfoo.com
Review
DNS to distributeMaster Public Keys
wonderland.com
key server
MSKwonderland.com
DNS
wonderland.com
foo.com
MPKwonderland.com
MPKfoo.com
Publish
[DomainKeys]
Review
MPKwonderland.com
Email-BasedAuthentication
[Gar2003]Alice
wonderland.com
incoming
mail server
wonderland.com
keyserver
MSKwonderland.com
SK
alice@wonderland.com
Review
Alice
SKalice@wonderland.com
Lightweight SigsReview
foo.comNetwork
Wonderland.comNetwork
wonderland.com
key server
foo.com
key server
BobAlice
PUBLISH
DNS
wonderland.com
foo.com
PUBLISH
MPKfoo
1 1
MPKwonderland
From: Alice
To: Bob
Subject: Guess?
I heard that...
I'm serious!
Signed:
Alice
3
4
“alice@wonderland.com”
MPKbank
5
6
SKA 2
For Encryption?
foo.comNetwork
Wonderland.comNetwork
wonderland.com
key server
foo.com
key server
BobAlice
PUBLISH
DNS
wonderland.com
foo.com
PUBLISH
MPKfoo
1 1
MPKwonderland
From: Alice
To: Bob
Subject: Guess?
I heard that...
I'm serious!
Signed:
Alice
3
4
“alice@wonderland.com”
MPKbank
5
6
SKA 2
?
Threat Model
• Assume your incoming mail serverwon’t actively spoof/attack you.
• SignaturesIf the MSK is compromised, simplychange the MSK/MPK (DNS updates).
• EncryptionDifferent story....
Threat #1:MSK compromise
• all past encrypted emailsare immediately compromised.
• if the MSK compromise is discreet, thenall future encrypted emailsare also compromised.(hacking into a keyserver).
Alice
SKalice@wonderland.com
wonderland.com
MSKwonderland
Splitting Keys
wonderland.com
MSKwonderland,1
wonderland.com
MSKwonderland,0
wonderland.com
MSKwonderland,2
Alice
SKAlicewonderland.com,0 SK
Alicewonderland.com,1 SK
Alicewonderland.com,2
SKAlicewonderland.com
MPKwonderland
MPKwonderland,0 MPKwonderland,1 MPKwonderland,2
Threat #2:Corrupt Mail Server
• a corrupt incoming mail server can decrypt and read all secret key material.
• a passive corrupt mail server can intercept all emails.
• even MSK splitting doesn’t help.
Alice
wonderland.com
incomingmail server
SKalice@wonderland.com
wonderland.com
MSKwonderland.com
Recombining Keys
Bob
foo.com
key server
DNS
foo.com
MPKfoo.com
SKBobfoo.com
MPKBob+foo.com
(MSKBob,MPKBob) SKBobBob
• Bob generates a new MPK/MSK pair
• The combined SK matches the combined MPK.
• The combined MPK provides certification and protection.
• The second MPK component needs no certification!
Single Core Solution
params
MSK1
MPK1
MSK2
MPK2
SK1
SK2
bob@foo.com
CombineSecretKey SKcombined
CombineMasterKey MPKcombined
bob@foo.com
VerifySecretShareSK1
MPK1
Building These Features onBoneh-Franklin and Waters
Identity-Based Encryption
Bilinear MapsReview
e : G1 × G1 → G2
g, h generate G1
e(ga, hb) = e(g, h)ab
e(ug, h) = e(u, h)e(g, h)
Z = e(g, h) generates G2
G1 G2
ga
Zab
hb
e
G1, G2,both of prime order q
Boneh-Franklin KeysReview
MSK = s ∈ Zq
MPK = gs∈ G1
Public Parameters: G1, G2, q, g, H
PKID = H(ID)
SKID = H(ID)s
Splitting & RecombiningBoneh-Franklin Keys
MSK1 = s1 MSK2 = s2
MPK1 = gs1 MPK2 = gs2
CombineMasterKey MPK = MPK1 · MPK2 = gs1+s2
SK2 = H(ID)s2SK1 = H(ID)s1
CombineSecretKey SK = SK1 · SK2 = H(ID)s1+s2
Effective MSK = s1 + s2
[BF2000]
Waters KeysReview
Public Parameters: G1, G2, q, g, h, F
MSK = hs
MPK = gs
PKID = F (ID)
SKID = (hsF (ID)r, gr)
Splitting & RecombiningWaters Keys
MPK1 = gs1 MPK2 = gs2
SK2 = (hs2F (ID)r2 , gr2)SK1 = (hs1F (ID)r1 , gr1)
MSK1 = hs1 MSK2 = h
s2
CombineMasterKey MPK = MPK1 · MPK2 = gs1+s2
CombineSecretKey SK = (hs1F (ID)r1· hs2F (ID)r2 , gr1
· gr2)= (hs1+s2F (ID)r1+r2 , gr1+r2)
Effective MSK = gs1+s2
Additional Details
• Malicious Share Generation:NIZK Proof of Knowledge of MSK share
• Malicious SK Distribution:k-out-n shares using Lagrange coefficients[GJKR99]
Putting it All Together
foo.com
key server #1
foo.com
key server #2
Bob
SKfoo.comBob,1 SK
foo.comBob,2
3
foo.com
incoming
mail server GenerateShare
(MSKBob,MPKBob)
4
Lightweight
Cert. Server
(bob@foo.com,MPKBob)
5
CombineMasterKey
MPKfoo.com
6
bob@foo.com
DNS
foo.com
CombineMasterKey
MPKfoo.com
1 MPKfoo.com
21
2
MPKfoo.com
Alice
From: Alice
To: Bob
Subject: Secret
Encrypt
CombineSecretKey
SKBob
SKBobBob
7
Alice’s Point of View
• Finding Bob’s Public Key:automatic: a lookup, a computationagainst MPK. No trust decision necessary.
• Decryption Key Management:automatic, just upgrade the mail client
• Key Revocation, etc...:automatic, with upgraded mail client
Automation!
Summary• Lightweight key infrastructure
is not enough for encryption
• To protect against MSK compromise:key splitting
• To protect against mail server compromise:key recombination
• Both can be accomplished with the same trick on Boneh-Franklin and Waters keys
Questions?
Backup Slides
Another Solution
yahoo.com
incoming
mail server
gmail.com
incoming
mail server
Alice
SKAliceyahoo.com SK
Alicegmail.com
Recommended