130 likes | 223 Views
Accredited DomainKeys: A Service Architecture for Improved Email Validation. Michael Goodrich Roberto Tamassia Danfeng Yao UC Irvine Brown University Work principally supported by IAM Registry Additional funding from NSF. Overview.
E N D
Accredited DomainKeys: A Service Architecture for Improved Email Validation Michael Goodrich Roberto Tamassia Danfeng Yao UC Irvine Brown University Work principally supported by IAM Registry Additional funding from NSF
Overview • DomainKeys signs outgoing messages using public-key cryptography (Delany 04) • Did the sender actually send this email? • Accredited DomainKeys provides assurance of sender’s public key and evidence of sender domain’s trustworthiness • Is the sender of this email trustworthy? • Two approaches of implementing Accredited DomainKeys are presented
Query for public key Example.net Name Server Yahoo.com MTA Send signed email Authentication-Results: example.net from=bob@example.net; domainkeys=pass; In-coming message DomainKey-Signature: a=rsa-sha1; s=mail; d=example.net; c=simple; q=dns; b=Fg…5J Out-going message Send and Receive in DomainKeys Public key Verify signature Private key Sign mail Example.net MTA
Accredited DomainKeys Architecture • Aims at establishing trust in the sender domain • Scalability, efficiency, and usability • Extends DomainKeys framework • Applicable also to Identified Internet Mail (Fenton, Thomas) • Introduces a trusted third-party: accreditation bureau • Accreditation bureau generates and updates accreditation seals for registered domains • The accreditation seal is the proof of membership • Time quantum of seal updates depends on applications
Update seal at each time quantum Register public key Yahoo.com MTA Send signed email Example.net MTA Accreditation Bureau Accredited-DomainKeys: v=seal DomainKey-Signature: a=rsa-sha1; s=mail; d=example.net; c=simple; q=dns; b=Fg…5J Write mail Bob Send in Accredited DomainKeys Public key Example.net Name Server Private key Sign email
Example.net Name Server Query for public key Query for accreditation seal Yahoo.com MTA Update accreditation seal at each time quantum Receive mail Authentication-Results: example.net from=bob@example.net; domainkeys=pass; accreditation=pass Accreditation Bureau Alice from Yahoo.com Receive in Accredited DomainKeys Verify signature Verify seal
Seal realization: simple signature Example.net Name Server • The seal is a signature signed by the bureau on the public key of a domain • The seal is refreshed at each time quantum • The seal is verified against the public key of the accreditation bureau Update accreditation seal at each time quantum Accreditation Bureau
Query Response Seal realization: STMS • The Secure Transaction Management System [Goodrich, Tamassia et al.] implements an authenticated dictionary Basis (signed) Updates t Responder A User t DS Source Answer Proof Basis (signed) Responder B DS DS
Example.net Name Server (STMS Responder) Yahoo.com MTA (STMS User) Receive mail Accreditation Bureau (STMS Source) Seal realization: STMS (cont’d) Query for accreditation seal (proof-basis pair) Verify signature of basis Verify proof of domain Update proof and basis at each time quantum Obtain the bureau’s public-key
Seal Realizations: Efficiency N: Number of domains registered with the accreditation bureau
Summary and Future Work • Summary • Accredited DK provides assurance of sender’s public key and evidence of sender domain’s trustworthiness • Extension of DK framework • Accreditation seals issued by accreditation bureau and stored in domain name server • STMS approach is more scalable than simple signature approach • Website:http://www.accrediteddomainkeys.net • Current and Future Work • Performance tests • Accredited DKIM
Related Work • SPF (Lentczner, Wong) and Sender ID Framework (Microsoft) • DomainKeys (Delany) • Identified Internet Mail (Fenton, Thomas) • Flexible Sender Validation (Levine) • Sender Authorization with RMX DNS RR (Danisch) • Reverse DNS Marking (Stumpf, Hoehne) • Project Lumos (Email Service Provider Coalition) • Authenticated data structures (Goodrich, Tamassia et al.)
Acknowledgements • David Croston and IAM Registry, Inc • David Ellis, John Nuber • Eric Allman, Jon Callas, Mark Delany, and Jim Fenton • National Science Foundation