170 likes | 305 Views
SELS: A S ecure E -mail L ist S ervice. Himanshu Khurana Senior Security Engineer hkhurana@ncsa.uiuc.edu. NCSA Private Sector Program Annual Meeting May 16-18, 2005. List Moderator (LM) - creates lists - Subscribes users. List Server (LS) - creates lists - forwards emails
E N D
SELS: A Secure E-mail List Service Himanshu Khurana Senior Security Engineer hkhurana@ncsa.uiuc.edu NCSA Private Sector Program Annual MeetingMay 16-18, 2005
List Moderator (LM) - creates lists - Subscribes users List Server (LS) - creates lists - forwards emails - archives email • User/subscriber • - subscribes to lists • sends/receives • email Introduction to E-mail List Services • ELSs enable users to easily exchange emails • LS bears all the overhead • Increasingly popular for exchange of both public and private content security is an important concern • E.g., there are over 300,000 registered lists on LISTSERV while only 20% of them serve public content • Little or no work in providing security solutions for ELSs • We provide SELS: Secure Email List Service • solutions for confidentiality, integrity, and authentication
Security Solutions X X X • Confidentiality: only authorized users (i.e. list subscribers) should • be able to read emails – list server is excluded • Integrity: receivers must be assured that email has not been modified • in transit • Authentication: receivers must be able to verify the identity of the • sender
Need for SELS • Maintain confidentiality of sensitive information exchanged in collaborative discussions; e.g., • Security lists concerning infrastructure protection • Subscribers: system/security administrators • Executives lists concerning corporate strategies • Subscribers: managers, executives • Enforce privacy laws regarding user data in collaborative research • E.g., multi-institution R&D on health care needs to enforce HIPAA laws • Enable trustworthy groupware applications that are increasingly using ELSs as underlying messaging infrastructure; e.g., • Document annotation and storage • Distributed software development • Mobile Teamwork
key k key k Enc Dec Pub. key PKB Priv. key SKB Plaintext Ciphertext Plaintext Asymmetric Key Encryption (RSA) Enc Dec key k, PKB key SKB, k Plaintext Ciphertext Plaintext Hybrid Encryption Enc Dec Background: Encryption/Decryption for Confidentiality Bob Alice Plaintext Ciphertext Plaintext Symmetric Key Encryption (AES)
Signed Message Hash Verif. key PKA Match? Dec Background: Digital Signatures for Integrity and Authentication Bob Alice Signing key SKA Plaintext Hash Enc
PGP: Alice’s signature verification key PKA PGP: Bob’s encryption key PKB Alice Bob Base-64 encoded message Pretty Good Privacy (PGP) Security for Two-party Email Exchange Header in Plaintext Encryptk(m, Sig(m)) AES, 3DES Encrypt (k) w/ PKB RSA, El Gamal Plaintext m Sign h(m) with SKA (RSA, DSA) • Other approaches for achieving confidentiality, integrity, and authentication • Privacy Enhanced Mail (PEM), Secure MIME (S/MIME) • Challenge: certificate distribution and validation • Identity-based encryption • Public key (for encryption) generated from email address
Satisfying Security in ELSs • Confidentiality • Possible Solutions • Users exchange symmetric key out-of-band for encryption • Difficult to provide secure key distribution • Users use PGP web-of-trust to exchange secure email • High key management overhead for each user • Use cryptographic hardware to do decryption/encryption • Expensive, broken in the past (e.g., CCA on IBM 4758) • Our solution • Use software-based proxy re-encryption at LS to transform encrypted e-mail between sender and receivers without requiring access to plaintext Dec, EncPKRi(m) R1 EncPKLS(m) LS S R2 DecSKRi(c) Rn Problem: confidentiality requirement not met; adversary can compromise LS to obtain e-mails
Satisfying Security in ELSs • Integrity and Authentication • Use digital signatures with LM providing certificate distribution and validation (w.r.t. list membership) • Key Management • Encryption key established during list subscription • Signature verification key co-signed by LM during list subscription • (Any) revoked keys of unsubscribed users provided by LM occasionally (e.g., monthly)
Create Group Establish Corresponding LS Key KLS LM LS Establish Corresponding Private key K’U1, LM, LS implicitly agree KLK = KLM + KLS is list key Establish LM Key KLM Transform and forward Subscribe Send signed, encrypted, email Decrypt and verify signature Establish key pair (KU1,PKU1), Co-signed signature verification key U3 U2 U1 SELS Overview • Assumption • LM is an independent entity not controlled by LS
Key Store: Members’ corresponding private keys K’Ui Key Store: (SKA, PKA) Alice LS Base-64 encoded Sig(m) w/ SKA (RSA, DSA) Key Store: (PKA, SKB) Bob LS Base-64 encoded Email Header Transform k W/ K’UA, K’UB (SELS Proxy Re-encryption) Encrypt (m,Sig(m)) w/ k (AES, 3DES) Email Plaintext m Sig(m) w/ SKA (RSA, DSA) Sending Secure E-mails in SELS Email Header Encrypt (m,Sig(m)) w/ k (AES, 3DES) Encrypt (k) w/ PKA (SELS/El Gamal) Email Plaintext m
Additional Protocol Operations • Unsubscribing Users • User sends request to LM who cosigns request and sends to LS • LS deletes user’s corresponding private key • Archiving and retrieval • Archive after partial transformation; encrypted with KLK • Complete transformation for user on request • Analysis • If users have access to all e-mails, compromise of one user leads to compromise of all e-mails • Solution: Use key epochs • Archive e-mails only for an epoch • LM changes KLK every epoch
Recent and Ongoing Work: Formal Verification and Implementation • Formal Verification with Proverif • Fully automated protocol verification tool based on pi calculus • Verified that SELS provides confidentiality even if LS is compromised • Implementing SELS Prototype • Initial prototype developed and tested in Java using Eudora e-mail client • Client-side: Integrate web-based subscribe functions with GnuPG to generate standard PGP keys • Any email client that employs a PGP plugin can use our tools • No modifications to any email client needed • Server-side: Develop plugins for Majordomo and Mailman • Development tools • GnuPG toolkit, libgcrypt library, C/C++, …
Additional Goal: Anti-Spamming • Many approaches • Filters • Keyword based; e.g., “be over 21” • Naïve Bayesian • Train filters with sample e-mail • Challenge: False positives • Legal • Spam is a felony in VA • Congress passed CAN SPAM act effective Jan 2004: appropriate labeling, opt-out options • Challenge: Tracing, enforcement, jurisdiction • ELSs Goal: only subscribed users can send e-mail to list • Use digital signatures with LM providing certificate validation • Requires expensive exponentiation operations • Instead, use MACs as a cheaper alternative with LS participating actively
Create Group Establish Corresponding List Key KLS LM LS Establish Corresponding Private key K’U1, MAC Key HU1 LM, LS implicitly agree KLK = KLM + KLS is list key Establish List Key KLM Verify MAC, transform and forward Subscribe Send signed, encrypted, and MACd email Verify MAC, decrypt and verify signature Establish Private key KU1 MAC Key HU1 U3 U2 U1 SELS modification for anti-spamming • Problem: New emailing protocol requires modifications/plugins to email clients • We plan on developing plugins for demonstration
Key Store: Members’ corresponding private keys K’Ui and HMAC Keys HUi Key Store: (SKA, PKA),HUA Alice LS Base-64 encoded X Sig(m) w/ SKA (RSA, DSA) Key Store: (SKB, PKB), HUB Bob LS Base-64 encoded Y Encrypt (m,Sig(m)) w/ k (AES, 3DES) Email Plaintext m Sig(m) w/ SKA (RSA, DSA) Sending E-mails that prevent spam Email Header Encrypt (m,Sig(m)) w/ k (AES, 3DES) Encrypt (k) w/ PKA (SELS/El Gamal) H(X) w/ HUA (SHA-1) Email Plaintext m Email Header Transform k W/ K’UA, K’UB (SELS Proxy Re-encryption) H(Y) w/ HUB (SHA-1)
Summary • Increasing use of ELS for exchanging private content security is important • SELS provides solutions for confidentiality, integrity, authentication, and anti-spamming • E-mail plaintext not exposed at LS via proxy encryption • Formal Verification with Proverif • Implementation work ongoing • Application to other areas • Instant messaging • Extensions developed to secure group communication; e.g., video conferencing • For more information contact Himanshu Khurana – hkhurana@ncsa.uiuc.edu; http://www.ncsa.uiuc.edu/people/hkhurana