lightweight encryption for email

Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July - PowerPoint PPT Presentation



  1. Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July 2005 joint work with Susan Hohenberger and Ronald L. Rivest MIT Cryptography and Information Security Group

  2. Motivation • To Improve/Restore the Usefulness of Email • Lightweight Trust for Email Signatures [ACHR2005] • Can we get reasonable encryption from similar simplified key management?

  3. Lightweight Signatures • Makes forging email from bob@foo.com as difficult as receiving Bob’s email. • No explicit user key management • Uses only existing infrastructure

  4. Review: ID-Based Crypto [Diagram labels: "bob@foo.com"; keyserver; $MPK$; $MSK$; $PK_{bob}$; $SK_{bob}$; Alice; Bob]

  5. Review: ID-based Domains [Diagram labels: wonderland.com keyserver with $MPK_{wonderland.com}$, $MSK_{wonderland.com}$; foo.com keyserver with $MPK_{foo.com}$, $MSK_{foo.com}$; $SK_{alice@wonderland.com}$; $SK_{bob@foo.com}$; Alice; Bob]

  6. Review: DNS to distribute Master Public Keys [DomainKeys] [Diagram labels: DNS; wonderland.com key server with $MSK_{wonderland.com}$; Publish $MPK_{wonderland.com}$; foo.com; $MPK_{foo.com}$]

  7. Review: Email-Based Authentication [Gar2003] [Diagram labels: wonderland.com keyserver; $MSK_{wonderland.com}$; $SK_{alice@wonderland.com}$; wonderland.com incoming mail server; Alice]

  8. Review: Lightweight Sigs [Diagram with steps 1-6. Labels: DNS; PUBLISH; wonderland.com key server, $MPK_{wonderland}$; foo.com key server, $MPK_{foo}$; $SK_A$; $MPK_{bank}$; "alice@wonderland.com"; Wonderland.com Network; foo.com Network; Alice; Bob. Message shown: From: Alice / To: Bob / Subject: Guess? / "I heard that... I'm serious!" / Signed: Alice]

  9. For Encryption? [Diagram: same labels and message as the Lightweight Sigs diagram on the previous slide, with a "?" added]

  10. Threat Model • Assume your incoming mail server won’t actively spoof/attack you. • Signatures: if the MSK is compromised, simply change the MSK/MPK (DNS updates). • Encryption: different story....

  11. Threat #1: MSK compromise • all past encrypted emails are immediately compromised. • if the MSK compromise is discreet, then all future encrypted emails are also compromised. (hacking into a keyserver). [Diagram labels: wonderland.com; $MSK_{wonderland}$; $SK_{alice@wonderland.com}$; Alice]

  12. Splitting Keys [Diagram labels: $MPK_{wonderland}$; $MPK_{wonderland,0}$, $MPK_{wonderland,1}$, $MPK_{wonderland,2}$; three wonderland.com servers with $MSK_{wonderland,0}$, $MSK_{wonderland,1}$, $MSK_{wonderland,2}$; $SK^{Alice}_{wonderland.com,0}$, $SK^{Alice}_{wonderland.com,1}$, $SK^{Alice}_{wonderland.com,2}$; Alice; $SK^{Alice}_{wonderland.com}$]

  13. Threat #2: Corrupt Mail Server • a corrupt incoming mail server can decrypt and read all secret key material. • a passive corrupt mail server can intercept all emails. • even MSK splitting doesn’t help. [Diagram labels: wonderland.com; $MSK_{wonderland.com}$; $SK_{alice@wonderland.com}$; wonderland.com incoming mail server; Alice]

  14. Recombining Keys • Bob generates a new MPK/MSK pair • The combined SK matches the combined MPK. • The combined MPK provides certification and protection. • The second $MPK_{Bob}$ component needs no certification! [Diagram labels: DNS; foo.com; $MPK_{foo.com}$; foo.com key server; $MPK_{Bob+foo.com}$; $SK^{foo.com}_{Bob}$; $(MSK_{Bob}, MPK_{Bob})$; $SK_{Bob}$; Bob]

  15. Single Core Solution [Diagram labels: params; $(MPK_1, MSK_1)$ and $(MPK_2, MSK_2)$; bob@foo.com; $SK_1$, $SK_2$; CombineMasterKey with $MPK_1$, $MPK_2$, $MPK_{combined}$; CombineSecretKey with $SK_1$, $SK_2$, $SK_{combined}$; VerifySecretShare with $SK_1$, $MPK_1$]

  16. Building These Features on Boneh-Franklin and Waters Identity-Based Encryption

  17. Review: Bilinear Maps
     • $G_1, G_2$, both of prime order $q$
     • $e : G_1 \times G_1 \to G_2$
     • $g, h$ generate $G_1$
     • $Z = e(g, h)$ generates $G_2$
     • $e(g^a, h^b) = e(g, h)^{ab}$
     • $e(ug, h) = e(u, h)\, e(g, h)$
     [Diagram: $g^a$ and $h^b$ in $G_1$ are mapped by $e$ to $Z^{ab}$ in $G_2$]

  18. Review: Boneh-Franklin Keys
     • Public Parameters: $G_1, G_2, q, g, H$
     • $MSK = s \in \mathbb{Z}_q$
     • $MPK = g^s \in G_1$
     • $PK_{ID} = H(ID)$
     • $SK_{ID} = H(ID)^s$

  19. Splitting & Recombining Boneh-Franklin Keys [BF2000]
     • $MSK_1 = s_1$, $MSK_2 = s_2$
     • $MPK_1 = g^{s_1}$, $MPK_2 = g^{s_2}$
     • $SK_1 = H(ID)^{s_1}$, $SK_2 = H(ID)^{s_2}$
     • CombineMasterKey: $MPK = MPK_1 \cdot MPK_2 = g^{s_1 + s_2}$
     • CombineSecretKey: $SK = SK_1 \cdot SK_2 = H(ID)^{s_1 + s_2}$
     • Effective $MSK = s_1 + s_2$

  20. Review: Waters Keys
     • Public Parameters: $G_1, G_2, q, g, h, F$
     • $MSK = h^s$
     • $MPK = g^s$
     • $PK_{ID} = F(ID)$
     • $SK_{ID} = (h^s F(ID)^r,\; g^r)$

  21. Splitting & Recombining Waters Keys
     • $MSK_1 = h^{s_1}$, $MSK_2 = h^{s_2}$
     • $MPK_1 = g^{s_1}$, $MPK_2 = g^{s_2}$
     • $SK_1 = (h^{s_1} F(ID)^{r_1},\; g^{r_1})$, $SK_2 = (h^{s_2} F(ID)^{r_2},\; g^{r_2})$
     • CombineMasterKey: $MPK = MPK_1 \cdot MPK_2 = g^{s_1 + s_2}$
     • CombineSecretKey: $SK = (h^{s_1} F(ID)^{r_1} \cdot h^{s_2} F(ID)^{r_2},\; g^{r_1} \cdot g^{r_2}) = (h^{s_1 + s_2} F(ID)^{r_1 + r_2},\; g^{r_1 + r_2})$
     • Effective $MSK = g^{s_1 + s_2}$

  22. Additional Details • Malicious Share Generation : NIZK Proof of Knowledge of MSK share • Malicious SK Distribution : k-out-n shares using Lagrange coefficients [GJKR99]

  23. Putting it All Together [Diagram with steps 1-7. Labels: DNS; foo.com key server #1 and foo.com key server #2; $MPK_{foo.com,1}$, $MPK_{foo.com,2}$; CombineMasterKey; $MPK_{foo.com}$; Lightweight Cert. Server; $(bob@foo.com, MPK_{Bob})$; $(MSK_{Bob}, MPK_{Bob})$; foo.com incoming mail server; $SK^{foo.com}_{Bob,1}$, $SK^{foo.com}_{Bob,2}$; GenerateShare; Encrypt; CombineSecretKey; $SK_{Bob}$; Alice; Bob. Message shown: From: Alice / To: Bob / Subject: Secret]

  24. Alice’s Point of View • Finding Bob’s Public Key : automatic: a lookup, a computation against MPK. No trust decision necessary. • Decryption Key Management : automatic, just upgrade the mail client • Key Revocation, etc... : automatic, with upgraded mail client Automation!

  25. Summary • Lightweight key infrastructure is not enough for encryption • To protect against MSK compromise: key splitting • To protect against mail server compromise: key recombination • Both can be accomplished with the same trick on Boneh-Franklin and Waters keys

  26. Questions?

  27. Backup Slides

  28. Another Solution [Diagram labels: yahoo.com incoming mail server; gmail.com incoming mail server; $SK^{Alice}_{yahoo.com}$; $SK^{Alice}_{gmail.com}$; Alice]
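
Why the recombined Boneh-Franklin key from slide 19 decrypts, written out as an added derivation that is not part of the slides. It assumes the standard Boneh-Franklin basic ciphertext form; the sender's random $r \in \mathbb{Z}_q$ and the second hash $H_2$ are not on the slides.

$$C = (U, V) = \left(g^r,\; M \oplus H_2\!\left(e(H(ID), MPK)^r\right)\right)$$

With $MPK = g^{s_1+s_2}$ and $SK = H(ID)^{s_1+s_2}$, bilinearity (slide 17) gives

$$e(SK, U) = e\!\left(H(ID)^{s_1+s_2}, g^r\right) = e(H(ID), g)^{(s_1+s_2)r} = e\!\left(H(ID), g^{s_1+s_2}\right)^r = e(H(ID), MPK)^r,$$

so $V \oplus H_2(e(SK, U)) = M$, although no single party ever holds $s_1 + s_2$. The same identity gives a natural check for a single share against the published $MPK_1$, the two inputs slide 15 shows for VerifySecretShare (the slides do not spell the check out, so this form is an assumption):

$$e(SK_1, g) = e(H(ID), g)^{s_1} = e(H(ID), MPK_1).$$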
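
The key arithmetic of slides 19 and 22 in runnable form, as an added example that is not from the slides: 2-of-2 multiplicative recombination, then k-out-n recombination with Lagrange coefficients in the exponent. Assumptions: a toy Schnorr group modulo a small safe prime stands in for the pairing group $G_1$ (so no pairing or encryption is performed), and all function names are illustrative.

```python
import hashlib
import secrets

# Toy Schnorr group standing in for the pairing group G_1 (assumption; far too
# small for real use). P = 2Q + 1 is a safe prime, G generates the order-Q subgroup.
P, Q, G = 2879, 1439, 4

def hash_to_group(identity: str) -> int:
    """H(ID): map an identity string to a non-identity element of the subgroup."""
    x = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return pow(x % (P - 3) + 2, 2, P)   # the square of 2..P-2 is never 1

def issue_share(msk_share: int, identity: str) -> int:
    """One key server's output: SK_i = H(ID)^{s_i}."""
    return pow(hash_to_group(identity), msk_share, P)

def group_product(elements):
    out = 1
    for e in elements:
        out = out * e % P
    return out

combine_master_key = group_product   # slide 19: MPK = MPK_1 * MPK_2 = g^{s_1+s_2}
combine_secret_key = group_product   # slide 19: SK = SK_1 * SK_2 = H(ID)^{s_1+s_2}

def shamir_shares(secret, k, n, coeffs=None):
    """Split secret into n points of a degree k-1 polynomial over Z_Q."""
    coeffs = coeffs or [secrets.randbelow(Q) for _ in range(k - 1)]
    poly = [secret] + list(coeffs)
    return {i: sum(c * pow(i, e, Q) for e, c in enumerate(poly)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(i, indices):
    """lambda_i = prod_{j != i} j / (j - i) mod Q."""
    num = den = 1
    for j in indices:
        if j != i:
            num, den = num * j % Q, den * (j - i) % Q
    return num * pow(den, -1, Q) % Q

def combine_threshold(sk_shares):
    """Slide 22: SK = prod SK_i^{lambda_i}, from any k servers' shares {i: SK_i}."""
    out = 1
    for i, sk in sk_shares.items():
        out = out * pow(sk, lagrange_at_zero(i, sk_shares), P) % P
    return out
```

Fewer than k shares interpolate a different exponent, so the combined value is not the identity's secret key; the master secret itself is never reassembled in either mode.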
