IEEE COMMUNICATIONS LETTERS, VOL. 9, NO. 1, JANUARY 2005
Secure E-mail Protocols Providing Perfect Forward Secrecy
Hung-Min Sun, Bin-Tsan Hsieh, and Hsin-Jia Hwang
Abstract— Electronic mail, e-mail in short, has been used to transfer various types of electronic data on the Internet. In order to deliver the e-mail from the sender to the receiver both efficiently and securely, the e-mail system usually employs both conventional and public-key cryptographic systems. The basic protection in an e-mail system is to encrypt the bulk mail using a conventional cryptosystem with a short-term key and to protect the short-term key using a public-key cryptosystem with the receiver's public key. However, this protection cannot provide perfect forward secrecy because once the receiver's secret key is disclosed, all previously used short-term keys will also be opened and hence all previous e-mails will be learned. Two new e-mail protocols providing perfect forward secrecy are proposed in this paper.

Index Terms— E-mail, network security, encryption, perfect forward secrecy.
Manuscript received March 27, 2004. The associate editor coordinating the review of this letter and approving it for publication was Dr. Lidong Chen. Hung-Min Sun is with the Department of Computer Science, National Tsing Hua University, Hsinchu, Taiwan (email: [email protected]). Bin-Tsan Hsieh is with the Department of Computer Science and Information Engineering, National Cheng Kung University, Tainan, Taiwan. Hsin-Jia Hwang is with the Department of Computer Science and Information Engineering, TamKang University, Tamsui, Taipei Hsien, Taiwan (email: [email protected]). Digital Object Identifier 10.1109/LCOMM.2005.01004.

I. INTRODUCTION

Electronic mail, e-mail in short, has been widely used instead of traditional communication established by pen and paper. Modern e-mail systems transfer not only text but also electronic documents, voice, graphics, animations, and financial transactions via the Internet. In an Internet environment, consider the case that a sender B and a receiver A want to achieve secure communication via the existing e-mail system and gain efficiency simultaneously. In Fig. 1, some notations are used. M denotes the plaintext while C denotes the ciphertext. Enc_PK(M) and Dec_SK(C) denote the encryption function with a public key PK and the decryption function with a private key SK of a public-key cryptosystem, respectively. E_k[M] and D_k[C] denote the encryption and decryption functions of a conventional cryptosystem with secret key k, respectively. As illustrated in Fig. 1, the sender B first encrypts the bulk mail M to obtain E_k[M] using a conventional cryptosystem, such as AES or IDEA [1], with a short-term key k chosen by the sender. He/she also encrypts k to obtain Enc_PKA(k) using a public-key cryptosystem, such as RSA or ElGamal [1] [2], with the receiver's (A's) public key PK_A. B then sends the receiver's identity ID_A and both ciphertexts E_k[M] and Enc_PKA(k) to the mail server (S). Upon receiving ID_A, Enc_PKA(k), E_k[M], the mail server keeps them and waits for A. When A wants to receive the mail, A sends his identity and password ID_A, Password to the mail server for authentication. After passing the authentication, the mail server sends the ciphertexts Enc_PKA(k), E_k[M] to A. A decrypts the ciphertext of k using his private key SK_A and then decrypts the ciphertext of M using k.

Sending Phase:
  (1) B → S (A is off-line): ID_A, Enc_PKA(k), E_k[M]
Receiving Phase:
  (2) A → S (B is off-line): ID_A, Password
  (3) S → A (B is off-line): Enc_PKA(k), E_k[M]
  A computes: k = Dec_SKA(Enc_PKA(k)), M = D_k[E_k[M]]
Fig. 1. Existing E-mail System

The purpose of encrypting the bulk M using a conventional cryptographic system and encrypting k using a public-key cryptographic system is to gain efficiency. However, such protection, e.g. PGP [5] [6], cannot provide perfect forward secrecy because once the secret key of the receiver is disclosed, all previously used short-term keys will also be opened and hence previous e-mails will be learned. Note that perfect forward secrecy is a very important security requirement for evaluating a strong protocol. A protocol providing perfect forward secrecy means that even if one entity's long-term secret key is compromised, it will never reveal any old short-term keys used before. For example, the well-known Diffie-Hellman key agreement scheme [3] can provide perfect forward secrecy. On the other hand, Feng, Robert and Wenbo [4] introduced a new cryptographic primitive, called "Certificate of Encrypted Message Being a Signature" (CEMBS). The CEMBS is used to convince a verifier that a ciphertext is indeed a certain party's signature on public information, without disclosing the signature. In this letter, two secure e-mail protocols based on the Diffie-Hellman key agreement and CEMBS are proposed. These two protocols provide perfect forward secrecy and are suitable for e-mail systems in the real world. The remainder of this paper is organized as follows. Section II gives the notations which will be used in the proposed protocols. In Section III, a secure protocol for an e-mail system with the use of a smart card is proposed. In Section IV, a secure protocol for an e-mail system without the need for a smart card is proposed. Finally, our conclusion is in Section V.

II. NOTATIONS

We give the notations which will be used throughout this letter.
c 2005 IEEE 1089-7798/05$20.00 Authorized licensed use limited to: National Cheng Kung University. Downloaded on October 16, 2008 at 03:20 from IEEE Xplore. Restrictions apply.
Sig_k(M)    A signature of a message M using a signature scheme with signing key k
E_k[M]      An encryption of a plaintext M using a conventional cryptosystem with key k
Enc_PK(M)   An encryption of a plaintext M using a public-key cryptosystem with public key PK
A, B, S     The receiver, the sender, and the mail server
h()         A one-way hash function
a, b, ms    Secret keys of A, B and the mail server, respectively
PK_A        g^a mod p, the public key of A
pwd         A password shared between user A and the mail server
Cert        A certificate of the ciphertext
x, y, w     Random numbers
p           A large prime
k           A short-term key
M           A message

III. SECURE PROTOCOL FOR E-MAIL SYSTEM USING SMART CARD

A. The Proposed Protocol

Pre-computation:
  (1) A → S (B is off-line): g^x mod p, Sig_a(g^x mod p)
Sending Phase:
  (2) B → S (A is off-line): ID_A, g^y mod p, Sig_b(g^y mod p)
  (3) S → B (A is off-line): g^x mod p, Sig_a(g^x mod p)
  B computes: k = (g^x)^y mod p
  (4) B → S (A is off-line): h(k||g^x mod p), E_k[M]
Receiving Phase:
  (5) A → S (B is off-line): Request Mail Server for New E-mails
  (6) S → A (B is off-line): g^y mod p, h(k||g^x mod p), E_k[M], Sig_b(g^y mod p)
Fig. 2. Secure Protocol for E-mail System Using Smart Card

In Message (1), A pre-chooses a random number x, and sends g^x mod p and Sig_a(g^x mod p) to the mail server. Note that this step can be finished when the receiver read e-mails the last time. The mail server accepts the message from A and waits for B's message. When B wants to send an e-mail to A, B chooses a random number y, and sends ID_A, g^y mod p, Sig_b(g^y mod p) (Message (2)) to the mail server. The mail server, upon receiving ID_A and Sig_b(g^y mod p), checks the validity of Sig_b(g^y mod p). If it is valid, the mail server forwards g^x mod p and Sig_a(g^x mod p) to B (Message (3)). If Sig_a(g^x mod p) passes the verification, B computes the short-term key k = (g^x)^y mod p and encrypts M using k. Besides the ciphertext of the message M, B also computes the hash image of k and g^x mod p, then sends them (Message (4)) to the mail server. The mail server accepts the message from B and waits for A. When A becomes on-line, A requests the mail server for new e-mails (Message (5)). Then, the mail server sends Message (6) to A. Finally A can compute the short-term key k = (g^y)^x mod p, check the validity of k by h(k||g^x mod p), and decrypt the ciphertext of M. Sending Sig_b(g^y mod p) in Message (6) is optional; it is included when it is important for the mail system to provide sender authentication.

Note that for each round, A must choose a random number x and keep it for short-term key computation later. Hence A must have a portable device, i.e. a smart card, to keep the random number.

B. Security Analysis

Compared with the conventional method, the proposed scheme uses a short-term key to encrypt the message M, but doesn't use the receiver's public key to protect the short-term key. The short-term key in our protocol is constructed under the Diffie-Hellman key agreement scheme. Except for A and B, no one can compute the short-term key shared between A and B, due to the Diffie-Hellman problem. Hence, if A's secret key is compromised, it will never reveal the short-term key. Thus all previous e-mails can be kept secure.

IV. SECURE PROTOCOL FOR E-MAIL SYSTEM WITHOUT USING SMART CARD

A. The Proposed Protocol

Pre-computation: B computes:
  r = g^x mod p
  s = b + h(ID_A, r) mod (p − 1)
  Sig_b(ID_A) = (r, s)
  W = g^w mod p
  V = r(PK_A)^w mod p
  Enc_PKA(r) = (W, V)
Sending Phase:
  (1) B → S (A is off-line): Enc_PKA(r), Cert, ID_A
  (2) S → B (A is off-line): g^y mod p, Sig_ms(g^y mod p)
  B computes: k = (g^y)^x mod p
  (3) B → S (A is off-line): E_k[M], h(k||g^y mod p)
Receiving Phase:
  (4) A → S (B is off-line): Request Mail Server for New E-mails
  (5) S → A (B is off-line): E_k[M], Enc_PKA(r), Cert, h(k||g^y mod p), Enc_PKA(y)
Fig. 3. Secure Protocol for E-mail System without Using Smart Card
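The three message flows of Figs. 1, 2 and 3 (the existing system, the smart-card protocol of Section III and the protocol of Fig. 3), as an added worked example; this is not code from the letter or its authors. It uses a constructed toy group, SHA-256 for h(), a keystream cipher as a stand-in for E_k[M] and ElGamal for Enc_PK(). The signatures Sig_a, Sig_b and Sig_ms and the CEMBS Cert are not implemented (the mail server is assumed to have verified them); the Schnorr signature is written in its textbook form s = x + b·h(ID_A, r) mod (p − 1), and Enc_PKA(y) of Fig. 3 is modeled as symmetric encryption under h(pwd) because the text says A recovers y with the password shared with the server. Both of those are assumptions, as are all function names (existing_send, p1_receive, p2_receive, run_all, ...).

```python
import hashlib
import secrets

# Constructed toy group for illustration only; a real deployment uses a standard
# 2048-bit or larger group. p is prime, g a generator, exponents are taken mod p-1.
P, G = 2**127 - 1, 3
Q = P - 1

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def i2b(n):  # integer -> big-endian bytes, for hashing and encrypting group elements
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def h(*parts):  # h(): the letter's one-way hash, SHA-256 over the concatenated parts
    return hashlib.sha256(b"".join(parts)).digest()

def E(k, m):  # E_k[M]: toy keystream cipher (SHA-256 in counter mode, XOR), stands in for AES
    stream = b"".join(h(i2b(k), i.to_bytes(4, "big")) for i in range(len(m) // 32 + 1))
    return bytes(a ^ b for a, b in zip(m, stream))

D = E  # XOR keystream: D_k[C] is the same operation as E_k[M]

def enc(pk, m):  # Enc_PK(m): ElGamal, (W, V) = (g^w mod p, m * PK^w mod p)
    w = rand_exp()
    return pow(G, w, P), m * pow(pk, w, P) % P

def dec(sk, ct):  # Dec_SK((W, V)) = V * W^(-SK) mod p
    W, V = ct
    return V * pow(W, Q - sk, P) % P

# Fig. 1: existing system, the short-term key k is wrapped under A's long-term key.
def existing_send(pk_a, m):
    k = rand_exp()
    return enc(pk_a, k), E(k, m)

def existing_open(sk_a, ct_k, ct_m):  # works for A, and for anyone who later learns SK_A
    return D(dec(sk_a, ct_k), ct_m)

# Fig. 2: protocol using a smart card (Sig_a and Sig_b assumed verified, not shown).
def p1_precompute():  # Message (1): A picks x, keeps it on the card, publishes g^x mod p
    x = rand_exp()
    return x, pow(G, x, P)

def p1_send(gx, m):  # Message (4): B picks y, k = (g^x)^y, sends g^y, h(k||g^x), E_k[M]
    y = rand_exp()
    k = pow(gx, y, P)
    return pow(G, y, P), h(i2b(k), i2b(gx)), E(k, m)

def p1_receive(x, gx, gy, tag, ct):  # Message (6): A recomputes k = (g^y)^x, checks the hash
    k = pow(gy, x, P)
    if h(i2b(k), i2b(gx)) != tag:
        raise ValueError("key confirmation failed")
    return D(k, ct)

# Fig. 3: protocol without a smart card (Cert and Sig_ms assumed verified, not shown).
def p2_precompute(b, pk_a, id_a):  # Sig_b(ID_A) = (r, s), r = g^x, plus Enc_PKA(r); the
    x = rand_exp()                  # textbook Schnorr form s = x + b*h(ID_A, r) mod p-1 is assumed
    r = pow(G, x, P)
    s = (x + b * int.from_bytes(h(id_a, i2b(r)), "big")) % Q
    return x, (r, s), enc(pk_a, r)

def p2_send(x, gy, m):  # Message (3): B computes k = (g^y)^x, sends E_k[M], h(k||g^y)
    k = pow(gy, x, P)
    return E(k, m), h(i2b(k), i2b(gy))

def pwd_key(pwd):  # assumption: Enc_PKA(y) of Fig. 3 is E under h(pwd), because the
    return int.from_bytes(h(pwd), "big")  # text says A recovers y with the password shared with S

def p2_receive(sk_a, pwd, ct_r, ct_y, gy, tag, ct_m):  # Message (5), A's side
    y = int.from_bytes(D(pwd_key(pwd), ct_y), "big")  # needs the password
    r = dec(sk_a, ct_r)                               # needs SK_A
    k = pow(r, y, P)                                  # k = r^y = (g^x)^y mod p
    if h(i2b(k), i2b(gy)) != tag:
        raise ValueError("key confirmation failed")
    return D(k, ct_m)

def run_all(m=b"constructed sample mail body"):
    """Runs each flow once and reports what an attacker holding only SK_A learns later."""
    a, b, pwd = rand_exp(), rand_exp(), b"constructed-password"
    pk_a = pow(G, a, P)
    ct_k, ct_m = existing_send(pk_a, m)                     # Fig. 1
    x, gx = p1_precompute()                                 # Fig. 2
    gy, tag, ct = p1_send(gx, m)
    xb, (r, _s), ct_r = p2_precompute(b, pk_a, b"ID_A")     # Fig. 3, B's pre-computation
    y = rand_exp()                                          # Message (2): S picks y
    ct_m2, tag2 = p2_send(xb, pow(G, y, P), m)
    ct_y = E(pwd_key(pwd), i2b(y))                          # S wraps y for A (Message (5))
    return {
        "fig2_ok": p1_receive(x, gx, gy, tag, ct) == m,
        "fig3_ok": p2_receive(a, pwd, ct_r, ct_y, pow(G, y, P), tag2, ct_m2) == m,
        # SK_A alone: Fig. 1 unwraps the recorded k outright; in Fig. 2 a plays no
        # part in k = g^{xy}, so the attacker's candidate (g^y)^a fails key confirmation.
        "fig1_sk_a_opens_mail": existing_open(a, ct_k, ct_m) == m,
        "fig2_sk_a_candidate_passes": h(i2b(pow(gy, a, P)), i2b(gx)) == tag,
        # Fig. 3: SK_A yields the signature r, but y stays wrapped under the password.
        "fig3_sk_a_gives_r": dec(a, ct_r) == r,
    }
```

run_all() performs each flow once and then plays the long-term-key compromise the letter is concerned with: a recorded Fig. 1 transcript opens as soon as SK_A is known, the Fig. 2 transcript gives the holder of SK_A nothing that passes h(k||g^x mod p), and in Fig. 3 SK_A alone exposes r while y remains under the password. The key-confirmation check in p1_receive and p2_receive is what lets A detect a wrong or tampered g^y before decrypting.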
In this protocol, the concept of Certificate of Encrypted Message Being a Signature (CEMBS) is introduced [4]. The CEMBS is used to convince a verifier that a ciphertext is indeed a certain party's signature on public information, without disclosing the signature. B first generates the signature of ID_A using Schnorr's signature scheme [1]. The signature of ID_A is (r, s), where r = g^x mod p and s = b + h(ID_A, r) mod (p − 1). B then encrypts r using the ElGamal cryptographic system [2]. The ciphertext of r is (W, V), where W = g^w mod p and V = r(PK_A)^w mod p. B sends Enc_PKA(r), Cert, ID_A (Message (1)) to the mail server. Cert is used to prove that Enc_PKA(r) is the ciphertext of the signature r without releasing the signature. The mail server verifies the correctness of Enc_PKA(r), Cert, ID_A. If it is true, the mail server chooses a random number y and responds with Sig_ms(g^y mod p) (Message (2)) to B. After checking the validity of Sig_ms(g^y mod p), B generates the short-term key k = (g^y)^x mod p and sends E_k[M], h(k||g^y mod p) (Message (3)) to the mail server. The mail server keeps the
message from B. When A becomes on-line, A requests the mail server for new e-mails (Message (4)). The mail server sends E_k[M], Enc_PKA(r), Cert, h(k||g^y mod p), Enc_PKA(y) (Message (5)) to A. To obtain the message M, A decrypts y using the password shared with the mail server and decrypts r using his secret key. Then A computes k = r^y = (g^x)^y mod p and checks the correctness of k by h(k||g^y mod p). Finally A decrypts E_k[M] using the short-term key k and gets the message M.

B. Security Analysis

Similar to the security analysis of the previous protocol, the short-term key is constructed under the Diffie-Hellman key agreement scheme. The difference between the two is that in this protocol we use the CEMBS to prevent the mail server from knowing the short-term key. The e-mail server can verify whether the ciphertext of the signature r is valid but cannot derive the short-term key, even though the secret exponent y is chosen by the mail server. If A's secret key or password is compromised, an adversary can only get the signature r or the secret exponent y. Thus the adversary will not get the short-term key unless both A's secret key and password are compromised simultaneously. Even if both A's secret key and password are compromised simultaneously, the adversary can derive only the short-term key at this time. Previous short-term keys cannot be opened because the short-term key is constructed under the Diffie-Hellman key agreement scheme. So this protocol also provides perfect forward secrecy.

In our previous protocol, for each round, A must choose a random number x and keep it for short-term key computation later. Hence A must have a portable device, i.e. a smart card, to keep the random number. In this protocol, the mail server
takes over the job instead of A. A doesn't need a portable device to remember the random number. Therefore, this protocol is more reasonable and familiar to the real-world e-mail system.

V. CONCLUSIONS AND REMARKS

In order to provide perfect forward secrecy, two new e-mail protocols are proposed. In the first protocol, the receiver requires a portable device to remember a used secret random integer. To remove this requirement, the second protocol is proposed. In the second protocol, the mail server takes over the job instead of the receiver. The second protocol is more flexible and suitable to the e-mail system in our real life.

ACKNOWLEDGMENT

The authors would like to thank the anonymous referees for their valuable comments. This work was supported in part by the National Science Council of the Republic of China under contract NSC-92-2213-E-007-099.

REFERENCES

[1] B. Schneier, Applied Cryptography, Second Ed. New York: John Wiley & Sons, Inc., 1995.
[2] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Trans. Inform. Theory, vol. 31, pp. 469-472, Apr. 1985.
[3] W. Diffie and M. Hellman, "New directions in cryptography," IEEE Trans. Inform. Theory, vol. 22, pp. 644-654, June 1976.
[4] F. Bao, R. H. Deng, and W. Mao, "Efficient and practical fair exchange protocols with off-line TTP," IEEE Symposium on Security and Privacy Proceedings, pp. 77-85, 1998.
[5] B. Schneier, E-Mail Security with PGP and PEM: How to Keep Your Electronic Mail Private, 1995.
[6] A. Bacard, The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP Privacy Software, Peachpit Press, 1995.