[768] in cryptography@c2.net mail archive


forward secrecy and email protocols

daemon@ATHENA.MIT.EDU (Adam Back)
Fri May 9 13:26:12 1997

Date: Fri, 9 May 1997 14:15:27 +0100
From: Adam Back <aba@dcs.ex.ac.uk>
To: mab@crypto.com
CC: cryptography@c2.net
In-reply-to: <199705071339.JAA26142@crypto.com> (message from Matt Blaze on
	Wed, 07 May 1997 09:39:01 -0400)


Matt Blaze <mab@crypto.com> writes:
> [...]
> It clearly makes no sense to want the ability to recover
> communication session keys (indeed, the ability to do so destroys
> forward secrecy, making communication protocols and implementations
> with a recovery feature much harder to secure or even evaluate).

No existing email communications systems I am aware of have forward
secrecy, because to take PGP as an example: the eavesdropper has
escrowed your ciphertext, and you still have the private key.
Everything is still recoverable with your cooperation.  If other
people have backups of your private key, your cooperation is not even
needed.

I think this is a mistake.  Much better to not yourself have the
ability to decrypt your old messages.

The problem is how do we easily integrate this into existing mail
protocols, which are non-interactive.  If we modify SMTP to do D-H key
exchange, we have shifted the security from keys held by the user, to
keys held by the SMTP daemon.

I'm not sure non-interactive forward secrecy protocols are possible.
(I've been trying to design such a protocol.)

I understand the US DMS (Defense Messaging System) has use-once public
keys distributed by a keyserver.  Each user submits many keys.  Each
key is handed out once, and discarded.  When the keys are all used up
the user submits another set.  The user certifies the use-once keys
with a persistent signature key.

I'm not sure I like this approach because it requires the sender to be
online to ask for a new public key on each communication, before
encrypting.  Apart from the inconvenience, there is a possible DoS
attack: just send them lots of garbage email, and use up their keys.
Also, the sender is revealing their identity publicly every time
they fetch a key.

Other than that it works.  (I haven't read the DMS docs, this is based
on someone else's understanding, forwarded to me in email.)

Adam
-- 
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
