[794] in cryptography@c2.net mail archive
Re: forward secrecy and email protocols
daemon@ATHENA.MIT.EDU (Adam Back)
Sat May 10 15:37:10 1997
Date: Sat, 10 May 1997 18:39:46 +0100
From: Adam Back <aba@dcs.ex.ac.uk>
To: pgut001@cs.auckland.ac.nz
CC: cryptography@c2.net
In-reply-to: <86321183401281@cs26.cs.auckland.ac.nz> (pgut001@cs.auckland.ac.nz)
Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:
> Adam Back <aba@dcs.ex.ac.uk> writes:
> >The problem is how do we easily integrate this into existing mail
> >protocols, which are non-interactive. If we modify SMTP to do D-H key
> >exchange, we have shifted the security from keys held by the user, to
> >keys held by the SMTP daemon.
>
> Why not bolt something like SKEME over the top of SMTP? This gives
> perfect forward secrecy and authentication (and has several other
> neat features as well, depending on your requirements).
SKEME's keys are for link security rather than object or message
security. If you used SKEME directly you could get forward secrecy,
but the keys wouldn't be owned by the user. Using link level security
where your SMTP session was transparently tunneled through an
encrypted IP layer with forward secrecy would give you this
transparently.
If you want the keys to be user owned rather than machine owned, both
users would have to be online and at the keyboard at the same time (to
give their private keys) else you wouldn't get PFS using SKEME
protocols and user owned keys.
Email for many users is store and forward with SMTP mail hubs and POP3
accounts. This class of users does not have the ability to have a
permanently connected IP address with a SKEME key management
process running.
So perhaps you could hive off distribution of sets of short-lived keys
to a keyserver, or the ISP. Say we distribute one week's keys at a
time, one key per day, delete keys a day after expiry. Or have
use-once keys as in DMS. Disadvantage for dial-up users is you've got
to go online and fetch an up-to-date key for the recipient before
posting. For people with permanent connectivity (say corporates) this
will be less of a problem.
Anonymity disadvantage is that it leaks your choice of recipient even
if you're communicating anonymously; the keyserver knows which key you
are fetching even if you encrypt the link to the keyserver.
Adam
--
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`