Identity Based Encrypted e-Mail - PowerPoint PPT Presentation

1
Identity Based Encrypted e-Mail
  • Neil Costigan
  • Dublin City University

2
Quick personal background
  • 1992. Graduate DCU (NIHE ?).
  • joined <<Telecom Ireland Software>>.
  • 1994. Moved to Stockholm Sweden. joined
    consultancy firm: developed video conference
    software, firewalls, and custom internet
    security software.
  • 1997. Co-founded internet security company <<Celo
    Communications>>.
  • 1998. Moved to San Francisco, California as CTO
    of Celo.
  • 2000. Celo acquired by French smart card company
    <<Gemplus>>.
  • 2001. Moved to Aix-en-Provence France to lead R&D
    for financial and security.
  • 2002. Started MSc. @ DCU.
  • Working with Dr. Mike Scott and Noel McCullagh
    on an Enterprise Ireland funded project.

3
The problem
  • E-Mail is still one of the largest uses of
    internet bandwidth.
  • E-Mail traffic, because of the underlying
    protocols, is exposed to unauthorised access
    (sniffing).
  • Existing solutions, while technically functional,
    tend to impose a prohibitive burden on the end user.

5
Backgrounder: how e-Mail works
  • SMTP: Simple Mail Transfer Protocol. RFC 821.
  • POP3: Post Office Protocol. RFC 1939.
  • IMAP: Internet Message Access Protocol. RFC 2060.
  • Microsoft Exchange: proprietary.

6
Sample SMTP session
  • 220 mail.simpson.com ESMTP Sendmail
    8.10.2/8.10.2 Wed, 17 Mar 2003 ..
  • HELO bartspc
  • 250 mail.simpson.com Hello 123.213.123.213,
    pleased to meet you
  • MAIL FROM: bart@simpson.com
  • 250 2.1.0 bart@simpson.com... Sender ok
  • RCPT TO: lisa@simpson.com
  • 250 2.1.5 lisa@simpson.com ... Recipient ok
  • DATA
  • 354 Enter mail, end with "." on a line by itself
  • From: "Bart Simpson" <bart@simpson.com>

7
And POP3
  • USER userid
  • PASS password
  • STAT: The response to this is +OK msgs bytes.
    E.g. +OK 3 345910
  • LIST: A line for each message with its number and
    size in bytes, ending with a period on a line by
    itself. E.g. +OK 2 messages 1 1205 2 344400 .
  • RETR msg: This sends message number msg to you.
    E.g. RETR 2
  • TOP msg lines (optional): Lists the header for
    msg and the first lines of the message text.
    E.g. TOP 1 5 would list the headers and first 5
    lines of the message text.
  • DELE msg: This marks message number msg for
    deletion from the server. E.g. DELE 3
  • RSET: This resets (unmarks) any messages
    previously marked for deletion in this session so
    that the QUIT command will not delete them.
  • QUIT: This deletes any messages marked for
    deletion, and then logs you off of the mail
    server.

8
Backgrounder: Encryption / PKI
  • Symmetric: shared secret - 2 copies of key.
    (DES, AES etc.)
  • Asymmetric: public/private - locked box.
    (RSA, DH, ECC etc.)
  • But
  • Asymmetric is computationally expensive so we use a
    combined system
  • Use symmetric to encrypt the message and then use
    asymmetric to encrypt the key.
  • Bundle both together in meta message.

9
Backgrounder: existing email security
  • S/MIME: RFC 2311
  • Secure / Multipurpose Internet Mail Extensions.
  • Can be signed and/or encrypted.
  • DES encrypted with random key and this key is
    then encrypted by RSA public. (or DH ?)
  • Keys embedded in X.509 certificates swapped out
    of band. (prior or lookup.)
  • Assumes trust of CA.
  • PGP performs similar but with rings of trust
  • Issues
  • Losing keys ?
  • How to get the public key for a user?
  • How do I know the key I got is your key ?
  • User generated keys, getting signed etc.
  • Scalability
  • Revocation issues (CRLs, OCSP)

10
Re-cap: IBE 1
  • Use any string to be a public key.
  • <<Hard>> problems
  • We deal with Elliptic Curves
  • equations of the form
  • $y^2 = x^3 + Ax + B$
  • The curve is reduced modulo a large prime p.
  • This gives $y^2 = x^3 + Ax + B \pmod p$
  • Tate Pairing is a function that operates on two
    points P and Q and will map these two points to
    an element of a cyclic group
  • It is believed hard to invert the pairing, i.e.
    find X in the following equation, where P and C
    are known.
  • $e(P, X) = C$
  • Therefore it is possible to have a secret point
    in the pairing (X), and the result of the pairing
    being known (C)

11
Re-cap: IBE 2
  • If you use the services of a Trusted Authority
    (with secret s), you have the following scheme to
    generate a shared secret
  • A's identity, as verified by TA, is mapped to the
    point A
  • B's identity is mapped to the point B
  • A and B are given secret keys sA and sB
    respectively; remember, even they can't
    calculate s on its own.
  • shared secret $= e(sA, B) = e(A, sB) = e(A, B)^s$

12
Re-cap: IBE 3
  • Again, the public key is a point ID and private
    key is sID,
  • P and sP are known to everyone.
  • Encryption is $rP,\ C = e(r \cdot sP, ID) \oplus \text{Message}$
  • Decryption is $e(rP, sID) \oplus C$
  • Since $e(rP, sID) = e(sP, ID)^r = e(P, ID)^{sr}$
  • $e(P, ID)^{sr} \oplus e(P, ID)^{sr} \oplus \text{Message} = \text{Message}$
  • So
  • You can use any email address or string or combo
    of both
  • Allows for future sending.
  • There IS escrow: the TA can decrypt messages.
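
The algebra of slides 10 to 12 as an added example, not code from the presentation or from MIRACL: a toy bilinear map e(a, b) = g^(ab) mod p over small integers stands in for the Tate pairing, and a SHA-256 keystream (an assumption) stands in for XORing the message with the pairing value directly. All parameters and function names are constructed for illustration; discrete logs in this toy group are trivial, so it demonstrates correctness and the TA escrow property only, not security.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration and far too small for real use.
Q = 1019             # prime order of the "point" group (integers mod Q)
P_MOD = 2 * Q + 1    # 2039, a safe prime
G = 4                # generates the order-Q subgroup of Z_p^*
P = 1                # public base "point" P

def pairing(a, b):
    """Toy bilinear map e(a, b) = G^(a*b) mod p, so e(s*a, b) == e(a, b)^s."""
    return pow(G, (a * b) % Q, P_MOD)

def h1(identity):
    """Map an identity string (e.g. an e-mail address) to a nonzero 'point'."""
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def mask(value, length):
    """Stretch a pairing value into `length` keystream bytes (assumed KDF)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(f"{value}:{counter}".encode()).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    """TA picks the master secret s and publishes sP."""
    s = 1 + secrets.randbelow(Q - 1)
    return s, (s * P) % Q

def extract(s, identity):
    """TA issues the private key sID for a verified identity."""
    return (s * h1(identity)) % Q

def encrypt(sP, identity, message):
    r = 1 + secrets.randbelow(Q - 1)
    c = xor(message, mask(pairing((r * sP) % Q, h1(identity)), len(message)))
    return (r * P) % Q, c                           # (rP, C)

def decrypt(s_id, ciphertext):
    rP, c = ciphertext
    return xor(c, mask(pairing(rP, s_id), len(c)))  # e(rP, sID) xor C

def shared_secret(my_private, their_identity):
    """Slide 11: e(sA, B) == e(A, sB) == e(A, B)^s."""
    return pairing(my_private, h1(their_identity))
```

The sender needs only `sP` and the recipient's address, so a message can be encrypted before the recipient has ever asked the TA for a key; anyone holding `s` can call `extract` for any identity, which is the escrow property the slide names.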

13
Note..
  • Big numbers
  • Not 5
  • But
  • 13407807929942597099574024998205846127479365820592
    39337772356144372176403007354697680187429816690342
    76900318581864860508537538828119465699464336490060
    84096134078079299425970995740249982058461274793658
    20592393375123561443721764030073546976801874298166
    90342769003185818648605085375388281194656994643364
    9006084096 $2^{1024}$
  • Implementation
  • Semi-portable C core
  • MFC based GUI
  • Crypto built on Mike Scott's MIRACL
  • Multiprecision Integer and Rational Arithmetic
    C/C++ Library.
  • Utility layer provided by Noel McCullagh

14
Yes we use buzzwords: XML
  • Why
  • Need some format. Interoperability is desirable.
  • XML is great for file formats.
  • Existing S/MIME is too rigid
  • Email clients can display HTML. XML can be
    transformed to HTML.
  • XMLDSig & XMLEnc exist and can be reused.
  • DOM vs. SAX
  • Document Object Model: tree.
  • Simple API for XML: parse events.
  • XPATH
  • Data retrieval via query into document.
  • Issues
  • Because messages can be big, they can require
    too much memory to be handled as a single data
    structure.

15
Obligatory XML
  • Message
  • <?xml version="1.0" standalone="yes" ?>
  • <!-- IBE Mail -->
  • <ibe>
  • <EncryptedSessionKey>6211... .72F8</EncryptedSessionKey>
  • <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'>
    <EncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128" />
    <CipherData> <CipherValue>Mv7x.....3tzXu</CipherValue> </CipherData>
  • </EncryptedData>
  • </ibe>
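
An added example, not code from the presentation, of the SAX approach to the memory issue raised on the previous slide: the envelope is fed to an event parser in socket-sized chunks, the short session key is kept, and the CipherValue text is passed on piece by piece instead of being held as one structure. The sample envelope, the handler and the function names are constructed here; only the element names come from the slide.

```python
import hashlib
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

class IbeEnvelopeHandler(ContentHandler):
    """Keeps the short session key; forwards CipherValue text piece by piece."""
    def __init__(self, sink):
        super().__init__()
        self.sink = sink          # callable that receives each ciphertext piece
        self.stack = []           # names of the currently open elements
        self.session_key = ""
        self.algorithm = None

    def startElement(self, name, attrs):
        self.stack.append(name)
        if name == "EncryptionMethod":
            self.algorithm = attrs.get("algorithm")

    def endElement(self, name):
        self.stack.pop()

    def characters(self, content):
        # Text may arrive split anywhere; hex/base64 carry no meaningful spaces.
        piece = "".join(content.split())
        if not piece or not self.stack:
            return
        if self.stack[-1] == "EncryptedSessionKey":
            self.session_key += piece
        elif self.stack[-1] == "CipherValue":
            self.sink(piece)

def parse_envelope(chunks):
    """Feed byte chunks (as read from a socket) without buffering the body."""
    digest, total = hashlib.sha256(), [0]
    def sink(piece):              # stands in for the decryptor or next hop
        digest.update(piece.encode())
        total[0] += len(piece)
    handler = IbeEnvelopeHandler(sink)
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)   # no external entities
    parser.setFeature(feature_external_pes, False)
    parser.setContentHandler(handler)
    for chunk in chunks:
        parser.feed(chunk)
    parser.close()
    return handler.session_key, handler.algorithm, total[0], digest.hexdigest()

# Constructed sample envelope using the element names from the slide.
SAMPLE = (b'<?xml version="1.0" standalone="yes" ?><ibe>'
          b'<EncryptedSessionKey>6211AB72F8</EncryptedSessionKey>'
          b"<EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'>"
          b'<EncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128" />'
          b'<CipherData><CipherValue>' + b'QUJD' * 1000 +
          b'</CipherValue></CipherData></EncryptedData></ibe>')
```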

16
XML configuration
  • <?xml version="1.0" standalone="yes" ?>
  • <!--DOCTYPE ibe SYSTEM "ibecommon.dtd" -->
  • <ibe xmlns="ibecommon.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="ibecommon.xsd"-->
  • <ibesetup>
  • <server_url>http://www.computing.dcu.ie/ncostiga/ibe/IBECommon.xml</server_url>
  • <fieldSizeInBits>512</fieldSizeInBits>
  • <numberBase>16</numberBase>
  • <p>DF9BD3ED0034174E54597AA4E2AB033D21C7F6F1AFDD0
    80D4708BC67CAC2AED554FE43F3DA7CD547ED458502C46356B
    B2A76688DDF064094EBE7785EDE2E413F</p>
  • <A>-3</A>
  • <B>CFEC8DDB4E226F34828D4F9B30571BB52E14D1611FA34
    031423862B3ACB179102A1C152E860FC993A87999CB6A85395
    16C04950344270037ABC0905175FD47E</B>
  • <curveOrder>DF9BD3ED0034174E54597AA4E2AB033D21C7
    F6F1AFDD080D4708BC67CAC2AED3767AC584178BA7D62E6F13
    DDC46356BB2A6EEE7C284037F0B03E22219BED5EF6</curveOrder>
  • <P>A46F8F0AA97FE3C2593DE7BAA204B298B56A72C3FA6CA
    B715FC7602DA5FE74B27202149F3DBA635D623E0AF030CA92E
    9FFCE2DDDAD5F0279A875F9089A5165631954CFE189AD9AC2
    6B035B4436E02329D8B0CEDAEA28AB3FD89FF234695324D53C
    62439AFBEA1D8C2318424F63DD5A399BE4F6586A420667579F
    8BE37F02E910</P>
  • <sP>2849065EC6160D44B040C9834C5DF2636DAA3FA182FD
    9D83D2F7E1310B6242D01F26CC018F7706CF433C8AB383C8CB
    3A0638225DE8A619A858B5C64AA176F504537083753C97121
    EF735AB8217CB70E332D525ECECCFA70CEB941E67D8E98D818
    042645E8A46DE6FA80E9F4126F073F4B1147A521FD99A6BE9C
    2E5E383B6C594</sP>
  • </ibesetup>
  • </ibe>

17
XML schema
  • <?xml version="1.0" encoding="utf-8" ?>
  • <!-- Neil Costigan (Dublin City University)
  • The values required for p,A,B are probably best
    given by the equation
  • y^2 = x^3 + Ax + B mod p
  • fieldSizeInBits is the size of p (ie 512bit =
    512, 1024bit = 1024)
  • curveOrder is the number of points on the curve
  • numberbase is the numberbase for p,A,B and the
    curveOrder (ie decimal = 10, hex = 16)
  • -->
  • <!--
  • <xs:element name="p" type='ibe:hexstring'/>
  • <xsd:simpleType name='hexstring'
    base='xsd:string'>
  • <xsd:pattern value='A-F1d6'/>
  • -->
  • <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="ibe">
  • <xs:element name="ibe" msdata:IsDataSet="true">
  • <xs:complexType>
  • <xs:choice>
  • <xs:element name="ibesetup">

18
Potential solutions
  • New secure email client.
  • Add-on to existing systems.
  • Catch all approach.

19
New Secure client
  • Exclusively an identity based encryption client
  • Commercially flawed.
  • Great as a test bed and to fine tune formats.

20
Add-on: Outlook
  • Office allows automation via Scripting and COM
    add-ins
  • Reverse engineer VB scripting to find event
    hooks.
  • Pros
  • Use familiar interface, training, setup etc.
  • Can do proprietary MS Exchange
  • Cons
  • Version war
  • Limited in some respects
  • Over featured in others.
  • Still most commercially viable (XX?)
  • Options include open source like Mozilla or
    Ximian

21
Catch all: socket relay based
  • scalable implementation (Multi-threaded etc.)
  • windows but with portable core.
  • tray or system service.
  • works as socket relay at application layer just
    above TCP.
  • listens on configured ports and connects based
    on rules
  • Right now it's SMTP and POP3
  • Later IMAP and possibly Exchange
  • Even later maybe all protocols
  • View message XML as stream (not perfect but
    enough)

24
Next steps
  • Optimise socket relay to tight loop
  • Pursue Outlook peculiarities.
  • General case for application layer VPN
  • Instant messaging (chat), P2P,
  • Standardise IBE XML
  • Find commercial customer.
  • Commercialise
  • Business plan
  • Web presence
  • Write up !