[kitten] Group/Enterprise encrypted email

"Nordgren, Bryce L -FS" <bnordgren@fs.fed.us> Fri, 29 May 2015 22:35 UTC

Return-Path: <bnordgren@fs.fed.us>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 763A31A1ADC for <kitten@ietfa.amsl.com>; Fri, 29 May 2015 15:35:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id hQCrm4fQdqSC for <kitten@ietfa.amsl.com>; Fri, 29 May 2015 15:35:55 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0095.outbound.protection.outlook.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAC001A8A80 for <kitten@ietf.org>; Fri, 29 May 2015 15:35:54 -0700 (PDT)
Received: from CO2PR06CA033.namprd06.prod.outlook.com ( by CY1PR0601MB1564.namprd06.prod.outlook.com ( with Microsoft SMTP Server (TLS) id; Fri, 29 May 2015 22:35:52 +0000
Received: from BN1AFFO11FD007.protection.gbl (2a01:111:f400:7c10::185) by CO2PR06CA033.outlook.office365.com (2a01:111:e400:142a::33) with Microsoft SMTP Server (TLS) id via Frontend Transport; Fri, 29 May 2015 22:35:52 +0000
Authentication-Results: spf=pass (sender IP is smtp.mailfrom=fs.fed.us; ietf.org; dkim=none (message not signed) header.d=none;
Received-SPF: Pass (protection.outlook.com: domain of fs.fed.us designates as permitted sender) receiver=protection.outlook.com; client-ip=; helo=mail.usda.gov;
Received: from mail.usda.gov ( by BN1AFFO11FD007.mail.protection.outlook.com ( with Microsoft SMTP Server (TLS) id via Frontend Transport; Fri, 29 May 2015 22:35:51 +0000
Received: from 001FSN2MPN1-046.001f.mgd2.msft.net ([]) by 001FSN2MMR1-003.001f.mgd2.msft.net ([]) with mapi id 14.03.0224.003; Fri, 29 May 2015 22:35:49 +0000
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: Group/Enterprise encrypted email
Thread-Index: AdCaU4EBKI9vXfbmSrKplnpcKmT5cg==
Date: Fri, 29 May 2015 22:35:49 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E7DF8C3@001FSN2MPN1-046.001f.mgd2.msft.net>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_82E7C9A01FD0764CACDD35D10F5DFB6E7DF8C3001FSN2MPN1046001_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Microsoft-Exchange-Diagnostics: 1; BN1AFFO11FD007; 1:iO9A4rYp5IyCP2EMDvqIFvasFAjl0RcfLx/FkR7VHzW0XwUnvr0BDQ9qjpGduzhrJovRczDHJVar+BpVDTFRfWbNbH8NB3CNhJ6sqNRo4uQYb1Iayglgc/bQz3z9+R0Ldga7EVNBARUSFWGr5uh8NDdM3/87w1fCu4W2vyMYHM0XOVHBYxNNpYEsWdu4eF0MUDiNWMHYT3vRTXnqOMa+SNhNutp/syIvBK+NfFfw6rdGMC8NG/hQfS3TDfPjMcV2IUVl8d5RwoZFVMjVD8yCjg==
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009020)(6009001)(438002)(189002)(76104003)(199003)(450100001)(229853001)(19300405004)(22756005)(22746005)(2930100002)(6806004)(81156007)(4001540100001)(54356999)(189998001)(33656002)(2501003)(55846006)(104016003)(69596002)(46102003)(86146001)(97736004)(5890100001)(26826002)(87936001)(2920100001)(86362001)(19625215002)(102836002)(16236675004)(66066001)(19580395003)(84326002)(62966003)(2351001)(512954002)(110136002)(77156002)(74482002)(107886002)(2900100001)(64706001)(15975445007)(5001960100002)(50986999)(68736005)(2656002)(5001830100001)(106466001)(5001860100001)(92566002)(80862005)(79686002); DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR0601MB1564; H:mail.usda.gov; FPR:; SPF:Pass; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR0601MB1564;
X-Microsoft-Antispam-PRVS: <CY1PR0601MB15644E574CF452580CF377A0E5C90@CY1PR0601MB1564.namprd06.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(520003)(5005006)(3002001); SRVR:CY1PR0601MB1564; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0601MB1564;
X-Forefront-PRVS: 059185FE08
X-OriginatorOrg: fs.fed.us
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 May 2015 22:35:51.6362 (UTC)
X-MS-Exchange-CrossTenant-Id: 49808c08-7df8-4c41-af62-7a0827de9408
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=49808c08-7df8-4c41-af62-7a0827de9408; Ip=[]; Helo=[mail.usda.gov]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0601MB1564
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/hYG2I5yRnT2k5SqqW3qMrXC4Ttw>
Subject: [kitten] Group/Enterprise encrypted email
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2015 22:35:59 -0000

This is a "what if" message, centered around trying to make email encryption as painless as email signing. I want to be able to encrypt an email message once, no matter how many recipients there are. An enterprise should be able to decrypt employees' email to ensure there's no misbehavior. I want as little "extra" supporting infrastructure as possible. I also want to minimize the amount of inter-organizational coordination required.

What if sending an encrypted email required clients to contact an email key gatekeeper (EKG)? The EKG issues one-time-use encryption keys to authorized senders, and releases the decryption key once (only) to each recipient.

Detailed flow:

When encryption is desired, the sender's email client formats a key request to the EKG and signs it using the sender's email signing key. The key request includes the recipient's email addresses, but not their public keys, which are unknown. If the EKG is configured to recognize the sender, it replies with: 1] an encryption key, encrypted with the sender's public email signing key; and 2] a plaintext copy of the key request, signed by the EKG itself. The sender then decrypts the encryption key, encrypts the message and attachments, and attaches the signed key request. Poof. The message is sent. If the sender's client stores outgoing mail in a "sent mail" folder, the stored copy must be encrypted using some other means.

The EKG-signed key request includes: 1] a unique identifier for the encryption key; 2] contact info, so recipients can locate the EKG; and 3] of course, the list of recipients (part of the original key request).

The Sender's organization can decrypt the outbound email at a gateway by contacting the EKG and retrieving the decryption key (which could be the same as the encryption key if symmetric, or the other half of an asymmetric keypair if not.)

The recipient's organization (assuming different than sender's organization) cannot decrypt the inbound email at a gateway.

The recipient's email client detects the EKG's signed key request attached to the email. The EKG's signature is verified. The recipient's client uses the recipient's email signing cert to sign the EKG-signed key request, and sends to the EKG using the contact information provided.

The EKG verifies the recipients' signature. The EKG verifies that the recipient's certificate contains an email address that is included as a recipient in the original key request. The EKG verifies its own signature. The EKG encrypts the email's decryption key using the recipient's public email signing key, and signs the response. The recipient verifies the signature (ensuring same EKG signed key request and decryption key request) and decrypts the message/attachments.

If the message is to be stored, it must be re-encrypted in a locally recoverable fashion, likely with the recipient's credentials. If the recipient's organization is concerned about decrypting inbound email, the "locally recoverable fashion" should allow authorized individuals/services access. The original ciphertext should not be stored after decryption, and the decryption key must not be stored. Probably best not to get too psycho over this: the recipient can always cut and paste to some cleartext medium like word, or take a screenshot. Reasonable assurance that clients keep things encrypted when they're received encrypted is what we're after.

The EKG keeps track of which recipients have requested the decryption key. Recipients are allowed to request the key once and only once. When all recipients have requested the decryption key, that key must never be served out again. The EKG should not re-use encryption keys for subsequent messages.

Clearly, the EKG needs to be just as publicly available as the organization's mailserver. I do not believe there would need to be anything special in DNS (no "EKG" records, etc.) To summarize:  The EKG knows nothing about senders or recipients other than what the certificates tell it. Encryption keys for email messages are one-time-use, and shared among sender and all recipients. Recipients get decryption keys by having a certificate with a matching email address. No extra coordination is involved over and above the configuration necessary to verify email signatures.

What do you think? Is there an obvious reason this hasn't been done before?