Re: [perpass] Proposal for e2e email encryption
Nick Doty <npdoty@ischool.berkeley.edu> Tue, 03 September 2013 00:17 UTC
Return-Path: <npdoty@berkeley.edu>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1317621F9D7E for <perpass@ietfa.amsl.com>; Mon, 2 Sep 2013 17:17:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.284
X-Spam-Level:
X-Spam-Status: No, score=-2.284 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wYUrDCyjTGVU for <perpass@ietfa.amsl.com>; Mon, 2 Sep 2013 17:17:32 -0700 (PDT)
Received: from mail-pd0-f174.google.com (mail-pd0-f174.google.com [209.85.192.174]) by ietfa.amsl.com (Postfix) with ESMTP id D039C21F9D66 for <perpass@ietf.org>; Mon, 2 Sep 2013 17:17:32 -0700 (PDT)
Received: by mail-pd0-f174.google.com with SMTP id y13so5264395pdi.19 for <perpass@ietf.org>; Mon, 02 Sep 2013 17:17:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=wtvp5ekMDrMH4IdXcnzDgN9/aka+nSCMPPUPIr5iUR8=; b=GUx2I3gmY9Uh8qtiuV7619YrdGiXDZRD+FpCnR9NwCB3xqY+uJNYh/5RXFl0zxF2Od 71FOxWISZ03wPyZ0O8/P71QJIslZNxgK37BtY7+jB5xBbfGf8Ks0zEzMEHnae3Kw/ntp qtwBwJX231TlVzbU7Al9gUpJNtkKsmXlYHQk642TnXXFmgAWiD2Q19tXi+h1mEUzO/G7 rNmoH8ix3UpykAqTg19m5S7tG+Gib+MzDR6HoceY2ZG+MiOu/Sx9iBNUgqbBbwP5lc0h QqI6g+zd2gvzHHU0UP/jjZLuVqdEo1YnhaNV6E2ec8l9fqGZHXVysweYe9bUuWY0soba M7Cg==
X-Gm-Message-State: ALoCoQnI+fq/sb+B1cIznNSsBK89pAWi0mYAaN5kZbF22kwWXXo/GIeHdg9CL113MfSiAjKxSbDD
X-Received: by 10.68.244.168 with SMTP id xh8mr27840515pbc.3.1378167452455; Mon, 02 Sep 2013 17:17:32 -0700 (PDT)
Received: from [192.168.43.102] (mb80536d0.tmodns.net. [208.54.5.184]) by mx.google.com with ESMTPSA id ye1sm19903528pab.19.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 02 Sep 2013 17:17:31 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_E2E72511-373D-4D84-B2B9-327DE4754D15"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Nick Doty <npdoty@ischool.berkeley.edu>
In-Reply-To: <CAPQd5oQpEfOKcheKJEf8ozC6gt7vHJ-YVPs9evokPYTdjiSSgA@mail.gmail.com>
Date: Mon, 02 Sep 2013 17:17:31 -0700
Message-Id: <C8BDCE40-2700-4FCA-BD86-8640E04B455A@ischool.berkeley.edu>
References: <CAPQd5oQpEfOKcheKJEf8ozC6gt7vHJ-YVPs9evokPYTdjiSSgA@mail.gmail.com>
To: Yakov Shafranovich <yakov-ietf@shaftek.org>
X-Mailer: Apple Mail (2.1508)
Cc: perpass@ietf.org
Subject: Re: [perpass] Proposal for e2e email encryption
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2013 00:23:06 -0000
I don't consider myself qualified to comment on all the details of your proposed protocol, but I find one property interesting. Encrypting email for a domain (and then separately for a user) can help with the problem of metadata revealing our communication partners, but only to the extent that domains are shared by lots of people. For those of us who maintain personal domain names, knowing that an email comes from a particular domain sufficiently identifies an individual author; e.g., emails sent from any address @npdoty.name always come from me. Revelations about NSA activities and user privacy concerns have created some renewed interest in owning one's own email address (for example [0]). It would be surprising (and I think, unfortunate) if advice was to *avoid* using personalized domains or services in order to support a privacy model. The question of centralization/decentralization in this case might help us clarify the threat model. A common privacy concern of centralization is that a governmental adversary can compel that single bottleneck to reveal the contents, or in this case, the to/from information of many communications. If we all use @foo.com email addresses but Foo Inc. is compelled by a PRISM-like program to allow an adversary to search for who is emailing whom, then the proposed protocol may not provide an advantage. On the other hand, if the adversary is inspecting unencrypted traffic diverted from a backbone provider, then anonymizing recipients down to the foo.com domain name could provide a real advantage. —Nick [0] https://konklone.com/post/take-control-of-your-email-address On Sep 2, 2013, at 1:02 PM, Yakov Shafranovich <yakov-ietf@shaftek.org> wrote: > This is a followup on Jim Fenton's proposal and is somewhat inspired > by Cyberpunk remailers and Tor/Onion routing. > > My goals are to compartmentalize the knowledge in the mail handling > process to as needed only: > > 1. Only the author's and recipient's message user agents (MUA) have > access to the full headers and body of the email. > > 2. Only the author's message user agent (MUA) and the receipient's > message delivery agent (MDA) would know the destination mailbox of the > email, and the author's domain. However, the receipient's MDA would > not be able to know the sender's mailbox or see the message itself. > > 3. The author's message submission agent (MSA) would know the author's > mailbox and how to resolve a bounced email back to the author, and the > destination domain of the email, but not the recipient's mailbox or > the anything in the email itself. > > 4. The author's message transfer agent (MTA) and all the other MTA's > between the author and the recipient would only know the domain names > of the author and recipient but not their individual mailboxes. They > also would not be able to see what's inside the email. > > 5. All transactions including SMTP and local submission would require > TLS/SSL as per Jim Fenton's proposal. > > This would work as follows: > 1. Domains participating in this protocol would publish an S/MIME or > PGP key in DNS, and a mailbox address to be used for secure email. > > 2. Authors that send email to domains participating in this protocol, > would encrypt their email using S/MIME or PGP, addressing it to the > recipient's mailbox. They would then encrypt the inner message a > second time, wrapping it in outer envelope, addressed from the secure > mailbox of the author's domain, and addressed to the secure mailbox of > the recipient's domain. This should be done in the MUA, either a > software client, or a browser plugin for webmail. It can also be > digitally signed at that point. > > 3. The email would then travel via SMTP to the author's MSA, with > TLS/SSL required as per Jim Fenton's proposal. At this point the > author's MSA would need to record some information about the message > in order to handle bounce backs. It can also be digitally signed using > DKIM or similar mechanism. > > 4. The MSA would hand it over the MTA, using SSL/TLS, and the email > would be delivered to the destination domain via one or more MTAs, > addressed from the secure mailbox of the author's domain to the secure > mailbox of the recipient's domain. > > 4. The destination domain would receive the email, unwrap the outer > envelope and find the recipient's mailbox, and then deliver the > message, optionally digitally signing it as well via DKIM. > > 5. The recipient would then unwrap the message a second time, finding > the original email. > > In the ideal world, where all steps along the way are compliant with > this protocol, everything would be encrypted with TLS/SSL for > transport, and the message information itself would not reveal to any > MTA who the parties are. > > Here are some fallback provisions: > > 1. If one of the MTAs along the way does not support "TLS/SSL > required" for SMTP, the message would automatically be delivered via > non encrypted SMTP. At that point any attacker monitoring the channel > would only learn that the message is traveling from the generic > "secure mailbox" of domain A to the same on domain B. With commercial > providers like Gmail, etc. delivering millions of messages via this > mechanism, it would be pretty hard to figure out the parties involved. > Same goes if the TLS/SSL process is somehow hacked along the way, or > the TLS/SSL key is obtained from the MTA via a court order. The > digital signatures from the author's MSA tied to DNS would prevent MIM > attacks. > > 2. If the receiver's MDA is compromised, the most they will learn is > which domain the message came from as well but not the mailbox of the > sender. In order to learn that, both the sender's MSA and the > receiver's MDA would need to be compromised. In that case, the inner > email is still encrypted. If multiple gateways are used, then the > number of providers that need to be compromised increases. > > 3. If the sender's MSA does not support this protocol, the most an > attacker can learn is that a message is being send from the author's > mailbox but not to whom, only the domain of the destination. > Additionally, one can envision the author using this protocol with any > email system today, as long as the receiver's domain publishes the > correct data, and the author's MUA can encrypt it. > > 4. This system does not assume a prior agreement between the sender's > and receiver's mail providers, just like things work today. As long > they publish their information in DNS, it can work. Obviously, there > is still an issue of key exchange among individual users. > > 5. Spam and abuse are obviously an issue here. If the messages are > encrypted e2e, then it would be hard to analyze them for spam, > phishing, etc. > > 6. SSL/TLS key issues, key rotation, etc are still a problem. > > 7. This assumes DNS SEC. > > It becomes really interesting if you start doing what Tor does with > multiple gateways for the message. > > Thanks, > Yakov > _______________________________________________ > perpass mailing list > perpass@ietf.org > https://www.ietf.org/mailman/listinfo/perpass
- [perpass] Proposal for e2e email encryption Yakov Shafranovich
- Re: [perpass] Proposal for e2e email encryption Nick Doty
- Re: [perpass] Proposal for e2e email encryption Yakov Shafranovich