Usable Secure Mailing Lists with Untrusted Servers
Rakesh Bobba, Joe Muggli, Meenal Pant, Jim Basney and Himanshu Khurana
IDtrust, April 14 – 16, 2009.
Gaithersburg, MD
Introduction to Mailing Lists
• Mailing Lists (MLs) enable users to easily exchange emails• LS bears all the overhead
• Increasingly popular for exchange of both public and private content security is an important concern
• Little or no work in providing security solutions for MLs• We provide SELS: Secure
Email List Services• solutions for confidentiality,
integrity, and authentication
List Server (LS)- creates lists- forwards emails- archives email
List Moderator (LM)- creates lists- Subscribes users
User/subscriber- subscribes to lists- sends/receives email
Untrusted Servers
• Existing Solutions• Password based encryption (end-to-end confidentiality)
• Clunky to exchange and manage passwords out-of-band whenever a subscriber leaves
• Encrypt to LS, which decrypted and re-encrypted with subscriber keys• LS takes care of key management• LS had access to plaintext messages.
• Desirable to Reduce Trust Liability• Trust LS to manage lists and forward messages correctly• But do not trust LS with content of messages – “untrusted
server”
SELS History
• Original SELS protocol.• Himanshu Khurana, Adam Slagell, and Rafael Bonilla. SELS: A Secure E-mail
List Service. In proceedings of the Security Track of the ACM Symposium on Applied Computing (SAC), March 2005.
• Modified, practical version of SELS, with extensive experimentation and integration.• Himanshu Khurana, Jin Heo, and Meenal Pant. From Proxy Encryption Primitives
to a Deployable Secure-Mailing-List Solution. In the Eighth International Conference on Information and Communications Security (ICICS '06), Raleigh, North Carolina, December 2006.
Protocol Overview
LM LS
U1 U2 U3
Send signed,encrypted,email
Transform andforward
Decrypt andverify signature
• Assumption: LM is an independent entity not controlled by LS
Create Group
EstablishLM Key KLM
Establish CorrespondingLS Key KLS
LM, LS implicitly agreeKLK = KLM + KLS is list key
Subscribe
Obtain keypair (KU1,PKU1)
Establish Proxy Key K’U1,
KLK = KU1 + K’U1
Proxy re-encryption at LS ensures that plaintext is not exposed
Sending Emails in SELS
EmailPlaintext m
Encryptk (m,Sig(m))
(AES, 3DES)
Encrypt k w/ PKLK
(El Gamal)
Email HeaderSig(m) w/ SKA
(RSA, DSA)
Keyring: Members’ proxy keys K’Ui
Alice LS
Keyring: (SKA, PKLK)
Transform k W/ K’B
(SELS ProxyRe-encryption)
Email Header EmailPlaintext m
Encryptk (m,Sig(m))
(AES, 3DES)
Sig(m) w/ SKA
(RSA, DSA)
Bob LS
Keyring: (PKA, SKB)
Suitable for environments where GPG is/can be used
Preliminary Usability Evaluation: Groupware Walkthrough
Potential Usability Issues• Installation of multiple keys
• List public-key and user decryption key pair (includes private key)• Installing a private key is not common operation
• Place appropriate trust in the keys• Sign them or use PGP trust model
• Managing and using multiple keys• Users get a private key for every SELS list
• Need to remember passwords for each key or set same password for all keys
• Most GPG plug-ins cache only one password
• Prior GPG experience• Lack of GPG knowledge/experience might make it unusable
Focused User Study - Setup• Two Studies
• Study I – sign keys to place trust• Study II – use PGP trust model
• Two user groups in each study• Novice – no prior GPG experience (8 in study I and 5 in study II )• Experts – prior GPG experience (3 in study I and 3 in study II)
• 5 Parts to each study• Background questionnaire• Two Party Secure E-mail (TPSE) key installation and message
exchange using GPG• SUS questionnaire
• TPSE Vulnerability Evaluation• Tasks involving SELS key installation and message exchange
• SUS questionnaire• SELS Vulnerability Evaluation
Focused User Study - Results
User Type
Key Install Success Rate
KeyInstall Time (Avg. /
Std. Dev)
SUS Score Changed Passwd.
TPSE SELS TPSE SELS TPSE SELS
Expert 2 of 3 2 of 3 6.5 / 2.12 11 / 1.41 85.83 / 5.2 76.67 / 11.55 3 of 3
Novice 6 of 8 2 of 8 8.83 / 2.86 25.5 / 0.71 79.38 / 9.33 54.44 / 16.66 3 of 8
User Type
Key Install Success
Rate
KeyInstall Time (Avg. /
Std. Dev)
SUS Score Changed Passwd.
TPSE SELS TPSE SELS TPSE SELS
Expert 3 of 3 3 of 3 4 / 0 12.66 / 2.01 74.17 / 20.21.2 74.16 / 23.23 2 of 3
Novice 4 of 5 5 of 5 8.4 / 2.7 18.2 / 3.19 61.5 / 10.98 52 / 13.62 5 of 5
Observations from Study I
Observations from Study II
Focused User Study – Vulnerability EvaluationMessage Type and
DescriptionTwo Party Secure Email (TPSE) using GPG
SELS Messages
Encrypted and signed correctly
This message is encrypted for the user and signed with a trusted key.
This message is signed and encrypted by a valid member of list, with a trusted signature key and the correct list encryption key.
Encrypted withwrong key
The email message is encrypted with a key that does not belong to the user. Hence the user cannotdecrypt it.
This email message is encrypted with a key for which the user has no secret-key and delivered directly to the user but made to look like a message delivered on the list by forging the headers.
Encrypted andsigned with forged “From”
The email message is encrypted with the user’s key, but signed with a key that does not match the “From” address.
The email message is encrypted with the list key but signed with a key that does not match the “From” address.
Encrypted correctly but signed with amissing key
This email message is encrypted with the user’s key, but is signed with a key for which the public keyis not available to the user.
This email message is encrypted with the list key, but is signed with a key for which the public-key is not available to the user.
Encrypted withforged “To”
The user is made to believe that this encrypted message was sent to the user and someone else by forging “To” header.
The user is made to believe that this encrypted only message was sent on the list by forging the headers. It is encrypted such that the user can decrypt it correctly.
Vulnerability Evaluation - Results
User Type
% of correctly formed messages trusted (Avg. / Std.
Dev)
% of incorrectly formed messages trusted (Avg. / Std.
Dev)
TPSE SELS TPSE SELS
Expert 100 / 0 100 / 0 16.67 / 14.43
8.33 / 14.43
Novice 93.75 / 17.68 100 / 0 18.75 / 17.68
15.63 / 12.94
Observations from Study I
User Type
% of correctly formed messages trusted (Avg. / Std.
Dev)
% of incorrectly formed messages trusted (Avg. / Std.
Dev)
TPSE SELS TPSE SELS
Expert 100 / 0 100 / 0 8.33 / 14.43 16.67 / 28.87
Novice 100 / 0 100 / 0 30 / 20.92 35 / 13.69
Observations from Study II
Useful changes to interfaces
• Manage/Cache multiple passwords
• Caution users on unsigned messages (Mac Mail already does this)
• Alert users when signer and sender do not match
SELS Deployment - Production Environment
• Redundancy• Two industrial grade
servers• Power backup• RAID storage
• Partial list isolation• VM for each list
• Manual failover• Monitoring scripts
SELS Deployment• Customers are Computer Security and Incident
Response Teams (CSIRTs) of Computational Grids
• Experience with 2 lists from one such CSIRT• ~52 members • Previous used password based security with PGP/GPG tools
• Considered expert users
• 4 out of 52 faced issues• Compatibility• Misunderstanding about usage
SELS Deployment
• Security and usability concern of users• Concern about importing “private” key
• Removed “signing key” component from SELS user keys• Concern about selecting a wrong key in the interface
• Removed “email address” from names of keys for visual distinction
• Pushback on placing “Ultimate Trust” in moderator key• Place “complete” or “full” trust in moderator key and sign it
locally
• Anecdotal evidence to suggest that SELS made it easy to exchange secure messages on these lists
Where do we go from here?
• Reach out and promote broader adoption• S/MIME is natively supported in popular clients
• Develop SELS for S/MIME using recently added ECC support
• Improve features based on feedback
• Questions?• Contact:
• Rakesh Bobba [email protected]• Himanshu Khurana [email protected]• Jim Basney [email protected]
• Software: www.sels.ncsa.uiuc.edu
Backup Slides
Security Requirements
• Confidentiality: only authorized users (i.e. list subscribers) should be able to read emails – list server is excluded
• Integrity: receivers must be sure that email has not been modified in transit
• Authentication: receivers must be able to verify the identity of the sender
X X
X
System Design
• Suitable for environments where GPG is/can be used
MTA (e.g., Sendmail)
SELS Transformation AgentProcess
invocation Handlers
Interface(GPG Plugin)
MUA
List Mgmt
Crypto Functions(GPG, BC Libs)
Crypto Functions(GPG, BC Libs)
Server
List Moderator Subscriber
Interface(GPG Plugin)
MUA
Crypto Functions(GPG Lib)
List Server (e.g., Mailman)
Crypto Functions(GPG, BC Libs)
Key Mgmt(GPG)
Legend: COTS component; Developed component
Key Mgmt(GPG)
Key Mgmt(GPG)