Usable Secure Mailing Lists with Untrusted Servers Rakesh Bobba, Joe Muggli, Meenal Pant, Jim Basney and Himanshu Khurana IDtrust, April 14 – 16, 2009. Gaithersburg, MD



Introduction to Mailing Lists

• Mailing Lists (MLs) enable users to easily exchange emails
  • LS bears all the overhead
• Increasingly popular for exchange of both public and private content; security is an important concern
• Little or no work in providing security solutions for MLs
• We provide SELS: Secure Email List Services
  • solutions for confidentiality, integrity, and authentication

• List Server (LS): creates lists, forwards emails, archives email
• List Moderator (LM): creates lists, subscribes users
• User/subscriber: subscribes to lists, sends/receives email


Untrusted Servers

• Existing Solutions
  • Password based encryption (end-to-end confidentiality)
    • Clunky to exchange and manage passwords out-of-band whenever a subscriber leaves
  • Encrypt to LS, which decrypted and re-encrypted with subscriber keys
    • LS takes care of key management
    • LS had access to plaintext messages.
• Desirable to Reduce Trust Liability
  • Trust LS to manage lists and forward messages correctly
  • But do not trust LS with content of messages – “untrusted server”


SELS History

• Original SELS protocol.
  • Himanshu Khurana, Adam Slagell, and Rafael Bonilla. SELS: A Secure E-mail List Service. In Proceedings of the Security Track of the ACM Symposium on Applied Computing (SAC), March 2005.
• Modified, practical version of SELS, with extensive experimentation and integration.
  • Himanshu Khurana, Jin Heo, and Meenal Pant. From Proxy Encryption Primitives to a Deployable Secure-Mailing-List Solution. In the Eighth International Conference on Information and Communications Security (ICICS '06), Raleigh, North Carolina, December 2006.


Protocol Overview

[Diagram: LM, LS and users U1, U2, U3. Message flow: send signed, encrypted email; transform and forward; decrypt and verify signature.]

• Assumption: LM is an independent entity not controlled by LS

Create Group
• Establish LM key K_LM
• Establish corresponding LS key K_LS
• LM, LS implicitly agree K_LK = K_LM + K_LS is list key

Subscribe
• Obtain keypair (K_U1, PK_U1)
• Establish proxy key K'_U1, K_LK = K_U1 + K'_U1

Proxy re-encryption at LS ensures that plaintext is not exposed


Sending Emails in SELS

Alice → LS
• Keyrings: Alice holds (SK_A, PK_LK); LS holds members' proxy keys K'_Ui
• Email header
• Email plaintext m
• Sig(m) w/ SK_A (RSA, DSA)
• Encrypt_k(m, Sig(m)) (AES, 3DES)
• Encrypt k w/ PK_LK (El Gamal)

LS → Bob
• Transform k w/ K'_B (SELS Proxy Re-encryption)
• Email header
• Email plaintext m
• Encrypt_k(m, Sig(m)) (AES, 3DES)
• Sig(m) w/ SK_A (RSA, DSA)
• Keyring: Bob holds (PK_A, SK_B)

Suitable for environments where GPG is/can be used
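The additive key split from the Protocol Overview slide and the "Transform k" step from this slide, worked through as an added example (not code from the SELS project). It assumes textbook El Gamal over a toy group, assembles K_LK in one place only for brevity, and all function names are hypothetical.

```python
import secrets

# Toy group for the demo (assumption): the Mersenne prime 2**521 - 1, base 3.
# Exponents are reduced mod P-1, which is correct by Fermat's little theorem.
# A real deployment uses a vetted prime-order group and GPG key formats.
P = 2**521 - 1
G = 3
N = P - 1

def keygen():
    """Random private exponent in [1, N-1]."""
    return secrets.randbelow(N - 1) + 1

def public(sk):
    return pow(G, sk, P)

def proxy_share(k_lk, k_u):
    """K'_U such that K_LK = K_U + K'_U (kept on the LS keyring)."""
    return (k_lk - k_u) % N

def encrypt(pk_lk, k):
    """El Gamal encryption of session key k under the list public key."""
    r = keygen()
    return pow(G, r, P), k * pow(pk_lk, r, P) % P

def strip_share(ct, share):
    """Remove one additive share of the exponent from c2. LS runs this with
    K'_U (the transform); the subscriber runs it with K_U (decryption)."""
    c1, c2 = ct
    return c1, c2 * pow(c1, N - share, P) % P

def run_list_demo():
    k_lm, k_ls = keygen(), keygen()
    k_lk = (k_lm + k_ls) % N                  # list key, assembled only for the demo
    k_bob = keygen()                          # Bob's decryption key K_B
    k_bob_proxy = proxy_share(k_lk, k_bob)    # LS keyring entry K'_B
    k = secrets.randbits(128) | 1             # constructed AES-size session key
    sent = encrypt(public(k_lk), k)           # Alice -> LS
    forwarded = strip_share(sent, k_bob_proxy)  # LS -> Bob
    return {
        "session_key": k,
        "ls_view": forwarded[1],                        # what LS holds after the transform
        "bob": strip_share(forwarded, k_bob)[1],        # Bob recovers k
        "bob_without_ls": strip_share(sent, k_bob)[1],  # Bob's key alone, no transform
    }
```

`ls_view` and `bob_without_ls` both differ from the session key: neither share decrypts on its own. The two shares together equal K_LK, so deleting K'_U from the LS keyring is what removes a subscriber.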


Preliminary Usability Evaluation: Groupware Walkthrough


Potential Usability Issues

• Installation of multiple keys
  • List public-key and user decryption key pair (includes private key)
    • Installing a private key is not common operation
  • Place appropriate trust in the keys
    • Sign them or use PGP trust model
• Managing and using multiple keys
  • Users get a private key for every SELS list
    • Need to remember passwords for each key or set same password for all keys
    • Most GPG plug-ins cache only one password
• Prior GPG experience
  • Lack of GPG knowledge/experience might make it unusable


Focused User Study - Setup

• Two Studies
  • Study I – sign keys to place trust
  • Study II – use PGP trust model
• Two user groups in each study
  • Novice – no prior GPG experience (8 in study I and 5 in study II)
  • Experts – prior GPG experience (3 in study I and 3 in study II)
• 5 Parts to each study
  • Background questionnaire
  • Two Party Secure E-mail (TPSE) key installation and message exchange using GPG
    • SUS questionnaire
  • TPSE Vulnerability Evaluation
  • Tasks involving SELS key installation and message exchange
    • SUS questionnaire
  • SELS Vulnerability Evaluation


Focused User Study - Results

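| User Type | Key Install Success Rate (TPSE) | Key Install Success Rate (SELS) | Key Install Time, Avg. / Std. Dev (TPSE) | Key Install Time, Avg. / Std. Dev (SELS) | SUS Score (TPSE) | SUS Score (SELS) | Changed Passwd. |
|---|---|---|---|---|---|---|---|
| Expert | 2 of 3 | 2 of 3 | 6.5 / 2.12 | 11 / 1.41 | 85.83 / 5.2 | 76.67 / 11.55 | 3 of 3 |
| Novice | 6 of 8 | 2 of 8 | 8.83 / 2.86 | 25.5 / 0.71 | 79.38 / 9.33 | 54.44 / 16.66 | 3 of 8 |

Observations from Study I

| User Type | Key Install Success Rate (TPSE) | Key Install Success Rate (SELS) | Key Install Time, Avg. / Std. Dev (TPSE) | Key Install Time, Avg. / Std. Dev (SELS) | SUS Score (TPSE) | SUS Score (SELS) | Changed Passwd. |
|---|---|---|---|---|---|---|---|
| Expert | 3 of 3 | 3 of 3 | 4 / 0 | 12.66 / 2.01 | 74.17 / 20.21.2 | 74.16 / 23.23 | 2 of 3 |
| Novice | 4 of 5 | 5 of 5 | 8.4 / 2.7 | 18.2 / 3.19 | 61.5 / 10.98 | 52 / 13.62 | 5 of 5 |

Observations from Study II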


Focused User Study – Vulnerability Evaluation

| Message Type and Description | Two Party Secure Email (TPSE) using GPG | SELS Messages |
|---|---|---|
| Encrypted and signed correctly | This message is encrypted for the user and signed with a trusted key. | This message is signed and encrypted by a valid member of list, with a trusted signature key and the correct list encryption key. |
| Encrypted with wrong key | The email message is encrypted with a key that does not belong to the user. Hence the user cannot decrypt it. | This email message is encrypted with a key for which the user has no secret-key and delivered directly to the user but made to look like a message delivered on the list by forging the headers. |
| Encrypted and signed with forged “From” | The email message is encrypted with the user’s key, but signed with a key that does not match the “From” address. | The email message is encrypted with the list key but signed with a key that does not match the “From” address. |
| Encrypted correctly but signed with a missing key | This email message is encrypted with the user’s key, but is signed with a key for which the public key is not available to the user. | This email message is encrypted with the list key, but is signed with a key for which the public-key is not available to the user. |
| Encrypted with forged “To” | The user is made to believe that this encrypted message was sent to the user and someone else by forging “To” header. | The user is made to believe that this encrypted only message was sent on the list by forging the headers. It is encrypted such that the user can decrypt it correctly. |


Vulnerability Evaluation - Results

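| User Type | % of correctly formed messages trusted, Avg. / Std. Dev (TPSE) | % of correctly formed messages trusted, Avg. / Std. Dev (SELS) | % of incorrectly formed messages trusted, Avg. / Std. Dev (TPSE) | % of incorrectly formed messages trusted, Avg. / Std. Dev (SELS) |
|---|---|---|---|---|
| Expert | 100 / 0 | 100 / 0 | 16.67 / 14.43 | 8.33 / 14.43 |
| Novice | 93.75 / 17.68 | 100 / 0 | 18.75 / 17.68 | 15.63 / 12.94 |

Observations from Study I

| User Type | % of correctly formed messages trusted, Avg. / Std. Dev (TPSE) | % of correctly formed messages trusted, Avg. / Std. Dev (SELS) | % of incorrectly formed messages trusted, Avg. / Std. Dev (TPSE) | % of incorrectly formed messages trusted, Avg. / Std. Dev (SELS) |
|---|---|---|---|---|
| Expert | 100 / 0 | 100 / 0 | 8.33 / 14.43 | 16.67 / 28.87 |
| Novice | 100 / 0 | 100 / 0 | 30 / 20.92 | 35 / 13.69 |

Observations from Study II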


Useful changes to interfaces

• Manage/Cache multiple passwords

• Caution users on unsigned messages (Mac Mail already does this)

• Alert users when signer and sender do not match
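One way a mail client could implement the cautions listed on this slide, covering the unsigned, forged “From” and missing-key message types from the vulnerability evaluation. This is an added example, not part of SELS or of any GPG plug-in; the `signature` summary dict and the warning names are hypothetical, and the sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def trust_warnings(raw_message, signature):
    """Return the warnings to show for one decrypted message.

    `signature` is a hypothetical summary of the OpenPGP verification result:
    None for an unsigned message, otherwise a dict with
      key_known - signer's public key is on the local keyring
      valid     - signature verified against the message
      uids      - user IDs on the signing key, e.g. "Alice <alice@example.org>"
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if signature is None:
        return ["unsigned"]                  # encrypted-only message
    if not signature["key_known"]:
        return ["signer-key-missing"]        # cannot verify at all
    if not signature["valid"]:
        return ["bad-signature"]
    # Compare the From address with the addresses bound to the signing key.
    signer_addrs = {parseaddr(uid)[1].lower() for uid in signature["uids"]}
    if not sender or sender not in signer_addrs:
        return ["signer-sender-mismatch"]    # forged "From"
    return []

# Constructed sample message and verification summaries.
SAMPLE = (
    "From: Alice <Alice@Example.org>\n"
    "To: csirt-list@example.org\n"
    "Subject: incident update\n"
    "\n"
    "decrypted body\n"
)
ALICE_SIG = {"key_known": True, "valid": True,
             "uids": ["Alice Example <alice@example.org>"]}
MALLORY_SIG = {"key_known": True, "valid": True,
               "uids": ["Mallory <mallory@example.org>"]}
UNKNOWN_SIG = {"key_known": False, "valid": False, "uids": []}
```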


SELS Deployment - Production Environment

• Redundancy
  • Two industrial grade servers
  • Power backup
  • RAID storage
• Partial list isolation
  • VM for each list
• Manual failover
  • Monitoring scripts


SELS Deployment

• Customers are Computer Security and Incident Response Teams (CSIRTs) of Computational Grids
• Experience with 2 lists from one such CSIRT
  • ~52 members
  • Previously used password based security with PGP/GPG tools
  • Considered expert users
• 4 out of 52 faced issues
  • Compatibility
  • Misunderstanding about usage


SELS Deployment

• Security and usability concern of users
  • Concern about importing “private” key
    • Removed “signing key” component from SELS user keys
  • Concern about selecting a wrong key in the interface
    • Removed “email address” from names of keys for visual distinction
  • Pushback on placing “Ultimate Trust” in moderator key
    • Place “complete” or “full” trust in moderator key and sign it locally

• Anecdotal evidence to suggest that SELS made it easy to exchange secure messages on these lists


Where do we go from here?

• Reach out and promote broader adoption
  • S/MIME is natively supported in popular clients
    • Develop SELS for S/MIME using recently added ECC support
• Improve features based on feedback
• Questions?
  • Contact:
    • Rakesh Bobba [email protected]
    • Himanshu Khurana [email protected]
    • Jim Basney [email protected]
  • Software: www.sels.ncsa.uiuc.edu


Backup Slides


Security Requirements

• Confidentiality: only authorized users (i.e. list subscribers) should be able to read emails – list server is excluded

• Integrity: receivers must be sure that email has not been modified in transit

• Authentication: receivers must be able to verify the identity of the sender



System Design

• Suitable for environments where GPG is/can be used

[Figure: SELS system architecture across Server, List Moderator and Subscriber. Component labels: MTA (e.g., Sendmail); List Server (e.g., Mailman); SELS Transformation Agent; Process invocation; Handlers; MUA; Interface (GPG Plugin); List Mgmt; Crypto Functions (GPG, BC Libs); Crypto Functions (GPG Lib); Key Mgmt (GPG). Legend: COTS component; Developed component.]