Lightweight Signatures for Email

We present the design and prototype implementation of a new public key infrastructure for email authentication. Our approach applies recent developments in identity-based cryptography and observations concerning the role of DNS and email servers in the current email architecture to produce end-to-end email signatures with no infrastructure change or new security assumption. Like current email signature proposals, this solution prevents email spoofing attacks such as phishing and, to some degree, spam. Unlike prior proposals, it conserves all current legitimate uses of email, transparently protects average Internet users, and optionally provides privacy-preserving repudiability. In other words, assuming today’s email infrastructure, we provide the best possible email signature scheme with the smallest possible side-effect. We call this approach Lightweight Signatures.
