X-Sig: An Email Signing Extension for the Simple Mail Transport Protocol (SMTP)
Robert Rose
Oregon State University
03/09/05

Overview
What is Email Signing?
Motivation
Previous Work
Protocol
Implementation
Opportunities

What is Email Signing?
You receive an email, but how do you know who it’s from?
  –Headers give clues, but they don’t tell the whole story
  –Fact: there is no reliable way to determine who sent an email
An email signature:
  –Uses Public Key Cryptography (RSA/DSA/etc.)
  –Text of email is hashed
  –Hash is encrypted using sender’s private key
  –Encrypted hash is attached to the email
  –Sender is verified by decrypting the hash using the sender’s public key and checking the decrypted hash vs. a recalculated hash
  –For added security, a random value may be appended to the encrypted text

Headers

Return-Path:
Received: from SMTP.magnellmail.net (smtp.magnellmail.net [ ]) by acabar.cafwap.net (8.11.6/8.11.6) with SMTP id iAUBfYZ16904 for ; Tue, 30 Nov :41:
Received: from mail pickup service by e3ssl002 with Microsoft SMTPSVC; Tue, 30 Nov :47:
From:
To:
Subject: Your Newegg.com Order information
Date: Tue, 30 Nov :47:

Dear Robert Rose

Thank you for shopping at Newegg.com. We are dedicated to providing customers with high quality merchandise at low prices and only the finest in customer service. Your purchase will be processed and shipped in approximately hours and your specific order details have been provided below for your convenience.

magnellmail.net newegg.com?

Motivation
Know exactly who is sending you email
Reduce/eliminate spam
  –Spammers rely on “open relays” and invalid return addresses to generate spam
  –If you could verify exactly where an email is coming from, spamming would no longer be an anonymous practice
We are NOT motivated to:
  –Protect email (encrypt the message itself)
  –Create something that is complicated
  –Create something that is not backwards-compatible with everything out there today

Previous Work
S/MIME
  –IETF Secure Mail Standard based on PKC
  –Not backwards-compatible with existing clients
      S/MIME mail will appear as garbage
  –Not easy to implement, thus its mild acceptance
  –Does not address key distribution
MS Exchange Secure
  –Microsoft’s proprietary secure mail standard based on PKC
  –Backwards-compatible with existing clients
  –Only implemented by Microsoft
  –Key distribution uses LDAP and/or Exchange
      Requires you to know the sender’s LDAP server or be on the same Exchange server

X-Sig is…
An email header for the signature
  –New header “X-Sig:” contains the hash of the email encrypted using the sender’s private key
  –Adding a single header is backwards-compatible
      Existing clients are free to ignore the header… the body of the email is unmodified
A key distribution mechanism
  –DNS MX records are leveraged as a means of retrieving a sender’s public key
  –An email client need only look up the MX record of the sender’s [supposed] domain and retrieve the public key over HTTP from the MX server
  –Thus, the sender’s public key must reside on the mail server for the domain they claim to be from

X-Sig Header
Algorithm:
  –Generate MD5 hash for entire body of email
  –RSA encrypt this string using the sender’s private key
  –Encode the ciphertext as Base64
  –Insert this string into the headers of the email
Example:
  –Body of email is “sent by rob\n”
  –MD5 is 865a2d220cadb041e25aeb6af250c5c6

X-Sig-Version: 1.0 (MD5-RSA)
X-Sig: IRtKF2YO5EC0D85imV5FYCzgK5NK7DkvJ0uDQHKm/XaipIvfgeclTyi/RDBWisllgGkKz6EKGTbGFmS6xhUiRw==

X-Sig Verification
Algorithm:
  –Generate MD5 hash of the body of the email
  –Query the sender’s mail server for public key
      Look up MX record (mailhost)
      Get public key from
  –Decrypt the X-Sig header using the public key
  –Check generated MD5 vs. MD5 in plaintext
Example:
  –Sender is
  –Get MX: dig MX mydomain.com returns mail.mydomain.com
  –Get pub key:
  –Check decrypted MD5 versus generated MD5

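The signing steps from the X-Sig Header slide and the checking steps from the X-Sig Verification slide, as an added example (it is not the prototype's PHP/Java/Perl code). Assumptions: the hex MD5 string is what gets signed, the padding is PKCS#1 v1.5 type 1, the key is a constructed and insecure demo key, the public key is passed in rather than fetched through the MX lookup, and all function names are hypothetical.

```python
import base64
import email
import hashlib

# Constructed demo key, NOT secure: two Mersenne primes give a fixed modulus
# so the example is deterministic and needs only the standard library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def _encoded_block(body: bytes, k: int) -> bytes:
    """PKCS#1 v1.5 type-1 block 00 01 FF..FF 00 || hex MD5 of body (assumed layout)."""
    digest = hashlib.md5(body).hexdigest().encode()
    return b"\x00\x01" + b"\xff" * (k - len(digest) - 3) + b"\x00" + digest

def xsig_sign(body: bytes, n: int = N, d: int = D) -> str:
    """Return the Base64 X-Sig header value for a message body."""
    k = (n.bit_length() + 7) // 8
    block = int.from_bytes(_encoded_block(body, k), "big")
    return base64.b64encode(pow(block, d, n).to_bytes(k, "big")).decode()

def xsig_verify(body: bytes, header_value: str, n: int = N, e: int = E) -> bool:
    """Check an X-Sig value against the body with the sender's public key (n, e)."""
    k = (n.bit_length() + 7) // 8
    try:
        sig = base64.b64decode("".join(header_value.split()), validate=True)
    except ValueError:  # malformed Base64
        return False
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    # Rebuild the expected block and compare all of it, rather than parsing
    # the padding out of the recovered value.
    return pow(s, e, n).to_bytes(k, "big") == _encoded_block(body, k)

def verify_message(raw: bytes, n: int = N, e: int = E) -> bool:
    """Split a raw message (LF line endings assumed) and check its X-Sig header."""
    head, sep, body = raw.partition(b"\n\n")
    value = email.message_from_bytes(head + b"\n\n")["X-Sig"]
    return bool(sep) and value is not None and xsig_verify(body, value, n, e)

# Constructed sample message; the address is a placeholder.
SAMPLE_BODY = b"sent by rob\n"
SAMPLE = (b"From: usera@example.org\nSubject: Demo\n"
          b"X-Sig-Version: 1.0 (MD5-RSA)\n"
          b"X-Sig: " + xsig_sign(SAMPLE_BODY).encode() + b"\n\n" + SAMPLE_BODY)

if __name__ == "__main__":
    print(verify_message(SAMPLE))                  # intact message
    print(verify_message(SAMPLE[:-4] + b"bob\n"))  # altered body
```

MD5 appears here only because X-Sig-Version 1.0 specifies MD5-RSA; MD5 collisions are practical, so a current design would use a SHA-2 hash.
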
Prototype Implementation
X-Sig implemented using:
  –SquirrelMail: Open source PHP webmail application
  –OpenSSL: Used for its simple open source RSA library
  –Java: Java used as front-end for OpenSSL
  –Perl: Key retrieval implemented in Perl
User’s private key stored on mail server in ~/.sig.priv
User’s public key stored on mail server in ~/.sig.pub
When composing an email, SquirrelMail uses the user’s private key to encrypt the hash of the email
When reading an email, SquirrelMail attempts to retrieve the public key for the sender and check the hashes

Demo: Composing an Email

Demo: X-Sig Headers

Return-Path:
Received: from acabar.cafwap.net (acabar.cafwap.net [ ] (may be forged)) by acabar.cafwap.net (8.11.6/8.11.6) with ESMTP id iB11XvZ20663 for ; Tue, 30 Nov :33:
Received: from (SquirrelMail authenticated user usera); by acabar.cafwap.net with HTTP; Tue, 30 Nov :33: (PST)
Message-ID:
Date: Tue, 30 Nov :33: (PST)
Subject: Demo
From:
To:
X-Sig-Version: 1.0 (MD5-RSA)
X-Sig: IRtKF2YO5EC0D85imV5FYCzgK5NK7DkvJ0uDQHKm/XaipIvfgeclTyi/RDBWisllgGkKz6EKGTbGFmS6xhUiRw==
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal

Hey Rob, how's it going? I thought you might enjoy some Thomas Jefferson quotes: Banking establishments are more dangerous than standing armies.

Demo: X-Sig Verification
Mail is from so retrieve their public key:

acabar dig MX cafwap.net
cafwap.net IN MX 10 mail.cafwap.net.
acabar curl
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMi5WRl5HDIngpNzysAUzjR1WYuQ7Nki
j09086z85X25nnKT7dFw1f/PB4YoiYn9ChV+WrUSk0vjYbtXor7GBEcCAwEAAQ==
-----END PUBLIC KEY-----

Decrypt the X-Sig header using this public key and check it against our own MD5 that we calculated

Demo: Reading an Email

How does X-Sig Fight Spam?
Email must be sent from a valid address
  –Spam mail is typically sent from an invalid address
  –Invalid addresses are immediately recognized as forged
Email is verified as to who actually sent it
  –DNS MX records are used to retrieve the sender’s public key
  –The public key is used to check the signature of the email
  –Invalid signatures are immediately recognized as forged
If a large enough portion of Internet users adopt X-Sig:
  –Email with an invalid signature or a forged address is spam

Opportunities
Server-side signature generation
  –If the connection between the client and the SMTP server is secured (e.g., Secure SMTP), then the server can generate the signature for the client
Server-side signature verification
  –Email gateways (SMTP servers) can perform signature verification before the email arrives at the client
Automated key generation
  –If signature generation and verification occur only on the server, then the server could automatically generate keys for the user
If all three of these things are done… X-Sig becomes completely transparent to the user!