
Oregon State University, 03/09/05. X-Sig: An Email Signing Extension for the Simple Mail Transport Protocol (SMTP). Robert Rose.


1 X-Sig: An Email Signing Extension for the Simple Mail Transport Protocol (SMTP). Robert Rose, 03/09/05

2 Overview
What is Email Signing?
Motivation
Previous Work
Protocol
Implementation
Opportunities

3 What is Email Signing?
You receive an email, but how do you know who it’s from?
  – Headers give clues, but they don’t tell the whole story
  – Fact: there is no reliable way to determine who sent an email
An email signature:
  – Uses Public Key Cryptography (RSA/DSA/etc.)
  – Text of email is hashed
  – Hash is encrypted using sender’s private key
  – Encrypted hash is attached to the email
  – Sender is verified by decrypting the hash using the sender’s public key and checking the decrypted hash vs. a recalculated hash
  – For added security, a random value may be appended to the encrypted text

4 Email Headers
Return-Path:
Received: from SMTP.magnellmail.net (smtp.magnellmail.net [65.119.30.157]) by acabar.cafwap.net (8.11.6/8.11.6) with SMTP id iAUBfYZ16904 for ; Tue, 30 Nov 2004 03:41:37 -0800
Received: from mail pickup service by e3ssl002 with Microsoft SMTPSVC; Tue, 30 Nov 2004 11:47:24 -0800
From:
To:
Subject: Your Newegg.com Order information
Date: Tue, 30 Nov 2004 11:47:24 -0800

Dear Robert Rose
Thank you for shopping at Newegg.com. We are dedicated to providing customers with high quality merchandise at low prices and only the finest in customer service. Your purchase will be processed and shipped in approximately 24-48 hours and your specific order details have been provided below for your convenience.

magnellmail.net ≠ newegg.com?

5 Motivation
Know exactly who is sending you email
Reduce/eliminate spam email
  – Spammers rely on “open relays” and invalid return email addresses to generate spam
  – If you could verify exactly where an email is coming from, spamming would no longer be an anonymous practice
We are NOT motivated to:
  – Protect email (encrypt the message itself)
  – Create something that is complicated
  – Create something that is not backwards-compatible with everything out there today

6 Previous Work
S/MIME
  – IETF Secure Mail Standard based on PKC
  – Not backwards-compatible with existing email clients
    – S/MIME mail will appear as garbage
  – Not easy to implement, thus its mild acceptance
  – Does not address key distribution
MS Exchange Secure Email
  – Microsoft’s proprietary secure mail standard based on PKC
  – Backwards-compatible with existing email clients
  – Only implemented by Microsoft
  – Key distribution uses LDAP and/or Exchange
    – Requires you to know the sender’s LDAP server or be on the same Exchange server

7 X-Sig is…
An email header for the signature
  – New header “X-Sig:” contains the hash of the email encrypted using the sender’s private key
  – Adding a single header is backwards-compatible
    – Existing email clients are free to ignore the header… the body of the email is unmodified
A key distribution mechanism
  – DNS MX records are leveraged as a means of retrieving a sender’s public key
  – An email client need only look up the MX record of the sender’s [supposed] domain and retrieve the public key over HTTP from the MX server
  – Thus, the sender’s public key must reside on the mail server for the domain they claim to be from

8 X-Sig Header
Algorithm:
  – Generate MD5 hash for entire body of email
  – RSA encrypt this string using the sender’s private key
  – Encode the ciphertext as Base64
  – Insert this string into the headers of the email
Example:
  – Body of email is “sent by rob\n”
  – MD5 is 865a2d220cadb041e25aeb6af250c5c6
X-Sig-Version: 1.0 (MD5-RSA)
X-Sig: IRtKF2YO5EC0D85imV5FYCzgK5NK7DkvJ0uDQHKm/XaipIvfgeclTyi/RDBWisllgGkKz6EKGTbGFmS6xhUiRw==

9 X-Sig Verification
Algorithm:
  – Generate MD5 hash of the body of the email
  – Query the sender’s mail server for public key
    – Lookup MX record (mailhost)
    – Get public key from http://mailhost/sig/?addr=sender@senderdomain
  – Decrypt the X-Sig header using the public key
  – Check generated MD5 vs. MD5 in plaintext
Example:
  – Sender is rob@mydomain.com
  – Get MX: dig MX mydomain.com returns mail.mydomain.com
  – Get pub key: http://mail.mydomain.com/sig/?addr=rob@mydomain.com
  – Check decrypted MD5 versus generated MD5
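
The signing and verification steps from slides 8 and 9, as an added Python sketch that is not the prototype's code. It uses textbook RSA over a constructed demo key, and dictionaries stand in for the MX query and the HTTP key fetch; `MX`, `KEYS`, `body_digest`, `sign` and `verify` are names assumed for this example.

```python
import base64
import hashlib
from email import message_from_string
from email.utils import parseaddr

# Constructed demo key from two Mersenne primes: fine for showing the flow,
# far too small and structured for real use. Textbook RSA, no padding.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KEY_BYTES = (N.bit_length() + 7) // 8

# Constructed stand-ins for the DNS MX answer and the mail host's /sig/ URL.
MX = {"mydomain.com": "mail.mydomain.com"}
KEYS = {"http://mail.mydomain.com/sig/?addr=rob@mydomain.com": (N, E)}


def body_digest(body: str) -> int:
    # Only the body is hashed, as on the slides; headers are not covered.
    # MD5 matches "1.0 (MD5-RSA)" but is collision-broken today.
    return int.from_bytes(hashlib.md5(body.encode("utf-8")).digest(), "big")


def sign(raw_message: str) -> str:
    """Add X-Sig-Version and X-Sig headers; the body is left unmodified."""
    msg = message_from_string(raw_message)
    sig = pow(body_digest(msg.get_payload()), D, N)
    msg["X-Sig-Version"] = "1.0 (MD5-RSA)"
    msg["X-Sig"] = base64.b64encode(sig.to_bytes(KEY_BYTES, "big")).decode()
    return msg.as_string()


def verify(raw_message: str) -> bool:
    """Look up the claimed sender's key and compare decrypted vs. fresh hash."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    mailhost = MX.get(sender.rpartition("@")[2])
    key = KEYS.get(f"http://{mailhost}/sig/?addr={sender}")
    if key is None or msg.get("X-Sig") is None:
        return False  # no published key for this address, or unsigned mail
    n, e = key
    try:  # a folded header carries whitespace; strip it before decoding
        blob = base64.b64decode("".join(msg["X-Sig"].split()), validate=True)
    except ValueError:
        return False
    sig = int.from_bytes(blob, "big")
    return sig < n and pow(sig, e, n) == body_digest(msg.get_payload())


SIGNED = sign("From: rob@mydomain.com\nSubject: Demo\n\nsent by rob\n")
```

Because only the body is hashed, `verify` still passes when a header such as Subject changes after signing. The key lookup is also only as trustworthy as the DNS answer and the plain-HTTP fetch it rests on.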

10 Prototype Implementation
X-Sig implemented using:
  – SquirrelMail: Open source PHP webmail application
  – OpenSSL: Used for its simple open source RSA library
  – Java: Java used as front-end for OpenSSL
  – Perl: Key retrieval implemented in Perl
User’s private key stored on mail server in ~/.sig.priv
User’s public key stored on mail server in ~/.sig.pub
When composing an email, SquirrelMail uses the user’s private key to encrypt the hash of the email
When reading an email, SquirrelMail attempts to retrieve the public key for the sender and check the hashes

11 Demo: Composing an Email

12 Demo: X-Sig Headers
Return-Path:
Received: from acabar.cafwap.net (acabar.cafwap.net [192.168.0.1] (may be forged)) by acabar.cafwap.net (8.11.6/8.11.6) with ESMTP id iB11XvZ20663 for ; Tue, 30 Nov 2004 17:33:58 -0800
Received: from 207.55.100.3 (SquirrelMail authenticated user usera); by acabar.cafwap.net with HTTP; Tue, 30 Nov 2004 17:33:58 -0800 (PST)
Message-ID:
Date: Tue, 30 Nov 2004 17:33:58 -0800 (PST)
Subject: Demo
From: usera@cafwap.net
To: rose@domain.com
X-Sig-Version: 1.0 (MD5-RSA)
X-Sig: IRtKF2YO5EC0D85imV5FYCzgK5NK7DkvJ0uDQHKm/XaipIvfgeclTyi/RDBWisllgGkKz6EKGTbGFmS6xhUiRw==
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal

Hey Rob, how's it going? I thought you might enjoy some Thomas Jefferson quotes:
Banking establishments are more dangerous than standing armies.

13 Demo: X-Sig Verification
Mail is from “usera@cafwap.net,” so retrieve their public key:
acabar dig MX cafwap.net
cafwap.net. 1254 IN MX 10 mail.cafwap.net.
acabar curl http://mail.cafwap.net/sig/?addr=usera@cafwap.net
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMi5WRl5HDIngpNzysAUzjR1WYuQ7Nki
j09086z85X25nnKT7dFw1f/PB4YoiYn9ChV+WrUSk0vjYbtXor7GBEcCAwEAAQ==
-----END PUBLIC KEY-----
Decrypt the X-Sig header using this public key and check it against our own MD5 that we calculated

14 Demo: Reading an email

15 How does X-Sig Fight Spam?
Email must be sent from a valid email address
  – Spam mail is typically sent from an invalid email address
  – Invalid email addresses are immediately recognized as forged
The actual sender of the email is verified
  – DNS MX records are used to retrieve the sender’s public key
  – The public key is used to check the signature of the email
  – Invalid signatures are immediately recognized as forged
If a large enough portion of Internet users adopt X-Sig:
Email with an invalid signature or a forged address is spam

16 Opportunities
Server-side signature generation
  – If the connection between the email client and the SMTP server is secured (e.g., Secure SMTP), then the server can generate the signature for the client
Server-side signature verification
  – Email gateways (SMTP servers) can perform signature verification before the email arrives at the client
Automated key generation
  – If signature generation and verification occur only on the server, then the server could automatically generate keys for the user
If all three of these things are done… X-Sig becomes completely transparent to the user!

