Perfecting email security

Sep 10, 2012

Millions of us send billions of emails back and forth each day without much concern for their security. On the whole, security is not a primary concern for most day-to-day emails, but some emails do contain personal, proprietary and sensitive information, documents, media, photos, videos and sound files. Unfortunately, the open nature of email means that they can be intercepted and if not encrypted easily read by malicious third parties. Even with the PGP - pretty good privacy - encryption scheme first used in 1995, if a sender's private "key" is compromised all their previous emails encrypted with that key can be exposed.

Writing in the International Journal of Security and Networks, Duncan Wong and Xiaojian Tian of City University of Hong Kong, explain how previous researchers had attempted to define perfect privacy that utilizes PGP by developing a technique that would preclude the of other emails should a private key be compromised. Unfortunately, say Wong and Tian this definition fails if one allows the possibility that the email server itself may be compromised, by hackers or other .

The team has now defined perfect forward secrecy for email as follows and suggested a technical solution to enable email security to be independent of the server used to send the message:

"An e-mail system provides perfect forward secrecy if any third party, including the e-, cannot recover previous session keys between the sender and the recipient even if the long-term secret keys of the sender and the recipient are compromised."

By building a new email protocol on this principle, the team suggests that it is now possible to exchange emails with almost zero risk of interference from third parties. "Our protocol provides both confidentiality and message authentication in addition to perfect forward secrecy," they explain.

The team's protocol involves Alice sending Bob an encrypted email with the hope that Charles will not be able to intercept and decrypt the message. Before the email is encrypted and sent the protocol suggested by Wong and Tian has Alice's computer send an identification code to the email server. The server creates a random session "hash" that is then used to encrypt the actual encryption key for the email Alice is about to send. Meanwhile, Bob as putative recipient receives the key used to create the hash and bounces back an identification tag. This allows Alice and Bob to verify each other's identity.

These preliminary steps are all automatically and without Alice or Bob needing to do anything in advance. Now, Alice writes her email, encrypts it using PGP and then "hashes" it using the random key from the server. When Bob receives the encrypted message he uses his version of the hash to unlock the container within which the PGP-encrypted email sits. Bob then uses Alice's public PGP key to decrypt the message itself. No snoopers on the internet between Alice and Bob, not even the email server ever have access to the PGP encrypted email in the open. Moreover, because a different key is used to lock up the PGP encrypted email with a second one-time layer, even if the PGP security is compromised past emails created with the same cannot be unlocked.

Explore further: LinkedIn membership hits 300 million

More information: "E-mail protocols with perfect forward secrecy" in Int. J. Security and Networks, 2012, 7, 1-5

add to favorites email to friend print save as pdf

Related Stories

'Dead time' limits quantum cryptography speeds

Sep 28, 2007

Quantum cryptography is potentially the most secure method of sending encrypted information, but does it have a speed limit" According to a new paper by researchers at the National Institute of Standards and Technology and ...

US banks, companies issue warning after email hack

Apr 04, 2011

Computer hackers gained access to the email addresses of customers of several large US banks and other companies in a potentially huge data breach at US online marketing firm Epsilon. ...

Recommended for you

LinkedIn membership hits 300 million

Apr 18, 2014

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

Apr 18, 2014

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

White House updating online privacy policy

Apr 18, 2014

A new Obama administration privacy policy out Friday explains how the government will gather the user data of online visitors to WhiteHouse.gov, mobile apps and social media sites. It also clarifies that ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

kevinrtrs
1.5 / 5 (4) Sep 10, 2012
THis is a much needed facility as more and more insurance, investment and banking companies want to save money by sending clients accounts and other confidential documents via email. This is already critical in fact.

More news stories

Ex-Apple chief plans mobile phone for India

Former Apple chief executive John Sculley, whose marketing skills helped bring the personal computer to desktops worldwide, says he plans to launch a mobile phone in India to exploit its still largely untapped ...

Airbnb rental site raises $450 mn

Online lodging listings website Airbnb inked a $450 million funding deal with investors led by TPG, a source close to the matter said Friday.

Health care site flagged in Heartbleed review

People with accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the ...

A homemade solar lamp for developing countries

(Phys.org) —The solar lamp developed by the start-up LEDsafari is a more effective, safer, and less expensive form of illumination than the traditional oil lamp currently used by more than one billion people ...

NASA's space station Robonaut finally getting legs

Robonaut, the first out-of-this-world humanoid, is finally getting its space legs. For three years, Robonaut has had to manage from the waist up. This new pair of legs means the experimental robot—now stuck ...

Filipino tests negative for Middle East virus

A Filipino nurse who tested positive for the Middle East virus has been found free of infection in a subsequent examination after he returned home, Philippine health officials said Saturday.

Egypt archaeologists find ancient writer's tomb

Egypt's minister of antiquities says a team of Spanish archaeologists has discovered two tombs in the southern part of the country, one of them belonging to a writer and containing a trove of artifacts including reed pens ...