TY - GEN
T1 - KeyForge
T2 - 30th USENIX Security Symposium, USENIX Security 2021
AU - Specter, Michael A.
AU - Park, Sunoo
AU - Green, Matthew
N1 - Funding Information:
We are grateful to Jon Callas for helpful discussions about motivations for email non-attributability and our scheme's applicability to DKIM, and to Dan Boneh, Daniel J. Weitzner, John Hess, Bradley Sturt, Stuart Babcock, and Ran Canetti for their feedback on earlier versions of this work. This work was supported in part by the William and Flora Hewlett Foundation grant 2014-1601, and by the MIT Media Lab's Digital Currency Initiative and its funders. We would like to acknowledge support from the National Science Foundation under awards CNS-1653110 and CNS-1801479, and a Google Security & Privacy Award.
Funding Information:
We are grateful to Jon Callas for helpful discussions about motivations for email non-attributability and our scheme’s applicability to DKIM, and to Dan Boneh, Daniel J. Weitzner, John Hess, Bradley Sturt, Stuart Babcock, and Ran Canetti for their feedback on earlier versions of this work. This work was supported in part by the William and Flora Hewlett Foundation grant 2014-1601, and by the MIT Media Lab’s Digital Currency Initiative and its funders. We would like to acknowledge support from the National Science Foundation under awards CNS-1653110 and CNS-1801479, and a Google Security & Privacy Award.
Publisher Copyright:
© 2021 by The USENIX Association. All rights reserved.
PY - 2021
Y1 - 2021
N2 - Email breaches are commonplace, and they expose a wealth of personal, business, and political data whose release may have devastating consequences. Such damage is compounded by email's strong attributability: today, any attacker who gains access to your email can easily prove to others that the stolen messages are authentic, a property arising from a necessary anti-spam/anti-spoofing protocol called DKIM. This greatly increases attackers' capacity to do harm by selling the stolen information to third parties, blackmail, or publicly releasing intimate or sensitive messages - all with built-in cryptographic proof of authenticity. This paper introduces non-attributable email, which guarantees that a wide class of adversaries are unable to convince discerning third parties of the authenticity of stolen emails. We formally define non-attributability, and present two system proposals - KeyForge and TimeForge - that provably achieve non-attributability while maintaining the important spam/spoofing protections currently provided by DKIM. Finally, we implement both and evaluate their speed and bandwidth performance overhead. We demonstrate the practicality of KeyForge, which achieves reasonable verification overhead while signing faster and requiring 42% less bandwidth per message than DKIM's RSA-2048.
AB - Email breaches are commonplace, and they expose a wealth of personal, business, and political data whose release may have devastating consequences. Such damage is compounded by email's strong attributability: today, any attacker who gains access to your email can easily prove to others that the stolen messages are authentic, a property arising from a necessary anti-spam/anti-spoofing protocol called DKIM. This greatly increases attackers' capacity to do harm by selling the stolen information to third parties, blackmail, or publicly releasing intimate or sensitive messages - all with built-in cryptographic proof of authenticity. This paper introduces non-attributable email, which guarantees that a wide class of adversaries are unable to convince discerning third parties of the authenticity of stolen emails. We formally define non-attributability, and present two system proposals - KeyForge and TimeForge - that provably achieve non-attributability while maintaining the important spam/spoofing protections currently provided by DKIM. Finally, we implement both and evaluate their speed and bandwidth performance overhead. We demonstrate the practicality of KeyForge, which achieves reasonable verification overhead while signing faster and requiring 42% less bandwidth per message than DKIM's RSA-2048.
UR - http://www.scopus.com/inward/record.url?scp=85114499948&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85114499948&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85114499948
T3 - Proceedings of the 30th USENIX Security Symposium
SP - 1755
EP - 1773
BT - Proceedings of the 30th USENIX Security Symposium
PB - USENIX Association
Y2 - 11 August 2021 through 13 August 2021
ER -