SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2013; 6:100–107 Published online 17 May 2012 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.536

RESEARCH ARTICLE

Secure multicast key protocol for electronic mail systems with providing perfect forward secrecy

Hsing-Chung Chen*

Department of Computer Science and Information Engineering, Asia University, No. 500, Lioufeng Rd., Wufeng, Taichung City, 41354 Taiwan

ABSTRACT

Electronic mail (e-mail) systems are widely used on the Internet. A user usually needs to send an e-mail to a group of users. In this paper, a secure multicast key protocol for e-mail systems with providing perfect forward secrecy is proposed to ensure the confidentiality and authentication of this kind of e-mail system. The protocol employs the Chinese Remainder Theorem, RSA public key cryptosystems, and one-way hash functions. The protocol can save redundant key materials used for the e-mails. Via the security analysis, the protocol can satisfy the security requirements. In addition, we analyze the computation complexity of the protocol. The result showed that the protocol can save the computation cost for each e-mail sender. Copyright © 2012 John Wiley & Sons, Ltd.

KEYWORDS: cryptography; electronic mail; data security; key agreement; group key; group communication; Chinese Remainder Theorem

*Correspondence: Hsing-Chung Chen, IEEE member, Department of Computer Science and Information Engineering, Asia University, No. 500, Lioufeng Rd., Wufeng, Taichung City, 41354, Taiwan. E-mail: [email protected], [email protected]

1. INTRODUCTION

People widely use electronic mail (e-mail) to communicate with each other via the Internet. By delivering an e-mail over the Internet, people can exchange not only ordinary text-based letters but also sensitive rich electronic files. Because of this popularity, e-mail systems have become targets of adversaries and malicious users. Among e-mail security issues, the basic and primary concerns are the confidentiality and authentication of e-mails [1]. Some data cryptosystems can satisfy these concerns: users can utilize a specific interactive key to encrypt or verify their e-mails. However, an e-mail system is a kind of store-and-forward system in which e-mail servers act as proxies that accept, forward, and store users' e-mails. A user does not need to be continuously online and connected to an e-mail server; only when a user wants to obtain the e-mails received and stored on the e-mail server does he or she need to access it. The operations of an e-mail system are briefly indicated in Figure 1. Assume that a user B, called the sender, intends to send an e-mail to another user A, called the receiver. The sender B first sends the e-mail to the e-mail server SB, and then SB forwards the e-mail to the receiver A's e-mail server SA. Next, SA stores the e-mail in its memory. When the receiver A connects to SA, A sends a request asking for new e-mails, and SA forwards the stored e-mail to A. Because of this feature, it is obvious that users are not always online.

This causes challenges for the authentication and key distribution of e-mail users. Public key systems provide a solution for these challenges. However, public key systems need costly time delay to encrypt or decrypt an e-mail, so hybrid cryptosystems [2] are preferred to avoid the high computation cost. Pretty Good Privacy (PGP) was implemented in 1991 and is a well-known secure e-mail protocol that provides data confidentiality between sender and receiver. It is available on almost any platform and was designed to be used within existing e-mail systems [3–6]. The PGP protocol [7] uses the idea of hybrid cryptosystems to securely transfer a session key between a sender and a receiver. A sender in the PGP system is given a certified public key, which supports a secure channel for transferring the session key. For a single sender and receiver, a session key used for encrypting their e-mail can be transferred by the approaches mentioned above. PGP is designed for a distributed network of individuals and depends on a web of trust: you can certify the public keys of the users who receive your e-mail. A user cannot verify the validity of every other PGP key, and one will probably never trust most users. However, under many circumstances, a sender needs to send a single e-mail to many receivers. How to transfer a session key to multiple receivers is a challenge for securing e-mail systems.

Figure 1. The procedures of an e-mail sent from a sender B to a single receiver A.

As a user usually needs to send an e-mail to a group of users, in existing e-mail protocols such as the Simple Mail Transfer Protocol the e-mail server forwards copies of this e-mail to the receivers. We briefly show this operation in Figure 2. When a sender B intends to deliver an e-mail to the receivers A, C, and D, he or she first sends the e-mail to his or her e-mail server SB. Then, SB forwards copies of this e-mail to the receivers' mail servers SA, SC, and SD, respectively. Next, SA, SC, and SD wait for requests for new e-mails from the receivers. For example, if SC receives a request sent by the receiver C, SC forwards the copy of the e-mail to C. In this repeated transmission, there are redundant computations that cause significant time delay. In this paper, we propose a secure multicast key protocol for e-mail systems that provides a solution for distributing a session key to a multicast group. Our scheme is based on the Chinese Remainder Theorem (CRT) [8], the RSA public key system, and a cryptographically secure one-way hash function. The related works on securing e-mail systems were proposed to resist other security issues, such as the perfect forward secrecy problem, which was pointed out by Sun et al. in 2005 and is described in a later paragraph. We will show that our protocol can not only satisfy the multicast requirements but also resist these security problems. According to the previously proposed schemes [9–11], an e-mail server is required to repeatedly execute the same procedures to multicast an e-mail to the different receivers. The rest of this paper consists of the following parts. In Section 2, we present the background knowledge and an overview of the related works. In Section 3, we introduce our scheme. In Section 4, we give the security analysis and the computation complexity. Finally, in Section 5, we conclude.

2. BACKGROUND AND RELATED WORKS

In this section, we introduce the CRT. Then, we briefly introduce the schemes by Sun et al. [12], Lin et al. [11], Kim et al. [10], and Chang et al. [9].

Figure 2. The procedures of an e-mail sent from a sender B to the multiple receivers A, C, and D.

2.1. The Chinese Remainder Theorem

In number theory, the CRT is a famous theorem proposed by Han Xin, who was one of the excellent generals of ancient China. The basic definition [8] is introduced as follows.

Fact 1. If the integers m1, m2, ..., mk are pairwise relatively prime, then the system of simultaneous congruences

$$x \equiv d_1 \pmod{m_1},\quad x \equiv d_2 \pmod{m_2},\quad \ldots,\quad x \equiv d_k \pmod{m_k}$$

has one, and only one, solution modulo m = m1 · m2 ⋯ mk.

2.2. Related works

Abadi et al. [13] proposed a certified e-mail protocol based on an online trusted third party in 2002. The online trusted party is assigned to verify e-mail transmitted between sender and receiver with a predetermined public key. With the popularity of e-mail systems, many multiparty-certified e-mail protocols have been proposed to solve the security issues of multiparty e-mail protocols. In 2004, a modified multiparty-certified e-mail protocol was proposed by Zhou [14] on the basis of a one-way hash function and public key systems. In that protocol, evidence of an e-mail can be verified by the intended party alone. In 2005, Sun et al. proposed two secure e-mail protocols that aimed to satisfy the requirements of perfect forward secrecy. The first protocol is based on the Diffie–Hellman key exchange protocol [15]. The second protocol is based on a cryptographic primitive called "Certificate of Encrypted Message Being a Signature" [16]. In [17], Dent pointed out that the second protocol cannot satisfy perfect forward secrecy. Moreover, Phan showed that the scheme by Sun et al. is vulnerable to unknown key-share attacks and replay attacks [18]. In 2006, the scheme by Lin et al. [11] was proposed to improve on the problems of the scheme by Sun et al. The main idea in the scheme by Lin et al. is that the receiver's password used for accessing e-mail services is refreshed at different times. The receiver can derive ephemeral interactive keys (short-term keys) through these refreshed passwords. Essentially, their scheme cannot satisfy perfect forward secrecy because the refreshed passwords are updated using a specific initial password. Once this initial password is compromised, the refreshed passwords are compromised as well, and the ephemeral interactive keys will be disclosed.

Besides the perfect forward secrecy problem, their scheme also suffers from an insider attack, which means that malicious operators of an e-mail server can learn the ephemeral interactive keys and then eavesdrop on the e-mail content. In 2006, Kim et al. [10] also proposed their solution for the perfect forward secrecy problem, in which an e-mail server acts as a proxy to establish and deliver the short-term session keys. In [19], Yoon and Yoo pointed out that the scheme by Kim et al. cannot resist sender impersonation attacks and e-mail server impersonation attacks. The scheme by Chang et al. [9], proposed in 2008, utilized a three-party password-authenticated key exchange [20] to deal with the aforementioned security problems. However, their scheme still suffers from the sender impersonation attack and the e-mail server impersonation attack because the messages transmitted in the e-mail system cannot be authenticated by a sender or receiver. Therefore, an adversary can copy information transmitted on the channel to impersonate some user. In this paper, we prove that our scheme not only reduces the computation complexity of e-mail multicasting but also deals with perfect forward secrecy and the aforementioned attacks. Our scheme makes use of the CRT to reduce computation complexity, and it utilizes the RSA public key system [21] and a cryptographically secure one-way hash function to deal with perfect forward secrecy and the aforementioned problems.

3. OUR SCHEME

In this section, we introduce the details of our scheme. Our scheme is divided into two protocols: single receiver and multireceivers. The single receiver protocol covers the procedures by which a sender delivers an e-mail to a single receiver. The multireceivers protocol covers the procedures by which a user sends an e-mail to multiple receivers. Each protocol has three phases: precomputation phase, sending phase, and receiving phase. In the following description, we omit the transmission between the user's and receivers' mail servers for simplicity and use a single mail server to stand for that transmission. The parameters used in this paper are as follows.

3.1. Notations

Ui: the ith user in an e-mail system
S: the mail server
PKi: a public key of a user Ui
SKi: the secret key corresponding to PKi of a user Ui
IDi: the identification of user Ui, which is a big and unique prime number
Ek′(·): the asymmetric encryption function using a key k′
Dk′(·): the asymmetric decryption function using a key k′
Sigk′(m): a signature generated from the message m using the private key k′
h(·): a one-way collision-resistant hash function
m1||m2: the concatenation of messages m1 and m2
M: the content of the e-mail
A → B: a symbol indicating that certain messages are sent from an entity A to another entity B


3.2. Bootstrapping

In the e-mail system, a user Ui is predistributed a public key PKi and the corresponding secret key SKi by the system. Note that we only focus on the distribution of the short-term session keys. Authentication of the public key and secret key can be achieved by ID-based cryptosystems [22]. For simplicity, we call the public key and the corresponding secret key a pair of public key and secret key in this paper.

3.3. Single receiver

3.3.1. Precomputation.

Step S1: Ui → S: ei, SigSKi(ei), IDi. A user Ui generates another pair of public key and secret key (ei, di), where ei · di ≡ 1 mod φ(IDi). This pair is not related to the pair of public key PKi and secret key SKi predistributed by the system. The user Ui sends ei and SigSKi(ei) to the e-mail server. Note that this procedure is executed after the user Ui has finished receiving an e-mail.

3.3.2. Sending phase.

Assume that a sender U1 intends to send an e-mail to a receiver U2. The sender U1 executes the following procedures:

Step S2: S → U1: e2, SigSK2(e2), ID2.

Step S3: The sender U1 chooses two random primes p and q and computes n = p · q. Then, he or she computes another pair of a public key ês and the corresponding secret key d̂s, where ês · d̂s ≡ 1 mod φ(n).

Step S4: The sender U1 chooses arbitrary non-repeated primes p1, p2, ..., pk, where k is a small number depending on the required security level of the system. Note that n < p1, p2, ..., pk. Next, the sender U1 computes pairs of public keys (a1, b1), (a2, b2), ..., (ak, bk), where a1 · b1 ≡ 1 mod p1, a2 · b2 ≡ 1 mod p2, ..., and ak · bk ≡ 1 mod pk.

Step S5: Then, the sender U1 computes the following congruence:

$$X \equiv \sum_{j=1}^{2} (L/ID_j)\,\hat d_s^{\,e_2}\,h_{ID_j} \;+\; \sum_{l=1}^{k} (L/p_l)\,\hat d_s^{\,a_l}\,h_l \pmod{L},$$

where L = ID1 · ID2 · p1 ⋯ pk, (L/IDj) · hIDj ≡ 1 mod IDj, and (L/pl) · hl ≡ 1 mod pl. From this equation, by Fact 1, it is easy to derive the following properties:

$$X \equiv \hat d_s^{\,e_2} \pmod{ID_2},\quad X \equiv \hat d_s^{\,a_1} \pmod{p_1},\quad X \equiv \hat d_s^{\,a_2} \pmod{p_2},\quad \ldots,\quad X \equiv \hat d_s^{\,a_k} \pmod{p_k}.$$

Step S6: U1 → S: X, L, V, W, Y, t, n, where V = d̂s^ês mod n, W = M^ês mod n, and Y = SigPK1(h(ID1||ID2||M||t)). The parameter t is a timestamp at that time.

3.3.3. Receiving phase.

When the receiver U2 connects to his or her mail server, the following procedures are executed:

Step S7: U2 → S: Request for new e-mails.

Step S8: S → U2: X, L, V, W, Y, t, n, ID1, ID2.

Step S9: The receiver U2 derives the value d̂s′ (mod ID2) by computing d̂s′ = X^d2 (mod ID2). Then, U2 checks whether (V)^d̂s′ mod n equals the value d̂s′. If it does, U2 computes the content M′ = (W)^d̂s′ mod n. Upon deriving M′, U2 computes the value Y′ = SigPK1(h(ID1||ID2||M′||t)) and checks whether Y′ equals the value in the signature Y.

3.4. Multireceivers

3.4.1. Precomputation.

Step M1: Ui → S: ei, SigSKi(ei), IDi. Note that this step is the same as Step S1.

3.4.2. Sending phase.

Assume that the sender U1 intends to send an e-mail to the receivers U2, U3, ..., Un. The sender U1 executes the following procedures:

Step M2: S → U1: e2, e3, ..., en; SigSK2(e2), SigSK3(e3), ..., SigSKn(en); ID2, ID3, ..., IDn.

Step M3: The user U1 executes the aforementioned Step S3 to choose a new (ês, d̂s). Then, by Fact 1, U1 computes the value

$$X \equiv \sum_{i=1}^{n} (L/ID_i)\,\hat d_s^{\,e_i}\,h_i \pmod{L},$$

where L = ID1 · ID2 ⋯ IDn and (L/IDi) · hi ≡ 1 mod IDi.

Step M4: U1 → S: X, L, V, W, Y, t, n, where V = d̂s^ês mod n, W = M^ês mod n, and Y = SigPK1(h(ID1||ID2||⋯||IDn||M||t)). The parameter t is a timestamp at that time.

3.4.3. Receiving phase.

When a receiver Ur, with r ∈ [2, ..., n], connects to his or her mail server, he or she sends a request for new e-mails. Then, the following procedures are executed:

Step M5: S → Ur: X, L, V, W, Y, t, n, ID1, ID2, ..., IDn.

Step M6: The receiver Ur computes the value d̂s′ = X^dr (mod IDr).

Step M7: The receiver Ur computes the value (V)^d̂s′ mod n and checks whether it equals d̂s′.

Step M8: If the verification in Step M7 succeeds, the receiver Ur computes the content M′ = W^d̂s′ mod n. Then, Ur computes the value Y′ = SigPK1(h(ID1||ID2||⋯||IDn||M′||t)) and checks whether Y′ equals the value in the signature Y.
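Sections 2.1, 3.3 and 3.4 rest on the same arithmetic, so one toy walk-through serves all three. It is an added example, not code from the paper: Fact 1 as a CRT solver, Steps S3 to S6 / M3 and M4 on the sender side, Steps S9 / M6 to M8 on the receiver side, and the timestamp check of Section 4.1.3. The identities, primes and the sender's long-term pair (N1, PK1, SK1) are constructed toy values; the server relay is collapsed into a dictionary, and Y is produced with the sender's private key and verified with the public one.

```python
# Toy walk-through of the CRT key encapsulation in Sections 2.1, 3.3 and 3.4.
# Added example, not the paper's code. Every number here is constructed and
# tiny (no security); the structure follows Steps S1-S9 and M1-M8 as printed.
from math import prod, gcd
import hashlib


def crt(residues, moduli):
    """Fact 1: the unique x mod L with x ≡ r_i (mod m_i), m_i pairwise coprime."""
    L = prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        lm = L // m                # L / m_i
        h = pow(lm, -1, m)         # h_i with (L / m_i) * h_i ≡ 1 (mod m_i)
        x += r * lm * h
    return x % L


def keypair(phi, e):
    """(e, d) with e * d ≡ 1 (mod phi)."""
    assert gcd(e, phi) == 1
    return e, pow(e, -1, phi)


# Precomputation (Step S1 / M1): user U_i has a prime ID_i and a pair (e_i, d_i)
# with e_i * d_i ≡ 1 (mod φ(ID_i)); the server republishes e_i to senders.
IDS = {1: 1009, 2: 1013, 3: 1019}                # constructed toy identities
E, D = {}, {}
for i, idp in IDS.items():
    E[i], D[i] = keypair(idp - 1, 5)

# Constructed long-term RSA pair (PK_1, SK_1) of the sender U_1, used for Y.
N1, PK1, SK1 = 3233, 17, 2753                    # 3233 = 61 * 53, e*d ≡ 1 mod 3120


def digest(ids, msg, t):
    """h(ID_1 || ... || ID_n || M || t), reduced into the signer's modulus."""
    h = hashlib.sha256("||".join(map(str, ids + [msg, t])).encode()).digest()
    return int.from_bytes(h, "big") % N1


def encapsulate(dhat, slots):
    """Step S5 / M3: X with X ≡ dhat^{e_i} (mod m_i) for every (m_i, e_i)."""
    X = crt([pow(dhat, e, m) for m, e in slots], [m for m, _ in slots])
    return X, prod(m for m, _ in slots)          # (X, L)


def send(receivers, msg, t, p=11, q=13, es=7):
    """Steps S3-S6 / M3-M4 for sender U_1; returns the message handed to S."""
    n = p * q                                     # Step S3: fresh (ê_s, d̂_s)
    es, ds = keypair((p - 1) * (q - 1), es)
    assert ds < n < min(IDS.values())             # d̂_s must survive every reduction
    ids = [1] + list(receivers)
    X, L = encapsulate(ds, [(IDS[i], E[i]) for i in ids])
    V = pow(ds, es, n)                            # V = d̂_s^{ê_s} mod n
    W = pow(msg, es, n)                           # W = M^{ê_s} mod n (toy: M < n)
    Y = pow(digest(ids, msg, t), SK1, N1)         # Y = Sig_{SK_1}(h(...))
    return dict(X=X, L=L, V=V, W=W, Y=Y, t=t, n=n, ids=ids)


def receive(r, mail, seen):
    """Steps S9 / M6-M8 for receiver U_r; returns M' or None on any failure."""
    if mail["t"] in seen:                         # Section 4.1.3: reject replays
        return None
    X, n = mail["X"], mail["n"]
    dhat = pow(X, D[r], IDS[r])                   # Step M6: d̂_s' = X^{d_r} mod ID_r
    if pow(mail["V"], dhat, n) != dhat:           # Step M7: V^{d̂_s'} mod n == d̂_s'
        return None
    M = pow(mail["W"], dhat, n)                   # Step M8: M' = W^{d̂_s'} mod n
    if pow(mail["Y"], PK1, N1) != digest(mail["ids"], M, mail["t"]):
        return None                               # signature over (IDs, M', t) fails
    seen.add(mail["t"])
    return M


def demo():
    """U_1 mails M = 42 to U_2 and U_3; both recover it from the single X."""
    mail = send(receivers=[2, 3], msg=42, t=1337)
    out = [receive(r, mail, set()) for r in (2, 3)]
    print(out)    # [42, 42]
    return out


if __name__ == "__main__":
    demo()
```

Because each IDi is a public prime, φ(IDi) = IDi − 1 is public too, so di can be recomputed from (ei, IDi) by anyone; the example reproduces the construction as printed rather than repairing it.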

4. SECURITY AND COMPLEXITY ANALYSIS

In this section, we analyze the security and the computation complexity of our scheme. In the security analysis, we discuss the resistance of the scheme with respect to perfect forward secrecy [12], unknown key-share attacks [18], replay attacks [9], forgery attacks [9], and insider attacks. In the analysis of computation complexity, we evaluate the complexity with the metrics of rounds of modular exponential operations, one-way hash function operations, encryption operations, and decryption operations. Before the security analysis, Fact 2 and Definition 1 are given as follows.

Fact 2. Let n = pq, where p and q are big primes, and let e · d ≡ 1 mod φ(n), where e, d ∈ Zn. Given the public key (n, e), the problem of computing the value d is computationally equivalent to the problem of factoring n, and there is no efficient algorithm for factoring n [8].

Proof: This fact was proved in the description of the RSA cryptosystem in [8].

Definition 1. If the compromise of a long-term key does not compromise the session keys, the protocol is said to have perfect forward secrecy [8].

In the scheme by Sun et al. [12], each user uploads an exponential of a random number to a mail server when he or she connects to that mail server. When a user intends to send an e-mail to a receiver, he or she queries for the exponential of the random number previously given by the receiver and then executes the Diffie–Hellman key exchange protocol to derive a session key used for encrypting the e-mail. Because users refresh the random number for the exponential value on the e-mail server, an adversary cannot derive the session keys established by the Diffie–Hellman key exchange protocol even if the adversary compromises the users' long-term keys. Therefore, the confidentiality of the information in the e-mail can be maintained even if the user's long-term key is compromised. In the following, we will show that our protocol can also achieve perfect forward secrecy.

4.1. Security analysis

4.1.1. Perfect forward secrecy.

The scheme by Sun et al. [12] was considered the first scheme to deal with perfect forward secrecy for e-mail systems. However, according to the description in [17], it cannot completely satisfy perfect forward secrecy. The short-term session keys in our scheme are randomly chosen by the sender. According to Fact 2, the distribution of the short-term session keys is protected by the RSA public key system [21]. Even if the receiver's secret key is compromised, the short-term keys will not be disclosed because the session keys have no relationship with the secret key. Therefore, according to Definition 1, our scheme satisfies perfect forward secrecy. The scheme by Lin et al. [11] cannot satisfy perfect forward secrecy because an ephemeral key can be derived by compromising the receiver's passwords: even though the passwords are refreshed at different times, compromising the initial password causes the disclosure of the refreshed passwords. The scheme by Kim et al. cannot satisfy perfect forward secrecy either; the reason is described in [19]. Although the scheme by Chang et al. [9] can satisfy perfect forward secrecy, it still has the insider attack problem.

4.1.2. Unknown key-share attack.

The unknown key-share attack was presented in [18]. This attack can be considered a special case of impersonation attacks. An adversary makes copies of the preceding authentication messages transmitted between the sender and receiver to trick a victim user into constructing a short-term key. Then, the victim user considers the adversary an authorized user and sends him messages confined to specific authorized users. In our scheme, the sender signs a digest related to the e-mail in Step S6 and Step M4. The input of the signature Y includes the sender's and receivers' identifications, the content of the e-mail, and the timestamp t. According to the properties of a cryptographically secure one-way hash function [8], it is hard to invert the hash or to find a collision.
Moreover, the short-term session key is encrypted by the receiver's public key. If an adversary tries to impersonate the sender with the preceding authentication messages, users can check the signature Y to discover the adversary.

4.1.3. Replay attack.

The replay attack on e-mail systems was presented in [18]. It means that a certain user who previously established a common key with the sender exploits preceding key materials to evade the victim users' verification procedures. Then, the victim users will receive bogus information from this malicious user without discovering the misbehavior. In our scheme, the messages in Step S8 and M4 contain the timestamp t. The sender and receivers store these timestamps in their memory or storage devices. When a repeated timestamp is found in a received message, receivers can detect this misbehavior and discard the received messages. In addition, the receiver can check whether the content in the signature Y equals the value derived with his or her ei. The preceding key materials will not derive the same value. Hence, malicious users cannot mount a replay attack successfully.

4.1.4. Sender impersonation attack.

The sender impersonation attack was presented in [19]. It means that an adversary impersonates a legitimate sender to send a forged message to a receiver. In our scheme, the receiver checks the signature Y produced by the sender in Step S6 and M4. Because of the properties of a cryptographically secure one-way hash function, it is hard to find a collision corresponding to the forged content. In addition, an adversary who does not know the sender's secret key cannot produce a correct signature for the forged message. Therefore, the sender impersonation attack cannot succeed.

4.1.5. E-mail server impersonation attack.

The e-mail server impersonation attack was presented in [19]. An adversary impersonates a legitimate e-mail server to obtain all messages transmitted between senders and receivers. In our scheme, the e-mail server only relays the message sent by the sender. Even if an adversary tries to cheat the receiver, the adversary only obtains the ciphertexts of the content and of the short-term session key, which are secured by the receiver's public key. Because of the properties of the RSA public key system [21], the adversary cannot derive the content encrypted by the receiver's public key. Thus, our scheme can resist the e-mail server impersonation attack.

4.1.6. Forgery attack.

The forgery attack was presented in [9]. The forgery attack on e-mail systems means that an adversary sends bogus messages for authentication. In our scheme, the messages the sender sends in Step S6 and M4 are signed with the sender's secret key. The receiver can check the validity of the messages with the sender's public key. Hence, an adversary cannot successfully mount a forgery attack in our scheme.

4.1.7. Insider attack.

The insider attack means that malicious operators of e-mail servers can learn the short-term session key shared between the sender and receiver. The malicious node can use the short-term session key to eavesdrop on the e-mail content or to send bogus messages. In our scheme, the short-term session key is only known to the sender and receiver. Even if a malicious operator of the e-mail server collects the messages transmitted between the sender and receiver, he or she cannot derive the short-term session key.

We summarize the resistance of the previously proposed schemes [9–11,7,12] against the aforementioned attacks in Table I. "О" means good resistance to the corresponding attack, whereas "Х" means no resistance to the corresponding attack. "△" means incomplete resistance to the corresponding attack. Table I shows that the scheme by Sun et al. can only partially satisfy perfect forward secrecy because the second protocol in their scheme does not satisfy it. Neither the scheme by Lin et al. nor the scheme by Kim et al. can completely satisfy perfect forward secrecy. The main reason is that the receiver's secret key or password is involved in the procedures of establishing or deriving the short-term session key. In Table I, the scheme by Sun et al. [12] cannot resist the aforementioned attacks because an adversary can make use of preceding messages transmitted between the sender and receiver to cheat verifiers; the sender and receiver cannot distinguish preceding key materials from current ones. In Table I, the schemes by Lin et al. and Kim et al. suffer from the aforementioned attacks because of the same problem that occurs in the scheme by Sun et al. For the scheme by Chang et al., compromising the user's password may cause security flaws. Hence, their scheme can only resist some of the attacks. Note that PGP [7] and the scheme by Sun et al. can resist the insider attacks because the e-mail server is not involved in the establishment of the short-term session key. The schemes by Lin et al. and Kim et al. cannot resist the insider attack because the e-mail server can learn the interactive key shared between the sender and receiver.

Table I. Security analysis of the secure e-mail protocols.

Scheme                       PFS [12]   UKS [18]   Replay [9]   Sender imp. [19]   Server imp. [19]   Forgery [9]   Insider
PGP [7]                      Х          Х          Х            Х                  Х                  Х             О
Scheme by Sun et al. [12]    Δ          Х          Х            Х                  Х                  Х             О
Scheme by Lin et al. [11]    Х          Х          Х            Х                  Х                  Х             Х
Scheme by Kim et al. [10]    Δ          Х          Х            Х                  Х                  Х             Х
Scheme by Chang et al. [9]   О          Δ          Δ            Х                  Х                  Δ             О
Our scheme                   О          О          О            О                  О                  О             О

PGP, Pretty Good Privacy. PFS: perfect forward secrecy. UKS: unknown key-share attack. Sender imp.: sender impersonation attack. Server imp.: e-mail server impersonation attack. О: the scheme can resist the attack. Х: the scheme cannot resist the attack. Δ: the scheme can partially resist the attack.


4.2. Computation complexity

In this section, we analyze the computation complexity of our scheme. We evaluate the complexity with the metrics of rounds of modular exponential operations, one-way hash function operations, encryption operations, and decryption operations. In this paper, we only focus on the complexity of the sending phase and the receiving phase. We assume that the sender needs to send the e-mail to k receivers. The sender in our scheme needs k + 2 rounds of exponential operations for computing the message X in Step M3, not counting the verification of signatures. In addition, the sender needs a single one-way hash function operation and one signature computation. The computation of the digest of the e-mail content is counted as one round of one-way hash function operation. We summarize the computation cost of PGP, of the schemes by Sun et al., Lin et al., Kim et al., and Chang et al., and of our scheme in Table II. "E", "S", and "R" denote the e-mail server, the sender, and one of the receivers, respectively. Table II shows that our scheme only needs to sign the short-term session key once, compared with the schemes by Sun et al., Kim et al., and Chang et al.

5. CONCLUSIONS

We propose a secure multicast key protocol for e-mail systems to deal with the computation complexity and the security problems of transmitting a sensitive electronic mail to a group of users. Our scheme utilizes the CRT to encapsulate the key materials of the short-term session key into a single transmission. Therefore, the distribution of the short-term session key is similar to the original operations in present e-mail protocols. An e-mail sender can save the computation cost and time delay of signing the short-term session key. Via the security analysis, we showed that our scheme can satisfy perfect forward secrecy. In addition, our scheme can resist unknown key-share attacks, replay attacks, e-mail server impersonation attacks, forgery attacks, and insider attacks. We analyzed the computation complexity of our scheme and compared it with the previously proposed schemes [9–11,7,12]. The result showed that our scheme prevents redundant computation compared with the other schemes. With the increase of applications on e-mail systems, the security challenges of multicasting electronic mail are unavoidable. Our scheme can ensure the authentication and confidentiality of group transmission in electronic mail systems and satisfy other requirements in the real world.

Table II. Computation comparison of the e-mail security protocols.

Scheme                       Entity   Modular exponential   Signing a signature   Verify a signature   One-way hash operation
PGP [7]                      E        0                     0                     k                    0
                             S        0                     0                     k                    0
                             R        0                     0                     1                    0
Scheme by Sun et al. [12]    E        0                     0                     k                    0
                             S        k                     k                     k                    k
                             R        1                     1                     1                    1
Scheme by Lin et al. [11]    E        k                     k                     k                    0
                             S        k                     k                     k                    k
                             R        k                     1                     1                    1
Scheme by Kim et al. [10]    E        2k                    0                     k                    0
                             S        k                     k                     0                    0
                             R        2                     0                     1                    0
Scheme by Chang et al. [9]   E        4k                    0                     0                    k
                             S        k                     0                     0                    k
                             R        1                     0                     0                    0
Our scheme                   E        0                     0                     k                    0
                             S        k                     1                     k                    1
                             R        1                     1                     1                    0

PGP, Pretty Good Privacy. E: e-mail server. S: sender. R: receiver. k: number of users receiving the e-mail.

ACKNOWLEDGEMENTS

This work was supported in part by Asia University, Taiwan, under Grant 100-asia-34 and also by the National Science Council, Taiwan, China, under Grant NSC992221-E-468-011.

REFERENCES

1. Basagiannis S, Petridou S, Alexiou N, Papadimitriou G, Katsaros P. Quantitative analysis of a certified e-mail protocol in mobile environments: a probabilistic model checking approach. Computers & Security 2011; 30:257–272.
2. Fujisaki E, Okamoto T. Secure integration of asymmetric and symmetric encryption schemes. In Advances in Cryptology – CRYPTO'99, LNCS, Vol. 1666. Springer-Verlag, 1999; 537–554.
3. Atkins D, Stallings W, Zimmermann P. PGP Message Exchange Formats. Internet Draft, 1995.
4. Balenson D. Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers. RFC 1423, 1993.
5. Galvin J, Murphy G, Crocker S, Freed N. MIME Object Security Services. RFC 1848, 1995.
6. Elkins M. MIME Security with Pretty Good Privacy (PGP). Internet Draft, 1995.
7. Schneier B. E-mail Security with PGP and PEM: How to Keep Your Electronic Mail Private. John Wiley & Sons, Inc.: Toronto, 1995.
8. Menezes AJ, Van Oorschot PC, Vanstone SA. Handbook of Applied Cryptography. CRC Press, 1997.
9. Chang C-C, Wu Y-C, Chang S-C. A novel e-mail protocol using three-party password-authenticated key exchange. In Proceedings of the International Conference on Security Technology (SECTECH'08), December 2008; 150–154.
10. Kim B, Koo J, Lee D. Robust e-mail protocols with perfect forward secrecy. IEEE Communications Letters 2006; 10(6):510–512.
11. Lin I-C, Lin Y-B, Wang C-M. An improvement on secure e-mail protocols providing perfect forward secrecy. In Proceedings of the 9th Joint Conference on Information Science (JCIS), Kaohsiung, Taiwan, October 2006; 697–700.
12. Sun H-M, Hsieh B-T, Hwang H-J. Secure e-mail protocols providing perfect forward secrecy. IEEE Communications Letters 2005; 15(8):58–60.
13. Abadi M, Glew N, Horne B, Pinkas B. Certified email with a light on-line trusted third party: design and implementation. In Proceedings of the 11th International World Wide Web Conference, Honolulu, Hawaii, USA, 2002; 387–395.
14. Zhou J. On the security of a multi-party certified email protocol. Lecture Notes in Computer Science 2004; 3269:277–280.
15. Diffie W, Hellman ME. New directions in cryptography. IEEE Transactions on Information Theory 1976; IT-22(6):644–654.
16. Bao F, Deng RH, Mao W. Efficient and practical fair exchange protocols with off-line TTP. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 1998; 77–85.
17. Dent AW. Flaws in an e-mail protocol of Sun, Hsieh, and Hwang. IEEE Communications Letters 2005; 9(8):718–719.
18. Phan RC-W. Cryptanalysis of e-mail protocols providing perfect forward secrecy. Computer Standards & Interfaces 2008; 30(3):101–105.
19. Yoon EJ, Yoo KY. Cryptanalysis of robust e-mail protocols with perfect forward secrecy. IEEE Communications Letters 2007; 11(5).
20. Kwon JO, Jeong IR, Sakurai K, Lee DH. Efficient verifier-based password-authenticated key exchange in the three-party setting. Computer Standards & Interfaces 2007; 29(5):513–520.
21. Rivest RL, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 1978; 21(2):120–126.
22. Shamir A. Identity-based cryptography and signature schemes. In Proceedings of the International Conference on Advances in Cryptology (CRYPTO'84), August 1984; 47–53.