PriviPK: Certificate-less and secure email communication

Mashael Alsabah, Alin Tomescu, Ilia Lebedev, Dimitrios Serpanos, Srini Devadas

Research output: Contribution to journalArticle

2 Citations (Scopus)

Abstract

We introduce PriviPK, an infrastructure that is based on a novel combination of certificateless (CL) cryptography and key transparency techniques to enable e2e email encryption. Our design avoids (1) key escrow and deployment problems of previous IBC systems, (2) certificate management, as in S/MIME, or participation in complicated Web of Trust, as in PGP, and (3) impersonation attacks because it relies on key transparency approaches where end users verify their identity and key bindings. PriviPK uses a new CL key agreement protocol that has the unique property that it allows users to update their public keys without the need to contact a third party (such as a CA) for the recertification process, which allows for cheap forward secrecy and key revocation operations. Furthermore, PriviPK uniquely combines important privacy properties such as forward secrecy, deniability (or non-deniability if desired), and user transparency while avoiding the administrative overhead of certificates for asynchronous communication. PriviPK enables quick bootstrapping of shared keys among participating users, allowing them to encrypt and authenticate each other transparently. We describe an implementation of PriviPK and provide performance measurements that show its minimal computational overhead. We also describe our PriviPK-enabled e2e secure email client, a modification of The Nylas Mail, 2015 email client.

Original languageEnglish
Pages (from-to)1-15
Number of pages15
JournalComputers and Security
Volume70
DOIs
Publication statusPublished - 1 Sep 2017

    Fingerprint

Keywords

  • Application of key transparency
  • Certificateless cryptography
  • Confidentiality
  • End-to-end secure email
  • Key agreement

ASJC Scopus subject areas

  • Computer Science(all)
  • Law

Cite this