public-key: the wrong model for email?

Hadmut Danisch hadmut at danisch.de
Thu Sep 16 16:28:59 EDT 2004 

On Wed, Sep 15, 2004 at 11:39:25AM -0700, Ed Gerck wrote:
> 
> Yes, SSL and public-key encryption are and continue to be a success for web
> servers. However, the security model for protecting email with public-key
> cryptography seems to be backwards, technically and business wise.


Exactly. It is easy to protect web sites with SSL, but it is difficult
to protect e-mail against spam with PKC.

Why?

Because PKC works for this Alice&Bob communication scheme. If you 
connect to a web server, then what you want to know, or what 
authentication means is: "Are you really www.somedomain.com?"
That's the Alice&Bob model. SSL is good for that.

If I send you an encrypted e-mail, I do want that _you_ Ed Gerck, 
can read it only. That's still the Alice&Bob model. PGP and S/MIME
are good for that. 

If you send me an e-mail with a signature, and there is any particular
relation between you and me, where it is important for an attacker to 
pretend to be Ed Gerck and not just anyone, even that is still the 
Alice&Bob model. PGP and S/MIME still work.

But that's not the way E-Mail works in common.

E-Mail means: Anyone on this world is basically able to send 
me an e-mail. And that's not yet an attack, because that's what
I want, that's why I put my e-mail address on my web page.

This is not Alice&Bob anymore. 

This is Anyone&Bob.

The sender of an e-mail does not need to pretend beeing a particular
person or sender. Any identity of the 8 (10?) billion humans on earth
will do it. 

What does it mean if the message has a digital signature? It most
certainly means that the sender is a human from planet earth. You 
could tell the same without a signature.

PKC is good as long as the communication model is a closed and 
relatively small user group. A valid signature of an unknown sender
has at least the meaning that the sender belongs to that user group. 

But if that 'closed user group' is all mankind, then this meaning
becomes useless. A digital signature is useful only if you know the
sender of if you can tell from the signature that the sender belongs
to a closed user group (e.g. is a citizen of some jurisdiction). 

But this is not the Alice&Bob model anymore. That's not what 
PKC is good for. 



There's another problem: 

Since e-mail does not require to forge mails from a particular
identity, but from anyone, you run into the problem that there 
are plenty of unsecure keys floating around. 

When Alice keeps her key well protected, an Attacker has no 
chance.

But for E-Mail, there is not just one Alice. There are
about 500 Millions of users.

Let's imagine that everyone has a public/secret key pair. 

How many of them use a Windows Computer vulnerable to the 
latest worm collecting all secrets from their computer?
If only 0.2% of those keys were compromised, that's still 

     1 Million of secret keys 

available for spammers etc.


Let's assume that this 1,000,000 keys were compromised 
within one year. That's an average of 2,700 keys a day. 
So the attackers/spammers/phishers have 2,700 fresh keys
every day to forge e-mail, and most of the owners will 
not even realize that their key was stolen within that day. 

This is where reality and the science of cryptography differ. 

It does not work because not all attackers agree to 
play the Alice&Bob game.


regards
Hadmut







---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list