UCE - a simpler approach using just digital signing?
Ray Dillinger
bear at sonic.net
Fri Jan 30 16:47:23 EST 2009
I have a disgustingly simple proposal. It seems to me that one
of the primary reasons why UCE-limiting systems fail is the
astonishing complexity of having a trust infrastructure
maintained by trusted third parties or shared by more than
one user. Indeed, "trusted third party" and "trust shared by
multiple users" may be oxymorons here. Trust, by nature, is
not really knowable by any third party, not the same for any
set of more than one user, and in fact the people most willing
to pay for it at least where UCE is concerned, experience shows
to be usually the _least_ trustworthy parties.
So why hasn't anybody tried direct implementation of user-
managed digital signatures yet?
A key list maintained by individual recipients for themselves
alone could be astonishingly simpler in practice, probably
to the point of actually being practical.
In fact, it is _necessary_ to eliminate third parties and
shared infrastructure almost entirely in order to allow mail
recipients to have the kind of fine-grained control that
they actually need to address the problem by creating
social and business feedback loops that promote good security.
As matters stand today, there is no protection from UCE.
If I know there is a user account named 'fred' on the host
'example.com', then I have an email address and I can send
all the UCE I want. And poor fred has the same email address
he gives everybody, so he gets spam from people who've gotten
his address and he has no idea where they got it. All his
legitimate correspondents are using the same email address,
so he can't abandon it without abandoning *all* of them,
and he doesn't know which of them gave his address to the
spammers. What if email accounts weren't that simple?
Consider the implications of a third field, or "trust token,"
which works like a "password" to fred's mail box. Your
mailer's copy of fred's email address would look like
"fred#token at example.com" where "token" was a field that
was your own personal password to fred's mailbox. Your
system would still send mail to "fred at example.com" but
it would include a "Trust:" header based on the token.
The simplest solution I can think of would be a direct
application of digital signatures; the trust token would
be (used as) a cryptographic key, and the headers of any
message would have to include a "Trust" field containing a
digital signature (a keyed cryptographic hash of the message,
generated by that key). Messages to multiple recipients
would need to contain one "Trust" field per recipient.
Its use would follow simple rules:
Each time Fred gives out his email address to a new sender,
he creates a trust token for that sender. They must use it
when they send him mail. So fred gives his bank a key when
he gives them his email address. If fred were willing to
recieve mail from strangers, he could publish a trust token
on his webpage or on usenet or whatever - it would be painless
to revoke it later, so why not? If fred trusted someone to
give out his email address, he could give that person multiple
trust tokens to pass along to others. Again, an error in
judgement would be painless to revoke later.
Fred can revoke any trust token from his system at any time,
and does so whenever he gets spam with a trust token he issued.
In UI terms there'd be a button in his mail reader that works
as, "this message is spam, so revoke this trust token because
now a spammer has it." Other messages sent with the same
trust token would disappear from his mailbox instantly. Fred
might not push this button every time, but at least he'd know
what spam he was getting due to (say) his published trust token
on his webpage or usenet, and what spam he was getting due to
his relationship with a bank, and he'd have the option of
turning any source of spam off instantly.
In the short run the .aliases file on the mail host would need
a line so it would know to deliver mail to "fred#anything at example.com"
to fred. This is not because a legitimate email would ever include
the literal key, but for purposes of alerting fred's MUA to protocol
breaches, so it could do key management. Fred's MUA could then
be upgraded to use tokens without affecting other users on the
system. In later MDA's that handle trust tokens directly,
this forwarding would be automatic.
Whenever Fred gets email sent by someone using a trust token,
his system tells him which token - ie, what sender he gave
that trust token to. So email sent to fred using the trust
token he gave his bank will show up in his mailbox under a
heading that says "this was sent by someone using the trust
token you gave your bank."
Whenever fred gets email for "fred#token at example.com" and that's
still a legitimate token, his system revokes the token, sends him
an automatic note that says which trust token was revoked, and
bounces the email with a message that says,
"Your mailer is not using trust tokens. Your mail has not been
delivered and the trust token you used has been automatically
revoked because your mailer sent it in cleartext instead of using
it correctly. Please update your mailer and contact fred via
some other channel to obtain a new trust token."
Whenever fred gets email for "fred#token at example.com" and it's not
a legitimate token anymore, it bounces with the same message, but
doesn't generate another note to fred. Fred can see the status of
all his tokens (live or revoked) when he looks at his address book.
Whenever Fred gets email with no trust token, his system bounces
it with a message that says
"Contact fred using some other means to get a trust
token for email."
Whenever Fred gets email with a revoked trust token, his system
bounces it with a message that says,
"Sorry, this token is known to have been compromised; if
you're a legitimate sender then either you've sent mail
using a mailer that doesn't handle trust tokens correctly
or somehow a spammer has read your email database. If
you are a legitimate sender and you've updated your mailer,
repaired your data security, or stopped selling your mailing
list to spammers, whichever is applicable to your situation,
then please contact fred using some other means to get a new
trust token."
If fred gets UCE under his bank's trust token, then he can
revoke that token, and have a few words with the bank about
their information security and how some spammer was able to
get his hands on that trust token. This would promote early
detection of breaches of information security and suborned
machines, and also rapid detection of institutions that
sell email information to spammers in violation of the
users' trust.
The bank would have a motive it now lacks to keep spammers
out of its email database; every address/token combination
used to send spam would instantly stop working, requiring
them to resort to (relatively) expensive paper mail or use
the phone in order to contact their legit customer. And if
it happens again, and again, and again, then fred is likely
to do his banking elsewhere in the future.
To me, this feedback is the invaluable missing link that
all the third-party trust and shared-trust schemes I've
seen lack. When fred maintains his own trust keyring,
both fred and the bank know where the spammer got the
trust token. Also, both of them know the other will know
where the spammer got the trust token. A spammer getting
the trust token fred gave the bank will cost the bank
money, customer goodwill, and potentially business. And
fred and the bank must have contact with each other about
it if there is still a mutual wish to reestablish email
communication.
Machines suborned by spammers would be detected instantly
because all the trust tokens would be revoked within minutes
of the spammer using them. Spammers could not share trust
tokens around to get thousands of spam delivered on each
one, because fred would revoke the token the first time he
got spam on it and all the other spam would disappear. This
would destroy spammers' motive to cooperate by selling each
other spamlists. And when fred did revoke a key, none of
his legitimate email still arriving under non-compromised
tokens would be affected. Literally *EVERY* piece of spam
would be evidence of an information security breach traceable
to a single entity that fred gave his address to, and every
time spam were recieved there would be a single action that
fred could take to stop getting spam derived from that
particular information security breach.
This is basic digital signatures; it would work. We know
how to do it. We've known how to do it for a long time.
People would need to add one field to their email information
to keep trust tokens. Everything else you could implement
in the Mail User Agents. My inner cynic says nobody's
implemented it because nobody can figure a way to make money
by selling trust when users manage their own keyrings rather
than paying a third party to manage keyrings for them. Can
anybody else think of a better reason, or are we really
just lazy greedy bums who can't be bothered to work on
something unless we can "make money fast" doing it?
Bear
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list