Future Generation Computer Systems 20 (2004) 315–326
Design and implementation of secure e-mail system using elliptic curve cryptosystem

Wongoo Lee*, Jaekwang Lee

Abstract

In this paper, we design and implement a secure mail system using elliptic curve cryptosystems (ECCs) to provide the highest cipher strength as well as security services such as message origin authentication, content integrity, and content confidentiality. Naturally, the security of the system rests on the difficulty of the discrete logarithm problem over elliptic curves.

© 2003 Elsevier B.V. All rights reserved.

Keywords: Elliptic curve; Cryptosystem; Secure mail system
1. Introduction

Recently, an attacker can sniff the content of e-mail with sniffing programs even without obtaining root permission. Another vulnerability of mail systems is that they use non-secure transfer protocols (e.g., SMTP and POP3) and message security protocols (e.g., PEM, PGP, and S/MIME) that the authors regard as non-secure. Without secure protocols, a message transmitted over the network may be read or forged with simple operations. Consequently, traditional mail systems have needed to provide security services, including message encryption, content integrity, message origin authentication, and non-repudiation, as well as a user-driven interface, by applying a public key algorithm, a hash algorithm, a digital signature algorithm, and an encryption/decryption algorithm. In addition, there is a basic problem: the algorithms used in commercial mail security solutions do not provide complete security services and are not fast at encrypting/decrypting, signing, and verifying. In this paper, we design and implement a secure mail system using elliptic curve cryptosystems (ECC) to provide the highest cipher strength and fast speed [2].

* Corresponding author. E-mail addresses: [email protected] (W. Lee), [email protected] (J. Lee).
2. Related researches

2.1. Message Security Protocol

Message Security Protocols include PEM, PGP, and S/MIME v2. PEM is a message encryption and authentication procedure intended to provide privacy-enhanced mail services for electronic mail transfer in the Internet. PEM is intended to be compatible with a wide range of key management approaches, including both symmetric and asymmetric approaches for encryption of data encrypting keys. Use of symmetric cryptography for message text encryption and/or integrity check computation is anticipated. PGP is a remarkable phenomenon: it provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. S/MIME v2 is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security.

0167-739X/$ – see front matter © 2003 Elsevier B.V. All rights reserved. doi:10.1016/S0167-739X(03)00147-X
2.2. Elliptic curve cryptosystem

A main feature that makes EC attractive is the relatively short operand length compared with RSA and with systems based on the discrete logarithm in finite fields. Cryptosystems that exploit the discrete logarithm problem over an elliptic curve (EC) can be built with an operand length of 150–200 bits. IEEE and other standard bodies such as ANSI and ISO are in the process of standardizing ECCs. It is either necessary or desirable for an entity using an EC public key to receive an assurance that the public key is valid, that is, that it satisfies the arithmetic requirements of an EC public key, either to prevent malicious insertion of an invalid public key from enabling certain attacks such as small subgroup attacks, or to detect inadvertent coding or transmission errors [4]. ECCs can provide various security services such as key exchange, content confidentiality through encryption, and sender’s authentication and message integrity through digital signatures.

3. Design of secure e-mail system

3.1. Key exchange model

We implement a secure and fast key exchange model using the ECDH (EC Diffie-Hellman) algorithm. The key exchange model is designed to be used by two entities, an entity A and an entity B, as shown in Fig. 1, when A and B want to establish shared keying data that can be used to control the operation of a symmetric cryptographic scheme. A and B use the scheme as follows. First, A and B use the setup procedure to establish which options are to be used in the scheme; then they use the key deployment procedure to select key pairs and exchange public keys. Finally, when A and B want to establish keying data, they each run the key agreement operation. After A and B run the key agreement operation with the corresponding keys as inputs, they obtain the same keying data.
Fig. 1. Key agreement model using ECDH.
3.2. Cryptographic model

3.2.1. Digital signature model

The security of the digital signature model relies on the difficulty of the elliptic curve discrete logarithm problem on the EC parameters being used; otherwise an attacker may be able to recover a signer’s secret key from the signer’s public key and use this information to forge the signer’s signature on any message. The key generation procedure of ECDSA is as follows [4]. Fig. 2 shows a signature model using ECDSA.

[ECDSA Key Generation] To generate A’s keys, A does the following:
1. Select an elliptic curve E defined over Z_p.
2. Select a point P ∈ E(Z_p) of order n.
3. Select a random or pseudorandom integer d in [2, n − 2].
4. Compute Q = dP.
5. A’s public key is (E, P, n, Q); A’s private key is d.

[ECDSA Signature Generation] To sign a message m, A does the following:
1. Select a random or pseudorandom integer k, 1 ≤ k ≤ n − 1.
2. Compute kP = (x1, y1), convert x1 to an integer x̄1, and compute r = x̄1 mod n.
3. If r = 0 then go to step 1.
4. Compute k^−1 mod n.
5. Compute s = k^−1 {h(m) + dr} mod n (h: SHA-1).
6. If s = 0 then go to step 1.
7. A’s signature for the message m is (r, s).

[ECDSA Signature Verification] To verify A’s signature on m, B does the following:
1. B obtains an authentic copy of A’s parameters (E, P, n, Q).
2. Verify that r and s are integers in the interval [1, n − 1].
3. Compute w = s^−1 mod n and h(m).
4. Compute u1 = h(m)w mod n and u2 = rw mod n.
5. Compute u1P + u2Q = (x0, y0) and ν = x0 mod n.
6. Accept the signature if and only if ν = r.

Key generation is involved in both the key deployment procedure and the signing operation of ECDSA. Secure random number generation is required during key generation to prevent the attacks that become possible when a signer selects a predictable secret key. Insecure random number generators are perhaps the most common cause of cryptographic attacks on cryptographic systems [4].

Fig. 2. Signature model using ECDSA.

3.2.2. Message encryption/decryption model

A public key encryption model is designed to be used by two entities, a sender A and a receiver B, when A wants to send a message M to B confidentially and wants B to recover M. First, A and B use the setup procedure to establish which options the scheme is used with; then A uses the key deployment procedure to select a key pair and obtain B’s public key. A will use B’s public key to control the encryption procedure, and B will use its key pair to control the decryption operation. Then, each time A wants to send a message M to B, A applies the encryption operation to M under B’s public key to compute an encrypted message C of M and conveys C to B. Finally, when B receives C, B applies the decryption operation to C under its key pair to recover the message M. The encrypted message consists of an encrypted session key, an encrypted message, and a digital signature. Fig. 3 depicts the message encryption procedure.
1. Using the Rijndael algorithm and the sender’s session key, encrypt the message.
2. Using the EC-ElGamal algorithm, encrypt the Rijndael session key (selected EC information).
3. Using the HAS160 algorithm, input the message and obtain a message digest, then sign the digest with the ElGamal-type signature algorithm (ECDSA).
The received message is decrypted in reverse order:
1. Using the EC-ElGamal algorithm, decrypt the Rijndael session key (selected EC information).
2. Using the Rijndael algorithm and the decrypted Rijndael session key (selected EC information), decrypt the encrypted data.
3. Using the HAS160 algorithm and the decrypted data, obtain a message digest and verify the signature value with ECDSA.

Fig. 3. Encryption model with Rijndael.
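The following Python program is an added worked example; it is not code from the paper or from its CipherMail implementation (which is written in Java). It walks through the procedures of Sections 2.2, 3.1 and 3.2.1 on a real-size curve: public key validation (the point is not infinity, lies on the curve, and satisfies nQ = O, which is the assurance Section 2.2 asks for against invalid-point and small subgroup inputs), ECDH key agreement in which both entities derive identical keying data, and ECDSA key generation, signing and verification including the r = 0 and s = 0 retries and the [1, n − 1] range check. The curve (secp256k1), the derivation of keying data as SHA-1 of the shared x-coordinate, and the use of the secrets module as the random source are assumptions of the example that the paper does not specify; SHA-1 as h() follows the paper, although a current deployment would use SHA-256 or stronger.

```python
# Added example (not the paper's code): ECDH key agreement, EC public-key validation
# and ECDSA sign/verify following Sections 2.2, 3.1 and 3.2.1.  Pure Python 3.8+.
# Assumptions: curve secp256k1; keying data = SHA-1(shared x); h() = SHA-1 as in the paper.
import hashlib
import secrets

# Domain parameters (E, P, n): E: y^2 = x^3 + ax + b over Z_p, P a base point of prime order n.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a, b = 0, 7
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
O = None  # the point at infinity

def on_curve(Q):
    """True if Q is an affine point satisfying the curve equation mod p."""
    if Q is O:
        return False
    x, y = Q
    return 0 <= x < p and 0 <= y < p and (y * y - (x ** 3 + a * x + b)) % p == 0

def add(Q1, Q2):
    """Group law on E(Z_p): handles infinity, inverse points and doubling."""
    if Q1 is O:
        return Q2
    if Q2 is O:
        return Q1
    (x1, y1), (x2, y2) = Q1, Q2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # Q2 = -Q1
    if Q1 == Q2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, Q):
    """Scalar multiplication kQ by double-and-add."""
    R = O
    while k > 0:
        if k & 1:
            R = add(R, Q)
        Q = add(Q, Q)
        k >>= 1
    return R

def validate_public_key(Q):
    """Section 2.2 assurance: Q is not infinity, is on the curve, and nQ = O."""
    return Q is not O and on_curve(Q) and mul(n, Q) is O

def generate_keypair():
    """Key deployment: private d in [2, n-2] (the paper's range) from a CSPRNG, public Q = dP."""
    d = 2 + secrets.randbelow(n - 3)
    return d, mul(d, P)

def ecdh_keying_data(d_own, Q_peer):
    """Key agreement operation (Section 3.1): both sides compute d_A d_B P and hash its x."""
    if not validate_public_key(Q_peer):
        raise ValueError("peer public key failed validation")
    x, _ = mul(d_own, Q_peer)
    return hashlib.sha1(x.to_bytes(32, "big")).digest()  # derivation is an assumption

def h(m):
    """h(m): SHA-1 of the message as an integer (160 bits < n, so no truncation needed)."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big")

def sign(d, m):
    """ECDSA signature generation, steps 1-7 of Section 3.2.1."""
    while True:
        k = 1 + secrets.randbelow(n - 1)          # step 1: fresh k in [1, n-1] from a CSPRNG
        x1, _ = mul(k, P)                         # step 2: kP = (x1, y1), r = x1 mod n
        r = x1 % n
        if r == 0:                                # step 3: retry
            continue
        s = pow(k, -1, n) * (h(m) + d * r) % n    # steps 4-5
        if s == 0:                                # step 6: retry
            continue
        return (r, s)                             # step 7

def verify(Q, m, sig):
    """ECDSA signature verification, steps 1-6 of Section 3.2.1."""
    r, s = sig
    if not (1 <= r <= n - 1 and 1 <= s <= n - 1):  # step 2: range check
        return False
    if not validate_public_key(Q):                 # step 1: the parameters must be valid
        return False
    w = pow(s, -1, n)                              # step 3
    u1, u2 = h(m) * w % n, r * w % n               # step 4
    X = add(mul(u1, P), mul(u2, Q))                # step 5
    return X is not O and X[0] % n == r            # step 6

if __name__ == "__main__":
    d_a, Q_a = generate_keypair()
    d_b, Q_b = generate_keypair()
    print("same keying data:", ecdh_keying_data(d_a, Q_b) == ecdh_keying_data(d_b, Q_a))
    print("signature valid:", verify(Q_a, b"sample", sign(d_a, b"sample")))
```

Two design choices are worth noting. The verifier validates Q before using it, so a malformed public key (not on the curve, or outside the order-n subgroup) is rejected rather than silently processed; and every k comes from the operating system CSPRNG, which is the "secure random number generation" requirement the paper attaches to key generation and signing.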
3.3. Verification model for delivery

As shown in Fig. 4, the message origin is able to verify the delivery of the transmitted message to the legitimate receiver. For the digital signature, HAS160 and ECDSA are used. The scheme is designed not to be existentially forgeable, even in the presence of an adversary capable of launching chosen-message attacks. Here, the ECDSA signature scheme is designed to be used by two entities, a signer A (user agent) and a verifier B (user agent), when A wants to send a message M in an authentic manner and B wants to verify the authenticity of M. A and B use the scheme as follows when they want to communicate. First, A and B use the setup procedure to establish which options the scheme is used with; A uses the key deployment procedure to select a key pair, and B obtains A’s public key. A will use the key pair to control the signing operation, and B will use the public key to control the verifying operation.
Fig. 4. Verification model structure for delivery.
Then each time A wants to send a message M, A should apply the signing operation to M under its key pair to obtain a signature S on M, form a signed message from M and S, and convey the signed message to B. Finally when B receives the signed message, B should apply the verifying operation to the signed message under A’s public key to verify its authenticity.
4. Secure e-mail system testing

4.1. Testing components

The proposed secure e-mail system is provided in the form of an e-mail client. The major components are the CipherMail class, for message encryption/decryption and certification of delivery, and the Message class, for storing and managing mail messages. Because the system is implemented as an e-mail client, it is easy to install on a conventional Internet e-mail system, and no change is needed in the MTA. Fig. 5 shows the classes of the CipherMail application module, including the CipherMail class module.
First, the Composer class is the window used to create new messages. It is a subclass of Frame and contains member variables representing each of its controls. The Composer class also contains a reference back to the secure mail instance that created it. When the new message is finished, the Composer asks the secure mail instance to send the message. When a Composer is created, it simply sets up its GUI using setupWindow() and wireEvents(), which will be described later. There is only one button on the Composer window, the Send button. When it is pressed, the Composer constructs a new Message and tells the secure mail object to send it. The Composer window then dismisses itself by calling dispose(). Second, the CipherMail class contains both the main GUI for the application and all the logic for encrypting and decrypting messages. As we walk through the class, we skim over the GUI implementation and spend more time on the cryptography. CipherMail’s constructor sets up the GUI for the window and loads the indicated preferences file. This class is the main application window for managing the e-mail message list and displaying the contents of an e-mail message.
Fig. 5. Cipher e-mail system module structure.
This class also performs encryption, decryption, and certification of delivery when the Composer class requests it. Third, the key generation/management class, KeyManager, generates two ECDSA key pairs, one for digital signatures and the other for session key exchange, and manages the public keys of legitimate receivers.

4.2. Testing results

As shown in Fig. 6, the left part of the window contains a list of received messages, while the right part can display one of them at a time. As messages are selected in the left list, they are displayed in the right panel.
4.2.1. Creating and sending message

An e-mail message can be sent in three modes: (1) normal e-mail transfer, (2) e-mail transfer with digital signature and message encryption, and (3) mode 2 plus certification of delivery. Users are required to select one of the three e-mail transfer modes. In this case, the user selects mode 3, using certification of delivery. To create a new message, press the ‘Compose’ button. This pops up the composition window, shown in Fig. 6. It contains fields for entering the receiver’s e-mail address and the subject of the e-mail. The third field, labeled ‘Crypto Key’, is used to choose the key name of the intended receiver. Secure mail uses this name to find a public key in your key file. When the message writing is done, clicking the ‘Send’ button causes secure mail to encrypt the message body and send the message to its destination, as in Fig. 6. Fig. 7 shows the encrypted message and the signed message for the source message. The previous section showed the source of the session key encryption, the message encryption, and the electronic signature, and also described the process of encryption and electronic signing.

Fig. 6. Creating a new message.

Fig. 7. Encrypting and signing message.

4.2.2. Verifying delivery and signature

The e-mail client of the legitimate receiver receives messages and verifies digital signatures. Fig. 8 shows the result of a digital signature verification. The receiver’s e-mail client implicitly performs the certification of delivery, and the result of this operation goes back to the e-mail client of the message origin. The main operation is an acknowledgement of delivery from the legitimate receiver’s e-mail client. To get mail, press the ‘Get’ button. Secure mail connects to the receiver’s POP3 server and retrieves the mail. The subject line of each message is displayed in the left part of the main window. To view a particular message, click on its subject; the text of the message is displayed in the right part of the window. Normal messages are shown directly. Encrypted messages will be decrypted
and displayed together with the result from a delivery verification dialog box, as in Fig. 8. That is, the sender’s e-mail client implicitly performs the delivery verification of the received message.

Fig. 8. Delivery and signature verification of received message.

4.3. Comparison of other e-mail systems

Recently, commercial mail security solutions provide security services such as message origin authentication, content integrity, content confidentiality, and non-repudiation of origin by applying the SEED (128 bit)/Triple-DES (128 bit)/RC2 algorithms, the KCDSA/RSA (1024 bit) public key algorithms, the SHA-1/MD5 hash algorithms, and the DSA signature algorithm; they also support digital signatures interoperable with X.509-based digital certificates and the Native, RMI, HTTP, and SMTP protocols for integration with other systems. However, the algorithms used in commercial mail security systems have a serious drawback: they do not provide complete security services, and their cryptography is not fast compared with ECC. That is, there is a great difference between the performance of the algorithms that encrypt/decrypt and sign data in such a security mail system infrastructure and the algorithms used in the proposed security mail system infrastructure. Key exchange algorithms, which are needed to authenticate messages and users, are difficult. The following tables, figures, and descriptions compare each module and each algorithm used in customized e-mail products and in the secure e-mail system based on ECCs.

First, a useful characteristic of the signature module using ECDSA can be seen from Table 1, which contains the original measurement data. The performance of ECDSA scales linearly with the key length, even up to key lengths not provided by DSA. These key lengths can provide security which, in the current understanding, is unbreakable in the foreseeable future. A field size of 256 bits is, security-wise, comparable to a symmetric key of 128 bits or a DSA key of 2034 bits [17]. Another convenient characteristic of our implementation of ECDSA is that it uses a predefined curve for all its operations. Therefore, even the first key generation is as fast as the subsequent ones, as shown in Fig. 9. The Sun DSA implementation, however, has to create the primes required for the keys during the first key generation. The execution time of a prime generation varies considerably, but it is not uncommon to experience a prime generation hundreds of times slower than the actual key generation, as found in experiments running on an Intel Pentium III with an 800 MHz clock frequency. Therefore, if the total number of keys created is very small, it is possible that the total time for creating key pairs and signing documents is already shorter with the current ECDSA implementation than with DSA, as shown in Fig. 9 [18].

Table 1
Comparison of ECDSA to other signature algorithms (time in ms unless otherwise indicated)

Operation                    | GF(p) | GF(2^n) | RSA  | DSA
Key generation               | 5.5   | 11.7    | 1 s  | 7
Signing                      | 6.3   | 11.3    | 43.3 | 7
Verifying                    | 26    | 60      | 0.65 | 28.3
General point multiplication | 21.1  | 56      | –    | –

Table 2 illustrates the difficulty of the ECC. It contains estimates, in MIPS years, of the computing power required to solve the ECC on a general curve in software using the improved Pollard-rho method. To place Table 2 in context, Odlyzko has estimated that 0.1% of the world’s computing power working for 1 year will amount to 10^8 MIPS years in 2004, and 10^10 or 10^11 MIPS years in 2014. Table 2 is reproduced from ANSI X9.62; more details on how the estimates were obtained can be found there. For the timings in Table 1, the EC field size is approximately 191 bits; the modulus for RSA is 1024 bits long and the RSA public exponent is 3. All times are in ms unless otherwise indicated [20].

Table 2
Comparing EC and RSA

Key length of EC (bit) | Key length of RSA (bit) | MIPS years
160                    | 1024                    | 10^12
320                    | 5120                    | 10^36
600                    | 21000                   | 10^70
1200                   | 120000                  | 10^100

Fig. 9. The running time of ECDSA at different field lengths (in bits) compared to the performance of 1024 bit DSA by experiments.

In Table 3, we also provide a comparison between the speeds that ECCs can attain and the speeds of other algorithms such as the Diffie-Hellman key exchange over prime fields. It is assumed that both algorithms are running on an Intel Pentium III with an 800 MHz clock frequency (Fig. 10). It is important to point out that the Diffie-Hellman key exchange times over prime fields are not estimates but the timings reported in [Bea96]. The EC key exchange algorithm outperforms the Diffie-Hellman algorithm for both the 512 and 1024 bit modulus. Note also that the times reported in Table 3 are average times, since each key exchange depends on the specific exponent used. Finally, notice that the EC was provided at the same level of security as a Diffie-Hellman key exchange with 1200 bits, so the time improvement obtained with ECs is even more dramatic [20]. As the preceding figures show, an EC algorithm with a much shorter key length can be substituted while keeping the cryptography strong.

Table 3
Time comparison for key exchange algorithms: modulo arithmetic vs. ECs over the field GF((2^16)^11)

Algorithm | Key exchange time (s) | Finding points with high orders (s)
DH 512    | 1.16                  | –
DH 1024   | 8.62                  | –
EC 176    | 0.246                 | 0.533

Fig. 10. The running time of EC-ElGamal at different field lengths (in bits) compared to the performance of 1024 bit RSA by experiments.
5. Conclusion

In order to protect against these attacks, secure e-mail systems are required to provide security services such as message encryption/decryption, content integrity, and non-repudiation, as well as a user-driven interface, and they also need to guarantee a higher speed of cryptography with high cipher strength. Thus, we propose a mail security system based on ECCs which can solve the above problems. Since EC has a relatively short operand length compared with RSA systems and systems based on the discrete logarithm in finite fields, it can provide various services such as secure key exchange, content confidentiality through encryption/decryption, and sender’s authentication and message integrity through digital signatures. It also provides the highest cipher strength compared with other systems and the highest speed for encrypting/decrypting, signing, and verifying mail messages. As it stands now, secure mail systems furthermore strike a balance between the security of authenticated, confidential e-mail messages and the convenience of standard Internet e-mail protocols and infrastructure [1]. In the future, EC public key cryptosystems will be well on their way to being a serious alternative to older public key cryptosystems, in particular RSA systems. They will be implemented efficiently and have a number of advantages that can make them the best choice for a range of applications.

For further reading

The following references may also be of interest to the readers: [3,5–16,19].
References

[1] J. Knudsen, Java Cryptography, O’Reilly, 2002.
[2] Sun Microsystems, Java 3 SDK, Standard Edition Documentation, 2002.
[3] S. Oaks, Java Security, O’Reilly, 2000.
[4] Certicom Research, SEC1: Elliptic Curve Cryptography, 2001.
[5] E.R. Harold, Java Network Programming, O’Reilly, 2000.
[6] B. Schneier, Applied Cryptography, Wiley, New York, 2001.
[7] J. Zhou, D. Gollmann, A fair non-repudiation protocol, in: Proceedings of the 1996 IEEE Symposium on Security and Privacy, 1996.
[8] J. Zhou, D. Gollmann, Observations on non-repudiation, in: Proceedings of ASIACRYPT’96, Springer, Berlin, 1996.
[9] S.T. Kent, Internet privacy enhanced mail, CACM 36 (3) 1993.
[10] S.T. Kent, An overview of Internet privacy enhanced mail, in: Proceedings of INET’93, June 1993.
[11] P. Zimmermann, in: PGP User’s Guide, Phil’s Pretty Good Software, 1994 of PGP-based WWW Mail System, Proceedings of Autumn Conference of Korean Information Science Society, vol. 24, No. 2, 1997.
[12] Y. Choi, W. So, Y. Lee, Network Security, GreenPublish, 2001.
[13] J. Hong, Y. Yoon, D. Kim, Analysis of e-mail system protection methods, J. Korean Inst. Inform. Security Cryptogr. 4 (2) (1994) 6.
[14] H. Cho, B. Kim, J. Lee, Design of A Secure e-mail System, Hannam University, 1998.
[15] C. Park, Survey of e-mail systems for certification of delivery and contents, J. Korean Inst. Inform. Security Cryptogr. 7 (2) (1997) 6.
[16] N. Borenstein, S/MIME (Secure Multipurpose Internet Mail Extensions), Version 2, RFC 2311, 2312.
[17] ANSI Working Draft of X9.62-1998, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), April 1998.
[18] Y. Kortesniemi, Implementing elliptic curve cryptosystems in Java 1.2, 1999.
[19] E. De Win, B. Preneel, Elliptic curve public key cryptosystems—an introduction, 1998.
[20] J. Guajardo, Efficient algorithms for elliptic curve cryptosystems, May 1997.
WonGoo Lee received his BS and MS degrees in computer engineering from Hannam University in 2000 and 2002, respectively. Currently, he is a doctoral student in the Information Technology Department at Hannam University. His research interests include network management, network security, cryptography, and Java security. His most recent research has focused on the areas of active network and Grid middleware security.
JaeKwang Lee received his BS, MS and PhD degrees in computer science from Kwangwoon University in 1984, 1986, and 1993, respectively. Currently, he is a Professor in the Computer Engineering Department at Hannam University and has also served as the Director of the Office of Academic Information. He has been a Visiting Professor at the University of Alabama. His research interests include information security, system security, network management, and Java security. His most recent research has focused on the areas of active network security, Grid middleware security, and secure operating systems. He has also served as a WISA 2002 and ICAT 2003. He has been an advisory committee member for ISRD (information security research division) in ETRI since 2000.