1 Secure Mail Transfer Protocol (SecMTP) Hathai Tanta-ngai, Tony Abou-Assaleh, Sittichai Jiampojamarn, and Nick Cercone, Fellow, IEEE
Abstract— Simple Mail Transfer Protocol (SMTP) is a common receives the message. Similarly, the receiver may have policies protocol for transferring email messages worldwide. SMTP is regarding the acceptance and rejection of messages based on anonymous and provides only the basic functions required to the sender’s identity. Sender authentication is important to give transfer a message, namely specifying a sender, recipients, and message text. SMTP was designed without consideration for the validity to the content of the message. security. We propose a new protocol, Secure Mail Transfer Non-repudiation prevents the sender from denying sending Protocol (SecMTP), to provide user-to-user secure email services the message. Similarly, it prevents the receiver from denying with a seamless interface with existing SMTP clients. SecMTP receiving the message. is an extension service for SMTP. The SecMTP architecture Certification means receiving credibility from a trusted third addresses the major security goals: confidedentiality, integrity, party regarding the identity of the sender and the receiver, as authentication, non-repudiation, and certification. We describe the SecMTP specifications and architecture, and compare it with well as certifying that a particular server conforms to a set of the current mail transfer technologies. security requirements for sending secure messages. A number of extension services for SMTP (ESMTP) [1] exist that attempt to partially address some of the security I. INTRODUCTION issues, such as SMTP over Transport Layer Security (TLS) Electronic mail (email) has become one of the most com- [2], and Authentication [3] service extensions. We provide an mon methods of communication in the 21st century. The main overview of these extensions in section 2. The use of these reasons behind the success of email are the wide availability, extensions is optional. Thus, they are based on best-effort ease of use, and affordability. Simple Mail Transfer Protocol and operate at the node-to-node level. They do not provide (SMTP) [1] is the primary protocol for transferring email mes- any guarantees for user-to-user level security as the message sages worldwide. As the title indicates, SMTP was designed may pass through intermediate nodes that do not support these to be as simple as possible. Thus, it incorporated only the extensions. most basic functions required to transfer a message, namely We propose a new protocol—Secure Mail Transfer Protocol specifying a sender, recipients, and message text. (SecMTP), which is an extension service for SMTP. The SMTP is anonymous by nature. It does not require the goal of SecMTP is to provide guaranted services for user- sender to authenticate itself. The protocol relies on the sender to-user security by ensuring that messages travel only through to specify to the receiver identification information. As a result, compliant secure nodes. SecMTP addresses the five security it is trivial for the sender to hide its identity. Further, the goals mentioned earlier. It uses existing extension services message is transferred from source to destination in plain whenever possible to avoid reinventing the wheel and intro- text without any protection. It is fairly simple to intercept a ducing conflicting standards, and defines new functionality for message and view its contents, as well as modify the contents the features that are not currently standardized as an SMTP and the sender identification data. In other words, security was extension service. not taken into consideration in SMTP. The rest of the paper is organized as follows. Section 2 There is an ever-growing modern communications need discusses papers, protocols, and standards related to secure for a mechanism that combines the simplicity, availability, mail transfer technologies. Section 3 introduces the Secure and affordability of email with security. There are five major Mail Transfer Protocol; its specifications, and its architecture. security goals that are significant in email communication: Section 4 compares SecMTP with the existing secure mail confidentiality, integrity, authentication, non-repudiation, and transfer technologies and discusses the advantages and the certification. Confidentiality protects a message from eaves- shortcomings of SecMTP. Section 5 summarizes our results dropping. and section 6 states our future work directions. Confidentiality is important at the level of user-to-user com- munication and at the level of node-to-node communication. II. RELATED WORK The former one guarantees that the intermediate nodes that There are many current technologies that provide the mech- are used to deliver the message from source to destination are anism to achieve some degree of security for transferring unable to access the contents of the message. The node-to- email over internet. We discuss those technologies in terms node confidentiality protects the message from eavesdropping of confidentiality and integrity, authentication, notification, while being transferred from one node to another on a network. and non-repudiation. At the end, we discuss user and web In some cases, confidentiality might not be as important as applications that provide services for secure email. integrity. The message might not contain sensitive information, though it is crucial that it is delivered untempered with. A. Confidentiality and Integrity Authentication is important for several reasons. The sender SMTP Service Extension for Secure SMTP over Transport may require assurance that only the intended receiver actually Layer Security [2] provides a mechanism for communicating 2 over a secure socket by using the Transport Layer Security honestly communicate most of the time without contacting a (TLS) Protocol Version 1.0 [4]. TLS guarantees confidentiality TTP. The sender encrypts the message with TTP’s public key and integrity of the data steam between two nodes. Server and sends it to the receiver. Then, the receiver sends its digital authentication is done by using certificates that certify the signature to the sender. Finally, the sender sends the original domain name and ownership of the server to the client. message (without encryption with TTP’s key) to the receiver. The drawback of this extension is that the message is only If the sender does not send the message after receiving the secure if all the intermediate links also use TLS. If any of digital signature, the receiver can contact TTP to decrypt the the intermediate nodes does not support the TLS extension encrypted message, at which point a notification is sent to the service, the sender does not have the ability to request that the sender, which eliminates the exploit where the receiver request message is delivered using secure connections only. Moreover, a decryption without sending a digital signature to the sender. even if the message is communicated from the sender to the TRICERT [9] is a hybrid method that combines the on-line receiver by the server using a TLS connection, the message is and the off-line approaches. It distributes the task of the TTP secured only between communication channels. At the nodes, optimistically to less trusted hosts and the TTP is contacted the massage is stored in a standard plain-text format. As a only if there is a dispute. result, this mechanism does not protect the message if the server is compromised. D. User Applications
B. Authentication Security goal can be achieved by deploying specialized user applications. Pretty Good Privacy (PGP) [10] is the most pop- SMTP Service Extension for Authentication [3] allows ular freeware and commercial application that provides email SMTP client to authenticate itself to the SMTP server, and security through plug-ins for most of the popular email clients. perform an authentication protocol exchange. This extension It uses public key cryptography and digital signatures to offer is a profile of the Simple Authentication and Security Layer confidentiality, integrity, authentication and non-repudiation of (SASL) [5]. The authentication protocol exchange consists sender. However, PGP does not have a mechanism to prove of a series of server challenges and client answers that are that the recipient read the message. specific to the authentication mechanism. This SMTP Service Privacy-Enhanced Mail (PEM) [11], [12], [13], [14] is a Extension provides the authentication between SMTP client set of standardized procedure for providing secure email. It is and SMTP server not between sender and receiver. Hence, based on public keys and signatures, as well as certificates. It there is no information for sender and receiver to ensure requires a key management system such as a centralized key the identity of each others. As a result, the authentication server (Kerberos) to manage keys or a Certification Authority is not satisfied in the user level. Moreover, this mechanism (CA) to manage certificates. PEM is also unable to provide is indicated by the user, server can not guarantee the user non-repudiation of receiver. authentication if they do not request this service.
C. Non-repudiation E. Web Applications Sender non-repudiation can be easily guaranteed by using Several web sites provide secure email service [15], [16], digital signature. If the sender signs a message, the receiver [17]. They use a combination of the TTP approach for non- can use this signature to verify and prove that the sender in fact repudiation of receiver and secure client-server communica- sent the message. However, to prove that the reader accessed a tions (HTTPS) to ensure confidentiality and integrity. The message required a trusted third party (TTP). There are three sender connects to the web site using a secure connection and scenarios for non-repudiation using TTP: on-line TTP, off- submits a message. The web site notifies the receiver of the line TTP, and hybrid systems. In the on-line TTP scenario URL where the message can be retrieved. The receiver can [6], the sender sends a message and a digital signature to be asked to provide a password in order to view the message. a TTP. The TTP requests a key and digital signature from The pitfalls of this approach lie in trusting the web site with receiver. When the receiver satisfies the request, the TTP sends the contents of the message. Also, being limited to using an the message to the receiver and a report of delivery to the Internet browser to send and receive messages is inconvenient. sender. A number of drawbacks arise in the approach. First, the TTP must always be online waiting for messages. Second, III. SECURE MAIL TRANSFER PROTOCOL TTP becomes a bottleneck since every single message from sender to receiver is sent through the TTP. And lastly, the TTP A. Overview can learn the contents of the message without authorization. SecMTP is designed to incorporate security procedures into The light on-line TTP scenario [7] addresses these issues. The SMTP while maintaining the simplicity and compatibility that sender sends an encrypted message directly to the receiver. The SMTP provides. The aim of SecMTP is to achieve the five receiver must send a digital signature to the TTP in exchange security goals of confidentiality, integrity, authentication, non- for the key to decrypt the message. TTP forwards the digital repudiation, and certification. signature to the sender. The communication channels used in the SMTP protocol The off-line TTP scenario [8] is an optimistic approach. It can be classified into user-server channels and server-server is based on the assumption that the sender and the receiver can channels. In SecMTP, the TLS is used for all the channels 3 to provide node-to-node confidentiality and integrity. User- to-user confidentiality is achieved through user public key encryption and decryption at the sending and receiving end servers. Authentication is derived from the Authentication USER Extension Service and is incorporated into the message header SecMTP Commands/ Replies as a digital signature, which also provides message and File System o Se c header integrity, and sender non-repudiation for the user-to- SecMTP client ve r MT Se c P MT user communication level. The SecMTP compliant server is P p o r t required to validate and sign the header that it adds. Both SecMTP File SecMTP server File sender and receiver non-repudiation are achieved by using one System over SecMTP port System of the TTP scenarios depending on the network structure. A SMTP client procedure based on certification by a CA is used to identify secure servers. The incorporation of security into the message transfer is transparent to the user. The user may use an existing USER SMTP email client, such as Microsoft Outlook, to send secure message. Fig. 1. SecMTP Basic Structure.
B. Assumption and Limitation We designed SecMTP’s architecture, protocol specifications, As a result of using TLS channels and authentication headers and SecMTP Extension Service to SMTP. The SecMTP com- with trusted servers, SecMTP implicitly provides the user- pliant server and client are also designed but we do not provide to-user level of confidentiality, integrity, authentication and their implementation. All SecMTP compliant servers must be sender non-repudiation. The non-repudiation on both sides is properly certified. One of TTP scenarios for non-repudiation achieved by using one of the TTP scenarios depending on the has to be implemented to achieve non-repudiation on both network structure. sides. It is assumed that the SecMTP user trusts the integrity of SecMTP provides another level of security for users to the sending and receiving end servers but not the intermediate explicitly request the SecMTP server to encrypt the message connections and nodes. with receiver public key. SecMTP can also adds a digital signature with sender private key before sending the message C. The SecMTP Architecture to TLS channel. To provide a seamless interface with users, including non-secMTP clients, the users private/public keys SecMTP architecture is based on SMTP architecture with are stored at the server machine. SecMTP server will retrieve the extension of security services. The SecMTP server is those keys for security operations with the user authentication an SMTP server which implements SMTP Extension Service mechanism such as login and password. This mechanism for Secure Mail Transfer Protocol (SecMTP). The SecMTP protects a message in the server and intermediate nodes. client is an SMTP client that supports SecMTP options. Digital signature with sender private key provides higher level SecMTP server provides services for non-SecMTP clients via authentication for the receiver. designated SecMTP port. A SecMTP client can connect to a SecMTP server via a SecMTP port a regular SMTP port, or Figure 2 depicts the timing diagram of a complete set of an SMTP over TSL port. Figure 1 shows the basic structure SecMTP connections from the sender to the sender’s SecMTP of SecMTP connections between mail clients and SecMTP server, to the receiver’s SecMTP server, and finally to the servers. The server-server connections are communicated as receiver. The rectangular blocks indicate the operations at client/server in the same manner as SMTP. Form node to node, the server. The dashed rectangular blocks refer to optional The source machine is designed as a client and the destination operations. machine is designed as a server. The certification is required in To remain compatible with current systems, a SecMTP all SecMTP compliant servers. The security mechanisms are client connects to a SecMTP server through the standard indicated in the user-to-server and server-to-server level. As SMTP port 25 by first establishing a TLS connection and then a result, it implicity achieved guarantee services in the user- authenticating using SASL; or by starting a TLS connection to-user level. Next, The details of security mechanisms over on port 465 and then authenticating. To use a regular email SecMTP are discussed. client with SecMTP, the client has to connect to a predefined SecMTP port (e.g., 416). The SecMTP server must recog- nize this action and enable implicit use of SecMTP options. D. The SecMTP Specification However, with this mechanism, the SecMTP will provide the Every communication channel in SecMTP uses TLS to default security level as defined by the server policy. Figure 3 guarantee confidentiality and integrity form user-to-server and illustrates the state diagram of starting a SecMTP connection. server-to-server. SMTP Service Extension for Authentication The transition edges show the commands that the client sends is automatically required by all communication channels and and the successful replies of the server. A SecMTP client can the authentication header will be automatically added to the connect to SecMTP port for predefined setting and switch to message by all intermediate servers with a digital signature. user setting SecMTP by issuing the SECMTP command. 4
Network Pre- Pre- SECMTP / SASL / / Pre-TLS cloud O O O L L H N Sender SecMTP server SecMTP server Receiver L I H . S E … 0 … P H . L A E 0 . 0 5 L 5 T S E 5 T 2 2 E T S P 2 M 2 C 2 0 R . 2 T H . . A C . . M . A . . w A . 2 T U E T Establish TSL 0 R U S e P T T lc / G T A H o S o T m L connection a S e h e / a d Lo g in Port 25 TLS SASL or i ze SECMTP A ut h SecMTP Client
Se Port 465 n d m e ss a ge Pre-SASL_ SECMTP/ SECMTP 220 welcome / O H L T A H U U Establish TLS connection E A N T I H 0 A 2 2 L P E H L O / SecMTP 2 2 0 w e l co m e t o Port Server: Add TLS_ SASL_ S E C M T P SECMTP authentication header SECMTP SECMTP (default)
Non-SecMTP Client Encrypt message SecMTP Client Enable receipt notification header Fig. 3. The State Diagram of Starting a SecMTP Connection. Add digital signature S en d me s s a g e Establish TLS connection here to strict security. Only transfer the mes- Lo g in sage through properly authenticated and certified A u th o ri ze SecMTP servers. es s ag e Re t ri ev e m 5) No additional SMTP verbs are defined by this extension. Retrieve local When a user connects directly to the SecMTP predefined private key and port, the server will provide SecMTP services with the default decrypt message options. The default options depend on the server policy. Verify message Figure 4 contains a full state diagram of a SecMTP connection S en d m es s a g e with all the major success and failure replies.
Start Fig. 2. The Timing Diagram of SecMTP. ( SECMTP port ) E H L O / 2 2 0 Start S 2 2 S E e 0 w C M c e l c T P M o m / RSET/ 250, e T t o S P Q E. Definition for SMTP Extension Service for Secure Mail e c NOOP / 250, U M T P VRFY / 250, I T / 2 Transfer Protocol (SecMTP) */501 2 1 We use SMTP Service Extension for Secure SMTP over HELO Q U I T / Transport Layer Security [2] to provide TLS communication NOOP / 250, 2 2 1 MAIL / 250 VRFY / 250, R S E T */501 channels. The SMTP Service Extension for Authentication / 2 5 0 QUIT / 221 R S QUIT [3] is used for authentication mechanism. We add the SMTP E T MAIL / 2 5 RCPT / 250, Service Extension for SecMTP to complete SecMTP services. 0 2 1 R RCPT / 501, / 2 S T E U I T RCPT / 250 NOOP / 250, Q The SMTP Extension Service for Secure Mail Transfer / 2 5 VRFY /250, 0 <