Claimchain: Improving the Security and Privacy of In-Band Key Distribution for Messaging
Total Page:16
File Type:pdf, Size:1020Kb
ClaimChain: Improving the Security and Privacy of In-band Key Distribution for Messaging Bogdan Kulynych Wouter Lueks Marios Isaakidis EPFL SPRING Lab EPFL SPRING Lab University College London [email protected] [email protected] [email protected] George Danezis Carmela Troncoso University College London EPFL SPRING Lab [email protected] [email protected] ABSTRACT collaboration of the service providers. The Autocrypt approach is 3 The social demand for email end-to-end encryption is barely sup- supported by key e-mail clients such as Thunderbird+Enigmail, ported by mainstream service providers. Autocrypt is a new commu- K-9 mail, and Mailpile, as well as a new messaging application for nity-driven open specification for e-mail encryption that attempts Android, DeltaChat. to respond to this demand. In Autocrypt the encryption keys are Similarly to in-band PGP [24], Autocrypt embeds the encryption attached directly to messages, and thus the encryption can be imple- keys into the e-mail messages, but uses pre-defined headers instead mented by email clients without any collaboration of the providers. of attachments. Furthermore, in the spirit of the PGP Web of Trust, The decentralized nature of this in-band key distribution, however, these headers also contain cross-references to the keys of other makes it prone to man-in-the-middle attacks and can leak the social users. The cross-references implicitly endorse the binding between graph of users. To address this problem we introduce ClaimChain, these keys and the corresponding user identities. a cryptographic construction for privacy-preserving authentica- This decentralized approach alleviates the privacy problem of 4 tion of public keys. Users store claims about their identities and centralized certification authorities, such as SKS Keyservers for keys, as well as their beliefs about others, in ClaimChains. These PGP keys, which can observe users’ key look-ups, and thus can infer chains form authenticated decentralized repositories that enable their communication patterns. However, since no one has a global users to prove the authenticity of both their keys and the keys of view of all the bindings in Autocrypt’s decentralized approach, ma- their contacts. ClaimChains are encrypted, and therefore protect licious users or providers can supply different user-to-key bindings the stored information, such as keys and contact identities, from to different recipients, effectively opening the doors to man-in-the- prying eyes. At the same time, ClaimChain implements mecha- middle attacks. nisms to provide strong non-equivocation properties, discouraging This attack, whereby Alice can show to Carol and Donald differ- malicious actors from distributing conflicting or inauthentic claims. ent versions of Bob’s key to manipulate encryption in her advantage, We implemented ClaimChain and we show that it offers reasonable is commonly known as equivocation. A solution to render equiv- performance, low overhead, and authenticity guarantees. ocation detectable and accountable could be to use CONIKS [15]. However, CONIKS’ transparency logs are maintained by providers, KEYWORDS and thus the scheme is not compatible with the Autocrypt principle of not requiring provider collaboration. E-mail encryption; Decentralization; Key distribution; Privacy In this paper we present ClaimChain, a cryptographic construc- tion that alleviates the authenticity and privacy problems of in-band 1 INTRODUCTION key distribution in the setting of Autocrypt.5 Similarly to CONIKS, Following the Snowden revelations it became clear that, given the ClaimChains consist of chained blocks. Instead of a global log, how- dependence of citizens, governments, and corporations on elec- ever, each user has their own ClaimChain that contains all the arXiv:1707.06279v6 [cs.CR] 12 Oct 2018 tronic communications, there is a strong need for highly secure information necessary to represent her claims about her own keys, end-to-end encrypted communications. That is, the content of com- and her beliefs about other users’ keys, i.e., her cross-references. munications must not be accessed by third parties, so as to shield Chaining of blocks enables tracking and authenticating the evolu- them from mass surveillance systems, domestic or foreign. Yet, so tion of beliefs and keys. Cross-references enable users to combine far we have only seen feeble and largely unsuccessful attempts by their contacts’ beliefs—represented by their ClaimChains—to estab- mainstream service providers such as GMail and Yahoo to support lish evidence about the binding between identities and keys. fully encrypted e-mail [1, 8, 13]. Only a few minor e-mail providers To address the privacy issues of the Web of Trust cross-reference 12 embrace end-to-end encryption. sharing model, ClaimChains use cryptographic access tokens to To fill this void, a recently launched community-driven initia- provide fine-grained control on who is allowed to read which claims. tive, Autocrypt, is developing a new open specification for e-mail Moreover, ClaimChains’ claim encoding schemes make it hard to encryption. The goal is to facilitate key handling by mail user agents so that encryption can be deployed without the need for 3https://github.com/autocrypt/autocrypt/blob/master/doc/install.rst 4https://sks-keyservers.net 1https://mailfence.com 5ClaimChains are currently being tested by the Autocrypt team (https://py-autocrypt. 2https://protonmail.com readthedocs.io/en/latest/) infer how users’ beliefs change over time. Finally, ClaimChains suitable for integrating with in-band key distribution. The purpose include mechanisms to reliably and efficiently prevent equivocation of the structure is to support key validation, i.e., help users estab- within a block, and a mechanism to detect equivocation across lish the authenticity of user-key bindings, as long as some users in blocks. In doing so, ClaimChains ensure non-equivocation while the system are honest. Furthermore, it must protect users’ privacy minimizing the leakage of users’ friendship networks. without relying on centralized parties. We prove the security and privacy properties provided by Claim- More concretely, we aim at providing the following properties. Chains. We also provide an implementation of ClaimChains and First, the structure must guarantee the integrity and authenticity of show that it scales to accommodate the needs of large groups identity-key bindings, i.e., it should not be possible to replace or at an acceptable overhead cost. We also simulate the usage of inject bindings without being detected. Second, we want to preserve ClaimChains for in-band key distribution using the Enron e-mail the privacy of cross-referenced information and the privacy of the dataset6 in a privacy-preserving way: ClaimChain owners reveal social graph. These properties ensure that only authorized users cross-references only if that does not leak more information about can access the key material in the structure and the identities of their social graph than is already revealed by the e-mails them- the bindings being distributed. Third, the structure must prevent selves. We quantify the degree to which in-band key distribution users from equivocating other users with respect to the identity-key can protect communication. We show that ClaimChains improve bindings that they share. That is, a user Owen should not be able privacy, without diminishing considerably the ability to encrypt to show to Alice and Bob different versions of a Charlie’s key, even e-mail, and enable the detection of incorrect key information. Our if he withdraws Alice’s access to see Charlie’s keys. In the latter main contributions are: case if Alice ever regains access, she must be able to detect Owen’s – We introduce ClaimChain, a cryptographic construction based misbehavior. Finally, our construction should not entail significant on authenticated data structures. ClaimChains store claims about computational or communication overhead for the end users and keys, thereby supporting key authentication in decentralized providers to enable adoption at large scale. environments in a secure and privacy-preserving way. – We define the properties that a decentralized and privacy-pre- Non-goals. In-band key distribution cannot ensure full availability serving key distribution system should offer and we formally of public encryption keys. The keys of one or more recipients may model them for ClaimChain. not be available to a sender at a time of sending a message, and thus, – We show that owners cannot equivocate about contact keys because of the opportunistic encryption operation, the message within blocks. Moreover, we provide a novel mechanism that would be sent in the clear. We are therefore not concerned with enables ClaimChain owners to prove that they have not equiv- ensuring 100% availability of keys. Instead, our goal is to secure the ocated across different blocks about a particular contact key. keys that are distributed without harming privacy. If guaranteeing Unlike other transparency-backed solutions [15], auditing the encrypted communication is absolutely necessary, parties must consistency of contact keys is possible without revealing their exchange keys in a reliable way, e.g. through a centralized service actual values in the ClaimChain history. or an out-of-band mechanism. – We provide an implementation of ClaimChain and show that its Furthermore, throughout this paper we consider that users have computation and bandwidth requirements are