Easy Email Encryption with Easy Key Management CUCS-004-18 John S. Koh Steven M. Bellovin Jason Nieh Columbia University Columbia University Columbia University New York, NY 10027 New York, NY 10027 New York, NY 10027 koh@cs:columbia:edu smb@cs:columbia:edu nieh@cs:columbia:edu Abstract as in the cases of cock.li and TorMail [24, 34], or compromise Email privacy is of crucial importance. Existing email encryp- them, such as in the Sony Pictures email leaks [36]. tion approaches are comprehensive but seldom used due to e common thread is that a compromise exposes the their complexity and inconvenience. We take a new approach entire history of aected users’ emails aer even a single to simplify email encryption and improve its usability by im- breach. With the explosive growth in cloud storage, it is easy plementing receiver-controlled encryption: newly received to keep gigabytes of old emails at no cost. e introduction messages are transparently downloaded and encrypted to a of Gmail with its massive storage capacity—up to 15 GB for locally-generated key; the original message is then replaced. free, or 30 TB for paid options [37]—opened up the possibility To avoid the problem of users having to move a single private of keeping email forever. Consequently, users oen email key between devices, we implement per-device key pairs: themselves to use their inbox as backup storage for important only public keys need be synchronized to a single device. information, thereby exacerbating the cost of a compromise. Compromising an email account or server only provides ac- Existing email encryption methods are eective but rarely cess to encrypted emails. We have implemented this scheme used and even more rarely used correctly. Examples include for both Android and as a standalone daemon; we show that Prey Good Privacy (PGP) [4], and Secure/Multipurpose it works with both PGP and S/MIME, is compatible with Internet Mail Extensions (S/MIME). Neither are widely used widely used mail clients and email services including Gmail as they are too complicated for most users; both senders and and Yahoo! Mail, has acceptable overhead, and that users recipients must comprehend public key cryptography and consider it intuitive and easy to use. its infrastructure. e current paradigm places too much of a burden on senders who must correctly encrypt emails and CCS Concepts •Security and privacy ! Key manage- manage keys [30, 35] so even technical users rarely encrypt ment; Public key encryption; Usability in security and their email. e problem is that existing approaches seek privacy; Web application security; absolute security via end-to-end encryption at the expense Keywords IMAP, email, applied cryptography, PGP, S/MIME, of usability, creating a chasm between protecting all email key management communications via PGP or S/MIME, and using no email protection at all. We introduce an approach to encrypted email that ad- 1 Introduction dresses the gaping void between unusable but absolute email Email accounts and servers are an aractive target for adver- security, and usable but no email security. We change the saries. ey contain troves of valuable private information problem from sending encrypted emails to storing encrypt- dating to years back, yet are easy to compromise. Some ed emails since it is a user’s history of emails that is most prominent examples include: the phishing aack on Hillary tantalizing to aackers. Our goal is to mitigate the kinds of Clinton’s top campaign advisor John Podesta [15], the 2016 aacks oen publicized in the news where email account email hack of one of Vladimir Putin’s top aides [38], the email credentials are compromised or entire servers are seized. e leaks of former Vice President candidate Sarah Palin and CIA aackers have access to emails stored on servers but do not Director John Brennan [11, 32], and other similar cases [18]. have access to individual devices. Most of the aacks are ese aacks targeted high prole individuals and organi- either simplistic phishing aacks for email account creden- zations to leak their emails and damage their reputations. tials or server breaches that include innocent users in the In the Podesta leaks, aackers perpetrated a spear-phishing collateral damage. All these compromised emails would have aack to obtain John Podesta’s Gmail login credentials, ac- been protected had they been encrypted prior to any breach cess his emails, and leak them to WikiLeaks. Sarah Palin was using a key inaccessible to the email service provider. We subjected to a simple password recovery and reset aack therefore seek a client-side encrypted email solution that which granted the aacker full access to her personal email can ensure that a user’s emails stored prior to a compromise account on the Yahoo! Mail website. John Brennan’s AOL remain safe. Furthermore, such a defense must be usable for web email account was compromised via social engineering. average people on a daily basis, and compatible with email Adversaries also sometimes seize entire email servers such correspondents who do not use encrypted email. 1 CUCS-004-18 We present Easy Email Encryption (E3) as the rst step present the results of a user study for E3 that show that users to lling this void. E3 provides a client-side encrypt-on- consider it simple, intuitive, and exible. receipt mechanism that makes it easy for users as they do not need to rely on public key infrastructure (PKI) or coordinate 2 reat Model with recipients. E3 protects all emails received prior to any e purpose of E3 is to protect all emails stored prior to any email account or server compromise for all of the emails’ email account or server compromise, with no soware or pro- lifetime, under similar threat modelassumptions made for tocol changes except for installing E3 itself on a recipient’s more complex schemes such as PGP and S/MIME; for ease devices. e primary risk we defend against is to stored mail of discussion we hereaer refer to PGP and S/MIME email on the IMAP server. If the account or server is compromised, as end-to-end encrypted email. all unencrypted mail is available to the aacker. E3 is designed to be compatible with existing IMAP servers We thus guard against future compromise of the user’s and IMAP clients to ease the adoption process. An E3 client IMAP account or server. We assume that the IMAP account downloads messages from an IMAP server, encrypts them in and server are initially secure, and that at some later time, a standard format, and uploads the encrypted versions. e one or both are compromised. We therefore assume that original cleartext emails are then deleted from the server. No email services are honest; the threat is external entities try- changes to any IMAP servers are necessary. Users require ing to access email account data. If email service providers only a single E3 client program to perform the encryption. are not honest, e.g. keeping separate copies of received Existing mail clients do not need to be modied and can be emails, then the platform is fundamentally insecure which used as-is alongside a separate E3 background app or add-on. is out of scope. However, a server aack may occur aer the If desired, existing mail clients can be retroed with E3 server is discarded by physically compromising the server’s instead of relying on a separate app or on an add-on. disks [13]—few organizations erase old disks before disposal. Users are free to use their existing, unmodied mail clients We assume the enemy is sophisticated but not at the level of to read E3-encrypted email as long as they support standard an intelligence agency, i.e., the enemy cannot break TLS. encrypted email formats. e vast majority of email clients We do not aempt to protect against compromise of the support encrypted emails either natively or via add-ons. Oth- user’s devices or mail clients. If those are compromised, er than the added security benets of encryption, all email the private keys used by E3 are available to the aacker no functionality looks and feels the same as a typical email maer when the encryption takes place. Standard end-to- client, including spam ltering and having robust client-side end encrypted email makes the same assumption. search capability. Key management, including key recovery, is simplied by 3 Usage Model a scheme we call per-device key (PDK) management which E3 works with any IMAP email service. To get started, all a provides signicant benets for the common email use case user does is install an E3 client. E3 clients appear to the user of having two or more devices for accessing email, e.g. desk- as either a separate one-time use app or as a new feature, top and mobile device mail clients. Users with multiple such as an add-on, in their mail client of choice. is depends devices leverage PDK with no reliance on external services. on the user’s platform, operating system, and mail client. Re- Users who truly only use a single device still benet from gardless of the exact implementation, the initial setup acts PDK’s key conguration and management capabilities, but like any normal mail client, including asking for email ac- rely on free and reliable cloud storage for recovery. E3 as count credentials. By default, the client will be congured to a whole is a usable solution for encrypted email that pro- operate in active mode, meaning that the client will encrypt tects a user’s history of emails while also providing a simple all email on receipt.