Security Basics mailing list archives
Digital signature to e-mail.
From: Roberto Alcantara <roberto () fortalnet com br>
Date: Wed, 1 Jun 2005 16:07:45 -0300 (BRT)
Guys, this is just one idea, and I would like know your comments about this.
I will write one sendmail milter to test, just to fun :) Regards, Roberto. http://www.eletronica.org/softlab/userkeys/userkeys_english.htm ** BETA TEXT VERSION ** Give me feedback about text :) Roberto Alcântara roberto () eletronica org 2005, May 15. Digital Signature to E-mail in Server Side Objective: Offer one way to provide server side authentication with digital signature, to return-path address ('MAIL FROM' argument, RFC2821). SMTP protocol was not developer with security objectives. Your idea it's great to delivery messages, but very bad to security purpose. The main STMP deficiency is not able to cryptography message and not have security origin identification. Our propose is solve origin identification problem, using asymmetric cryptography, MTA filters and DNS to store public key. Motivation: Some options was developed to solve identification and cryptographic problem, like PGP and GNUPG. Althought excellent options they had not become popular, therefore they need new software ('plugin') in client side and did not have safe and distribuided place for public keys publication. Other solution like Domain Keys[1] providers a mechanism for verifying both the domain of email sender and the integrity of the sent message, but not the sender. How it works: Setup: Each protected e-mail (user@domain) have one public and private key are stored in server side. Public key is stored in user.userkeys.domain in TXT DNS record (RFC1035). User names with dot will have some extra characters to fix url. Private key is stored in secure local database (User Key Database, UKD), with username/mail from/private key. Each client have one password to access your SMTP account (SMTP Authentication, RFC2554). Sending: e-mail client connect to SMTP server using authentication and send your message. Server will look in your UKD if this user have permission to send messages from informed 'MAIL FROM'. After this, server will sign message and add this signature in e-mail header. Receiving: When MTU delivery message to MX server, this will find signature header. One DNS query will be sent to user.userkeys.domain looking public key to user@domain address. With public key, server can check sender identification, adding result in message header or body. One additional flag in DNS entry say what e-mail owner recommend MX do when signature can't be found or signature check fail. Cryptographic problem can be solve with asymmetric keys but not with this solution, because comunication between Client and SMTP server it is not safe to envelope of a message. [1] http://antispam.yahoo.com/domainkeys
Current thread:
- Digital signature to e-mail. Roberto Alcantara (Jun 03)
- <Possible follow-ups>
- Re: Digital signature to e-mail. Thom O'Connor (Jun 06)