How to exchange email securely with Johnny who still can’t encrypt


Bibliographic Details
Main Author: Woo, Wing Keong
Language: English
Published: 2010
Online Access: http://hdl.handle.net/2429/18249
Description
Summary: Some of us might have had this experience: because of privacy concerns, we decided to use PGP or S/MIME for secure email communications. After making the effort to learn the concept of public key cryptography and generate key-pairs for ourselves, we realized that we could not proceed because most of our correspondents did not have a key to start with. It would be difficult to convince them to similarly adopt PGP or S/MIME. Eventually we dropped the idea and reverted to sending emails in the clear.

This thesis presents a novel solution to this three-decade-old problem. All currently known solutions are greatly influenced by the traditional mindset of relying on the trusted distribution of public keys to achieve secure communications. Unfortunately, these solutions face the difficult problems of public key distribution and revocation, and have not been commonly adopted, as is evident from the predominance of cleartext emails we still receive today. We deviate from the traditional mindset and propose a new approach that uses the concept of secure key exchange to design a secure email solution. We design a protocol called EKEmail to cater specifically for the non-interactive email environment, which is complicated by the possibilities that email messages may be lost, not read in the order received, or not replied to at all. We have implemented our solution and demonstrated that it works seamlessly within the existing email infrastructure.

To begin secure email communications, the only requirement is for the two communicating parties to agree on a one-time shared password. Users are allowed to choose any password, even one that is considered poor, without worrying about dictionary attacks. In addition, EKEmail supports automatic and transparent key refresh with perfect forward secrecy, hence simplifying the use of short-lived keys. Besides providing privacy, EKEmail also supports the off-the-record property, which is desirable for casual email conversations. Our solution allows users to enjoy secure email communications with minimal inconvenience.

Affiliation: Applied Science, Faculty of; Electrical and Computer Engineering, Department of; Graduate