A Formal Security Analysis of the pEp Authentication Protocol for Decentralized Key Distribution and End-to-End Encrypted Email

Vazquez Sandoval, Itzel; Lenzini, Gabriele

doi:10.1007/978-3-030-39749-4_11

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

A Formal Security Analysis of the pEp Authentication Protocol for Decentralized Key Distribution and End-to-End Encrypted Email

Vazquez Sandoval, Itzel; Lenzini, Gabriele

2019 • In Emerging Technologies for Authorization and Authentication

Peer reviewed

Permalink
https://hdl.handle.net/10993/40580

DOI
10.1007/978-3-030-39749-4_11

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

14.pdf

Author postprint (727.13 kB)

Download

The final authenticated version is available online at https://doi.org/10.1007/978-3-030-39749-4_11.

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

formal verification; authentication protocols; software security analysis; privacy-by-default; secure email; end-to-end encryption

Abstract :

[en] To send encrypted emails, users typically need to create and exchange keys which later should be manually authenticated, for instance, by comparing long strings of characters. These tasks are cumbersome for the average user. To make more accessible the use of encrypted email, a secure email application named pEp automates the key management operations; pEp still requires the users to carry out the verification, however, the authentication process is simple: users have to compare familiar words instead of strings of random characters, then the application shows the users what level of trust they have achieved via colored visual indicators. Yet, users may not execute the authentication ceremony as intended, pEp's trust rating may be wrongly assigned, or both. To learn whether pEp's trust ratings (and the corresponding visual indicators) are assigned consistently, we present a formal security analysis of pEp's authentication ceremony. From the software implementation in C, we derive the specifications of an abstract protocol for public key distribution, encryption and trust establishment; then, we model the protocol in a variant of the applied pi calculus and later formally verify and validate specific privacy and authentication properties. We also discuss alternative research directions that could enrich the analysis.

Disciplines :

Computer science

Author, co-author :

Vazquez Sandoval, Itzel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Lenzini, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

External co-authors :

Language :

English

Title :

A Formal Security Analysis of the pEp Authentication Protocol for Decentralized Key Distribution and End-to-End Encrypted Email

Publication date :

2019

Event name :

2nd International Workshop on Emerging Technologies for Authorization and Authentication - ESORICS International Workshops

Event place :

Luxembourg, Luxembourg

Event date :

27-09-2019

Audience :

International

Main work title :

Emerging Technologies for Authorization and Authentication

Publisher :

Springer

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

Additional URL :

https://doi.org/10.1007/978-3-030-39749-4_11

Available on ORBilu :

since 02 October 2019

Statistics

Number of views

198 (20 by Unilu)

Number of downloads

133 (4 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

Bibliography

OpenPGP. https://www.openpgp.org/
PGP word list. https://en.wikipedia.org/wiki/PGP word list
Signal technical specifications. https://signal.org/docs/
Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Acm Sigplan Notices, vol. 36, pp. 104–115. ACM (2001)
Basin, D., Cremers, C., Dreier, J., Meier, S., Sasse, R., Schmidt, B.: Tamarin prover. https://tamarin-prover.github.io/
Basin, D., Cremers, C., Meier, S.: Provably repairing the ISO/IEC 9798 standard for entity authentication. J. Comput. Secur. 21(6), 817–846 (2013)
Basin, D., Dreier, J., Hirschi, L., Radomirovic, S., Sasse, R., Stettler, V.: A formal analysis of 5G authentication. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1383–1396. ACM (2018)
Basin, D., Radomirovic, S., Schmid, L.: Modeling human errors in security protocols. In: 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pp. 325–340. IEEE (2016)
Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: 14th IEEE Computer Security Foundations Workshop, pp. 82–96. IEEE (2001)
Blanchet, B.: Security protocol verification: symbolic and computational models. In: Degano, P., Guttman, J.D. (eds.) POST 2012. LNCS, vol. 7215, pp. 3–29. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28641-4 2
Clark, J., van Oorschot, P.C., Ruoti, S., Seamons, K., Zappala, D.: Securing email. arXiv preprint arXiv:1804.07706 (2018)
Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 451–466. IEEE (2017)
Cremers, C.: Key exchange in IPsec revisited: formal analysis of IKEv1 and IKEv2. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 315–334. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2 18
Dechand, S., Schürmann, D., Busse, K., Acar, Y., Fahl, S., Smith, M.: An empirical study of textual key-fingerprint representations. In: 25th {USENIX} Security Symposium ({USENIX} Security 16), pp. 193–208 (2016)
Dolev, D., Yao, A.C.: On the security of public key protocols. In: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, SFCS 1981, pp. 350–357. IEEE Computer Society, Washington, DC (1981)
Dreier, J., Hirschi, L., Radomirovic, S., Sasse, R.: Automated unbounded verification of stateful cryptographic protocols with exclusive OR. In: 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 359–373. IEEE (2018)
(IETF), I.E.T.F.: IANA registration of trustword lists. https://tools.ietf.org/html/draft-birk-pep-trustwords-03
(IETF), I.E.T.F.: pretty Easy privacy (pEp): privacy by default. https://www.ietf. org/id/draft-birk-pep-03.txt
Lowe, G.: Breaking and fixing the Needham-Schroeder Public-Key Protocol using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147– 166. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-61042-1 43
Lowe, G.: A hierarchy of authentication specifications. In: Proceedings 10th Computer Security Foundations Workshop, pp. 31–43. IEEE (1997)
Mauw, S., Cremers, C.: Operational Semantics and Verification of Security Protocols. Springer, Heidelberg (2012)
Pretty Easy Privacy: pep source code. https://pep.foundation/pep-software/index. html
Pretty Easy Privacy: pep user documentation. https://www.pep.security/docs/index.html
The Radicati Group: Email Statistics Report, 2018–2022. Technical report (2018)
Unger, N., et al.: SoK: secure messaging. In: 2015 IEEE Symposium on Security and Privacy, pp. 232–249. IEEE (2015)
Vazquez-Sandoval, I., Lenzini, G.: Experience report: how to extract security pro-tocols’ specifications from C libraries. In: IEEE 42nd Annual COMPSAC 2018, Tokyo, Japan, Vol. 2, pp. 719–724 (2018)
Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: a usability evaluation of PGP 5.0. In: USENIX Security Symposium, vol. 348 (1999)
Zimmermann, P.R.: The Official PGP User’s Guide. MIT Press, Cambridge (1995)