A Formal Security Analysis of the pEp Authentication Protocol for Decentralized Key Distribution and End-to-End Encrypted Email

08/29/2020
by Itzel Vazquez Sandoval, et al.

To send encrypted emails, users typically need to create and exchange keys, which should later be manually authenticated, for instance by comparing long strings of characters. These tasks are cumbersome for the average user. To make encrypted email more accessible, a secure email application named pEp automates the key management operations. pEp still requires the users to carry out the verification; however, the authentication process is simple: users have to compare familiar words instead of strings of random characters, and the application then shows the users what level of trust they have achieved via colored visual indicators. Yet users may not execute the authentication ceremony as intended, pEp's trust rating may be wrongly assigned, or both. To learn whether pEp's trust ratings (and the corresponding visual indicators) are assigned consistently, we present a formal security analysis of pEp's authentication ceremony. From the software implementation in C, we derive the specifications of an abstract protocol for public key distribution, encryption and trust establishment; we then model the protocol in a variant of the applied pi calculus and formally verify and validate specific privacy and authentication properties. We also discuss alternative research directions that could enrich the analysis.
