People widely use electronic mail (e-mail) to communicate with each other over the Internet. By delivering e-mail over the Internet, people exchange not only ordinary text letters but also sensitive rich electronic files. Because of this popularity, e-mail systems have become targets of adversaries and malicious users. Among e-mail security issues, the basic and primary concerns are the confidentiality and authentication of e-mails. Some cryptosystems can satisfy these concerns: users can utilize a specific interactive key to encrypt or verify their e-mails. However, an e-mail system is a store-and-forward system in which e-mail servers act as proxies that accept, forward, and store users' e-mails. A user does not need to be continuously online to connect with an e-mail server; only when the user wants to obtain the e-mails received and stored in the e-mail server does he or she need to access it. The operations of an e-mail system are briefly indicated in Figure 1. Assume that a user B, called the sender, intends to send an e-mail to another user A, called the receiver. The sender B first sends the e-mail to the e-mail server SB, and the e-mail server SB then forwards the e-mail to the receiver A's e-mail server SA. Next, the e-mail server SA stores the e-mail in its memory. When the receiver A connects to the e-mail server SA, the receiver A sends a request asking for new e-mails, and the e-mail server SA forwards the stored e-mail to the receiver A. Because of this feature, users are obviously not always online. This causes challenges for the authentication and key distribution of e-mail users. Public key systems provide a solution for these challenges. However, public key systems incur a costly time delay to encrypt or decrypt an e-mail. Therefore, hybrid cryptosystems are preferred to avoid the high computation cost.
Pretty Good Privacy (PGP) was implemented in 1991 and is a well-known secure e-mail protocol that provides data confidentiality between sender and receiver. It is available on almost any platform and was aimed to be used within existing e-mail systems [3-6]. The PGP protocol utilizes the idea of hybrid cryptosystems to securely transfer a session key between a sender and a receiver. A sender in the PGP system is given a certified public key. The certified public key can support a secure channel to transfer the session key. For a single sender and receiver, a session key, used for encrypting their e-mail, can be transferred by adopting the approaches mentioned before. PGP is designed for a distributed network of individuals. It depends on a web of trust; that is, you can certify the public keys of the users who receive your e-mails. A user cannot verify the validity of every other PGP key, and one probably will never trust most users. However, under many circumstances, a sender needs to send a single e-mail to multiple receivers. How to transfer a session key to multiple receivers is a challenge for securing e-mail systems.
Because a user often needs to send an e-mail to a group of users, in existing e-mail protocols such as the Simple Mail Transfer Protocol the e-mail server forwards copies of this e-mail to the receivers. We briefly show this operation in Figure 2. When a sender B intends to deliver an e-mail to the receivers A, C, and D, he or she first sends the e-mail to his or her e-mail server SB. Then, the e-mail server SB forwards copies of this e-mail to the receivers' mail servers SA, SC, and SD, respectively. Next, the mail servers SA, SC, and SD wait for the requests for new e-mails from the receivers. For example, if SC receives a request sent by the receiver C, SC forwards the copy of the e-mail to the receiver C. In this repeated transmission, there are redundant computations that cause significant time delay. In this paper, we propose a secure multicast key protocol for e-mail systems that provides a solution for distributing a session key to a multicast group. Our scheme is based on the Chinese Remainder Theorem (CRT), the RSA public key system, and a cryptographically secure one-way hash function. The related works on securing e-mail systems were proposed to resist other security issues, such as the perfect forward secrecy problem. The perfect forward secrecy problem was pointed out by Sun et al. in 2005; the details of the problem are described in a later paragraph. We will show that our protocol not only satisfies the multicast requirements but also resists these security problems. In the previously proposed schemes [9-11], an e-mail server is required to repeatedly execute the same procedures to multicast an e-mail to the different receivers.
The rest of this paper is organized as follows. In Section 2, we present the background knowledge and an overview of the related works. In Section 3, we introduce our scheme. Then, in Section 4, we give the security analysis and computation complexity. Finally, in Section 5, we conclude the paper.
2 BACKGROUND AND RELATED WORKS
In this section, we introduce the CRT. Then, we briefly introduce the schemes by Sun et al., Lin et al., Kim et al., and Chang et al.
2.1 The Chinese Remainder Theorem
In number theory, the CRT is a famous theorem attributed to Han Xin, one of the excellent generals of ancient China. The basic definition is introduced as follows.
Fact 1. If the integers m1, m2, …, mk are pairwise relatively prime, then the system of simultaneous congruences
has one, and only one, solution (modulo m = m1 × m2 × ⋯ × mk).
2.2 Related works
Abadi et al. proposed a certified e-mail protocol based on an online trusted third party in 2002. The online trusted party is assigned to verify e-mail transmitted between sender and receiver with a predetermined public key. With the popularity of e-mail systems, many multiparty-certified e-mail protocols have been proposed to solve the security issues of multiparty e-mail protocols. In 2004, a modified multiparty-certified e-mail protocol was proposed by Zhou on the basis of a one-way hash function and public key systems. In that protocol, evidence of an e-mail can be verified by the intended party alone. In 2005, Sun et al. proposed two secure e-mail protocols, which aimed to satisfy the requirements of perfect forward secrecy. The first protocol is based on the Diffie–Hellman key exchange protocol. The second protocol is based on a cryptographic primitive called “Certificate of Encrypted Message Being a Signature”. Dent pointed out that the second protocol cannot satisfy perfect forward secrecy. Moreover, Phan showed that the scheme by Sun et al. is vulnerable to unknown key-share attacks and replay attacks. In 2006, the scheme by Lin et al. was proposed to fix the problems of the scheme by Sun et al. The main idea in the scheme by Lin et al. is that the receiver's password used for accessing e-mail services is refreshed at different times. The receiver can derive ephemeral interactive keys (short-term keys) from these refreshed passwords. Essentially, their scheme cannot satisfy perfect forward secrecy because the refreshed passwords are updated from a specific initial password. Once this initial password is compromised, the refreshed passwords are compromised as well, and the ephemeral interactive keys are then disclosed.
Besides the perfect forward secrecy problem, their scheme also suffers from an insider attack, which means that malicious operators of an e-mail server can learn the ephemeral interactive keys and then eavesdrop on e-mail content. In 2006, Kim et al. also proposed a solution for the perfect forward secrecy problem, in which an e-mail server acts as a proxy to establish and deliver the short-term session keys. Yoon and Yoo pointed out that the scheme by Kim et al. cannot resist sender impersonation attacks and e-mail server impersonation attacks. The scheme by Chang et al., proposed in 2008, utilized a three-party password-authenticated key exchange to deal with the aforementioned security problems. However, their scheme still suffers from the sender impersonation attack and the e-mail server impersonation attack because the messages transmitted in the e-mail system cannot be authenticated by a sender or receiver. Therefore, an adversary can copy information transmitted on the channel to impersonate a user. In this paper, we prove that our scheme not only reduces the computation complexity of e-mail multicasting but also deals with perfect forward secrecy and the aforementioned attacks. Our scheme makes use of the CRT to reduce computation complexity. It utilizes the RSA public key system and a cryptographically secure one-way hash function to deal with perfect forward secrecy and the aforementioned problems.
3 OUR SCHEME
In this section, we introduce the details of our scheme. Our scheme is divided into two protocols: single receiver and multireceiver. The single-receiver protocol covers the procedures by which a sender delivers an e-mail to a single receiver. The multireceiver protocol covers the procedures by which a user sends an e-mail to multiple receivers. Each protocol has three phases: a precomputation phase, a sending phase, and a receiving phase. In the following description, we omit the transmission between the sender's and receivers' mail servers for simplicity, and use a single mail server to stand for that transmission. The parameters used in this paper are as follows:
The ith user in an e-mail system
The mail server
A public key for a user Ui
A secret key corresponding to the PKi for a user Ui
The identification of user Ui, which is a large and unique prime number
The asymmetric encryption function using a key k′
The asymmetric decryption function using a key k′
A signature function generated from the message m using the private key k′
A one-way collision-resistant hash function
The catenation of messages m1 and m2
The content of the e-mail
A → B
A symbol indicating that certain messages are sent from an entity A to another entity B
In the e-mail system, a user Ui is predistributed a public key PKi and the corresponding secret key SKi by the system. Note that we focus only on the distribution of the short-term session keys. Authentication of the public key and secret key can be achieved by ID-based cryptosystems. For simplicity, we call the public key and the corresponding secret key a pair of public key and secret key, or a pair of public key and the corresponding secret key, in this paper.
3.3 Single receiver
3.3.1 Precomputation phase
Step S1. Ui → S: ei, , IDi.
A user Ui generates another pair of public key and secret key (ei, di), where ei ⋅ di ≡ 1 mod φ(IDi). This pair is not related to the pair of public key PKi and secret key SKi predistributed by the system. The user Ui sends ei and  to the e-mail server. Note that this procedure is executed after the user Ui has finished receiving an e-mail.
3.3.2 Sending phase
Assume that a sender U1 intends to send an e-mail to a receiver U2. The sender U1 executes the following procedures:
Step S2. S → U1: e2, , ID2.
Step S3. The sender U1 chooses two random primes p and q. Next, U1 computes n = p × q. Then, he or she computes another pair of a public key and the corresponding secret key , where .
Step S4. The sender U1 chooses arbitrary distinct primes p1, p2, …, pk, where k is a small number depending on the required security level of the system. Note that n < p1, p2, …, pk. Next, the sender U1 computes the pairs of public keys (α1, β1), (α2, β2), …, (αk, βk), where α1 × β1 ≡ 1 mod p1, α2 × β2 ≡ 1 mod p2, …, and αk × βk ≡ 1 mod pk.
Step S5. Then, the sender U1 computes the following congruences:
where L = ID1 × ID2 × p1 × ⋯ × pk, , and (L/pl) × hl ≡ 1 mod pl. From the aforementioned equation, it is easy to derive the following properties according to Fact 1:
Step S6. U1 → S: X, L, V, W, Y, t, n, where , , and . The parameter t is a timestamp taken at that time.
3.3.3 Receiving phase
As the receiver U2 connects to his or her mail server, the following procedures are executed:
Step S7. U2 → S: request for new e-mails.
Step S8. S → U2: X, L, V, W, Y, t, n, ID1, ID2.
Step S9. The receiver U2 derives the value  by computing . Then, the receiver U2 checks whether  equals the value . If it does, the receiver U2 computes the content . Upon deriving the content M′, the receiver U2 computes the value  and checks whether Y′ equals the value in the signature Y.
3.4 Multireceivers
3.4.1 Precomputation phase
Step M1. Ui → S: ei, , IDi. Note that this step is the same as Step S1.
3.4.2 Sending phase
Assume that the sender U1 intends to send an e-mail to the receivers U2, U3, …, and Un. The sender U1 executes the following procedures:
Step M3. The user U1 executes the aforementioned Step S3 to choose a new (, ). Then, U1 computes the following value according to Fact 1:
where L = ID1 × ID2 × ⋯ × IDn and (L/IDi) × hi ≡ 1 mod IDi.
Step M4. Us → S: X, L, V, W, Y, t, n, where , , and . The parameter t is a timestamp taken at that time.
3.4.3 Receiving phase
When a receiver Ur, where r ∈ [2, …, n], connects to his or her mail server, he or she sends a request for new e-mails. Then, the following procedures are executed:
Step M5. S → Ur: X, L, V, W, Y, t, n, ID1, ID2, …, IDn.
Step M6. The receiver Ur computes the value .
Step M7. The receiver Ur computes the value  and checks whether this value equals ds′.
Step M8. If the verification in Step M7 succeeds, the receiver Ur computes the content . Then, Ur computes the value  and checks whether Y′ equals the value in the signature Y.
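As an added illustration of how Fact 1 lets one value X carry a separate residue for every receiver (Steps M1, M3, and M6 above), the following Python is not the paper's code. It assumes each ID_i is a prime modulus, the per-receiver residue is the session key raised to e_i mod ID_i, and L runs over the receivers' IDs only; the primes are toy-sized constructed values, not a security-strength parameter set.

```python
from math import gcd, prod


def is_prime(n: int) -> bool:
    """Trial division; sufficient for the toy-sized IDs used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def crt_combine(residues, moduli):
    """Fact 1: the unique X (mod L) with X = a_i (mod m_i) for every i.

    Uses the paper's form X = sum_i a_i * (L/m_i) * h_i mod L, where
    (L/m_i) * h_i = 1 mod m_i and L is the product of all moduli.
    """
    for idx, m in enumerate(moduli):
        for other in moduli[idx + 1:]:
            if gcd(m, other) != 1:
                raise ValueError("moduli must be pairwise coprime")
    L = prod(moduli)
    X = 0
    for a_i, m_i in zip(residues, moduli):
        L_i = L // m_i
        h_i = pow(L_i, -1, m_i)          # (L/m_i) * h_i = 1 mod m_i
        X = (X + a_i * L_i * h_i) % L
    return X, L


def ephemeral_keypair(id_prime: int, e: int = 65537):
    """Step M1 analogue: (e_i, d_i) with e_i*d_i = 1 mod phi(ID_i), phi(p) = p-1."""
    if not is_prime(id_prime):
        raise ValueError("ID must be prime")
    phi = id_prime - 1
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(ID)")
    return e, pow(e, -1, phi)


def multicast_encapsulate(session_key: int, receivers: dict):
    """Step M3 analogue: one X carrying the key for every receiver at once.

    receivers maps ID_i -> e_i (assumed layout). The session key must be
    below every ID_i so that each residue decrypts back to it exactly.
    """
    ids = list(receivers)
    if session_key >= min(ids):
        raise ValueError("session key must be smaller than every receiver ID")
    residues = [pow(session_key, receivers[i], i) for i in ids]
    return crt_combine(residues, ids)


def receiver_recover(X: int, id_i: int, d_i: int) -> int:
    """Step M6 analogue: reduce X mod own ID, then decrypt with own d_i."""
    c_i = X % id_i                       # the receiver's own residue
    return pow(c_i, d_i, id_i)


def demo():
    """Four receivers with constructed toy prime IDs; returns what each recovers."""
    ids = [1000003, 1000033, 1000037, 1000039]
    keys = {i: ephemeral_keypair(i) for i in ids}
    public = {i: keys[i][0] for i in ids}
    session_key = 0x5A5A5                # constructed sample key, below every ID
    X, L = multicast_encapsulate(session_key, public)
    recovered = {i: receiver_recover(X, i, keys[i][1]) for i in ids}
    return session_key, X, L, recovered


if __name__ == "__main__":
    s, X, L, rec = demo()
    print(f"X = {X} (mod L = {L})")
    for i, k in rec.items():
        print(f"receiver {i}: recovered {k} {'OK' if k == s else 'FAIL'}")
```

The sender performs one exponentiation per receiver plus the CRT combination, and each receiver only needs a single reduction and one exponentiation, which is the saving the scheme claims over per-receiver retransmission.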
4 SECURITY AND COMPLEXITY ANALYSIS
In this section, we analyze the security and the computation complexity of our scheme. In the security analysis, we discuss perfect forward secrecy and the resistance to unknown key-share attacks, replay attacks, forgery attacks, and insider attacks. In the analysis of computation complexity, we evaluate the complexity with the metrics of rounds of modular exponentiation, one-way hash function operations, encryption operations, and decryption operations.
Before the security analysis, Fact 2 and Definition 1 are given as follows:
Fact 2. Let n = pq, where p and q are large primes. For e ⋅ d ≡ 1 mod n, where . Given the public key (n, e), the problem of computing the value d is computationally equivalent to the problem of factoring n. There is no efficient algorithm for the problem of factoring n.
Proof. This fact was proved in the description of the RSA cryptosystem.
Definition 1. In a protocol, if compromise of a long-term key does not compromise the session keys, the protocol is said to have perfect forward secrecy.
In the scheme by Sun et al., each user uploads an exponential of a random number to a mail server when he or she connects with that mail server. When a user intends to send an e-mail to a receiver, he or she queries for the exponential of the random number previously given by the receiver. Then he or she executes the Diffie–Hellman key exchange protocol to derive a session key used for encrypting the e-mail. Because users refresh the random number behind the exponential value on the e-mail server, an adversary cannot derive the session keys established by the Diffie–Hellman key exchange protocol even if the adversary compromises users' long-term keys. Therefore, the confidentiality of the information in the e-mail is maintained even if the user's long-term key is compromised. In the following, we show that our protocol can also achieve perfect forward secrecy.
4.1 Security analysis
4.1.1 Perfect forward secrecy
The scheme by Sun et al. was considered the first scheme to deal with perfect forward secrecy for e-mail systems. However, according to the description by Dent, it cannot completely satisfy perfect forward secrecy. The short-term session keys in our scheme are randomly chosen by the sender. According to Fact 2 mentioned before, the distribution of the short-term session keys is protected by the RSA public key system. Even if the receiver's secret key is compromised, the short-term keys will not be disclosed because the session keys have no relationship with that secret key. Therefore, according to Definition 1, our scheme satisfies perfect forward secrecy. The scheme by Lin et al. cannot satisfy perfect forward secrecy because an ephemeral key can be derived by compromising the receiver's passwords. Even if the passwords are refreshed at different times, compromising the initial password causes the disclosure of the refreshed passwords. The scheme by Kim et al. cannot satisfy perfect forward secrecy either; the reason was described by Yoon and Yoo. Although the scheme by Chang et al. satisfies perfect forward secrecy, it still suffers from insider attacks.
4.1.2 Unknown key-share attack
The unknown key-share attack was presented by Phan. This attack can be considered a special case of impersonation attacks. An adversary makes copies of the preceding authentication messages transmitted between the sender and receiver to trick a victim user into constructing a short-term key. Then, the victim user treats the adversary as an authorized user and sends him messages that are confined to specific authorized users. In our scheme, the sender signs a digest related to the e-mail in Step S6 and Step M4. The input of the signature Y includes the sender's and receivers' identifications, the content of the e-mail, and the timestamp t. According to the properties of a cryptographically secure one-way hash function, it is hard to invert the input or to find a collision. Moreover, the short-term session key is encrypted with the receiver's public key. If an adversary tries to impersonate the sender with the preceding authentication messages, users can check the signature Y to detect the adversary.
4.1.3 Replay attack
The replay attack on e-mail systems was presented by Phan. It means that a certain user who previously established a common key with the sender exploits preceding key materials to evade the victim users' verification procedures. The victim users then receive bogus information from this malicious user without detecting the misbehavior. In our scheme, the messages in Step S8 and M4 contain the timestamp t. The sender and receivers store these timestamps in their memory or storage devices. When a repeated timestamp is found in a received message, receivers detect the misbehavior and discard the received message. In addition, the receiver can check whether the content in the signature Y equals the value derived with his or her ei; preceding key materials will not yield the same value. Hence, malicious users cannot mount a replay attack successfully.
4.1.4 Sender impersonation attack
The sender impersonation attack was presented by Yoon and Yoo. It means that an adversary impersonates a legitimate sender to send a forged message to a receiver. In our scheme, the receiver checks the signature Y produced by the sender in Step S6 and M4. Because of the properties of a cryptographically secure one-way hash function, it is hard to find a collision corresponding to the forged content. In addition, an adversary who does not know the sender's secret key cannot produce a correct signature for the forged message. Therefore, the sender impersonation attack cannot succeed.
4.1.5 E-mail server impersonation attack
The e-mail server impersonation attack was presented by Yoon and Yoo. An adversary impersonates a legitimate e-mail server to obtain all messages transmitted between senders and receivers. In our scheme, the e-mail server only relays the messages sent by the sender. Even if an adversary tricks the receiver, the adversary only obtains ciphertexts of the content and of the short-term session key, which are secured by the receiver's public key. Because of the properties of the RSA public key system, the adversary cannot recover the content encrypted with the receiver's public key. Thus, our scheme resists the e-mail server impersonation attack.
4.1.6 Forgery attack
The forgery attack means that an adversary sends bogus messages for authentication. In our scheme, the sender sends the messages in Step S6 and M4, which are signed with the sender's secret key. The receiver can check the validity of the messages with the sender's public key. Hence, an adversary cannot successfully mount a forgery attack in our scheme.
4.1.7 Insider attack
The insider attack means that malicious operators of e-mail servers can learn the short-term session key shared between the sender and receiver. The malicious node can use the short-term session key to eavesdrop on the e-mail content or to send bogus messages. In our scheme, the short-term session key is known only to the sender and receiver. Even if a malicious operator of the e-mail server collects the messages transmitted between the sender and receiver, he or she cannot derive the short-term session key.
We summarize the resistance to the aforementioned attacks for the previously proposed schemes [7, 9-12] in Table 1. “О” means good resistance to the corresponding attack, whereas “Х” means no resistance to the corresponding attack. “▵” means incomplete resistance to the corresponding attack.
Table 1. Security analysis of the secure e-mail protocols.
Table 1 shows that the scheme by Sun et al. can only partially satisfy perfect forward secrecy because the second protocol in their scheme does not satisfy it. Neither the scheme by Lin et al. nor the scheme by Kim et al. can completely satisfy perfect forward secrecy. The main reason is that the receiver's secret key or password is involved in the procedures for establishing or deriving the short-term session key.
In Table 1, the scheme by Sun et al. cannot resist the aforementioned attacks because an adversary can make use of preceding messages transmitted between the sender and receiver to fool verifiers: the sender and receiver cannot distinguish preceding key materials from current ones. The schemes by Lin et al. and Kim et al. suffer from the aforementioned attacks for the same reason as the scheme by Sun et al. For the scheme by Chang et al., compromising a user's password may cause security flaws; hence, their scheme can resist only some of the attacks. Note that PGP and the scheme by Sun et al. can resist insider attacks because the e-mail server is not involved in establishing the short-term session key. The schemes by Lin et al. and Kim et al. cannot resist the insider attack because the e-mail server can learn the interactive key shared between the sender and receiver.
4.2 Computation complexity
In this section, we analyze the computation complexity of our scheme. We evaluate the complexity with the metrics of rounds of modular exponentiation, one-way hash function operations, encryption operations, and decryption operations. In this paper, we focus only on the complexity of the sending phase and the receiving phase.
We assume that the sender needs to send the e-mail to k receivers. The sender in our scheme needs k + 2 rounds of exponentiation for computing the message X in Step M3, excluding the verification of signatures. In addition, the sender needs a single one-way hash function operation and one signature computation. The computation of the digest of the e-mail content is counted as one round of one-way hash function operation. We summarize the computation cost of PGP, of the schemes by Sun et al., Lin et al., Kim et al., and Chang et al., and of our scheme in Table 2. “E”, “S”, and “R” denote the e-mail server, the sender, and one of the receivers, respectively. Table 2 shows that our scheme needs to sign the short-term session key only once, compared with the schemes by Sun et al., Kim et al., and Chang et al.
Table 2. Computation comparison of the e-mail security protocols.
5 CONCLUSION
We have proposed a secure multicast key protocol for e-mail systems to deal with the computation complexity and the security problems of transmitting a sensitive electronic mail to a group of users. Our scheme utilizes the CRT to encapsulate the key materials of the short-term session key into a single transmission. Therefore, the distribution of the short-term session key is similar to the original operations in present e-mail protocols. An e-mail sender can save the computation cost and time delay of signing the short-term session key. Through the security analysis, we showed that our scheme satisfies perfect forward secrecy. In addition, our scheme resists unknown key-share attacks, replay attacks, e-mail server impersonation attacks, forgery attacks, and insider attacks. We analyzed the computation complexity of our scheme and compared it with the previously proposed schemes [7, 9-12]. The result shows that our scheme avoids redundant computation compared with the other schemes. With the increase of applications on e-mail systems, the security challenges of multicasting electronic mails are unavoidable. Our scheme can ensure authentication and confidentiality for group transmission in electronic mail systems and satisfy other requirements in the real world.
This work was supported in part by Asia University, Taiwan, under Grant 100-asia-34 and also by the National Science Council, Taiwan, China, under Grant NSC99-2221-E-468-011.