510 IEEE COMMUNICATIONS LETTERS, VOL. 10, NO. 6, JUNE 2006

Robust E-Mail Protocols with Perfect Forward Secrecy

Bum Han Kim, Jae Hyung Koo, and Dong Hoon Lee

Abstract— Recently, Sun et al. proposed a practical e-mail protocol providing perfect forward secrecy, but Dent showed that their protocol does not actually provide perfect forward secrecy. In this letter, we propose two new robust e-mail protocols which indeed guarantee perfect forward secrecy.

Index Terms—Cryptography, e-mail, network security, perfect forward secrecy.

I. INTRODUCTION

PERFECT forward secrecy (PFS) means that the exposure of sender's or recipient's long-term secret keys does not compromise previous session keys. PFS is usually provided by an interactive key agreement scheme such as the ephemeral Diffie-Hellman key agreement scheme. But it is difficult to adapt it to a store and forward system like an e-mail system, since a sender cannot maintain the correspondence with a recipient in the protocol.

Recently, Sun et al. proposed two e-mail protocols providing perfect forward secrecy [4]. The first protocol requires the receiver to hold a portable device, hence it is not practical. The second protocol is based on the Certificate of Encrypted Message Being a Signature (CEMBS) [1]. In the second protocol, a session key is established between a sender and a recipient using two keying materials. These keying materials are transmitted to the recipient in such a way that one is encrypted by the recipient's long-term public key and the other is encrypted by a long-term key shared between the e-mail server and the recipient. Consequently, as shown by Dent in [2], the exposure of the recipient's two long-term keys directly reveals all previous session keys.

In this letter, we propose two practical e-mail protocols providing PFS in which an additional short-term key is established between an e-mail server and a recipient using the Diffie-Hellman key exchange.
The e-mail server sends to the recipient the keying material using this short-term key. Hence, the exposure of long-term keys does not affect the secrecy of previous session keys.

Manuscript received December 22, 2005. The associate editor coordinating the review of this letter and approving it for publication was Prof. Iakovos Venieris. This research was supported by the MIC (Ministry of Information and Communication), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Assessment).
The authors are with the Graduate School of Information Security, CIST, Korea University, Seoul, Korea (e-mail: donghlee@korea.ac.kr).
Digital Object Identifier 10.1109/LCOMM.2006.06005.

TABLE I
NOTATION USED IN PROTOCOLS

$A, B, S$          The sender, the recipient and the e-mail server, respectively.
$id_X$             An identity of $X$ (e.g., e-mail account).
$pk_X$             A public key of $X$.
$sk_X$             A secret key of $X$ corresponding to $pk_X$.
$a, b, s$          Signing keys of $A$, $B$, and $S$, respectively.
$k$                A short-term key.
$t, w, x, y, z$    Random numbers.
$p, q$             Large prime numbers.
$m$                A message.
$S_s(m)$           A signature with signing key $s$ on a message $m$.
$E_k(m)$           A symmetric encryption of a plaintext $m$ using a symmetric key $k$.
$E_{pk_X}(m)$      A public encryption of a plaintext $m$ using a public key $pk_X$.
$MAC_k(m)$         A message authentication code on $m$ using a secret key $k$.
$PRF(k)$           A pseudo-random value of $k$ using a pseudo-random function $PRF$.

Fig. 1. Protocol 1

(Sending Phase)
A → S: $id_A$
S → A: $g^y$
A → S: $E_{pk_B}(g^x)$, $E_k(m)$, $S_a(g^y \| E_{pk_B}(g^x) \| E_k(m))$

(Receiving Phase)
B → S: $id_B$, $g^z$
S → B: $E_{k\tau}(y)$, $g^w$, $E_{pk_B}(g^x)$, $E_k(m)$, $S_a(g^y \| E_{pk_B}(g^x) \| E_k(m))$

II. ROBUST E-MAIL PROTOCOLS WITH PERFECT FORWARD SECRECY

In this section, we describe two protocols providing PFS. Protocol 1 is an improved version of Sun et al.'s second protocol and follows a modular approach, i.e., any public key cryptosystem can be employed.
Protocol 2 is more efficient than the first one, using the concept of the well-known signcryption of Zheng [5]. Throughout the letter, we employ the notation in Table I.

A. Protocol 1

(Sending Phase) When $A$ wants to send an e-mail to $B$, $A$ sends its identity $id_A$ to $S$. Upon receiving $id_A$, $S$ randomly selects $y$, computes $g^y \bmod p$, and sends it to $A$. $A$ randomly chooses $x$ and computes a session key $k = (g^y)^x \bmod p$. Next, $A$ encrypts the e-mail contents $m$ with $k$ and $g^x \bmod p$ with $pk_B$, then signs $g^y \| E_{pk_B}(g^x \bmod p) \| E_k(m)$. Finally, $A$ transmits $E_{pk_B}(g^x \bmod p)$, $E_k(m)$, and $S_a(g^y$

1089-7798/06$20.00 © 2006 IEEE
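The key flow of Protocol 1 (Fig. 1 and the sending phase above), as an added Python example that is not code from the letter: it shows that B needs both $g^x$ (protected by the long-term $sk_B$) and $y$ (wrapped under an ephemeral server-recipient key) to rebuild $k$, so $sk_B$ alone yields only $g^x$. Assumptions: the toy group `P`, `G`; textbook ElGamal standing in for $E_{pk_B}$; an HMAC-SHA256 keystream standing in for $E_k$; the short-term key derived as a hash of $(g^z)^w$; B computing $k = (g^x)^y$; the signature $S_a$ omitted; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy group, constructed for illustration only: far too small for real use.
P, G = 2**127 - 1, 3

def rand_exp() -> int:
    return secrets.randbelow(P - 2) + 1

def kdf(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def sym(key: bytes, data: bytes) -> bytes:
    # Stand-in for E_k: XOR with an HMAC-SHA256 counter keystream (self-inverse).
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def pk_enc(pk: int, v: int):
    # Stand-in for E_{pk_B}: textbook ElGamal over the toy group.
    r = rand_exp()
    return pow(G, r, P), v * pow(pk, r, P) % P

def pk_dec(sk: int, ct) -> int:
    return ct[1] * pow(ct[0], P - 1 - sk, P) % P

def send_phase(pk_b: int, m: bytes):
    y = rand_exp()                       # S picks y and sends g^y to A
    x = rand_exp()                       # A picks x
    k = kdf(pow(pow(G, y, P), x, P))     # k = (g^y)^x mod p
    stored = {"gy": pow(G, y, P), "c_gx": pk_enc(pk_b, pow(G, x, P)), "c_m": sym(k, m)}
    return stored, y, k                  # S keeps y until B fetches the mail

def deliver(stored: dict, y: int, gz: int) -> dict:
    w = rand_exp()                       # S's ephemeral exponent
    k_sb = kdf(pow(gz, w, P))            # assumed short-term key: (g^z)^w
    return dict(stored, gw=pow(G, w, P), c_y=sym(k_sb, y.to_bytes(16, "big")))

def receive(sk_b: int, z: int, msg: dict) -> bytes:
    y = int.from_bytes(sym(kdf(pow(msg["gw"], z, P)), msg["c_y"]), "big")
    k = kdf(pow(pk_dec(sk_b, msg["c_gx"]), y, P))    # k = (g^x)^y mod p
    return sym(k, msg["c_m"])

def demo(m: bytes = b"constructed sample mail body"):
    sk_b = rand_exp()                    # B's long-term key pair
    pk_b = pow(G, sk_b, P)
    stored, y, k = send_phase(pk_b, m)
    z = rand_exp()                       # B's ephemeral exponent, sent as g^z
    msg = deliver(stored, y, pow(G, z, P))
    plain = receive(sk_b, z, msg)
    leaked_gx = pk_dec(sk_b, msg["c_gx"])   # all that sk_b gives once x, y, z, w are erased
    return plain, leaked_gx, msg["gy"], k
```

With `x`, `y`, `z` and `w` erased, an adversary holding `sk_b` and the transcript has $g^x$, $g^y$, $g^z$ and $g^w$ but not `y`, which is what separates this flow from the one Dent broke.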