[pycrypto] Quick and Easy Email Authentication

David MacQuigg macquigg at ece.arizona.edu
Wed Feb 11 09:41:54 CST 2009


I think there is a fundamental problem with what I am proposing below.
The cipher text (authcode) has to be much longer than the four bytes I've
shown in the example, or it will be trivial to break.  Before giving up
on this approach, I thought I would check with the crypto experts on this
list.  Am I missing something simple, maybe a different algorithm than
RSA, maybe some way to do this with hashcodes?  If we can solve this
problem, it could lead to a robust, no-exceptions policy on
authentication of SMTP mail sessions.

Let me try to state the problem in more fundamental terms.  A stranger
says HELO this is f33faf76.mailout09.arizona.edu.  The only other
information you have to verify that claim is a DNS text record at
mailout09.arizona.edu. That record can hold up to 480 bytes of text.

The authcode can be a little longer than f33faf76, but the longer we make
it, the less likely senders will use it in their HELO commands.  The
shorter we make it, the more likely forgers will be able to produce a
valid authcode by brute force methods.  A lot depends on how long we
expect the authcode to remain valid.  The scheme I suggested below
returned a timestamp valid for only a few seconds, making it impractical
to try 2**32 possible authcodes. Yes, I know it can be done with
massively parallel processors, but our requirement is only enough
security to quickly screen out 99% of the forged IDs presented by petty
criminals.  More secure sites can add additional checks, including a
digital signature on the entire message.

-- Dave
************************************************************     *
* David MacQuigg, PhD    email: macquigg at ece.arizona.edu   *  *
* Research Associate                phone: USA 520-721-4583   *  *  *
* ECE Department, University of Arizona                       *  *  *
*                                 9320 East Mikelyn Lane       * * *
* http://purl.net/macquigg        Tucson, Arizona 85710          *
************************************************************     *


At 04:30 PM 2/1/2009 -0700, David MacQuigg wrote:

>I'm working on an email authentication system that needs a little more
>security.  The idea is that a sender will include an authentication code
>in the very first command to request an email session.  For example,
>arizona.edu might include the code 'f33faf76' as in:
>.
>.   HELO IDf33faf76.mailout09.arizona.edu
>.
>The receiver can then verify that this is not a forgery by getting a DNS
>record from mailout09.arizona.edu.  The simplest way to do this is for
>arizona.edu to publish that code verbatim, and change it frequently.  It
>won't take long, however, for the crooks to modify their zombies to query
>the DNS records at the victim domain, and use the same code in their
>forged HELO commands.
>
>So what we really need in the sender's DNS record is not the actual code,
>but a public key that can be used to decrypt the code and prove not only
>that it was generated by the alleged sender, but it was generated
>recently, like within a few seconds of when the HELO command was sent.
>
>I'm trying to figure out how to do this with PyCrypto, but the API
>documentation is not much help.  It would be nice to have an example
>showing encryption and decryption using RSA.
>
>Here are the stub functions I'm using:
>.
>.   def encrypt(plaintext, privkey):
>.       return 'f33faf76'
>.
>.   def decrypt(authcode, pubkey):
>.       return '315:14:45:03'     # day:hour:minute:second
>.
>Help will be greatly appreciated.  I'll be glad to help with
>documentation, once I understand how this package is used.
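
Added example, not part of the original messages: a toy version of the `encrypt`/`decrypt` stubs using textbook RSA (no padding) from the Python 3.8+ standard library rather than PyCrypto, to show that a raw RSA authcode is always as long as the modulus. The primes, the 5-second window, and the helpers `stamp`, `is_fresh`, `hex_len` and `fits_helo_label` are assumptions made for illustration; the 63-octet label limit is from RFC 1035.

```python
DNS_LABEL_MAX = 63  # RFC 1035 limit on one DNS label, in octets

# Constructed toy key, sized so the authcode is 8 hex digits like 'f33faf76'.
# A modulus this small gives no real protection; it only mirrors the post.
P, Q, E = 65521, 65537, 17
N = P * Q                              # public modulus (0xfff1fff1, 32 bits)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent

def stamp(day, hour, minute, second):
    """Pack the post's day:hour:minute:second timestamp into one integer."""
    return ((day * 24 + hour) * 60 + minute) * 60 + second

def hex_len(modulus_bits):
    """Hex digits in a raw RSA value: fixed by the modulus size."""
    return (modulus_bits + 3) // 4

def encrypt(plaintext, privkey):
    """Sender: apply the private exponent to the timestamp, return hex."""
    d, n = privkey
    return format(pow(plaintext, d, n), "0%dx" % hex_len(n.bit_length()))

def decrypt(authcode, pubkey):
    """Receiver: recover the timestamp with the key from the DNS record."""
    e, n = pubkey
    return pow(int(authcode, 16), e, n)

def is_fresh(authcode, pubkey, now, window=5):
    """Accept only a timestamp that is at most `window` seconds old."""
    return 0 <= now - decrypt(authcode, pubkey) <= window

def fits_helo_label(modulus_bits, prefix="ID"):
    """Can prefix + authcode fit in a single label of the HELO name?"""
    return len(prefix) + hex_len(modulus_bits) <= DNS_LABEL_MAX

if __name__ == "__main__":
    t = stamp(315, 14, 45, 3)                    # the post's sample timestamp
    code = encrypt(t, (D, N))
    print("HELO ID%s.mailout09.arizona.edu" % code)
    print("fresh after 3 s:", is_fresh(code, (E, N), t + 3))
    print("fresh after 60 s:", is_fresh(code, (E, N), t + 60))
    for bits in (32, 1024, 2048):
        print(bits, "bit modulus ->", hex_len(bits), "hex digits,",
              "fits in one label:", fits_helo_label(bits))
```
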



