Elsevier

Computers & Security

Volume 32, February 2013, Pages 207-218
Computers & Security

A universal system for fair non-repudiable certified e-mail without a trusted third party

https://doi.org/10.1016/j.cose.2012.11.006Get rights and content

Abstract

Certified e-mail delivery is a quickly emerging field with significant legal benefits for e-commerce and e-government. Existing service-providers provide individual solutions that rely on a trusted third party and are in general limited in their scope and interoperability; as a consequence, they are unsuitable for cross-border application as required by transnational unions like the EU.

In contrast to existing service-providers, we present a working system for certified e-mail that does not rely on a trusted third party for fair non-repudiation of receipt. We achieve fair non-repudiation of receipt through a novel protocol that involves splitting an encrypted message into a chain of parts, which the addressee gradually acquires, generating proof-of-receipt for each individual part. The protocol cryptographically prevents the addressee from obtaining the message in case they terminate the protocol prematurely.

The universality of the presented system makes it feasible for unobtrusive operation using existing user agents and e-mail providers. The system is presented as a proof-of-concept implementation for the open-source Mozilla Thunderbird user agent.

Introduction

Certified e-mail systems (CMS) are electronic imitations of certified mail in the physical world. In the physical world, we are accustomed to transmitting letters, documents and other items to the addressee using certified mail, as it gives us a valid-before-court proof that our item was dispatched and ultimately received by the person addressed. In the physical world, the addressee is handed the item upon confirming its receipt with their signature – this process of delivering the message and returning a proof-of-receipt is handled by the postal service provider, a third party which both the sender and receiver of the message trust. A fundamental purpose of CMS is to provide non-repudiable proof-of receipt that the sent message was received by the person to whom it was addressed.

Achieving non-repudiation of receipt is a relatively trivial issue, provided that the addressee is honest and confirms the receipt of the message by e.g. an electronically signed token. However, assuming such honesty in every case would be a rather naïve approach, as the sender and receiver often do not trust each other and it might be in the receiver's interest to deny its receipt.

To resolve this, various protocols for fair non-repudiation have been developed since the 1990s (Kremer et al., 2002), which either do or do not involve a trusted third party (TTP) as the mediator between the sender and receiver of communication. Fair non-repudiation protocols prevent either party from gaining unfair advantage and ensure that the addressee obtains the message if, and only if, the sender receives a proof-of-receipt. Fair non-repudiation is essential for CMS.

Over the last few years, European governments fostered the development of CMS, which are required in an increasingly paperless e-government. However, Tauber's recent survey of European CMS providers (Tauber, 2011) reveals that there is not a common view on their security properties, and that all CMS systems are autonomous, mostly closed systems which all utilize TTPs to provide their paying clients with the desired functionality.

Tauber (2011) identifies this lack of interoperability as a significant issue with regard to the EU Services Directive (2006/123/EC), which as he notes, “forces EU Member States to make national eGovernment infrastructures interoperable.” Furthermore, he identifies the presence of many heterogeneous and incompatible CMS as a burden for users, who “want to have one single mailbox, as in the e-mail world [and] should not be burdened with additional registrations, costs and familiarization with new systems when sending deliveries to recipients registered in different CMS.”

CMS are often required by business exclusively for communication with governments, hence “businesses, which operate in multiple countries and take part in competitive tendering procedures or communicate with foreign public agencies, are forced to register accounts with multiple CMS.” (Tauber, 2011) Thus, it is the individual governments who require companies to use these services, so that governmental agencies obtain either non-repudiable proof-of-receipt or proof-of-delivery. Furthermore, many government-driven CMS providers, such as the Austrian Document Delivery System (Tauber, 2011) or the Slovenian System for Secure Electronic Delivery (SVEV)1 only allow for one direction of message flow, namely from a governmental agency to the receiver.

To provide users with a homogenized CMS landscape, Tauber et al. (2012) propose and demonstrate a new interoperability standard, which uses electronic delivery-gateways to achieve interoperability between heterogeneous CMS in terms of technology, semantics and required procedures. This standard would allow users to register with only one CMS provider, but be able to send and receive messages dispatched from within other systems. A different, clean-slate approach, has been proposed by Gennai et al. (2012).

The interoperability approach chosen by Tauber et al. (2012) is related to the system-of-systems approach used for bridging the incompatibilities of heterogeneous electronic-identity (e-ID) providers in Europe; in fact, both interoperability research endeavors are funded by the STORK2 project. Both e-ID and CMS solutions share common similarities: in both fields, national governments are an important driver behind the development of closed, non-standardized systems, which must be used by citizens and businesses to interact with the state for certain operations. The developments in both fields are based on ambiguous legislation and have yielded a variety of proprietary systems, which are not interoperable.

Research in the e-ID field has revealed that the available systems are highly unpopular, with a voluntary user-uptake of only 0–2% (Rissanen, 2010; Kubicek, 2011). Although scientific research on the user-uptake of CMS does not yet (to the best of our knowledge) exist, there seems to be informal consensus among researchers that many CMS “struggle to take off” (Gennai et al., 2012) – inter alia due to “different paradigms of use compared to what users are used to” (Gennai et al., 2012).

Information technology history suggests that the key to success of new technologies lies in their simplicity of use and the significance of the added value they provide. However, unlike pioneering technologies in the early 1990s – e.g. the Web (Berners-Lee et al., 1992) as an early interoperability technology, which targeted an open professional audience, modern users are less welcoming in adopting new technology in order to achieve results that are similar to what they can achieve already. Interesting data in this regard comes from Finland, where research shows that 99.9% of users prefer using a well-established private e-banking e-ID credential system for e-government applications over the more complex and secure national e-ID (Rissanen, 2010).

Virtually everyone who is online has an e-mail address and uses e-mail to communicate with friends, family and businesses. Virtually any company, NGO and government agency makes their e-mail address available as part of their web presence – in the case of governmental organizations this is frequently a requirement imposed by law. According to estimates from The Radicati Group (2012), as of 2012 there are more than 3.3 billion active accounts, with 22% (ca. 726 million) of them belonging to Europeans. These numbers suggest that replacing traditional e-mail for a novel, more complex system is not a viable option.

In this article we developed and instantiated a novel certified electronic mail (CEM) protocol that uses existing e-mail systems for certified e-mail delivery. Due to the reasons described beforehand, we chose not to rely on a TTP to achieve fair non-repudiation of receipt. Through this, we not only prevented the conspiracy problem where a fraudulent TTP would misuse its position, but also allowed for the users to continue using their existing tools without obtrusion.

In section 3 we will describe how the developed protocol was instantiated as a system for the Microsoft .NET platform and the Mozilla Thunderbird e-mail client; in section 4 we will evaluate our solution in the context of Slovenian law to evaluate its suitability under realistic requirements.

Finally, in section 5 we will conclude with a discussion on the feasibility of using probabilistic protocols for certified e-mail delivery.

The research presented in this article is part of a wider study towards the development of a sustainable system for non-bureaucratic governance of legal relations. In this article we aim to define a sustainable platform for universal message exchange in such system.

Section snippets

Certified electronic mail

The requirements for certified electronic mail (CEM) protocols are a well-researched topic. Thus, in a survey of these requirements Ferrer-Gomilla et al. (2010) found that “almost everybody agrees [that certified electronic mail protocols] must support evidence of message origin [NRO] and evidence of submission [NRS]. Other kinds of evidence are not as consensual, as the evidence of notification to the recipient of the availability of a dropped message or the evidence of delivery/download.”

The protocol

Known probabilistic protocols (Markowitch and Roggeman, 1999; Mitsianis, 2001) require the synchronous involvement of both the originator and the addressee during the execution of the protocol. However, synchronous interaction would be an unrealistic prerequisite for CMS systems. This is because e-mail communication relies on the assumption that one human partner is off-line while the other is active.

For our protocol, we assume a human originator/sender Alice, a human addressee Bob, and an

Evaluation

The proposed protocol and its experimental instantiation in the form of the presented prototype represents a novel system, which significantly differs from other known systems for certified e-mail exchange.

To the best of our knowledge, no other solution for certified e-mail exchange exists, which would not actively involve a trusted third party. Therefore, it is impossible to argue the feasibility of our protocol in terms of directly improved performance in comparison with other CMS systems.

To

Security discussion

Our solution crucially relies on a public information system – the “pub”, which is under the sole control of the sending party. Our pub discloses separate parts of the transmitted message to the addressee, based on their request. Each request for a part of the message includes a non-repudiable confirmation of possession of the previous part, which is the NRR evidence for the previous part.

The utilization of a pub has already been proposed before (Han, 1996), however this approach has been

Conclusion

In this paper, we described a novel probabilistic protocol for fair non-repudiable message exchange using existing e-mail infrastructure. We described an instantiation of this protocol for the Mozilla Thunderbird client and demonstrated that the proposed solution can handle the same requirements as established CMS systems.

To the best of our knowledge, our solution is the first and so far only attempt, to use a probabilistic fair non-repudiation protocol in a CMS system and thus the only CMS

Acknowledgments

The authors thank Christoph Thuemmler, Marko Hölbl and Sahar Sahebdivan for their support in the creation of this article and Michael Manske for proof reading. Furthermore, the authors acknowledge the European funded Project UNITE (FP7 248583), namely its secondment programme coordinated by UNINOVA-GRIS, that supported the development of various ideas and concepts presented in this paper.

Alois Paulin is PhD student of informatics at the Institute of Informatics at the Faculty of Electrical Engineering and Computer Science, University of Maribor, Slovenia and research secondee at the Institute for Informatics & Digital Innovation at Edinburgh Napier University, United Kingdom. His main research interest is the development of advanced governance of legal relations and electronic legal subjectivity in the Future Internet domain. Alois Paulin has appeared at a significant number of

References (38)

  • DE-BT

    Verwaltungsverfahrensgesetz, BGBl. I

    (2003)
  • J. Feng et al.

    Fair non-repudiation framework for cloud storage: part II

  • F. Gennai et al.

    Certified electronic mail – draft-gennai-appsawg-cem-01

    (2012)
  • Y. Han

    Investigation of non-repudiation protocols

  • ITU-T

    Recommendation F.400/X.400 – series X: data networks and open system communications, message handling system and service overview

    (1999)
  • H. Kubicek

    Akzeptanzprobleme sicherer elektronischer Identitäten

    Datenschutz und Datensicherheit – DuD

    (2011)
  • O. Markowitch et al.

    Probabilistic non-repudiation without trusted third party

  • MDN

    Mozilla developer network – gloda [WWW document]

    (2011)
  • MDN

    Mozilla developer network – thunderbird [WWW document]

    (2012)
  • Cited by (26)

    View all citing articles on Scopus

    Alois Paulin is PhD student of informatics at the Institute of Informatics at the Faculty of Electrical Engineering and Computer Science, University of Maribor, Slovenia and research secondee at the Institute for Informatics & Digital Innovation at Edinburgh Napier University, United Kingdom. His main research interest is the development of advanced governance of legal relations and electronic legal subjectivity in the Future Internet domain. Alois Paulin has appeared at a significant number of international conferences worldwide, contributing to development of e-Governance, Liquid Democracy, Open Data and Cyberlaw; his research was noticed by national and international popular and professional media.

    Tatjana Welzer is full professor in informatics and head of the Data Technology Laboratory at the Institute of Informatics at the Faculty of Electrical Engineering and Computer Science, University of Maribor, Slovenia. Her research interests include computer security, cultural and human factors of computer security, databases, database modeling and cultural issues at database modeling.

    View full text