+% begin text
+
+\banner
+
+\section{Introduction}
+Initially,
+a brief model of a user community employing a trusted mail service is
+introduced.
+Following this introduction,
+a prototype system is described which attempts to meet the needs of a user
+community.
+Finally,
+open issues are discussed,
+which are currently not satisfied by the prototype system or its model of
+operation.
+
+Two or more entities,
+called {\it users},
+wish to communicate in a {\it secure} environment.
+Depending on their available resources,
+different levels of security are possible.
+At the extreme,
+two parties with substantial resources may wish to communicate in a fashion
+which prevents any third parties,
+known as {\it adversaries},
+from observing their communication.
+At this level,
+not only is an adversary unable to capture the communication for analysis,
+but in fact, the adversary is unaware that any communication is occurring at
+all.
+In most applications,
+this level of security is prohibitively expensive.
+A more economic method is to translate messages into a form which is useless
+to an adversary and then to communicate those messages on an insecure medium.
+
+This latter method requires the two users to have some sort of {\it key}
+with which to ``lock'' the plaintext into ciphertext when transmitting,
+and then to ``unlock'' the ciphertext back into useful form when receiving.
+Hence, there are two central issues to deal with:
+\underbar{first},
+keys must be generated, distributed, and maintained in a secure fashion;
+and,
+\underbar{second},
+the keys must be ``intricate'' enough so that sense can't be made out of the
+ciphertext without knowledge of the key.
+The first part is handled by a {\it key distribution center} (\KDC/),
+which maintains a list of users and a set of keys for each pair of users.
+The second part relies on sophisticated encryption and decryption algorithms.
+It is beyond the scope of this paper to describe cryptographic techniques in
+detail.
+For a detailed survey of this area, the reader should consult \cite{VVoyd83}.
+
+\tagfigure{1}{The \MTS/ Model}{mtsmodel}
+In the context of our discussion (using the terminology of \cite{X.400}),
+the medium used to transport is supplied
+by a {\it message transport system} (\MTS/),
+which is composed of one or more {\it message transport agents} (\MTA/s).
+Usually,
+the entire \MTS/ is distributed in nature,
+and not under a single administrative entity;
+in contrast, an \MTA/ is usually controlled by a single administration and
+resides in a particular domain.
+At every end-point in the medium,
+a {\it user agent} (\UA/) acts on behalf of a user and interfaces
+to a local \MTA/.
+This model is briefly summarized in Figure~\mtsmodel.
+
+A message, in our context, consists of two parts:
+the {\it headers} and the {\it body}.
+The headers are rigorously structured;
+they contain addressing information and other forms useful to a \UA/.
+The body is freely formatted and is usually not meaningful to a \UA/.
+
+When a message is sent from one user to another,
+the following activities occur:
+The originating user indicates to the \UA/ the address of the recipient;
+the \UA/ then posts the message through a {\it posting slot} to an \MTA/,
+which involves a posting protocol in which the validity of the address
+and the syntax of the message are considered.
+Upon successful completion of the protocol,
+the \MTA/ accepts responsibility for delivering the message,
+or if delivery fails, to inform the originating user of the failure.
+The \MTA/ then decides if it can deliver the message directly to the
+recipient;
+if so, it delivers the message through a {\it delivery slot} to the
+recipient's \UA/,
+using a delivery protocol.
+If not, it contacts an adjacent \MTA/, closer to the recipient,
+and negotiates its transfer (using a protocol similar to the posting protocol).
+This process repeats until an \MTA/ is able to deliver the message,
+or an \MTA/ determines that the message can't be delivered.
+In this latter case,
+a failure notice is sent to the originating user.
+
+\tagfigure{2}{Mappings in the \MTS/ model}{mappings}
+It is important to note that there are two mappings which occur here.
+The first, which is performed implicitly by the originating user,
+maps the name of the recipient into the recipient's address;
+the second, which is performed explicitly by the \MTS/,
+maps the address of the recipient into a route to get from the originator's
+\MTA/ to the recipient's \MTA/.
+These mappings are depicted in Figure~\mappings.
+
+Obviously, there is no guarantee that the \MTS/ can be made secure,
+in {\it any} sense of the word.
+This is particularly true if it is under several administrations.
+Regardless of the number of administrations in the \MTS/,
+this problem quickly degenerates to a problem of
+Byzantine generals\cite{LLamp82}.
+Further, trying to secure each \MTA/ in the path that a message travels is
+equally questionable.
+
+\tagfigure{3}{Modifications to the \MTS/ model}{tmodel}
+To support secure communications in this environment,
+a new entity,
+the {\it trusted mail agent} (\TMA/) is introduced into our model.
+A solution is to have the \UA/ interact with this entity
+both when posting a message and when taking delivery of a message.
+The \UA/ first contacts a \TMA/ to encrypt the body of the message for the
+recipient,
+prior to pushing it through the posting slot.
+Upon receipt from the destination \MTA/,
+the \UA/ examines the message and contacts
+the \TMA/ to decipher the body of the message from the source.
+An overview of the relationship between the standard \MTS/ model
+and the augmentations made for the \trustedmail/ system is shown in
+Figure~\tmodel.
+
+To achieve these tasks,
+the \TMA/ interacts with a {\it key distribution service} (\KDS/),
+which manages keys between pairwise users.
+At this point, a third mapping takes place:
+the \UA/ must be able to map addresses into the identifier(s)
+by which the originator and recipient are known by the \TMA/ and \KDS/.
+These identifiers are known as \KDS/ IDs, or simply IDs.
+Usually, a fourth mapping also occurs,
+which maps the ID of a user into the name of a user.
+In our context,
+there is an exact one-to-one mapping between the name of a user and the ID
+of that user.
+In contrast,
+there may be a one-to-many mapping between the name of a user and
+that user's address in the \MTS/.
+Further, there are usually many different routes which a message may traverse
+when going from an originating user to a recipient user.
+
+The \TMA/ is said to be {\it trusted} because it can be relied on to perform
+only those actions specifically requested by the user.
+In the context of this paper,
+this means, given proper construction and maintenance of the \TMA/,
+that the software will communicate with the \KDC/ in some secure fashion to
+negotiate key relationships and that it will not disclose those key
+relationships to other parties.
+Furthermore,
+the body of mail messages exchanged between users which employ
+a trusted mail agent will be unintelligible to other parties.
+Finally,
+a recipient of a message receives authenticated information from the
+trusted mail agent as to the identify of the sender.
+
+Hence,
+when each user employs a \TMA/,
+end-to-end encryption occurs at the \UA/ level
+(to avoid any problems with malicious \MTA/s).%
+\nfootnote{Note that in the scope of this system,
+the end-points are the user agents, not the hosts they reside on.
+In fact,
+it may very well be the case that the user agent and the local message
+transport agent do not reside on the same host.}
+Any adversary listening in on the \MTS/,
+may observe messages,
+but make no sense out of them
+(other than rudimentary traffic analysis).
+Note, however,
+that since the medium itself is not secure,
+an adversary may still introduce new messages,
+corrupt messages,
+or remove messages,
+as they traverse the \MTS/.
+In the first two cases, however,
+the recipient would be suspicious
+because the adversary lacks the encrypting key employed by the source user.
+In the third case,
+the source user can retransmit the message after a suitable time.
+Of course,
+there is no built-in retransmission policy~---~this aspect depends on the
+user's sending mail and is beyond the scope of the system.
+
+It is important to understand the target community for the \trustedmail/ system
+described herein.
+In particular,
+the \TMA/ is intended for a commercial and not a military environment.
+This distinction is important,
+since it is the {\it fundamental} assumption of this paper that
+the latter community has much stricter requirements than the former.
+Because of this,
+the prototype system is able to make certain simplifying assumptions which
+permit it to operate in a mode which is less secure than military
+applications would permit.
+Although these issues are explored in greater detail at the end of the paper,
+for the moment recall that, like most qualities, trustedness is not absolute:
+there are varying degrees of trustedness,
+and as a system becomes more trusted,
+it becomes more expensive, in some sense, to operate and maintain.
+
+It is perhaps instructive at this point to consider why the introduction of a
+key distribution center is appropriate in this environment,
+and why the {\it fundamental} assumption that trusted mail agents do not
+directly communicate with each other is necessary.
+Although a user agent is able to converse with the local message transport
+agent in real-time,
+it is frequently not able to communicate with other user agents in real-time.
+Furthermore,
+considering the vast problems and overhead
+of trying to establish secure communications from ``scratch''
+(a problem far beyond the scope of this paper),
+it is would not be a good idea to try and communicate key relationships with
+other user agents,
+even if it were always possible to do so.
+In addition,
+by separating the trusted aspects of the message transport system from the
+system itself,
+many other advantages can be seen.
+These are presented in greater detail at the end of the paper.
+
+The discussion thus far has considered only a single recipient.
+In practice, a user might wish to send to several others,
+using a different key for each.
+Hence each copy of the message is encrypted differently,
+depending on the particular recipient in question.
+Note that this has the effect of {\it un-bundling} message transfer in the
+\MTS/,
+as advanced \MTA/s tend to keep only a single copy of the message for any
+number of recipients in order to save both cpu, disk, and I/O resources.
+
+For example,
+in some existing mail systems,
+if a message was sent to $n$ users on a remote system,
+then the $n$ addresses would be sent from the source \MTA/ to the remote \MTA/
+along with one copy of the message.
+Upon delivery,
+the remote \MTA/ would deliver a copy to each of the $n$ recipients,
+but the virtual wire between the source \MTA/ and the recipient \MTA/ was
+burdened with only one copy of the message.
+But in a secure environment,
+since a different key is used by the source user when communicating with each
+of the $n$ recipients,
+$n$ different messages will be posted with the local \MTA/,
+and the advantages of recipient bundling are lost.
+
+Along these lines however,
+private discussion groups may wish to avoid this problem by establishing
+access to a single ID for their use.
+In this case,
+a subscriber to the \KDS/ may actually have more than one ID,
+one for ``personal'' use and one for each discussion group.
+The appropriate ID is used when posting messages to the discussion group.
+Naturally the administrative policy for deciding who is allowed to use the
+\KDS/ ID of a discussion group is left to the moderator of the group.
+Observant readers will note that this vastly decreases the aspect of
+secure communications for the discussion group.
+This method is suggested as a compromise
+which permits the bundling of messages for multiple recipients
+to reduce \MTS/ traffic.
+The price is high however,
+as a compromise on behalf of {\it any} member of the discussion group
+compromises the entire group.
+For large discussion groups and a bandwidth limited \MTS/,
+this price may be worth paying.
+The prototype implementation of the \TMA/ supports multiple recipients but
+not multiple \KDS/ IDs.
+
+Having described this environment for communication,
+the designs of a \KDS/ and \TMA/ which form the heart of the \TTI/
+\trustedmail/ system are discussed.
+The prototype system was developed on a \vax/-11/780 running 4.2\bsd/ \unix/.
+The system is based on the \ansi/ draft\cite{FIKM}
+for financial key management,
+but diverges somewhat in operation
+owing to the differences between the electronic mail (CBMS)
+and electronic funds (EFT) environments.
+Note however that the \ansi/ data encryption algorithm\cite{DEA,FIPS46} is
+used in the current implementation.
+A public-key cipher system was not considered as the basis for the prototype
+since, to the authors' knowledge,
+an open standard for a public-key system has yet to be adopted by the
+commercial community.
+In contrast,
+the \ansi/ draft for financial key management appears to be receiving
+wide support from the commercial community.
+
+\tagtable{4}{Abbreviations used in this paper}{terms}
+In the description that follows,
+a large number of acronyms are employed to denote commonly used terms.
+In order to aid the reader,
+these are summarized in Table~\terms.
+
+\section{The Key Distribution Service}
+The prototype version of the \KDS/
+was designed to provide key distribution services for
+user agents under both the same or different administrations.
+As a result,
+the means by which a trusted mail agent connects to a key distribution server
+is quite flexible.
+For example,
+the prototype system supports connections via
+standard terminal lines,
+dial-ups (e.g., over a toll-free 800 number),
+\unix/ pipes,
+and over TCP sockets\cite{IP,TCP}.
+In the interests of simplicity,
+for the remainder of this paper,
+a TCP/IP model of communication is used.
+Initially,
+a server on a well-known service host in the ARPA Internet community
+listens for connections on a well-known port.%
+\nfootnote{The term {\it well known} in this context means that the
+location of the service is known {\it a priori} to the clients.}
+As each connection is established,
+it services one or more transactions over the lifetime of the session.
+When all transactions for a session have been made,
+the connection is closed.
+If the necessary locking operations are performed by the server
+to avoid the usual database problems,
+then more than one connection may be in progress simultaneously.
+Of course,
+a time-out facility should also be employed to prevent a rogue agent from
+monopolizing the key distribution server.
+
+Once a session has been started,
+the client (a.k.a.~\TMA/) initiates transactions with the server
+(a.k.a.~\KDS/).
+Each transaction consists of the exchange of two or three
+{\it cryptographic service messages} (\CSM/s):
+the client sends a request,
+the server attempts to honor the request and sends a response,
+and,
+if the server responded positively,
+the client then acknowledges the transaction.
+By exchanging these cryptographic service messages,
+the \KDS/ and the \TMA/ are able to communicate key relationships.
+Obviously, the relationships themselves must be transmitted in encrypted
+form.%
+\nfootnote{Otherwise an adversary could simply impersonate a \TMA/ and ask
+for the desired key relationships.
+Similarly, this also prevents an adversary from successfully impersonating a
+key distribution server.}
+Hence, not only are key relationships between two \TMA/s communicated,
+but key relationships between the \KDS/ and the \TMA/ are communicated as well.
+
+This leads us to consider the key relationships that exist
+between a \TMA/ and the \KDS/.
+A client usually has three keys dedicated for use with the server.
+The first is the {\it master key} (denoted MK),
+which has an infinite cryptoperiod, and is rarely used.
+This key is distributed manually.
+The second is the {\it key-encrypting key} (denoted KK),
+which has a shorter cryptoperiod.
+Whenever a KK is transmitted to the \TMA/,
+it is encrypted with the master key.
+The third is the {\it authentication key} (denoted KA),
+which is used to authenticate transactions that do not contain data keys
+(a count field is also used to avoid play-back attacks).
+Whenever a KA is transmitted to the \TMA/,
+it is encrypted with the key-encrypting key.
+When transactions contain keys,
+an associated count field is included to indicate the number of
+keys encrypted with the key-encrypting key used.
+Although not used by the prototype implementation,
+a production system would employ audit mechanisms to monitor usage histories.
+
+Currently four types of requests are honored by the \KDS/:
+two key relationship primitives, and two name service primitives.
+The type is indicated by the {\it message class} (MCL) of the first
+cryptographic service message sent in the transaction.
+As each message class is discussed,
+the appropriate datastructures used by the \KDS/ are introduced.
+Space considerations prevent a detailed description of the information
+exchanged in each transaction.
+Appendix~B of this paper presents a short example of an interaction between
+the \KDS/ and a \TMA/.
+
+The first two requests are used to create (or retrieve) key relationships,
+and to destroy key relationships:
+
+The {\it request service initialization} (RSI) message class
+is used to establish a {\it key-encrypting key} (KK) relationship
+between the \TMA/ and another \TMA/,
+or between the \TMA/ and the \KDS/.
+As implied by the name,
+a key-encrypting key is used to cipher keys which are used to cipher data
+exchanged between peers.
+These other keys are called {\it data keys} (KDs).
+
+The {\it disconnect service message} (DSM) message class
+is used to discontinue a KK-relationship
+between the \TMA/ and another \TMA/,
+or between the \TMA/ and the \KDS/.
+This prevents keys which are felt to have been compromised,
+or are vulnerable to compromise,
+from receiving further use in the system.
+It should be noted that,
+owing to mail messages (not \CSM/s) in transit,
+a discontinued key relationship
+may be needed to decipher the key used to encipher a mail message.
+The prototype \KDS/ supports this capability.
+
+In addition to maintaining an MK/KK/KA triple for each \TMA/,
+the \KDS/ also remembers KK-relationships between \TMA/s.
+The reason for this stems from a fundamental difference between the
+electronic funds transfer and computer-based message system worlds.
+The \KDS/ assumes that no two arbitrarily chosen \TMA/s can communicate in
+real-time,
+and as a result,
+\TMA/s do not exchange cryptographic service messages.
+(See Appendix~C for a more detailed discussion.)
+This means that when a \TMA/ establishes a KK-relationship with another \TMA/,
+the former \TMA/ may start using the KK before the latter \TMA/ knows of the
+new KK-relationship.
+In fact,
+it is quite possible for a KK-relationship to be established,
+used,
+and then discontinued,
+all unilaterally on the part of one \TMA/.
+It is up to the \KDS/ to retain old cryptographic material
+(possibly for an indefinite period of time),
+and aid the latter \TMA/ in reconstructing KK-relationships as the need arises.
+Naturally,
+discontinued KKs are not used to encode any new information,
+but rather to decode old information.
+(Again, refer to Appendix~C for additional details.)
+
+The other two requests are used to query the directory service aspects of the
+key distribution server:
+
+The {\it request user identification} (RUI) message class
+is used to identify a subscriber to the \KDS/.
+Both the \KDS/ and \TMA/ are independent of any underlying mail transport
+system (\MTS/).
+As a result,
+a subscriber to the \KDS/ is known by two unique attributes:
+a ``real-world'' name,
+and a \KDS/ identifier (ID).
+The user of a mail system,
+or the \UA/,
+is responsible for mapping an \MTS/-specific address
+(e.g., {\tx MRose@UDEL.ARPA})
+to the person associated with that maildrop
+(e.g., \eg{Marshall\ T.\ Rose}).
+When conversing with the \KDS/,
+the \TMA/ uses the \KDS/ ID of another user to reference that person's \TMA/.
+Since it is inconvenient to remember the IDs (as opposed to people's names),
+the \KDS/ provides the RUI message class to permit a \TMA/ to query the
+mapping between names and IDs.
+If the \KDS/ cannot return an exact match,
+it may respond with a list of possible matches
+(if the identifying information given was ambiguous),
+or it may respond with a response that there is no matching user.
+
+Finally,
+the {\it request identified user} (RIU) message class
+performs the inverse operation:
+given a \KDS/ ID, a ``real-world'' name is returned.
+This request is useful for disambiguating unsuccessful RUI requests
+and in boot-strapping a \TMA/.
+
+The \KDS/ maintains two directories:
+a private directory and a public directory.
+The private directory contains all information on all clients to the \KDS/.
+The public directory is a subset of this,
+and is used by the \KDS/ when processing RUI and RIU requests.%
+\nfootnote{In the prototype implementation,
+the two directories are, for the moment, identical.}
+As a result,
+certain clients of the \KDS/ may have unlisted IDs and names.
+
+\section{The Trusted Mail Agent}
+The prototype version of the \TMA/
+was designed to interface directly to the user agent in order to maximize
+transparency to the user.
+In present form,
+the \TMA/ is available as a load-time library under 4.2\bsd/ \unix/,
+although efforts are currently underway to transport the \TMA/ to a PC-based
+environment.
+
+The software modules which compose the \TMA/ contain a rich set of interfaces
+to the \KDS/.
+In addition,
+the \TMA/ manages a local database,
+so responses from the \KDS/ may be cached and used at a later time.
+In all cases,
+the \KDS/ is consulted only if the information is not present
+in the \TMA/ database,
+or if the information in question has expired (e.g., KK-relationships).
+This caching activity minimizes connections to the \KDS/.
+Although connections are relatively cheap in the ARPA Internet,
+substantial savings are achieved for PCs which contact the \KDS/ over a
+public phone network (dial-up) connection.
+
+The \TMA/ performs mappings between pairs of the following objects:
+user names, \KDS/ IDs, and \MTS/ addresses.
+The \TMA/ considers all trusted mail agents, including itself,
+as a user name, \KDS/ ID, and one or more \MTS/ addresses.
+Although the \TMA/ does not interpret addresses itself,
+in order to simplify mail handling,
+the \TMA/ remembers the relationship between these objects so the user enters
+this information only once.
+
+Initially,
+when a \TMA/ is booted,
+the user supplies it with the master key and the user's \KDS/ ID.
+Both of these quantities are assigned by the personnel at the key
+distribution center,
+and subsequently transmitted to the user via an alternate, bonded service.%
+\nfootnote{In this fashion,
+the problems of boot-strapping over an unsecure medium are avoided.}
+The \TMA/ connects with the \KDS/ and verifies its identity.
+From this point on,
+the \TMA/ manages its KK-relationships between the \KDS/ and other \TMA/s
+without user intervention.
+
+The current implementation of the \TMA/ assumes a ``general memo framework''
+in the context of the Standards for ARPA Internet Text Messages\cite{DCroc82}:
+\smallskip
+{\advance\leftskip by\parindent
+\item{1.} A message consists of two parts:
+the {\it headers} and the {\it body}.
+A blank line separates the headers from the body.
+
+\item{2.} Each (virtual) line in the headers consists of a keyword/value
+pair, in which the keyword is separated from the value by a colon (:).
+The headers are rigorously structured in the sense that they contain
+addressing and other information useful to a user agent.
+
+\item{3.} The body is freely formatted and must not be meaningful to a
+user agent.
+However, as will be seen momentarily,
+the body of encrypted messages must have an initial fixed format which the
+\TMA/ enforces.
+\smallskip}
+\noindent
+This format is widely called ``822'' after the number assigned to the
+defining report\cite{DCroc82}.%
+\nfootnote{Although an 822--style framework is employed by the \TMA/ prototype,
+the 822 \eg{Encrypted:} header is not currently present in encrypted messages.
+This is due to a design decision which assumes that nothing in the headers of
+a message is sacred to the transport system,
+and that ``helpful'' munging might occur at any time.
+In the real world, such helpfulness is often a problem.}
+
+To support the cipher activities described below,
+the \TMA/ contains internal routines to perform the following DES functions:
+electronic code book (ECB) for key encryption,
+cipher block chaining (CBC) for mail message encryption,
+checksumming (CKS) for mail message and \CSM/ authentication.
+Readers interested in these different modes of operation for the DES should
+consult \cite{FIPS81}.
+
+\subsection{Encrypting Mail}
+To encipher a message, the method used is a straightforward adaptation
+of the standard encrypting/authentication techniques
+(though the terminology is tedious).
+Consider the following notation:
+\smallskip
+{\advance\leftskip by\parindent
+\itemm $a_x(s)$ the checksum of the string $s$ using the key $x$
+(DEA~{\it checksumming} authentication)
+
+\itemm $a_{x+y}(s)$ the checksum of the string $s$ using the exclusive-or
+of the two keys $x$ and $y$
+
+\itemm $e_x(y)$ the encryption of the key $y$ using the key $x$
+(DEA~{\it electronic code book} encryption)
+
+\itemm $e_{x,y}(s)$ the encryption of the string $s$ using the key $x$
+and initialization vector $y$
+(DEA~{\it cipher block chaining} encryption)
+
+\itemm $h$ the headers of the message
+
+\noindent and,
+
+\itemm $b$ the body of the message
+\smallskip}
+\noindent
+For each message to be encrypted,
+a data key, initialization vector, authentication key (KD/IV/KA)
+triple is generated by a random process.
+(It goes without saying that the integrity of the system depends on the
+process being {\it random\/}).
+Then, for each user to receive a copy of the encrypted message,
+the following actions are taken:
+
+First, the headers of the message are output in the clear.
+Then, a {\it banner} string, $i$, is constructed and placed at the beginning
+of the body of the message:
+\example ENCRYPTED MESSAGE: TTI TMA\endexample
+which identifies the message as being encrypted by the \TTI/ \TMA/.
+Following the banner string is a structure, $m$,
+which takes on the syntax and most of the semantics of a cryptographic
+service message:
+$$\displayindent=\leftskip \advance\displayindent by1.5\parindent
+ \halign{\hfil#/& \enspace#\hfil\cr
+ MCL& MAIL\cr
+ RCV& rcvid\cr
+ ORG& orgid\cr
+ IDK& kkid\cr
+ KD& $e_{kk}(ka)$\cr
+ KD& $e_{kk}(kd)$\cr
+ IV& $e_{kd}(iv)$\cr
+ MIC& $a_{ka}(b)$\cr
+ MAC& $a_{kd+ka}(m)$\cr
+}$$
+After this, the encrypted body is output, $e_{kd,iv}(b)$.
+In short, the entire output consists of
+$$h+i+m+e_{kd,iv}(b).$$
+
+The purpose of the structure $m$ is many-fold.
+The MCL field indicates the structure $m$'s type;
+currently only the type MAIL is generated and understood.
+The RCV and ORG fields identify the intended recipient of the message
+and the originator.
+The IDK field identifies the key-encrypting key, KK,
+used to encrypt the next two fields.
+The first KD field has the encrypted authentication key, KA,
+used to calculate the MIC of the plaintext of the body of the message.
+After the body of the message is deciphered, $a_{ka}(b)$ is calculated and
+compared to the value of the MIC field.
+Hence, the MIC field authenticates the message body.
+The second KD field has the encrypted data encrypting key, KD,
+which along with the encrypted initialization vector in the IV field
+was used to generate the ciphertext of the body.
+Finally, the MAC field authenticates the $m$ structure itself.
+The use of a data key, initialization vector, authentication key (KD/IV/KA)
+triple permits us to perform key distribution in a hierarchical fashion and
+allows the system to use a KK-relationship over a longer cryptoperiod
+without fear of compromise.
+
+The \TMA/ provides three primary interfaces to a \UA/ to send encrypted mail:
+the first takes a file-descriptor to a message
+and returns a structure $g$ (called a {\it group})
+describing the ciphertext version of the body
+(this structure contains a KD, IV, and KA generated at random,
+along with a file-descriptor to the plaintext headers,
+a file-descriptor to the ciphertext body,
+and the checksum of the plaintext body);
+the second takes a user entry (or \MTS/ address) and $g$,
+and returns a file-descriptor to the encrypted message
+for that user (or \MTS/ address);
+the third takes $g$ and performs clean-up operations.
+The chief advantage to this scheme of encryption
+is that if the message is to be sent to more than one recipient,
+then the MIC and the encrypted body need only be calculated once,
+since the KD, IV, and KA remain constant
+(only the KK's change with each recipient,
+hence for each copy of the encrypted message,
+only the structure $m$ need be re-calculated).
+
+There are, however, a few subtleties involved:
+\underbar{first},
+the \MTS/ usually accepts only 7--bit characters,
+so the encrypted text is exploded to consist of only printable characters;%
+\nfootnote{%
+As a rule, in all \CSM/s,
+when encrypted information is transmitted,
+it is exploded after encryption by the sender,
+and imploded prior to decryption by the receiver.}
+\underbar{second},
+since the \MTS/ may impose limits on the length of a line,
+each line of output is limited to 64~characters;
+and,
+\underbar{third},
+since the body may require trailing padding,
+during encryption
+one last unit of 8~bytes is written (and encrypted),
+naming the number of characters (presently, nulls) padded in the
+previous 8~bytes ($0\tdots7$).
+
+\subsection{Decrypting Mail}
+To decipher a message, the method is also straightforward:
+The headers are output in the clear.
+The banner string is essentially ignored,
+and the structure $m$ is consulted to identify the correct key-encrypting key.
+The \TMA/ checks to see if it knows of that KK.
+If not, it asks the \KDS/ to supply it.
+From that point,
+the KA, KD, and IV are deciphered.
+The $m$ structure is then authenticated.
+With the correct key,
+the remainder of the body is deciphered,
+and all except for the last 16~bytes are output.
+The last 8~bytes indicate how many of the previous 8~bytes should be output.
+So,
+the appropriate number of bytes is output,
+and the plaintext body is authenticated and compared to the MIC.
+Needless to say,
+as the body is deciphered,
+it is imploded back to 8--bit characters and lines are restored to their
+previous lengths.
+To indicate that the message was correctly deciphered,
+a new header of the form
+\example X-KDS-ID: orgid (originator's name)\endexample
+is appended to the headers of the message.
+Note that this provides an authentication mechanism.
+Note, further,
+that the \UA/ did not have to know the identity of the sender of the message.
+
+\section{Modifications to MH}
+\MH/ is a public domain \UA/ for \unix/,
+which is widely used in dealing with both a large number of electronic mail
+application and a large number of messages.
+Although this document does not intend to describe \MH/,
+parts of the system are described as they relate to the \TMA/.
+Readers interested in \MH/ should consult either the user's
+manual\cite{MRose85a} for a detailed description,
+or \cite{MRose85d} for a higher-level description.
+
+To modify \MH/ in order to make use of a \TMA/,
+three programs were changed (with a high degree of transparency to the user),
+and two new programs were introduced.
+
+In \MH/,
+when a user wishes to send a composed draft
+(which may be an entirely new message,
+a re-distribution of a message,
+a forwarding of messages,
+or a reply to a message),
+the user invokes the \pgm{send} program.
+This program performs some minor front-end work for a program called
+\pgm{post} which actually interacts with the \MTS/.
+A new option to the \pgm{send} and \pgm{post} programs,
+the \switch{encrypt} switch,
+is introduced.
+If the user indicates
+\example send\ -encrypt\endexample
+then \pgm{post} encrypts the messages it sends.
+
+When sending an encrypted message,
+\pgm{post} first checks that each addressee has a mapping to a \KDS/ ID
+during address verification.
+Then, instead of batching all addresses for a message in a single posting
+transaction,
+for each addressee,
+\pgm{post} consults the \TMA/ for the appropriately encrypted text and
+posts that instead.
+(Appendix~A discusses the reasons for this more fully.)
+Hence,
+assuming the user has established mappings between \MTS/ addresses
+and \KDS/ IDs,
+the \TMA/ does all the work necessary to encrypt the message,
+including contacting the \KDS/ as necessary.%
+\nfootnote{Once the \TMA/ establishes a connection to the \KDS/,
+it retains that connection until the \UA/ terminates.
+This is done to minimize connections to the \KDS/.
+In the context of \MH/,
+since the trusted mail agent is active over the lifetime of an invocation of
+a program such as \pgm{post},
+this means that the connection is terminated just before the program
+terminates.}
+
+In \MH/,
+when a user is notified that new mail has arrived,
+the \pgm{inc} program is run.
+As each message is incorporated into the user's message handling area,
+a scan (one-line) listing of the message is generated.
+
+By default,
+the \pgm{inc} program upon detecting one or more encrypted messages,
+after the scanning process,
+asks the \TMA/ to decipher the message,
+and if successful,
+scans the deciphered messages.
+This action can be inhibited with the \switch{nodecrypt} switch.
+Hence, if the user wishes to retain messages in encrypted form,
+\pgm{inc} can be told to note the presence of encrypted messages,
+but otherwise not to process them.
+By using the \MH/ user profile mechanism,
+\pgm{inc} can be easily customized to reflect the user's tastes.
+Again,
+the actions of the \TMA/ are transparent to the user.
+In fact,
+if encrypted mail is received from users unknown to the \TMA/,
+it queries the \KDS/ as to their identity prior to retrieving the
+KK-relationship.
+
+If \pgm{inc} fails to decrypt a message for some reason,
+or if \pgm{inc} was told not to decrypt a message,
+the \pgm{decipher} program can be used.
+This simple program merely deciphers each message given in its argument
+list.
+The \pgm{decipher} program can be given the \switch{insitu} switch,
+which directs it to replace the ciphertext version of the message with the
+plaintext version;
+or,
+the \switch{noinsitu} switch can be used indicating that the ciphertext
+version of the message should be left untouched and the plaintext version
+should be listed on the standard output.
+
+Finally,
+the \pgm{tma} program is used to manipulate the \TMA/ database,
+containing commands to boot the database,
+add new users to the database,
+and to establish mappings between addresses and users in the \TMA/ database.
+This program can also be used to disconnect KKs between other \TMA/s,
+and the KK/KA between itself and the \KDS/.
+
+Appendix~A of this paper contains a transcript of an \MH/ session.
+
+\section{Remarks}
+We now consider the merit of the system described.
+After presenting some of the basic strengths of the system
+and a few unresolved questions,
+the discussion centers on the simplifying assumptions made by the system,
+and how these can be defended in a non-military environment.
+
+\subsection{Strengths}
+It can be argued that the prototype system
+(and the augmented model in which it finds its basis)
+present many strengths.
+
+Perhaps the most important is the high-level of independence from the \MTS/
+enjoyed by the system.
+As a result,
+since the \TMA/ does not interact directly with the \MTS/,
+it can be made to be completely free from any \MTS/-specific attributes,
+such as naming, addressing, and routing conventions.
+Furthermore,
+when interfacing a \trustedmail/ system,
+no modifications need be made to the \MTS/ or local \MTA/.
+
+In addition to the systems-level advantage to this scheme,
+users of the system profit as well,
+since many disjoint \MTS/s can be employed by a user with a single \TMA/.
+This reduces the number of weaknesses in the system and allows a user to keep
+a single database of ``trusted'' correspondents.
+It should also make analysis and verification of the \TMA/ easier.
+
+Of course from the user-viewpoint,
+once the \TMA/ has been initially booted,
+all key management is automatic.
+Not only does this reduce the risk of compromise of cryptographic material
+(given proper construction and maintenance of the \TMA/),
+but it relieves the user of a tedious and error-prone task.
+
+Finally,
+although the \KDS/ described herein is used to support \trustedmail/,
+other applications which require key management,
+could employ the services offered by the key distribution center.
+
+\subsection{Open Questions}
+At present, there are many restrictions on the prototype implementation
+described.
+Some of these result from that fact that the implementation is a prototype
+and not a production system.
+Others deal with more fundamental issues.
+
+In terms of the \TMA/,
+the expiration delay for keys is hard-wired in;
+it should be user-settable.
+In the prototype version,
+the KK and KA with the \KDS/ are good for 2~days or 10~uses
+(whichever comes first),
+while a KK for use with another \TMA/ is good for 1~day or 5~uses.
+In actual practice,
+keys with long cryptoperiods might be good for 6~months or 100~uses,
+while keys with short cryptoperiods might be good for 1~month or 25~uses.
+The choice of actual values is an open question
+beyond the scope of prototype system.%
+\nfootnote{The current values were chosen by guess work.
+Although not necessarily technically sound,
+the small numbers were very good for debugging purposes.}
+In many respects, this issue is a classic trade-off:
+with relatively small cryptoperiods,
+an adversary has less chance of breaking a key,
+but with longer cryptoperiods less connections have to be made to the key
+distribution server.
+
+A fundamental issue,
+owing to differences between the EFT and CBMS environments,
+is that the \KDS/ implements only a subset of the \ansi/ draft
+and the semantics of certain operations have changed somewhat.
+It would be nice to unify the CBMS and EFT views
+of a {\it key distribution center}
+(in the former environment, the center is called a \KDC/,
+while in the latter environment, the center is known as a \CKD/).
+Appendix~C of this paper discusses the differences between the two
+perspectives in greater detail.
+
+At present,
+the relationship between errors in the \TMA/ and the posting process is an
+open question.
+For example,
+if an address doesn't have a mapping in the \TMA/ database,
+\pgm{post} treats this as an address verification error.
+This prevents the draft from being posted.
+The philosophy of the \UA/ is unclear at this point,
+with respect to how recovery should occur.
+A second area, also in question, deals with the way in which plaintext and
+ciphertext versions of a message are present in a system.
+Clearly, it is a bad idea to make both versions available,
+but since the \TMA/ doesn't try to concern itself with first party
+observation,
+there seems to be little possibility of preventing this behavior.
+The best that can be done,
+at this stage,
+is simply to choose a consistent policy that user's should attempt to adhere
+to.
+The software can help somewhat in implementing this policy,
+but it certainly can't circumvent the user.
+
+The prototype is built on the assumption that a single key
+distribution server is present.
+Since the \ansi/ draft\cite{FIKM} makes provisions for
+{\it key translation centers},
+the \trustedmail/ prototype should perhaps be made to operate in a more diverse
+environment.
+Until the issues become clearer,
+this remains open.
+
+Finally,
+for distribution lists,
+a large number of people would need to share the same \KDS/ ID.
+The current implementation doesn't support this.
+Each \TMA/ database is for a particular ID.
+A user with multiple IDs would need multiple databases,
+or the database should be re-organized.
+
+\subsection{Weaknesses}
+As pointed out earlier,
+this prototype system situates itself in a commercial, not military,
+environment.
+With respect to this decision,
+several aspects of the system are now discussed,
+which we feel are acceptable in a commercial environment,
+but which would be considered weaknesses in a military environment:
+
+\item{1.} Traffic Flow\hbreak
+The prototype \TMA/ makes no attempt whatsoever to prevent or confuse traffic
+analysis by augmenting traffic flow.
+
+\item{2.} The Database of \KDS/ Subscribers\hbreak
+Since information returned by the request user identification (RUI)
+and request identified user (RIU) MCLs are returned in the clear,
+this allows an adversary to ascertain subscribers to the \KDS/,
+and perhaps deduce some information about the system.
+Without knowledge of the master key however,
+an adversary could not impersonate a subscriber though.
+Still, in the military sense, this is a weakness.
+However,
+all this assumes that the database maintained by the \KDS/ accurately
+reflects the real-world.
+
+\item{3.} Multiple Recipients\hbreak
+It is possible, though not proven to the authors' knowledge,
+that the scheme used to avoid encrypting the body of a message more than once
+for multiple recipients might permit one of the recipients who is also an
+adversary to compromise the key relationship between the sender and another
+recipient.
+
+\item{} The scenario goes like this:
+When a message is being prepared for encryption,
+a single KD/IV/KA triple is generated to encrypt the body.
+Since the sender has a different key relationship with each recipient,
+each message sent is different, since the structure $m$ depends not only on
+the KD/IV/KA triple but also on the key relation between the sender and a
+particular recipient.
+Now suppose that one of the recipients, $r_1$,
+in addition to receiving the copy of the message meant for him/her also
+intercepts a copy of the message destined for another recipient, $r_2$.
+At this point,
+the recipient $r_1$ has both the plaintext and ciphertext version of the body,
+the plaintext version of the KD/IV/KA triple,
+and the ciphertext version of the KD/IV/KA triple that was generated using
+the key relationship between the sender and the recipient $r_2$.
+The question is:
+can $r_1$ now deduce the key relationship between the sender and $r_2$?
+
+\item{} If so, then the way that the \TMA/ attempts to minimize the use of
+encryption resources is a weakness.
+But, even if this is possible,
+given relatively short cryptoperiods for key relationships between \TMA/
+peers,
+this becomes a non-problem.
+
+\item{4.} Discussion Groups\hbreak
+As discussed earlier,
+the proposed method of associating a single \KDS/ ID with the membership of a
+discussion group does introduce a significant weakness for the security of
+messages sent to the discussion group.
+Since the \TMA/ does not assume a general broadcast facility,
+it appears that there are no good solutions to the problem of discussion
+group traffic.
+Of course,
+it is easy enough to simply send to each member of the group.
+
+\item{} For the sake of argument,
+let's assume that the discussion group has $n$ members.
+Now,
+since a different key relationship would exist between the sender and
+each of the $n$ recipients,
+the structure $m$ would be different for each recipient
+and so a different message would have to be sent to each recipient.
+To make matters worse,
+if one rejects the way the \TMA/ handles multiple recipients,
+not only does the \MTS/ get burdened with $n$ different messages,
+but the sender's \TMA/ gets burdened by having to encrypt
+the body of the message $n$ times.
+For meaningful values of $n$ (say on the order of~500, or even~25),
+the amount of resources required for any trusted discussion group are simply
+too costly.
+
+\subsection{Compromises, Compromises}
+Each of the possible weaknesses discussed above represent a compromise
+between the expense of the system and the level of security it can provide.
+
+The first two areas, if addressed by the \TMA/,
+could result in much less background information being available to an
+adversary.
+In an application where it is important that an adversary not know who is
+talking to whom,
+or who can talk at all,
+this is very important.
+It is the authors' position that in the commercial environment,
+this issue is not paramount.
+By ignoring the issue of traffic flow,
+the \TMA/ has a lot less work to do and the \MTS/ is kept clear of
+``useless'' messages.
+By keeping the information returned by the RUI and RIU MCLs in the clear,
+the complexity of the \TMA/ is significantly reduced.
+
+The second two areas, if addressed by the \TMA/,
+could result in a lesser probability of traffic being deciphered by an
+adversary.
+Regardless of the application,
+this is always extremely important.
+However,
+the authors' feel that the compromise made by the \TMA/ in these two issues
+is not substantial,
+and does not result in an explicit weakness when a message is sent to
+multiple recipients
+(note that when there is only a single recipient of a message,
+these two policies can not introduce weaknesses).
+In return, efficient use can be made of both the \MTS/ and the \TMA/ when
+messages are being sent to multiple recipients.
+Given scarce resources or large numbers of recipients,
+this approach may prove to be quite winning.
+
+Of course, much work remains to be done to prove the success of the \TMA/ in
+all four of these areas.
+
+\section{Acknowledgements}
+The prototype implementation described herein utilizes a public domain
+implementation of the DES algorithm\cite{DEA}
+which was originally implemented by James J.~Gillogly in May, 1977
+(who at that time was with the Rand Corporation,
+and is now affiliated with Gillogly Software).
+Interfaces to Dr.~Gillogly's implementation were subsequently coded by
+Richard W.~Outerbridge in September, 1984
+(who at that time was with the Computer Systems Research Institute
+at the University of Toronto,
+and is now affiliated with Perle Systems, Incorporated).
+
+The authors would like to acknowledge Dennis Branstad,
+Elaine Barker, and David Balensen of the National Bureau of Standards
+for their comments on the prototype system
+and insights on the ANSI draft\cite{FIKM}.
+In particular, Dr.~Branstad originally suggested the method used for
+encrypting a single message for multiple recipients under different keys.
+
+The authors (and all those who have read this paper) would like to thank
+Willis H.~Ware of the Rand Corporation,
+and Jonathon B.~Postel of the USC/Information Sciences Institute.
+Their extensive comments resulted in a much more readable paper.
+In addition,
+the authors would like to thank
+Dr. Stephen P.~Smith and Major Douglas A.~Brothers
+for their insightful comments.