Confidential mobile mail retrieval
Introduction
In this article we study the implementation of an e-mail storage and download method using resource restricted devices like a mobile phone and an organizer. The described method aims at providing the privacy of the processed e-mails.
The subject of private information retrieval from a database was investigated in [6], [7], [9], [14]. The setting of most of the articles on private information retrieval assume that the sensitive data is stored on several entities that do not communicate with each other like in [3], [8], [16]. There are also more theoretical motivated discussions on methods that allow a user to read a small part of a memory on some server without revealing the location of the read memory [4], [10], but these approaches usually assumed several servers where each of them stores a copy of the whole data. From a practical point of view these system are very resource consuming. For the foundation of the complexity of such private information retrieval see [1], [17].
Today it is already possible that users download their e-mails to their mobile phone from an e-mail account provided by a mobile network operator. We assume that a mobile operator has control of all its entities. If the user wants to keep her mail confidential, i.e. wants to be sure that the data can only be read by herself and not the operator, then the e-mails have to be encrypted before sending them to the untrusted account. In this case the user has to download all her mails to the mobile phone for decryption. This method would be quite expensive and time consuming. Take the case of an employee that is waiting for one important mail from her company. She has an e-mail account at an operator and her company e-mails are forwarded to this account. She is subscribed to some mailing lists; hence her mailbox is usually very full. She knows the original sender or subject, but it is not possible for her to search her e-mails for this special mail without disclosing the e-mail or search criteria to the untrusted mail account provider.
On the IEEE Symposium on Security and Privacy 2000, Song, Wagner and Perrig from the University of California published a probalistic method for searching on encrypted data [21]. We implemented a modification of this method. The original method was formulated in a very generic setting. We restricted and modified the used algorithms and parameters to take the constraints of our mobile environment into account.
Section snippets
The used setting
The solution we implemented is intended to be flexible, portable and usable for a broad range of devices with standard GUI components to enter and display information. The description also includes latest technical functions contained release of WAP 2.0 (Wireless Application Protocol) [22]. Since the mobile phones currently available on the market do not support WAP 2.0 yet, these functions are not available. WMLScript v1.2.1 does not provide the needed cryptographic functionality to search on
Theoretical foundation and notation
Our notation will follow closely the one in Ref. [21]. The implemented probalistic search method is slightly different from the ideas presented there. We will describe the changes where they occur and the motivation.
Denote with W the data block that shall be encrypted with the key k and the encryption function Ek. The encrypted value of W will be denoted by X=Ek(W). The decryption function is called Dk, hence W=Dk(X)=Ek−1(X). The stream cipher consists of two basic steps. First to derive the
Network structure
We assume that the WAP-gateway, the CGI script and the IMAP4 mail server are placed in an untrusted domain. Thus all cryptographic operations should be performed on the mobile device or the trusted area of the company network environment (Fig. 1). In the case that the mobile phone does not support the necessary cryptographic operations and software it can be used for dial in and the other operations can be performed on an organizer that is connected to the mobile phone. Most of the data can be
Measurements with regard to parameter M
We made some measurements where we varied the important factor M. The framework for these measurements was:
- 1.
The overhead is understood as amount of header bytes that are sent to the mobile (i.e. the amount of header bytes causing correct and false matches).
- 2.
Test covers about 1000 e-mails.
- 3.
Tested look-ups will be the searches on the sender and subject field.
- 4.
Date field search will not be covered since it is not searched for (only sender and subject).
- 5.
Every sender will have typical Internet address.
Limits of the implementation
Due to memory restriction it is not desired to download attachments to the mobile, therefore any attachments are removed.
Using national characters is a problem both in the mobile and mail system. We assume to have a mail system that allows storing of 8-bit data. Mobiles usually do not have facility to display the full range of national characters. The solution for this problem might be not using these characters and simply converting them to spaces.
The ciphers described need a secret key. Hence
Summary
The probabilistic search on encrypted data that was proposed in a very generic setting in Ref. [21] posed the question if such a system can be implemented in real world scenario using devices with restricted capabilities like mobile phones and organizers for downloading mail from an untrusted source. But by choosing suitable algorithms, limiting the proposed options to the essential ones, introducing conversion procedures and small modification we obtained a private e-mail retrieval system that
Dr. Silke Holtmanns received a Ph. D. in Mathematics from the University of Paderborn in 2000. Since September 2000, she has worked as Senior Reasearcher at Ericsson Eurolab. She was secretary of the WAP/OMA Security Group and a member of the WAP Electronic Commerce Expert Group (ECOMEG), Smart Card Expert Group (SCEG) and the WAP Privacy Group. Her research activities include mobile credential management, privacy enhancing technologies as well as application and transport layer security.
References (23)
Upper bound on the communication complexity of private information retrieval
LNCS 1256
(1997)- J. Daemen, V. Rijmen, The Rijndael Home Page (AES),...
- A. Beimel, Y. Ishai, Information-theoretic private information retrieval: a unified construction, Electronic Colloquium...
- et al.
Preserving privacy in a network of mobile computer
Proceedings of the Institute of Electrical and Electronics Engineers Inc. (IEEE) Symposium on Security and Privacy, Oakland (California)
(1995) - et al.
Computationally private information retrieval
Proceedings of the 29th Annual Association for Computing Machinery ACM Symposium on Theory of Computing STOC, El Paso (Texas)
(1997) - et al.
Single database private information retrieval implies oblivious transfer
LNCS 1807
(2000) - et al.
Computationally private information retrieval with polylogarithmic communication
LNCS 1592
(1999) - et al.
Private information retrieval
Proceedings of the 36th Institute of Electrical and Electronics Engineers Inc. (IEEE) Symposium on Foundations of Computer Science FOCS
(1995) - B. Chor, N. Gilboa, M. Naor, Private Information Retrieval by Keywords, TR CS0917, Department of Computer Science,...
- et al.
Software protection and simulation on oblivious RAMs
Journal of the ACM (JACM)
(1996)
Cited by (0)
Dr. Silke Holtmanns received a Ph. D. in Mathematics from the University of Paderborn in 2000. Since September 2000, she has worked as Senior Reasearcher at Ericsson Eurolab. She was secretary of the WAP/OMA Security Group and a member of the WAP Electronic Commerce Expert Group (ECOMEG), Smart Card Expert Group (SCEG) and the WAP Privacy Group. Her research activities include mobile credential management, privacy enhancing technologies as well as application and transport layer security.