Presentation title: Email Forward Secrecy, presented at BsidesDFW 2013

by Nate Brown

Summary: Spammers obtain victim email addresses by scraping websites, address books, and hacked databases. Sometimes, they even outright guess email addresses. Using a different email alias for each sender has been proposed to allow blacklisting of email sent to compromised addresses. In this talk, I expand this idea beyond an obscurity-based folk model and propose a whitelisting-based system that does not enable an attacker to predict other valid recipient email addresses if one is compromised. I outline the design and implementation of a system that includes cryptographically random secret generation, protections against brute-force attacks, creation of honeypots, and a fault-tolerant fallback mechanism. I will then examine possible attacks and give an overview of the practical considerations and issues encountered when implementing such a system.