City University of Hong Kong researchers have defined perfect forward secrecy for email and suggested a technical solution to enable email security to be independent of the server used to send the message.
“An email system provides perfect forward secrecy if any third party, including the email server, cannot recover previous session keys between the sender and the recipient even if the long-term secret keys of the sender and the recipient are compromised,” the researchers say. They have created an email protocol based on this principle and say it is possible to use it to exchange emails with almost zero risk of interference from third parties.
“Our protocol provides both confidentiality and message authentication in addition to perfect forward secrecy,” the researchers note. The protocol involves the server creating a random session hash that is then used to encrypt the encryption key for the email. The recipient then gets the key used to create the hash and returns an identification tag, which enables the sender and receiver to verify each other’s identity.