Preventing EFail Attacks with Client-Side WebAssembly: The Case of Swiss Post's IncaMail

Pascal Gerig, Jämes Ménétrey, Baptiste Lanoix, Florian Stoller, Pascal Felber, Marcelo Pasin, Valerio Schiavoni
DOI: https://doi.org/10.1145/3583678.3596899
2023-06-23
Abstract: Traditional email encryption schemes are vulnerable to EFail attacks, which exploit the lack of message authentication by manipulating ciphertexts and exfiltrating plaintext via HTML backchannels. Swiss Post's IncaMail, a secure email service for transmitting legally binding, encrypted, and verifiable emails, counters EFail attacks using an authenticated-encryption with associated data (AEAD) encryption scheme to ensure message privacy and authentication between servers. IncaMail relies on a trusted infrastructure backend and encrypts messages per user policy. This paper presents a revised IncaMail architecture that offloads the majority of cryptographic operations to clients, offering benefits such as reduced computational load and energy footprint, relaxed trust assumptions, and per-message encryption key policies. Our proof-of-concept prototype and benchmarks demonstrate the robustness of the proposed scheme, with client-side WebAssembly-based cryptographic operations yielding significant performance improvements (up to ~14x) over conventional JavaScript implementations.
Cryptography and Security