We need anti-spoofing techniques in order to recognize TEAs (Trustworthy Email Addresses), which become trustworthy thanks to the use of a TSF (trust/risk-based security framework). Obviously, our techniques differ in their security strength, or level of confidence in recognition. However, there is no exact way to say that one technique is weaker than another. For example, it is not straightforward to choose which of the following offers the higher level of confidence: a valid signature with a very short asymmetric key that has been used for years, or the ability to show that the sender is able to receive emails sent to a specific email address.
By using either our proxy-assisted C/R anti-spoofing technique or our verification of common hashes technique, we get a level of confidence in the binding between the text email address and the ownership of the email account. The technique based on hashes has the advantage of local verification. However, it cannot be used for the very first exchange of email, because the sequence contains no previous email, nor when all the hashes have been lost. Fortunately, the C/R technique allows the sender to bootstrap with the receiver. After C/R bootstrapping, common hashes comparison is used. Once the bootstrapping is done, the ability to check whether the correct hashes are present is valuable because the check can be done locally, which minimises the overhead of emails sent due to our approach. As an aside, in case all the hashes are lost, a simple solution may be to restart the process of C/R bootstrapping for all email addresses and switch to the local verification of hashes after the first email for each email address.
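The bootstrap-then-verify flow described above, as an added example that is not the authors' implementation. It assumes a rule the text does not spell out: an email counts as carrying "the correct hashes" when it includes the SHA-256 hash of the last email both parties have in common. The class, method names and sample address are hypothetical.

```python
import hashlib
import hmac
import secrets

def email_hash(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

class Recognizer:
    """Receiver-side state for recognising a sender's email address."""

    def __init__(self):
        self.history = {}   # address -> hashes of emails already exchanged
        self.pending = {}   # address -> (nonce, body) awaiting a C/R answer

    def receive(self, sender, body, claimed_hashes=()):
        known = self.history.get(sender)
        if not known:
            # First exchange, or hashes lost: no local check is possible,
            # so bootstrap with a challenge sent to the claimed address.
            nonce = secrets.token_hex(16)
            self.pending[sender] = (nonce, body)
            return "challenge", nonce
        # Local verification (assumed rule): the email must carry the hash
        # of the last email both parties have in common.
        if any(hmac.compare_digest(known[-1], h) for h in claimed_hashes):
            known.append(email_hash(body))
            return "recognized", None
        return "unrecognized", None

    def answer_challenge(self, sender, nonce):
        # Only someone able to read mail at `sender` can return the nonce.
        nonce_sent, body = self.pending.get(sender, (None, None))
        if nonce_sent is None or not hmac.compare_digest(nonce_sent, nonce):
            return False
        del self.pending[sender]
        self.history[sender] = [email_hash(body)]
        return True

    def lose_hashes(self):
        # Models loss of all stored hashes: every address restarts with C/R.
        self.history.clear()

if __name__ == "__main__":
    r = Recognizer()
    addr, first = "alice@example.org", b"constructed first email"
    _, nonce = r.receive(addr, first)
    print(r.answer_challenge(addr, nonce))
    print(r.receive(addr, b"constructed second email", [email_hash(first)]))
```

Only the first email per address costs an extra challenge round trip; every later email is checked against local state without sending anything.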