Preventing EFail Attacks with Client-Side WebAssembly: The Case of Swiss Post's IncaMail

TL;DR

This paper introduces a client-side WebAssembly-based cryptographic scheme for Swiss Post's IncaMail, enhancing security against EFail attacks and improving performance by offloading cryptography to clients.

Contribution

It proposes a novel architecture that shifts cryptographic operations to clients using WebAssembly, reducing server load and increasing security and efficiency.

Findings

WebAssembly cryptography improves performance by up to 14x

The revised architecture enhances security against EFail attacks

Client-side cryptography reduces server computational load

Abstract

Traditional email encryption schemes are vulnerable to EFail attacks, which exploit the lack of message authentication by manipulating ciphertexts and exfiltrating plaintext via HTML backchannels. Swiss Post's IncaMail, a secure email service for transmitting legally binding, encrypted, and verifiable emails, counters EFail attacks using an authenticated-encryption with associated data (AEAD) encryption scheme to ensure message privacy and authentication between servers. IncaMail relies on a trusted infrastructure backend and encrypts messages per user policy. This paper presents a revised IncaMail architecture that offloads the majority of cryptographic operations to clients, offering benefits such as reduced computational load and energy footprint, relaxed trust assumptions, and per-message encryption key policies. Our proof-of-concept prototype and benchmarks demonstrate the robustness of the proposed scheme, with client-side WebAssembly-based cryptographic operations yielding significant performance improvements (up to ~14x) over conventional JavaScript implementations.