Traditional email encryption schemes are vulnerable to EFail attacks, which exploit the lack of message authentication by manipulating ciphertexts and exfiltrating plaintext via HTML backchannels. Swiss Post's IncaMail, a secure email service for transmitting legally binding, encrypted, and verifiable emails, counters EFail attacks by using an authenticated encryption with associated data (AEAD) scheme to ensure message privacy and authentication between servers. IncaMail relies on a trusted infrastructure backend and encrypts messages per user policy. This paper presents a revised IncaMail architecture that offloads the majority of cryptographic operations to clients, offering benefits such as reduced computational load and energy footprint, relaxed trust assumptions, and per-message encryption key policies. Our proof-of-concept prototype and benchmarks demonstrate the robustness of the proposed scheme, with client-side WebAssembly-based cryptographic operations yielding significant performance improvements (up to ~14x) over conventional JavaScript implementations.
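The property the abstract relies on can be seen in a few lines. The following is an added example, not code from IncaMail or the paper: it uses Node's built-in crypto module, with AES-256-CTR standing in for an unauthenticated, malleable mode and AES-256-GCM as the AEAD scheme. The key, header, and message are constructed sample values.

```javascript
// Added example, not IncaMail code. Key, header and message are constructed.
const nodeCrypto = require("node:crypto");
const key = nodeCrypto.randomBytes(32);
const header = Buffer.from("from=alice@example.org;to=bob@example.org");
const message = Buffer.from("Total: 100 CHF");

// Unauthenticated mode: AES-256-CTR stands in for a malleable scheme.
function encryptCtr(plaintext) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv("aes-256-ctr", key, iv);
  return { iv, ct: Buffer.concat([c.update(plaintext), c.final()]) };
}
function decryptCtr({ iv, ct }) {
  const d = nodeCrypto.createDecipheriv("aes-256-ctr", key, iv);
  return Buffer.concat([d.update(ct), d.final()]); // never signals tampering
}

// AEAD: AES-256-GCM, with the mail header bound as associated data.
function encryptGcm(plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv, { authTagLength: 16 }).setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function decryptGcm({ iv, ct, tag }, aad) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: 16 });
  d.setAAD(aad).setAuthTag(tag);
  // update() yields unverified bytes; release them only after final() passes.
  try { return Buffer.concat([d.update(ct), d.final()]); }
  catch { return null; } // tag mismatch: ciphertext or header was altered
}

// Returns a copy of buf with one byte XORed by mask (simulated change in transit).
function flipByte(buf, index, mask) {
  const out = Buffer.from(buf);
  out[index] ^= mask;
  return out;
}

function demo() {
  const plain = encryptCtr(message);
  const sealed = encryptGcm(message, header);
  return {
    ctrTampered: decryptCtr({ ...plain, ct: flipByte(plain.ct, 7, 0x08) }).toString(),
    gcmIntact: decryptGcm(sealed, header).toString(),
    gcmTampered: decryptGcm({ ...sealed, ct: flipByte(sealed.ct, 7, 0x08) }, header),
    gcmWrongHeader: decryptGcm(sealed, Buffer.from("to=mallory@example.org")),
  };
}
```

Calling `demo()` shows the unauthenticated decryption silently returning an altered amount, while the AEAD decryption returns `null` both for a modified ciphertext and for a modified header.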