TL;DR: Smart contracts can be used to improve email security and help protect users against phishing. Chainmail is a smart contract that serves as a public key infrastructure (PKI) to connect email addresses, PGP keys, and blockchain addresses. It leverages the blockchain to verify the authenticity of incoming emails for recipients.
Highlights:
- Circle Research releases Chainmail: an open-source, blockchain-based email verification tool.
- A Chainmail smart contract is deployed on the Ethereum Sepolia test network and acts as a public key infrastructure for email.
- Chainmail verifications are gasless, enabling users to verify emails without being charged network fees.
Protecting Against Phishing Remains a Challenge
When you receive an email, it can be difficult to be sure exactly who sent it. Cyberthieves are using increasingly sophisticated and sneaky methods to make phishing emails look authentic. While services like Mailvelope can verify if an email message has been signed by its sender, how do you know if the sender is to be trusted?
Public Keys and Digital Signatures
Let’s take a step back and look at digital signatures and how they are used to secure cryptocurrency accounts on public blockchains. On a blockchain, each user account has a public key that uniquely identifies the account. Moving funds from the account, or any other transaction performed by the account, requires the owner of the account to use the corresponding private key to sign the transaction. The blockchain uses the public key to verify the signature and ensure the transaction is authorized. Crucially, the blockchain serves as an open permissionless ledger for financial transactions with an integrated public key infrastructure (PKI) for its users.
Expanding the Blockchain’s Public Key Infrastructure
Today, blockchains are primarily used as a financial ledger. While there is growing interest in expanding the use cases for the ledger, there are also opportunities to leverage the public key infrastructure itself. The Chainmail project seeks to answer the question: can we use the blockchain as a universal public key infrastructure?
One challenge is that blockchains typically support only one or two digital signatures, such as ECDSA or ed25519. There are many other types, such as PGP, RSA, and EdDSA, with email typically being verified by PGP signatures. To turn the blockchain into a universal PKI, we would need a way to link email messages, PGP public keys, and the blockchain together. Our investigation led us to create and launch Chainmail, an open-source prototype that uses smart contracts on the blockchain to verify signed emails and help protect users against phishing.
The Chainmail smart contract lets the owner link email addresses to Ethereum accounts and PGP fingerprints (short public keys). Email recipients can then verify the email addresses either through a trusted web portal, or directly through blockchain explorers like Etherscan.
The Chainmail smart contract can be found directly on Etherscan here. To test, try the function emailAddressInfoPlaintext with the pre-registered email address alice@testuser.com. In response, you will get Alice’s Ethereum address 0xd46E0b8d19aADBE03fB744bf35055484f945D504 and PGP fingerprint a787fe6f9cc778eeee9331752819f956fde452f4. Since Chainmail verifications are gasless, querying the contract comes at no cost.
Try the Chainmail Web App
You can experiment with more advanced functionality using our open-source web application for Chainmail. The app can generate signed text messages and verify them against the blockchain. Note: the app can’t send emails as this requires integration with an SMTP provider.
The Chainmail web app also enables the email sender to sign hashed messages directly on the blockchain. The app handles many obvious challenges to this approach, especially with handling whitespace and line endings.
A Two-Part, Open-Source Solution
To summarize, Chainmail consists of two components: a smart contract and a Flask-based web application that developers can run on their machines as localhost. The web app signs messages using PGP and verifies PGP signatures. The app can connect to the smart contract (running on testnet or a local anvil node) to check if the PGP signing key is registered and whether the message itself is registered.
Future Questions
How else might the blockchain be used as a PKI? Though Chainmail solves many problems, it also raises new questions:
- Can the gas cost of registering a sent email message work as “spam deterrence”?
- How can we register email addresses in the PKI without inadvertently creating a permissionless directory for spam bots?
- Adversaries may embed links to malicious websites directly in an email verification link. How can we create a one-click verification that cannot be spoofed by cyberthieves?
- Is it possible to create a similar blockchain-backed system for chat systems?
Getting Started
Chainmail is available now for testing purposes. We invite you to download our open-source Chainmail prototype and experiment with our deployed test contract. As always, Circle Research welcomes your input and feedback as we strive to accelerate crypto, blockchain, and Web3 innovation.
Note: This article describes technology developed by Circle Research, a division of Circle committed to public good and open-source contributions to push the boundaries of technology used in crypto, blockchain, and Web3. These projects do not represent completed and released software or services. Unless otherwise stated, content published by Circle Research is open-source and is available for anyone to consume, use, and build upon. Due to their experimental and emergent nature, Circle Research innovations are provided to be tested and evaluated at a developer’s or company’s discretion.
