At 2:56 PM -0400 5/12/2000, Peter Wayner wrote:
>I think all crypto products rely on passphrases. Every wallet is
>locked with a passphrase. Every private key is locked away. Even the
>smart cards are usually sewn up with PINs. It's just a fact of life
>and it seems unfair to me to pick upon Hushmail.
>
>-Peter

I'm not picking on Hushmail. Hushmail is a fairly good privacy
product. It should protect against the average office snoop or an
employer that wants to monitor employee e-mail. In fact, I'd give
their work a 95%. Unfortunately, 95% is not a passing grade in high
security cryptography. They have, however, opened their design to
public critique and that is the only way I know to get close to 100%.
So I'm just trying to help.

It's true that most encryption products rely on passphrases, however
most do not rely on them to the same extent that Hushmail does. A
well-designed smart card will only accept a limited number of PIN
attempts before freezing up for some period of time. The primary
security of PGP comes from keeping the private key secret; the
passphrase is a secondary protection in case the encrypted private
key is stolen. This is generally adequate to protect against random
surveillance. Protecting a private key from a resourceful targeted
attack is difficult, but it can be done, especially in the era of
small laptops and PDAs.

But Hushmail is different. Your Hushmail private key is kept on a
central server at Hushmail encrypted by your passphrase. If an
attacker can figure out the passphrase they can simply log in to
Hushmail and read your mail. Even worse, the Hushmail central
server stores a hash of your passphrase. If an attacker can purloin
a copy of the hash values, he can compare them to a pre-computed
dictionary.

Many if not most Hushmail users will choose weak passphrases. My
survey of PGP passphrase usage
http://world.std.com/~reinhold/passphrase.survey.asc found that 25%
of PGP users chose passphrases of 14 characters or less. The median
passphrase length was 21 characters. Hushmail users are likely to be
less informed and motivated about the need for a strong passphrase
than PGP users.

Suppose the attacker's dictionary yields up 40% of the passphrases.
Each exchange of messages involves at least two different people, so
the probability that at least one of them will have a cracked
passphrase is 68%. If the dictionary yields 60% of the passphrases,
84% of the traffic can be read. Since many people quote the
message they're responding to -- and even if they don't it's usually
possible to follow a conversation by reading only one party's e-mail
-- a majority of the traffic will be readable. Remember the
messages you send are protected by the other guy's passphrase.

I have no knowledge about the security procedures that Hushmail
takes. I'm sure they try very hard. But I suspect that they are no
match for the likes of the signals intelligence agency of any of the
major powers: U.S., Russia, Britain, France, India, Israel, Japan,
China, etc. (I wonder if the intelligence operatives from various
countries attempting to penetrate Hushmail know about each other and
go out for beer every now and then.)

There are other ways to get hold of the hash value besides
penetrating Hushmail's security. Some users may log in using 40 bit
browsers for example. Quite a few users will select a passphrase
that they already use on other accounts that are not secure. Those
are easy to get.

If you buy my analysis, Hushmail has built a system that concentrates
all the e-mail from people who think they have something to hide in
one place. If an intelligence agency succeeds in getting at
Hushmail's files, the weak passphrases that most users select will
let them read much if not most of the mail stored there. That's a
pretty good deal for the intelligence community.

Here are some things Hushmail could do to make things better:
o Advise against 40-bit browsers and put up an alert if a
user attempts to log in on one
o Offer better passphrase advice: not one you already use,
minimum length > 14, offer to generate one for the user a la Diceware
o Add salt
o Use a key stretcher
o Report the last time a user logged in
o Develop an independent way for users to verify the Hushmail applets

Adding salt would at least break up the dictionary attack. An
intelligence agency could still attempt to crack the passphrases
of individual targets one at a time but mass surveillance would
become much more expensive. Getting people to select strong
passphrases and to ensure that their correspondents also have
selected strong passphrases would turn Hushmail into a fairly secure
system instead of a trap for the unwary. If they fear turning off
the average user, they could offer an enhanced security package that
enforced these rules.

I hope Hushmail heeds this advice and I wish them well.
Arnold Reinhold
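Added example, not part of the post above and not Hushmail's code: it models the two storage designs the post contrasts, a plain unsalted passphrase hash versus a salted, key-stretched one, and the cost model behind "mass surveillance would become much more expensive". PBKDF2-HMAC-SHA256 is used as an assumed stand-in for the unspecified "key stretcher"; the user names, passphrases, dictionary and iteration count are constructed for illustration. The last function carries through the two-correspondent probability from the post as 1 - (1 - p)^2.

```python
"""Unsalted vs. salted+stretched passphrase storage (added illustration).

All users, passphrases and the dictionary below are constructed sample data.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed, illustrative value

# Constructed weak-passphrase dictionary standing in for a real cracking list.
WEAK_DICTIONARY = ["password", "letmein", "hushmail", "qwerty123"]

# Constructed users: two weak passphrases, one Diceware-style strong one.
USERS = {
    "alice": "letmein",
    "bob": "hushmail",
    "carol": "cleft cam synod lacy yr wok",
}


def unsalted_hash(passphrase: str) -> str:
    """The design the post criticises: one plain hash per passphrase."""
    return hashlib.sha256(passphrase.encode()).hexdigest()


def precomputed_table(dictionary) -> dict:
    """Hashed once; matches every user whose hash is unsalted."""
    return {unsalted_hash(p): p for p in dictionary}


def lookup_unsalted(stored: dict, table: dict) -> dict:
    """Match stored unsalted hashes against the table: pure lookups, no hashing."""
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_stretched_hash(passphrase: str, salt: bytes) -> bytes:
    """Salt plus key stretching (PBKDF2-HMAC-SHA256), the two fixes the post lists."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)


def enroll(passphrase: str) -> tuple:
    """Store a fresh random salt next to the stretched hash."""
    salt = secrets.token_bytes(16)
    return salt, salted_stretched_hash(passphrase, salt)


def verify(passphrase: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_stretched_hash(passphrase, salt), stored)


def dictionary_cost(dict_size: int, n_users: int, salted: bool, iterations: int) -> int:
    """Hash evaluations needed to test a dictionary against all stored hashes.

    Unsalted: the dictionary is hashed once and the table is reused for every user.
    Salted and stretched: every (user, candidate) pair costs `iterations` hashes.
    """
    if not salted:
        return dict_size
    return dict_size * n_users * iterations


def fraction_of_conversations_exposed(p: float) -> float:
    """Two correspondents, each cracked independently with probability p."""
    return 1 - (1 - p) ** 2


if __name__ == "__main__":
    stored_unsalted = {u: unsalted_hash(pw) for u, pw in USERS.items()}
    table = precomputed_table(WEAK_DICTIONARY)
    print("unsalted, matched by one shared table:",
          lookup_unsalted(stored_unsalted, table))
    salt, digest = enroll(USERS["alice"])
    print("salted verify (correct passphrase):", verify("letmein", salt, digest))
    print("cost, unsalted :", dictionary_cost(10**6, 10**5, False, ITERATIONS))
    print("cost, salted   :", dictionary_cost(10**6, 10**5, True, ITERATIONS))
    print("conversations exposed at p=0.6:", fraction_of_conversations_exposed(0.6))
```

Running the block shows that the shared table matches only the two dictionary passphrases and leaves the Diceware-style one alone, and that with a per-user salt the same dictionary has to be rehashed per user, multiplied again by the stretching factor, which is the cost change the post is asking for.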