On 08/22/2013 02:36 AM, Phillip Hallam-Baker wrote:
> Thanks to Snowden we now have a new term of art 'Prism-Proof', i.e. a security scheme that is proof against state interception. Having had an attack by the Iranians, I am not just worried about US interception. Chinese and Russian intercepts should also be a concern.
> We have two end to end security solutions yet Snowden used neither. If PGP and S/MIME are too hard to use for the likes of Snowden, they are too hard to use. The problem Snowden faced was that even if he could grok PGP, the people sending him emails probably couldn't.
Observation: Silent Circle and Lavabit both ran encrypted email services. Lavabit shut down a few days ago "rather than become complicit in crimes against the American People." I would say that's about as close as you can skate to "We're facing a court order that we're not allowed to tell you about." Maybe even closer; we'll be forbidden to know whether anyone prosecutes them for violating the presumed gag order. Silent Circle shut down soon after, saying, "We always knew the USG would come after us." Which perhaps a little less clearly indicates a court order they can't talk about, but that's certainly one interpretation. Egypt, Oman, and India refused to allow Blackberry to operate with their end-to-end encrypted devices. In cases where Blackberry is now allowed to operate in those jurisdictions it is not at all clear that they are not doing so using compromised devices whose keys are shared with those governments. Chinese military teams spent so much effort hacking at gmail and facebook accounts, in order to ferret out dissidents, that Google was eventually forced to cease doing business in China, and now gmail and facebook both have some end-to-end encrypted clients.

My point I guess is that we have some evidence that Governments across the world are directly hostile to email privacy. Therefore any centralized server, CA, or company providing same may expect persecution, prosecution or subversion depending on the jurisdiction. And it can never, ever, not in a billion years, be clear to users which if any of those centralized servers or companies are trustworthy. Google now implements some end-to-end encryption for gmail but we also know that google is among those specifically mentioned as providing metadata access to the US government. The exact details of Blackberry's keys in Oman, UAE, & India are now subject to largely unknown deals and settlements.
Therefore, IMO, any possible solution to email privacy, if it is to be trusted at all, must be pure P2P with no centralized points of failure/control and no specialized routers etc. And it can have no built-in gateways to SMTP. Sure, someone will set one up, but there simply cannot be any dependence on SMTP or the whole thing is borked before it begins. It is time to simply walk away from that flaming wreckage and consider how to do email properly. S/MIME and PGP email-body encryption both fail to protect from traffic analysis because of underlying dependence on SMTP. Onion routing fails to protect due to timing attacks. So I say you must design your easy-to-use client completely replacing the protocol layer. No additional effort to install because this is the only protocol it handles.
> The traditional approach to making a system intercept proof is to eliminate the intermediaries. PGP attempts to eliminate the CA but it has the unfortunate effect on scalability. Due to the Moore bound on a minimum diameter graph, it is only possible to have large graphs with a small diameter if you have nodes of high degree. If every PGP key signer signs ten other people then we have to trust key chains of 6 steps to support even a million users and nine to support a global solution of a billion users.
> My solution is to combine my 'Omnibroker' proposal currently an internet draft and Ben Laurie's Certificate Transparency concept.

I would start from a design in which mail is a global distributed database, with globs that can be decrypted by use of one or more of each user's set of keys, and all globs have expiry dates after which they cease to exist. Routing becomes a non-issue because routing, like old USENET, is global. Except instead of timestamp/message IDs, we just use dates (because timestamps are too precise) and message hashes (because message IDs contain too much originating information). No certificate, no broker, no routing information unless the node that first hears about the new glob has been compromised. Each message (decrypted glob) optionally contains one or more replyable addresses (public keys). If we need more 'scalability' we could set up "channels" discriminated by some nine bit or so substring of the message hash, and require senders to solve hashes until they get a hash with the "right" nine bits to put it in the desired channel. Still no routing information as such. Now Eve can tell what channel/s a user is listening to, but the user has each of those channels in common with thousands across the world most of whom s/he has no connection with. Zero-trust anonymous email.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
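The "channels" idea in the reply above (a glob identified only by its hash and a day-granularity expiry date, placed in a channel by grinding until nine bits of the hash match, and filtered by nodes that listen to a few channels) is concrete enough to sketch. The following is an added illustration written for this page, not code from either poster; it assumes SHA-256 as the hash, the top nine bits of the digest as the channel number, a counter as the nonce, and treats the encrypted body as opaque bytes (the per-recipient key encryption the reply mentions is not shown).

```python
"""Sketch of hash-selected channels for a global, flood-style message store.

Added example for the design discussed in the thread; all choices below
(SHA-256, top 9 bits as channel, counter nonce, ISO dates) are assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

CHANNEL_BITS = 9                  # nine-bit substring of the hash, per the message above
NUM_CHANNELS = 1 << CHANNEL_BITS  # 512 channels


@dataclass(frozen=True)
class Glob:
    payload: bytes   # opaque ciphertext; decryptable only by holders of the right key
    expires: date    # day granularity only: no timestamp, so no precise send time leaks
    nonce: bytes     # chosen by the sender to steer the hash into a channel

    def digest(self) -> bytes:
        """The message's only identifier: a hash, carrying no originating information."""
        h = hashlib.sha256()
        h.update(self.expires.isoformat().encode())
        h.update(self.nonce)
        h.update(self.payload)
        return h.digest()

    def channel(self) -> int:
        """Channel = top CHANNEL_BITS of the digest (assumption: top bits, big-endian)."""
        return int.from_bytes(self.digest()[:2], "big") >> (16 - CHANNEL_BITS)


def publish(payload: bytes, expires_iso: str, target_channel: int, max_tries: int = 1_000_000):
    """Grind the nonce until the glob's hash lands in target_channel.

    Expected cost is NUM_CHANNELS (512) hash evaluations; a counter nonce keeps
    the example reproducible. Returns (glob, number_of_tries).
    """
    if not 0 <= target_channel < NUM_CHANNELS:
        raise ValueError("channel out of range")
    expires = date.fromisoformat(expires_iso)
    for i in range(max_tries):
        g = Glob(payload, expires, i.to_bytes(8, "big"))
        if g.channel() == target_channel:
            return g, i + 1
    raise RuntimeError("no suitable nonce found within max_tries")


class Node:
    """A peer that listens to a handful of channels and floods what it accepts."""

    def __init__(self, channels):
        self.channels = set(channels)
        self.store = {}  # digest -> Glob; keyed by hash, not by any sender identity

    def receive(self, glob: Glob, today_iso: str) -> bool:
        """Accept a glob if it is unexpired, in a listened channel, and not seen before."""
        today = date.fromisoformat(today_iso)
        if glob.expires < today:
            return False            # past its expiry date: drop, never store
        if glob.channel() not in self.channels:
            return False            # not a channel this node carries
        d = glob.digest()
        if d in self.store:
            return False            # duplicate from another flooding peer
        self.store[d] = glob
        return True

    def expire(self, today_iso: str) -> int:
        """Purge globs whose expiry date has passed; returns how many were removed."""
        today = date.fromisoformat(today_iso)
        dead = [d for d, g in self.store.items() if g.expires < today]
        for d in dead:
            del self.store[d]
        return len(dead)


if __name__ == "__main__":
    # Constructed sample: an opaque payload placed in channel 5, expiring 2013-09-01.
    glob, tries = publish(b"<ciphertext placeholder>", "2013-09-01", 5)
    print("channel", glob.channel(), "after", tries, "hashes; id", glob.digest().hex()[:16])
    listener = Node([5, 77])
    print("accepted:", listener.receive(glob, "2013-08-22"))
    print("purged after expiry:", listener.expire("2013-09-02"))
```

What the sketch makes visible: a node's acceptance decision depends only on the glob's own hash and date, so an observer of the flood sees which channels a peer carries (the point the reply concedes about Eve) but no sender, recipient or route; and the grinding cost per message is about 2^9 hashes, so widening the channel field is a direct trade of sender work against how finely listening sets partition users.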