----- Forwarded message from Aaron Lux <[email protected]> -----

Date: Thu, 03 Oct 2013 23:50:40 -0500
From: Aaron Lux <[email protected]>
To: [email protected]
Subject: [guardian-dev] How To Generate SSL keys without Backdoor
Message-ID: <[email protected]>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
Reply-To: Aaron Lux <[email protected]>

How to generate SSL keys which cannot be compromised. (Courtesy of FBI):

> ATTACHMENT B
>
> Lavabit uses 2048-bit Secure Socket Layer (SSL) certificates purchased from
> GoDaddy to encrypt communication between users and its server. SSL
> encryption employs public-key cryptography, in which both the sender and
> receiver each have two mathematically linked keys: a "public" key and a
> "private" key. "Public" keys are published, but "private" keys are not. In
> this circumstance, a Lavabit customer uses Lavabit's published public key to
> initiate an encrypted email session with Lavabit over the internet.
> Lavabit's servers then decrypt this traffic using their private key. The
> only way to decrypt this traffic is through the usage of this private key.
> A SSL certificate is another name for a published public key.
>
> To obtain a SSL certificate from GoDaddy, a user needs to first generate a
> 2048-bit private key on his/her computer. Depending on the operating system
> and web server used, there are multiple ways to generate a private key. One
> of the more popular methods is to use a freely available command-line tool
> called OpenSSL. This generation also creates a certificate signing request
> file. The user sends this file to the SSL generation authority (e.g.
> GoDaddy) and GoDaddy then sends back the SSL certificate. The private key is
> not sent to GoDaddy and should be retained by the user. This private key is
> stored on the user's web server to permit decryption of internet traffic, as
> described above. The FBI's collection system that will be installed to
> implement the PR/TT also requires the private key to be stored to decrypt
> Lavabit email and internet traffic. This decrypted traffic will then be
> filtered for the target email address specified in the PR/TT order.
>
> Depending on how exactly the private key was first generated by the user, it
> itself may be encrypted and protected by a password supplied by the user.
> This additional level of security is useful if, for example, a backup copy
> of the private key is stored on a CD. If that CD was lost or stolen, the
> private key would not be compromised because a password would be required
> to access it. However, the user that generated the private key would have
> supplied it at generation time and would thus have knowledge of it. The
> OpenSSL tool described above is capable of decrypting encrypted private keys
> and converting the keys to a non-encrypted format with a simple,
> well-documented command. The FBI's collection system and most web servers
> requires the key to be stored in a non-encrypted format.
>
> A 2048-bit key is composed of 512 characters. The standard practice of
> exchanging private SSL keys between entities is to use some electronic
> medium (e.g., CD or secure internet exchange). SSL keys are rarely, if ever,
> exchanged verbally or through print medium due to their long length and
> possibility of human error. Mr. Levison has previously stated that Lavabit
> actually uses five separate public/private key pairs, one for each type of
> mail protocol used by Lavabit.
>
> PEM format is an industry-standard file format for digitally representing
> SSL keys. PEM files can easily be created using the OpenSSL tool described
> above. The preferred medium for receiving these keys would be on a CD.

----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
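
Added example, not part of the forwarded message or the quoted attachment: a Python check that reads a PEM file, separates private keys from CSRs and certificates, reports whether each private key is passphrase-encrypted or stored in the non-encrypted format the attachment describes, and flags key files that are accessible beyond their owner. The function names are hypothetical, POSIX file modes are assumed, and the sample PEM blocks are constructed placeholders rather than real keys.

```python
import base64
import os
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def classify_pem(text):
    """Return [(label, status)] for each PEM block found in text."""
    findings = []
    for label, body in PEM_BLOCK.findall(text):
        if not label.endswith("PRIVATE KEY"):
            status = "not-private"        # certificate, CSR, public key
        elif label == "OPENSSH PRIVATE KEY":
            status = "private-unknown"    # cipher is inside the blob, not parsed here
        elif label == "ENCRYPTED PRIVATE KEY":
            status = "private-encrypted"  # PKCS#8 EncryptedPrivateKeyInfo
        elif re.search(r"^Proc-Type: 4,ENCRYPTED\r?$", body, re.MULTILINE):
            status = "private-encrypted"  # traditional OpenSSL encrypted key
        else:
            status = "private-plaintext"
        findings.append((label, status))
    return findings


def audit_key_file(path):
    """Return a list of findings for one PEM file (POSIX modes assumed)."""
    with open(path, encoding="ascii", errors="replace") as fh:
        blocks = classify_pem(fh.read())
    issues = [f"{label}: stored without passphrase"
              for label, status in blocks if status == "private-plaintext"]
    has_private = any(status != "not-private" for _, status in blocks)
    mode = os.stat(path).st_mode & 0o777
    if has_private and mode & 0o077:
        issues.append(f"mode {mode:04o}: accessible beyond the owner")
    return issues


def fake_block(label, headers=""):
    """Constructed sample: the body is placeholder bytes, not key material."""
    body = base64.encodebytes(b"constructed placeholder, not a key" * 3).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n"


ENC = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"  # constructed headers
SAMPLE = (fake_block("CERTIFICATE REQUEST") + fake_block("RSA PRIVATE KEY", ENC)
          + fake_block("ENCRYPTED PRIVATE KEY") + fake_block("RSA PRIVATE KEY"))
```
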
