Re: [Cryptography] prism proof email, namespaces, and anonymity
John Kelsey writes:

> In the overwhelming majority of cases, I know and want to know the
> people I'm talking with. I just don't want the contents of those
> conversations or the names of people I'm talking with to be revealed
> to eavesdroppers. And if I get an email from one of my regular
> correspondents, I'd like to know it came from him, rather than being
> spoofed from someone else.

That's a good description of stealthmail [1]. My only regret is that it badly needs an update and I don't have time these days to work on it. But it still works out of the box. Here's the Debian description:

    Package: stealthmail
    Architecture: all
    Pre-Depends: gnupg
    Depends: procmail, esubbf, openssl, dc, libssl0.9.6 | libssl0.9.7, fetchmail | kmail, suck, ppp, solid-pop3d, exim | exim4, dpkg (>= 1.10.21), grep (>= 2.5), bash (>= 2.05b), ${shlibs:Depends}, ${misc:Depends}
    Description: scripts to hide whether you're doing email, or when, or with whom
     Maintain on-going random cover traffic via usenet newsgroup alt.anonymous.messages, substituting encrypted live traffic when available. A live message is indistinguishable from a random cover message except with the decryption keys. All potential participants send messages to alt.anonymous.messages with rigid periodicity uncorrelated with any live traffic, and maintain an uninterrupted full feed from alt.anonymous.messages, so that an observer cannot determine whether, when, or among whom live communication is happening.
     .
     Members of a "stealthmail group" -- call it "OurGroup" for purposes of this discussion -- are defined by their knowledge of the encryption keys created for the group. With this package installed, mail addressed to OurGroup@stealthmail does not go directly to the Internet like ordinary mail, but gets encrypted by the OurGroup key, given an encrypted subject intelligible only with OurGroup keys, and queued to go to alt.anonymous.messages in place of a piece of cover traffic at the next scheduled sending time.
     Meanwhile, all messages appearing on alt.anonymous.messages are downloaded into an incoming queue. A POP3 server runs on the local host. The mail reader is provided with filters so that when it fetches mail from this local server, messages having subject lines encrypted for OurGroup (or any other stealthmail group of which this host is a member) are decrypted by the appropriate key and presented. Other messages are discarded.

[1] See mailto URL below.

--
-- StealthMonger
   Long, random latency is part of the price of Internet anonymity.

   anonget: Is this anonymous browsing, or what?
   http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain

   stealthmail: Hide whether you're doing email, or when, or with whom.
   mailto:stealthsu...@nym.mixmin.net?subject=send%20index.html

   Key: mailto:stealthsu...@nym.mixmin.net?subject=send%20stealthmonger-key

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
[Cryptography] dead man switch [was: Re: Snowden "fabricated digital keys" to get access to NSA servers?]
Richard Salz writes:

>> How could it be arranged that "if anything happens at all to Edward
>> Snowden, he told me he has arranged for them to get access to the full
>> archives"?

> A lawyer or other (paid) confidant was given instructions that would
> disclose the key. "Do this if something happens to me."

An adversary can verify an open source robot, but not such instructions. NSA cannot verify a claim that such instructions have been given (unless they know the lawyer's identity, but in that case they can "interfere"). (On the other hand, NSA cannot afford to assume that such a claim is a bluff, and that's the strength of this idea.)

The intended interpretation of the "open source" clause in the original problem statement is that anyone could inspect the workings of the robot and verify that it does indeed "harbor a secret" and that if the signed messages stop coming it will indeed release that secret. (For example, in one implementation -- NOT CRYPTOGRAPHICALLY STRONG -- a secret file's access permissions can only be granted by the robot.)

-- StealthMonger
Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?
John Gilmore writes:

> [John here. Let's try some speculation about what this phrase,
> "fabricating digital keys", might mean.]

> John

John's question is not the only one raised by this episode.

Eli Lake:

> Glenn Greenwald, the Guardian journalist who Snowden first contacted
> in February, told The Daily Beast on Tuesday that Snowden "has taken
> extreme precautions to make sure many different people around the
> world have these archives to insure the stories will inevitably be
> published." Greenwald added that the people in possession of these
> files "cannot access them yet because they are highly encrypted and
> they do not have the passwords." But, Greenwald said, "if anything
> happens at all to Edward Snowden, he told me he has arranged for them
> to get access to the full archives."

How could it be arranged that "if anything happens at all to Edward Snowden, he told me he has arranged for them to get access to the full archives"?

Some months ago on another mailing list the question was raised whether there could be a cryptographically strong "dead man switch" wherein as long as the owner of a certain secret key is alive, his frequent signed messages to an open-source robot somewhere would prevent that robot from revealing the information it harbors, but if the messages stop coming the robot would release the information (presumably further encrypted to selected recipients). [1]

James A. Donald pointed out that it couldn't be done because one could simply disconnect the robot from the Internet.

The effect could still be achieved though, by putting the robot in a place that cannot be disconnected from the Internet, such as a widely used public web server. But this is not cryptographically strong.

So the question is how did Snowden get the effect of a "dead man switch" in the present case.

[1] http://lists.randombit.net/pipermail/cryptography/2012-September/thread.html

-- StealthMonger
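The heartbeat logic of the switch described in the message above, as an added example rather than code from the thread or from any project: the robot releases its payload once valid heartbeats stop arriving. A SHA-256 hash chain stands in for the signed messages so that the robot stores no secret key; `Robot`, `make_chain`, `MAX_SKIP`, the timeout and the payload are assumptions, and nothing here answers the disconnection objection raised in the message.

```python
import hashlib
import hmac

MAX_SKIP = 8   # lost heartbeats tolerated before a token is rejected (assumed value)

def H(x):
    return hashlib.sha256(x).digest()

def make_chain(seed, n):
    """Owner side. Returns (anchor, tokens); tokens[i] is the i-th heartbeat to send."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    # The anchor is public; tokens are revealed in reverse order of computation.
    return chain[-1], chain[-2::-1]

class Robot:
    """Holds only public verification state plus the payload to release."""

    def __init__(self, anchor, payload, timeout, now):
        self.last = anchor            # most recently accepted chain value
        self.payload = payload        # assumed already encrypted to the recipients
        self.timeout = timeout
        self.deadline = now + timeout
        self.released = False

    def poll(self, now):
        """Called on a timer. Returns the payload once the deadline has passed."""
        if now >= self.deadline:
            self.released = True      # one-way: a late heartbeat cannot undo it
        return self.payload if self.released else None

    def heartbeat(self, token, now):
        """Accept token only if hashing it forward reaches the last accepted value."""
        if self.poll(now) is not None:
            return False
        x = token
        for _ in range(MAX_SKIP):
            x = H(x)
            if hmac.compare_digest(x, self.last):
                self.last = token     # older tokens can no longer verify
                self.deadline = now + self.timeout
                return True
        return False

def demo():
    # Constructed seed, payload and timestamps, for illustration only.
    anchor, tokens = make_chain(b"constructed owner seed", 100)
    robot = Robot(anchor, b"<archive encrypted to recipients>", timeout=100, now=0)
    log = [robot.heartbeat(tokens[0], 50),      # valid
           robot.heartbeat(tokens[0], 60),      # replay of a token already seen
           robot.heartbeat(b"\0" * 32, 70),     # forgery
           robot.heartbeat(tokens[2], 140)]     # tokens[1] was lost in transit
    return log, robot.poll(239), robot.poll(240), robot.heartbeat(tokens[3], 241)

if __name__ == "__main__":
    print(demo())
```

Because verification needs only the public anchor, anyone inspecting the robot can confirm that it cannot mint heartbeats itself; whoever controls the host can still read or withhold the payload.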
Re: A mighty fortress is our PKI, Part II
Jerry Leichter writes:

> The only conceivable purpose for using a signature is that you can
> check it *offline*. If you assume you can connect to the network,
> and that you can trust what you get from the network - why bother
> with a signature? Simply check a cryptographic hash of the driver
> against an on-line database of "known good" drivers.

> This is right in line with Lynn Wheeler's frequent mention here that
> the use case for offline verification of certs for commerce
> basically doesn't exist. It was a nice theory to develop 30 years
> ago, but today the rest of the framework assumes connectivity, and
> you buy nothing but additional problems by focusing on making just
> one piece work off-line.

Not quite. Untraceable anonymity and untraceable pseudonymity remain one of the important applications of cryptography, and both depend on store and forward anonymizing networks which mix traffic by using high random latency.

The saving qualifier for your assertion is "for commerce". True, there is not yet a way to securely transmit and store commercial value (money) offline, but it has not been proven impossible.

For these applications, the security has to be in the message, not the connection. Offline verification is essential.

-- StealthMonger

--
stealthmail: Scripts to hide whether you're doing email, or when, or with whom.
mailto:stealthsu...@nym.mixmin.net

Finger for key.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: Why the poor uptake of encrypted email?
Alec Muffett writes:

> In the world of e-mail the problem is that the end-user inherits a
> blob of data which was encrypted in order to defend the message as it
> passes hop by hop over the store-and-forward SMTP-relay (or UUCP?) e-
> mail network... but the user is left to deal with the effects of
> solving the *transport* security problem.

> The model is old. It is busted. It is (today) wrong.

But the capabilities of encrypted email go beyond mere confidentiality and authentication. They include also strongly untraceable anonymity and pseudonymity. This is accomplished by using chains of anonymizing remailers, each having a large random latency for mixing with other traffic.

Connection-based communication such as Skype and OTR do not provide this capability. The hop by hop store-and-forward email network does.

This is not busted or wrong. It's essential.

-- StealthMonger
Why the poor uptake of encrypted email? [Was: Re: Secrets and cell phones.]
"James A. Donald" <[EMAIL PROTECTED]> writes:

> Of course, the old cypherpunk dream is a system with end to end
> encryption, with individuals having the choice of holding their own
> secrets, rather than these secrets being managed by some not very
> trusted authority

> We discovered, however, that most people do not want to manage their own
> secrets

This may help to explain the poor uptake of encrypted email. It would be useful to know exactly what has been discovered. Can you provide references?
Re: road toll transponder hacked
Sherri Davidoff <[EMAIL PROTECTED]> writes:

> [EMAIL PROTECTED] wrote:
>> Look for general tracking to appear everywhere.

> Anonymous travel is dead. Even for subway riders who still use tokens
> and citizens that bicycle around town, the proliferation of cameras,
> facial recognition technology, biometrics and RFID tagging will render
> anonymity obsolete within a generation.

Cryptography affords an alternative. Cryptography enables untraceable persistent pseudonyms created and maintained via chains of anonymizing remailers and broadcast replies.

In the nightmare scenario that you describe, untraceable nyms may be the only way that one can live as a responsible adult, rather than a subject of a nanny state.

-- StealthMonger <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Re: Fixing SSL (was Re: Dutch Transport Card Broken)
Anne & Lynn Wheeler <[EMAIL PROTECTED]> write:

> one of my favorite exchanges from the mid-90s was somebody claiming
> that adding digital certificates to the electronic payment
> transaction infrastructure would bring it into the modern age. my
> response was that it actually would regress the infrastructure at
> least a couple decades to the time when online, real-time
> transactions weren't being done. The online, real-time transaction
> provides much higher quality and useful information than a stale,
> static digital certificate (with an offline paradigm from before
> modern communication). Having an available repository about the
> party being dealt with ... including things like timely, aggregated
> information (recent transactions) is significantly more valuable
> than the stale, static digital certificate environment (the only
> thing that it has going for it, is it is better than nothing in the
> oldtime offline environment).

> [...]

> EU had also made a statement in the mid-90s that electronic retail
> payments should be as anonymous as cash.

They can't be as "anonymous as cash" if the party being dealt with can be identified. And the party can be identified if the transaction is "online, real-time". Even if other clues are erased, there's still traffic analysis in this case.

What the offline paradigm has going for it is the possibility of true, untraceable anonymity through the use of anonymizing remailers and related technologies.

-- StealthMonger <[EMAIL PROTECTED]>

--
stealthmail: Scripts to hide whether you're doing email, or when, or with whom.
http://stealthsuite.afflictions.org
Re: Hushmail in U.S. v. Tyler Stumbo
Jon Callas <[EMAIL PROTECTED]> writes:

> Hushmail is not a scam. They do a very good job of explaining what
> they do, what they cannot do, and against which threats they
> protect. You may quibble all you want with its *effectiveness* but
> they are not a scam. A scam is being dishonest.

Failure to tell the whole truth is a form of dishonesty, just as is telling a lie. By silently, implicitly adopting a narrow definition of "security", Hush are able to claim "Only Hush's solution provides such a high level of security combined with total ease of use." [1]

The larger truth is that a consequence of using Hushmail is that record of when, with whom, and the size of each communication is available to Hush, even though the content is concealed.

According to the original poster, it's these kinds of data that Hushmail was required to turn over to the US DEA.

-- StealthMonger <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

[1] http://www.hushmail.com/about-how
The need for off-line communication [was: Re: 307 digit number factored]
Anne & Lynn Wheeler <[EMAIL PROTECTED]> writes:

> ... [lengthy discussion about why on-line communication is better
> than off-line for strangers becoming introduced to one another] ...

That may well be, but no claim was made that off-line communication is as efficient as on-line for introducing and certifying strangers to one another.

It was only claimed that players who have to remain geographically hidden would lose their protection if deprived of off-line communication. This is because in the on-line, low-latency case, an attacker can locate the end-points through traffic analysis. Only off-line does the option exist of untraceable traffic mixing such as remailer chains.

This subject is on-topic here because cryptography is an indispensable ingredient of these untraceable traffic mixes.

-- StealthMonger <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Re: 307 digit number factored
Anne & Lynn Wheeler <[EMAIL PROTECTED]> writes:

> of course ... the whole licenses/credentials/certificates are an offline
> world paradigm licensing, credentialing, and certifications can be
> validated with online, real-time operations ... obsoleting any requirement for
> supporting offline methodologies.

> it would be really great to make it an excuse to move away from offline
> paradigm to real online operation ... getting totally rid of the need for
> domain name certificates ... DNS serving up both ip-addresses and public
> keys in single operation.

This would destroy the protection of one who depends on off-line, message-based communication for self-defense.

Such a person may create and maintain a persistent pseudonym through untraceable chains of random latency, anonymizing remailers which thwart traffic analysis through mixing.

On-line, connection-based communication has low latency and can be traced by traffic analysis.

-- StealthMonger <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Re: Piercing network anonymity in real time
Ivan Krstic <[EMAIL PROTECTED]> writes:

> Calling this "piercing network anonymity in real time" is highly
> misleading; in reality, it's more like "making it bloody obvious
> that there's no such thing as network anonymity".

No. Ever hear of Chaum's "Dining Cryptographers" [1]? Anonymity right there at the table. Been around for almost twenty years.

Strong anonymity is available today using chains of random-latency, mixing, anonymizing remailers based on mixmaster [2], of which there is a thriving worldwide network [3].

> The best one can hope for today is a bit of anonymous browsing and
> IM with Tor ...

Tor is indicted by its own documentation:

    ... for low-latency systems like Tor, end-to-end traffic correlation attacks [8, 21, 31] allow an attacker who can observe both ends of a communication to correlate packet timing and volume, quickly linking the initiator to her destination. [4]

[1] "The Dining Cryptographers Problem: Unconditional Sender Untraceability," D. Chaum, (invited) Journal of Cryptology, vol. 1 no. 1, 1988, pp. 65-75.
    ftp://ftp.csua.berkeley.edu/pub/cypherpunks/papers/chaum.dining.cryptographers.gz
    http://www.e-ztown.com/cryptopapers.htm
    http://citeseer.nj.nec.com/context/143887/0

[2] http://sourceforge.net/projects/mixmaster/.

[3] See usenet newsgroup alt.privacy.anon-server.

[4] http://tor.eff.org/cvs/tor/doc/design-paper/challenges.pdf
Re: Piercing network anonymity in real time
[EMAIL PROTECTED] writes:

> eTelemetry Locate [Image]

> Locate dynamically discovers, correlates and archives the
> person behind the IP address ...

Another reason to use StealthMail -- see package description below.

StealthMail still needs an Internet site. If you can provide one, please contact the author.

<[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

    Package: stealthmail
    Description: scripts to hide whether you're doing email, or when, or with whom
     Maintain on-going random cover traffic via usenet newsgroup alt.anonymous.messages, substituting encrypted live traffic when available. A live message is indistinguishable from a random cover message except with the decryption keys. All potential participants send messages to alt.anonymous.messages with rigid periodicity uncorrelated with any live traffic, and maintain an uninterrupted full feed from alt.anonymous.messages, so that an observer cannot determine whether, when, or among whom live communication is happening.
Re: PGP "master keys"
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:

> In an article on disk encryption
> (http://www.theregister.co.uk/2006/04/26/pgp_infosec/), the following
> paragraph appears:

>     BitLocker has landed Redmond in some hot water over its insistence
>     that there are no back doors for law enforcement. As its
>     encryption code is open source, PGP says it can guarantee no back
>     doors, but that cyber sleuths can use its master keys if
>     necessary.

> What is a "master key" in this context?

Interesting epilog: theregister has apparently now edited out all mention of master keys. In a version downloaded via the Agora web-to-mail gateway at Sat, 29 Apr 2006 03:42:05 +0900 (JST), the second sentence reads "PGP says its open source encryption code also guarantees no back doors." (full stop)

-- StealthMonger
Re: NPR : E-Mail Encryption Rare in Everyday Use
Ben Laurie <[EMAIL PROTECTED]> writes:

> Florian Weimer wrote:

> > I couldn't find a PGP key server operator that committed itself to
> > keeping logs confidential and deleting them in a timely manner (but I
> > didn't look very hard, either). Of course, since PGP hasn't
> > progressed as fast as our computing resources, I'm nowadays in a
> > position to run my own key server, but this is hardly a solution to
> > that kind of problem.

> OK, I buy the problem, but until we do something about the totally
> non-anonymising properties of the 'net, revealing that I want the public
> key for some person seems to be quite minor - compared, for example, to
> revealing that I sent him email each time I do.

But you don't have to reveal that you sent him email. You can use stealthy communication.

Stealthy communication is communication wherein not only is the content concealed from eavesdroppers by encryption, but information about who is communicating with whom, when, or if at all, is concealed, as well.

The Internet can be used for stealthy communication. The basic idea is that each potential participant has ongoing traffic to and from a message pool which is propagated world-wide. When the participant has no live traffic to send, dummy traffic is sent instead. The dummy traffic is indistinguishable from the live traffic except by using decryption keys which are chosen by correspondents. The outbound traffic continues autonomously without interruption for months and years and is not correlated to the live traffic, so an observer without the keys cannot determine when or how much live communication is happening.

Inbound cover traffic consists of taking a full feed of the message pool at all times without interruption.

A Debian Linux package exists which enables stealthy email. It has been in everyday use for years, although not widely. Details on request. I am looking for someone to host it. Any volunteers?

-- StealthMonger <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
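The cover-traffic scheme described in the message above and in the stealthmail package description, as an added example that is not stealthmail's own code: one fixed-size post goes out every period whether or not live mail is queued, and only key holders can tell live slots from cover. An HMAC-SHA256 keystream and tag stand in for GnuPG; the slot size, the period and all names are assumptions.

```python
import hashlib, hmac, os, struct
from collections import deque

SLOT = 256            # every post has exactly this size (assumed value)
PERIOD = 3600         # seconds between posts, never varied (assumed value)
NONCE, TAG = 16, 32
BODY = SLOT - NONCE - TAG

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream: a stand-in for GnuPG.
    blocks = (hmac.new(key, b"enc" + nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(key, msg):
    """Encrypt msg into one fixed-size slot that looks like random bytes."""
    if len(msg) > BODY - 2:
        raise ValueError("message does not fit in one slot")
    padded = (struct.pack(">H", len(msg)) + msg).ljust(BODY, b"\0")
    nonce = os.urandom(NONCE)
    ct = _xor(padded, _stream(key, nonce, BODY))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_slot(key, slot):
    """Return the plaintext if slot was sealed under key, else None."""
    if len(slot) != SLOT:
        return None
    nonce, ct, tag = slot[:NONCE], slot[NONCE:-TAG], slot[-TAG:]
    want = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None                      # cover traffic or another group's mail
    padded = _xor(ct, _stream(key, nonce, BODY))
    (n,) = struct.unpack(">H", padded[:2])
    return padded[2:2 + n]

class Sender:
    def __init__(self, key):
        self.key, self.queue, self.clock = key, deque(), 0

    def submit(self, msg):
        self.queue.append(msg)           # waits for the next scheduled slot

    def tick(self):
        """Runs once per PERIOD and always posts exactly one slot."""
        slot = seal(self.key, self.queue.popleft()) if self.queue else os.urandom(SLOT)
        posted_at, self.clock = self.clock, self.clock + PERIOD
        return posted_at, slot

def simulate(key, live, ticks):
    """live maps tick index -> messages submitted just before that tick."""
    sender, posts = Sender(key), []
    for i in range(ticks):
        for msg in live.get(i, []):
            sender.submit(msg)
        posts.append(sender.tick())
    return posts

def observer_view(posts):
    # What an eavesdropper without keys can measure: timing and volume.
    return [(at, len(slot)) for at, slot in posts]

if __name__ == "__main__":
    key = os.urandom(32)                 # constructed group key
    idle = simulate(key, {}, 6)
    busy = simulate(key, {1: [b"meet at noon", b"bring the files"]}, 6)
    print(observer_view(idle) == observer_view(busy))
    print([open_slot(key, s) for _, s in busy])
```

Two messages submitted together leave in consecutive periods instead of as a burst, which is where the added latency of the scheme comes from.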
Re: X.509 / PKI, PGP, and IBE Secure Email Technologies
"James A. Donald" <[EMAIL PROTECTED]> writes:

> ... email should be sent by a direct connection from the client to
> the recipient mail server, rather than this store and forward crap.

This would eliminate the only available technique for strong anonymity or pseudonymity. Strong anonymity or pseudonymity cannot be achieved if there is a direct connection from the sender to the recipient because it can be traced. For strong anonymity or pseudonymity, the only available secure technology is anonymizing remailers with random latency store and forward.