[cryptography] RFC6973: Privacy Considerations for Internet Protocols

2013-08-29 Thread Moritz Bartl
https://tools.ietf.org/html/rfc6973

This document offers guidance for developing privacy considerations
for inclusion in protocol specifications. It aims to make designers,
implementers, and users of Internet protocols aware of privacy-
related design choices. It suggests that whether any individual RFC
warrants a specific privacy considerations section will depend on the
document's content.


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-29 Thread Nikos Fotiou
A naive comment.

In his first email Zooko states:

S4 offers “*verifiable* end-to-end security” because all of the source
code that makes up the Simple Secure Storage Service is published for
everyone to see

A suspicious user may wonder, how can he be sure that the service
indeed uses the provided source code. IMHO, end-to-end security can be
really verifiable--from the user perspective--if it can be attested by
examining only the source code of the applications running on the user
side.

Best,
Nikos

On Sat, Aug 17, 2013 at 11:52 AM, ianG i...@iang.org wrote:
 On 16/08/13 22:11 PM, zooko wrote:

 On Tue, Aug 13, 2013 at 03:16:33PM -0500, Nico Williams wrote:


 Nothing really gets anyone past the enormous supply of zero-day vulns in
 their complete stacks.  In the end I assume there's no technological PRISM
 workarounds.


 I agree that compromise of the client is relevant. My current belief is that
 nobody is doing this on a mass scale, pwning entire populations at once, and
 that if they do, we will find out about it.

 My goal with the S4 product is not primarily to help people who are being
 targeted by their enemies, but to increase the cost of indiscriminately
 surveilling entire populations.

 Now maybe it was a mistake to label it as PRISM-Proof in our press release
 and media interviews! I said that because to me PRISM means mass surveillance
 of innocents. Perhaps to other people it doesn't mean that. Oops!



 My understanding of PRISM is that it is a voluntary and secret arrangement
 between the supplier and the collector (NSA) to provide direct access to all
 information.

 By 'voluntary' I mean that the supplier hands over the access, it isn't
 taken in an espionage or hacker sense, or leaked by an insider.  I include
 in this various techniques of court-inspired voluntarianism as suggested by
 recent FISA theories [0].

 I suspect it is fair to say that something is PRISM-proof if:

   a) the system lacks the capability to provide access
   b) the operator lacks the capacity to enter into the voluntary
 arrangement, or
   c) the operator lacks the capacity to keep the arrangement (b) secret

 The principle here seems to be that if the information is encrypted on the
 server side without the keys being held or accessible by the supplier, then
 (a) is met [1].

 Encryption-sans-keys is an approach that is championed by Tahoe-LAFS and
 Silent Circle.  Therefore I think it is reasonable in a marketing sense to
 claim it is PRISM-proof, as long as that claim is explained in more detail
 for those who wish to research.

 In this context, one must market one's product, and one must use simple
 labels to achieve this.  Otherwise the product doesn't get out there, and
 nobody is benefited.



 iang


 [0] E.g., the lavabit supplier can be considered to have not volunteered the
 info, and google can be considered to have not volunteered to the Chinese
 government.
 [1] In contrast, if an operator is offshore it would meet (b) and if an
 operator was some sort of open source distributed org where everyone saw
 where the traffic headed, it would lack (c).





 Regards,

 Zooko





Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-29 Thread Natanael
Considering that it's designed to not trust the servers in the first
place (just your gateway, which often will be part of your own client
or otherwise run locally), it's not all too hard. If you've verified
the client, then you can be sure your data is secure.



Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-29 Thread danimoth
On 29/08/13 at 03:09pm, Nikos Fotiou wrote:
 A suspicious user may wonder, how can he be sure that the service
 indeed uses the provided source code. IMHO, end-to-end security can be
 really verifiable--from the user perspective--if it can be attested by
 examining only the source code of the applications running on the user
 side.


I agree with you and I propose a simple protocol which follows your
statement:

- encrypt your data with a symmetric cipher and a private and robust key
- make a hash of the encrypted data and store it securely (no loss
  possible) offline
- upload the encrypted data over some service.
- download the encrypted data when you need it, check the hash and
  decrypt with the key used in the first pass.

In this (simple) case, what is run server side does not nullify security
properties (confidentiality and integrity in this example), provided
that what is run user-side is ok.
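A stdlib Python run of the four steps danimoth lists, as an added example that is not from the thread and not Tahoe-LAFS code; it assumes a dict standing in for the storage service and uses an HMAC-SHA256 counter-mode keystream in place of a production cipher such as AES-GCM.

```python
"""Constructed example: the "server" is a dict the client never trusts. The cipher
is HMAC-SHA256 in counter mode, a stand-in for a real cipher such as AES-GCM; the
integrity check is the SHA-256 digest of the ciphertext the user keeps offline."""
import hashlib
import hmac
import os

NONCE_LEN = 16

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC-SHA256(key, nonce || i)
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Step 1: fresh nonce per message so the keystream is never reused under one key
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

def fingerprint(blob: bytes) -> str:
    # Step 2: the digest the user stores offline; the server never sees it
    return hashlib.sha256(blob).hexdigest()

def run_protocol(key: bytes, plaintext: bytes, tamper: bool = False):
    """Return (recovered plaintext, or None on integrity failure; bytes the server held)."""
    server = {}                                   # untrusted storage
    blob = encrypt(key, plaintext)
    offline_hash = fingerprint(blob)
    server["backup"] = blob                       # Step 3: upload ciphertext only
    if tamper:                                    # a dishonest server edits the blob
        edited = bytearray(server["backup"])
        edited[-1] ^= 0x01
        server["backup"] = bytes(edited)
    fetched = server["backup"]                    # Step 4: download, verify, decrypt
    if not hmac.compare_digest(fingerprint(fetched), offline_hash):
        return None, server["backup"]
    return decrypt(key, fetched), server["backup"]
```

Honest or not, the server only ever holds ciphertext, and an edited blob is rejected by the offline hash before decryption is attempted. The key and the hash must survive on the user side, which is where the trust actually lives.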


Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service

2013-08-29 Thread zooko
On Thu, Aug 29, 2013 at 02:44:37PM +0200, danimoth wrote:
 On 29/08/13 at 03:09pm, Nikos Fotiou wrote:
  A suspicious user may wonder, how can he be sure that the service
  indeed uses the provided source code. IMHO, end-to-end security can be
  really verifiable--from the user perspective--if it can be attested by
  examining only the source code of the applications running on the user
  side.
 
 
 I agree with you and I propose a simple protocol which follows your
 statement:
 
 - encrypt your data with a symmetric cipher and a private and robust key
 - make a hash of the encrypted data and store it securely (no loss
   possible) offline
 - upload the encrypted data over some service.
 - download the encrypted data when you need it, check the hash and
   decrypt with the key used in the first pass.
 
 In this (simple) case, what is run server side does not nullify security
 properties (confidentiality and integrity in this example), provided
 that what is run user-side is ok.

The Least-Authority Filesystem does all of the above. We have some pretty good
docs:

https://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/docs/about.rst

http://code.google.com/p/nilestore/wiki/TahoeLAFSBasics

https://tahoe-lafs.org/trac/tahoe-lafs/wiki/FAQ

Regards,

Zooko


Re: [cryptography] Reply to Zooko (in Markdown)

2013-08-29 Thread zooko
On Sat, Aug 24, 2013 at 09:18:33PM +0300, ianG wrote:
 
 I'm not convinced that the US feds can at this stage order the 
 backdooring of software, carte blanche.  Is there any evidence of 
 that?
 
 (I suspect that all their powers in this area are from pressure and 
 horse trading.  E.g., the export of cryptomunitions needs a 
 licence...)

I don't know. I asked a lawyer a few days ago -- a person who is, as far as I
can tell, one of the leading experts in this field. Their answer was that
nobody knows.

In any case, you don't appear to be arguing that Silent Text is different than
Silent Mail, only that the U.S. Federal Government would not require Silent
Circle to actively backdoor their own products. This argument applies equally
to the canceled product and the current ones.

In fact, I don't think it is a useful question for evaluating the security of
services that you rely on. If a service provider could spy on you at the behest
of their government, then an attacker who infiltrated that service provider's
systems could also spy on you.

Imagine that your adversary is not the U.S. NSA, but instead Chinese
cyber-warriors, and instead of contacting your service provider and demanding
cooperation, they simply remotely infiltrate your service provider's employee's
laptops. They've apparently done this many times in recent years, to Adobe,
Google, Microsoft, Nortel Networks, and basically every other company you can
name.

So I don't think the question of "To whom is my service provider vulnerable?"
is the right question. You can't really know the answer, so it doesn't help you
much to wonder about it. The right question is "Am I vulnerable to my service
provider?". The answer, as far as Silent Circle's current products go, is
"Yes."


 I would be surprised if there was a single stated reason.

Here are the first five hits from DuckDuckGo for the query "silent circle
mail":

"We knew USG would come after us." That's why Silent Circle CEO Michael
Janke tells TechCrunch his company shut down its Silent Mail encrypted
email service.


http://techcrunch.com/2013/08/08/silent-circle-preemptively-shuts-down-encrypted-email-service-to-prevent-nsa-spying/

Silent Circle, the provider of a range of secure communications services,
has pre-emptively closed its Silent Mail email service in order to stop
U.S. authorities from spying on its customers


http://gigaom.com/2013/08/09/another-u-s-secure-email-service-shuts-down-to-protect-customers-from-authorities/

Silent Circle, the global encrypted communications firm revolutionizing
mobile security for organizations and individuals alike, today announced it
has discontinued its Silent Mail e-mail encryption service in order to
preempt governments' demands for customer information in the escalating
surveillance environment targeting global communications. 


http://www.darkreading.com/privacy/silent-circle-ends-silent-mail-service-t/240159779

the Lavabit e-mail service used by National Security Agency leaker Edward
Snowden announced Thursday that it would shut down, implying heavily that
it had received some sort of government request for information. Hours
later ... Silent Circle, said it would preemptively shut down its Silent
Mail service to avoid ending up in the same position.


http://m.washingtonpost.com/business/technology/lavabit-silent-circle-shut-down-e-mail-what-alternatives-are-left/2013/08/09/639230ec-00ee-11e3-96a8-d3b921c0924a_story.html

There are far too many leaks of information and metadata intrinsically in
the email protocols themselves. Email as we know it with SMTP, POP3, and
IMAP cannot be secure.

https://silentcircle.wordpress.com/2013/08/09/to-our-customers/

(Kudos to Jon for saying something sensical in that last one!)

Regards,

Zooko