Hal Finney writes: [...regarding mixmaster remailer passwords...]
The other suggestion that was made here, that the operator would have to manually type in the pass phrase every time the computer rebooted [...] However it would probably not be a practical method of operation given the reliability of at least the Unix operating systems that I am familiar with.
Then you need to start running PC unix systems which were last written or updated during this decade. Keeping a unix system running, _as long as it is running a limited subset of application programs_, is a trivial task in Linux, BSD/OS, FreeBSD, and others. I routinely have server systems which perform specific tasks (e.g. smtp mail services, DNS, etc.) with uptimes of 5-6 months; there is no reason why a host serving as a remailer should not be able to be as reliable.
And even then the information is in memory. An attacker who could gain root privileges (and let's not pretend that the NSA can't do that) can dump memory and later comb it for the key information.
"Security is economics" -E. Hughes The point is not to make a system which is absolutely, positively, no doubt about it, secure against any attacker. If cypherpunks could do this they would be working for defense contractors and others who make certified systems. The objective is to make a system which is difficult to attack, one which costs the attacker time/money. After securing a host against the obvious attacks one can turn to the esoteric ones such as you present: move the key to kernel memory and remove tools for accessing or manipulating that area, run the memory-space encrypted and do not let it dump the contents to disk, etc. Systems which have been certified to high Orange book levels already exist, so there are obviously solutions to the problems you present. The tools and tricks of these systems just need to be migrated into systems which people actually use. Then remember that remailers gain strength in numbers. The more remailers you chain your message through the better your chances of passing through a single node which is not compromised, at which point your message has been "mixed." As long as it is easier for someone to create new remailers than to break existing remailers we are winning.
My point remains that strong keys are pointless for remailers which run on Unix systems connected to the net.
"Insisting on perfect security is for people who do not have the balls to live in the real world" -paraphrased from M. Shaefer You give far too much credit to the potential attackers. One advantage that unix systems connected to the net have over your hypothetical PC at home is the advantage of persistence, what is the point of running a remailer if it is never up, or only up when you need to use it? Traffic analysis of that particular node becomes a pretty easy task :) The unix hosts running remailers also have the advantage in that they have been subjected to attack for quite a while now and most of the obvious problems (and some of the non-obvious problems) have been fixed. A strong key on such a host is better than a weak key, so why not make systems as strong as you can? The only way to have a completely secure computer is to encase it in concrete, cut any network connections, and drop it into the ocean; OTOH the only thing you have created in this case is a fairly unique boat anchor. You are beginning to sound like the people who claim that the NSA can crack any encryption system, not because they have any proof but just because they extrapolate their limited knowledge into the unknown and mix in a bit of paranoia. [...]
Recall that my original comments were in connection with the claim that the government was running most of the remailers. As I said, I still think that is absurd when it would be so much easier to simply steal their keys.
But the point is that it is _not_ easier to steal the keys. It is much easier to put up a remailer than to attack an existing remailer, this is why the remailer system is winning the battle of security economics. By putting up its own remailers a potential attacker probabalistically diminishes the number of systems which they must break. jim