Re: Security flaws introduced by "other readers" in CMR
Adam Back writes:
You have a dual concern: you are trying to protect against big brother and against little brother.
At the technical level, is there a meaningful difference between the brothers? Aren't we really talking about third-party access to communications, and second-party access to stored data ... with the "brother" distinction being one made at a social/political level, as a judgement about the legitimacy of the access or the size of the actor, rather than the character of the access?

--
Greg Broiles           | US crypto export control policy in a nutshell:
gbroiles@netbox.com    | Export jobs, not crypto.
http://www.io.com/~gbroiles | http://www.parrhesia.com
Greg Broiles <gbroiles@netbox.com> writes:
Adam Back writes:
You have a dual concern: you are trying to protect against big brother and against little brother.
At the technical level, is there a meaningful difference between the brothers?
I think so, yes. I think I am able to demonstrate situations where there is a trade-off: you can trade government resistance against little brother resistance. PGP Inc's CMR I believe is a form of this; they have nice recommendations for companies, statements of intent for plaintext handling, and transparent statements of when email is a company recoverable email address. But the way that they have implemented this functionality I believe could be perverted for uses other than their intentions by governments. I think this means that the resulting system has traded off weaker government resistance to achieve marginally stronger little brother resistance. (I may even say no stronger little brother resistance, I think CDR can achieve the same functionality).

The best example I can think of is France. Other governments (US/UK) people say: it'll never happen; tin pot dictator scenarios people are less worried about because they feel the dictator will do unreasonable things in any case.

The situation in France is: currently (or recently) you could not use encryption at all without a license. The enforcement rate is low to zero. (Jerome Thorel interviewed the head of SCSSI (NSA equivalent), and they said that if you asked for a license for personal use they would say "no", but if you didn't bother asking and used PGP2.x anyway, they wouldn't do anything about it typically).

Now I understand the French have switched position: you can use encryption without a license *provided* that it has master key access for the government.

Let's say then that our aim is to design the OpenPGP standard and the pgp5.5 implementation to be as resistant to use by the French government as possible. With the pgp standard as is, the French government could insist that people use pgp5.x. pgp5.x provides a reasonably useful framework for the French government to adapt to be used as a master access system. Because this will then be explicitly allowed, more people are likely to use it. (Current people using pgp2.x illegally are, one suspects, the French cypherpunks subset of the population). This means that the French government can start to ramp up enforcement as there are fewer objections (you _can_ protect confidentiality for business and privacy uses, use this: pgp5.x).

If on the other hand pgp5.x were to use only single recipients for confidentiality, and to base company recovery of encrypted mail folders on key recovery information stored locally alongside the mailbox, the system would be less useful to the French government.
Aren't we really talking about third-party access to communications, and second-party access to stored data ... with the "brother" distinction being one made at a social/political level, as a judgement about the legitimacy of the access or the size of the actor, rather than the character of the access?
It is more than that I think. This is because many people acknowledge the legitimacy of companies a) to encrypt data, b) to recover data in case an employee forgets keys, or dies unexpectedly.

Second party access to stored data is much less scary. Little brother can ultimately read _everything_ you do at work. If he gets suspicious he can install a keyboard logger, keyboard password sniffer, or concealed videocam whilst you are out of the office. The best we can do is discourage little brother from abusing systems designed for data recovery as mass communications snooping. The best suggestion I have seen for this so far was Bill Stewart's suggestion to only store recovery info for some of the bits. Make the recovery process artificially slow: say 40 bits. Worth it for recovering the main developer's design notes made in email when he dies unexpectedly. Some hindrance to little brother unless he is determined. As long as this hindrance is on a similar scale to other similar things little brother could do to check up on a suspicious user, you have achieved your goal of hindering little brother.

Big brother is hindered very significantly if you do recovery locally, rather than on the communications link as PGP Inc CMR does. This is because big brother does not have access to the ciphertext on disks. He must come and take them. Whereas for communications he can practically achieve access to your email ciphertext at push button convenience. Your email communications are already secret split with the NSA: the data is split into two unequally sized halves: the _key_ and the _ciphertext_. For this reason you really don't want the NSA to get that key.

For data storage recovery, your data is again in two halves: you have one, the _key_, your employee/you have the other, the _ciphertext_ on disk. Your employee can recover that info anyway. The NSA can't easily. It is much more logistically expensive to collect or randomly sample disk contents.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
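Adam's two proposals above, recovery info stored locally alongside the mailbox rather than an extra recipient on the wire, and Bill Stewart's idea of withholding some key bits so that recovery is deliberately slow, combined into one added Python example (my own illustration, not code from this thread or from PGP Inc). It assumes a toy SHA-256 keystream cipher with an HMAC tag in place of the real symmetric cipher, and withholds 16 bits instead of the suggested 40 so that it runs in about a second; the cost scales as 2**missing_bits either way.

```python
"""Local, deliberately slow key recovery for a stored encrypted mailbox.

Constructed example: a message is encrypted under a fresh session key, and
the recovery info kept next to the mailbox is the key with its low-order
`missing_bits` withheld. Recovery means brute-forcing those bits against
the message's authentication tag, so it costs about 2**missing_bits trials.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

KEY_BYTES = 16  # 128-bit session key


def _keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher: SHA-256(key || counter) blocks. It stands in for the
    # real symmetric cipher; the recovery scheme does not depend on which one.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _tag(key: bytes, ciphertext: bytes) -> bytes:
    # Authentication tag lets a recovery attempt recognise the right key.
    return hmac.new(key, ciphertext, hashlib.sha256).digest()


def encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    stream = _keystream(key, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    return ciphertext, _tag(key, ciphertext)


def decrypt(key: bytes, ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    # Tag check first: a wrong candidate key is rejected without decrypting.
    if not hmac.compare_digest(_tag(key, ciphertext), tag):
        return None
    stream = _keystream(key, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


@dataclass
class StoredMessage:
    """What sits in the local mail folder: ciphertext, tag, partial key."""
    ciphertext: bytes
    tag: bytes
    partial_key: int   # session key >> missing_bits, kept alongside the mailbox
    missing_bits: int  # bits withheld; the thread suggests 40 for real use


def store_message(plaintext: bytes, missing_bits: int = 16) -> Tuple[bytes, StoredMessage]:
    """Encrypt with a fresh random key; return the full key and the stored form."""
    key = os.urandom(KEY_BYTES)
    ciphertext, tag = encrypt(key, plaintext)
    partial = int.from_bytes(key, "big") >> missing_bits
    return key, StoredMessage(ciphertext, tag, partial, missing_bits)


def recover_message(msg: StoredMessage) -> Tuple[Optional[bytes], int]:
    """Recover without the full key by searching the withheld bits.

    Returns (plaintext or None, number of candidate keys tried). The work
    grows as 2**missing_bits, and the partial key never leaves the machine
    holding the mailbox, so nothing captured on the wire shortens the search.
    """
    high = msg.partial_key << msg.missing_bits
    for guess in range(1 << msg.missing_bits):
        candidate = (high | guess).to_bytes(KEY_BYTES, "big")
        plaintext = decrypt(candidate, msg.ciphertext, msg.tag)
        if plaintext is not None:
            return plaintext, guess + 1
    return None, 1 << msg.missing_bits


if __name__ == "__main__":
    note = b"design notes for the new cipher module (constructed sample)"
    key, stored = store_message(note, missing_bits=16)
    recovered, trials = recover_message(stored)
    print("recovered:", recovered == note, "after", trials, "of", 1 << 16, "trials")
```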
At 10:44 PM -0700 10/18/97, Fabrice Planchon wrote:
I would say people who wrote the current law 2 years ago didn't have a clue on the technical issues, anyway. That's why we are still waiting for the "decrets d'application", which are the set of rules on how the law will be enforced. Somehow I would bet they are waiting to see where the wind blows at the international level.
I'm not sure the people who wrote the U.S. laws had a clue, either. (Check out Dan Bernstein's report in sci.crypt on the latest appeal arguments of the government side in his case...the Feds are arguing that the First Amendment (to the U.S. Constitution) does not protect speech that may be read and acted upon by computers!).
I know at least one academic site where system administrator were prevented from switching to ssh because of the legal issue. Seems the campus administration folks wanted to protect their asses...
This is an important point. Covering their asses. I think much of the "corporate demand" for CMR and CAK has been coming from medium-level bureaucrats, the mid-level "security staff" who make recommendations on corporate and institutional purchases. It's not too surprising that the security staff at Random Corporation and at the University of Middle America want access to all communications...if it were up to them alone they'd have video cameras scattered everywhere.

But I predict serious downstream (future) objections to CMR and CAK will arise. Once the higher-ups at Random Corporation realize that all e-mail will now be logged in perpetuity for easy perusal in lawsuits, FTC actions, etc. (*), they'll no doubt have second thoughts.

(* It may be argued that all corporate e-mail is already archived, on the machine backups for the corporate mail servers, SMTP, etc. Possibly, but such e-mail is often hard to get. Some sites may choose to not keep mail server backups, etc. Certainly ISPs have the same machine backups, and yet it has proven difficult for investigators and whatnot to get complete e-mail archives on targets. A CMR or CAK system would formalize the archiving and make obtaining such records much easier. A very tempting target indeed for "discovery" procedures. Or for law enforcement.)

And as for the University of Middle America, wait until professors and students discover that UMA bought PGP 5.5 Snoopware for Sysadmins and that communications with other professors, other employers, etc. will be subject to snooping by some low-level security employees.
...
still). But what I certainly fail to understand is why PGP inc (and people who support them) is focusing on a solution which allows one to intercept and read e-mail in transit. That's inherently evil, no matter how
I agree. It makes the job of snoopers much easier. And while I don't dispute the property right of a business owner to state the terms of encryption use on his property, the practical situation is that few businesses tape-record all telephone calls, open all incoming and outgoing physical mail, etc. Even though this is in some sense their "right," they realize the morale effects this would have on employees, the trust issues, and the sheer impracticality.

(I am reminded of the issue of "personal use" of telephones in companies. Companies which forbid personal use find decreased productivity as employees leave the premises to find payphones, or queue up at the payphones in the cafeteria, etc. Most companies have decided to let employees--especially their professionals--use their phones for personal uses, within reason. (My company, Intel, had this policy, though a printout of calls to long-distance locations was kept, of course, and occasionally there were inquiries made about the purposes of calls, etc.))

What I expect will happen with CMR and CAK is that employees or professors or whatever who really need confidentiality--and there are many valid reasons for this--will use either their own products (probably freeware, to boot), or will use non-company accounts. The professor at UMA who doesn't want administration snoops monitoring his e-mail will use his AOL or Netcom account. As we are already seeing today. If his institution has a firewall preventing such services from being connected to (itself a hardship), he'll just wait until he gets home and send his sensitive mail then. PGP could actually lose business this way.
you put it. And the "hit by a truck" hypothesis doesn't stand a minute in real life (Yah, shit happens, so what?). The (legitimate) needs of a company can be achieved via an agreement with its employees, on how data are stored, backed up, duplicated, whatever, and it has merely nothing to do with cryptography. Or am I missing something obvious?
No, you're not missing anything. The claimed need that PGP for Business fills is that of recovery of important information. In fact, it fails miserably at that. (For reasons several of us have outlined. First, truly confidential information will be sent in other ways, as noted above. Second, very little of the important stuff ever travels by e-mail, for obvious reasons. Third, the important files in the "hit by a truck" scenario are the gigabytes of local storage on user machines...the circuit files, the process descriptions, the work in progress, the source code, etc. These are the files a company wants to protect against unrecoverable encryption. And these files have very little to do with mail encryption.) What PGP for Business appears to do, the market it appears to satisfy, is the desire for some companies and institutions to be able to monitor what their employees are saying to each other, to detect banned language, to cover their asses for lawsuits, etc. (In fact, it fails at most of these uses, too. For obvious reasons. And it introduces new risks for lawsuits, as noted above.)
And as far as the "legitimate needs of the law enforcement agencies", well, if they want to read e-mail sent by an employee from his company account because he is a potential drug dealer, they can obtain the proper authorization from the court and snoop on the guy from within the company. As usual, the weakest link is the guy typing on his keyboard, as I doubt anybody speaks IDEA fluently...(even rot13 I am skeptical. Crime organizations in Paris at the beginning of the century were using "Javanais", which was a very basic code, but sufficient to confuse the police)
Exactly so. I believe governments will _like_ PGP for Business because it simplifies the monitoring process for them. If they get a court order telling Random Corporation to turn over their keys, or convince Random Corporation to voluntarily cooperate, they now have easy access to _all_ of the traffic. I believe it's a slam dunk certainty that corporations in many countries will be required on a pro forma basis to give their keys to the law enforcement agencies. This does not even seem debatable. Of _course_ these will be turned over. (By focussing on the United States we, and PGP, Inc., are missing the obvious reality that most of the world's nations have no constitutional protections sufficient to stop this from happening. And even the U.S. may be able to get these keys easily...invocation of "commerce" and FTC/SEC sorts of issues may be sufficient.)
So why isn't everybody focusing on being sure the transport layer is secure, and leaving to social interaction at both ends of the communication process the problem of recovery of whatever was transmitted? (which, I feel dumb for saying it, was in the clear at some point before being sent, and will be when it is read...)
This is what some of us have been saying for a long time. I advocate KISS, "Keep it Simple, Stupid," for the OpenPGP effort. Let PGP, Inc. go off on a quixotic crusade to provide snoopware for corporations and universities, and let the market decide. PGP, Inc. should remind themselves of the moral promise doctors make: "First do no harm."

--Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
At 12:17 PM -0700 10/19/97, Fabrice Planchon wrote:
On Sun, Oct 19, 1997 at 10:54:18AM -0700, Tim May wrote:
I'm not sure the people who wrote the U.S. laws had a clue, either. (Check out Dan Bernstein's report in sci.crypt on the latest appeal arguments of the government side in his case...the Feds are arguing that the First Amendment (to the U.S. Constitution) does not protect speech that may be read and acted upon by computers!).
Ohoh. How interesting. But they have to define what they mean by acted upon by computers, and we are back to a technical issue they don't understand. But does the judge understand this issue better? If I
By the way, the main discussion for this Bernstein point is on misc.legal.computing, where followups have been redirected. He asked for examples, modern and old, of where the government's position could be used for prior restraint and censorship. I suggested JPEGs and GIFs, which are clearly machine-readable instructions telling a computer how to write a pattern of pixels in a display window. Are we to presume that such JPEGs and GIFs (and WAVs and MOVs and...) have lost their First Amendment protection? If upheld, the CDA would not even be needed. Oh, folks, don't submit your own examples _here_. Do it in the appropriate thread in misc.legal.computing, so Bernstein can get a lot of examples collected.
corporate and institutional purchases. It's not too surprising that the security staff at Random Corporation and at the University of Middle America want access to all communications...if it were up to them alone they'd have video cameras scattered everywhere.
eheh, I had an argument with my local (PU) system administrator, and at some point he said "and what are all these mails coming from cypherpunks anyway?" (I hope he reads this one...). So, they are already snooping, out of fear, or because in a moment of boredom they look at the mail log (the same way phone operators in the old days were listening to calls, I guess. Part of human nature)
Yes, they snoop. Out of boredom, out of instructions from Administration, whatever. Encryption will help, but not if the same snoopers can continue to snoop.
And as for the University of Middle America, wait until professors and students discover that UMA bought PGP 5.5 Snoopware for Sysadmins and that communications with other professors, other employers, etc. will be subject to snooping by some low-level security employees.
Somehow, I can play the devil's advocate and argue that it would be better than the current situation where:
1) people don't use encryption at all
2) networks are weakly secured and snooping is easy
3) people use e-mail without thinking it can be snooped, archived, and reused later, unlike, say, a phone call.
I disagree. Snoopware will tend to centralize the files to a point where snooping is easier. Those using PGP 5.0 and earlier will likely be told to switch to the snoopware version. While many may not encrypt now, this is changing. Snoopware rolls back the clock. To be clear: we should be advocating the wider use of strong encryption, not arguing that snoopware is better than nothing. Nothing is not really the proper alternative to weigh snoopware against.
If you tell a professor that any student can easily read his e-mail but that with this nice pgp5.5 software it will be no longer the case, he might embrace it readily, even if on the long run and on second thoughts it might not be a good idea.
Why does this professor not have the option of PGP 5.0? That's the real alternative to consider. (Some of us have fears that development of the "free" version of PGP will not be supported or developed. While PGP may _hope_ that many buy the PGP 5.0 they plan to sell to individuals, the fact is that most individuals won't pay money for what they can get for free. This is presumably a motivation for the development of PGP for Business, with Netscape-like incentives for corporate buys.)
I advocate KISS, "Keep it Simple, Stupid," for the OpenPGP effort. Let PGP, Inc. go off on a quixotic crusade to provide snoopware for corporations and universities, and let the market decide.
Yes and no, as I said before it's not clear what the market will decide, if people who make key buying decisions don't do the right thing. Once every single university is equipped with pgp5.5, it's not that easy to go back. And because of their reputation capital, people are more likely to buy the product blindly. Sounds scary? I don't believe in conspiracy theories, usually stupidity, ignorance and such are enough to make bad things happen. And we see it now.
We all agree that widespread adoption of PGP 5.5 could be scary. Hence our concerns. (Even more scary are the many ways various governments could gain easy access to the CMR keys. Whereas enforcement of key escrow is difficult with millions of diverse, anarchic users and approaches, CMR essentially centralizes the target nicely.)

--Tim May
On Sun, Oct 19, 1997 at 10:54:18AM -0700, Tim May wrote:
I'm not sure the people who wrote the U.S. laws had a clue, either. (Check out Dan Bernstein's report in sci.crypt on the latest appeal arguments of the government side in his case...the Feds are arguing that the First Amendment (to the U.S. Constitution) does not protect speech that may be read and acted upon by computers!).
Ohoh. How interesting. But they have to define what they mean by acted upon by computers, and we are back to a technical issue they don't understand. But does the judge understand this issue better? If I recall correctly my CS classes, translating plain English to computer code is doable, and depending on what rules you use for lexical and syntactical issues you would get different codes. Whether you can do something with it is another issue, of course... Somehow if they follow this heuristic, they will have to ban speech recognition software (which would be bad for me as my research has potential applications exactly there).
corporate and institutional purchases. It's not too surprising that the security staff at Random Corporation and at the University of Middle America want access to all communications...if it were up to them alone they'd have video cameras scattered everywhere.
eheh, I had an argument with my local (PU) system administrator, and at some point he said "and what are all these mails coming from cypherpunks anyway?" (I hope he reads this one...). So, they are already snooping, out of fear, or because in a moment of boredom they look at the mail log (the same way phone operators in the old days were listening to calls, I guess. Part of human nature)
And as for the University of Middle America, wait until professors and students discover that UMA bought PGP 5.5 Snoopware for Sysadmins and that communications with other professors, other employers, etc. will be subject to snooping by some low-level security employees.
Somehow, I can play the devil's advocate and argue that it would be better than the current situation where:
1) people don't use encryption at all
2) networks are weakly secured and snooping is easy
3) people use e-mail without thinking it can be snooped, archived, and reused later, unlike, say, a phone call.
If you tell a professor that any student can easily read his e-mail but that with this nice pgp5.5 software it will no longer be the case, he might embrace it readily, even if in the long run and on second thoughts it might not be a good idea.
What I expect will happen with CMR and CAK is that employees or professors or whatever who really need confidentiality--and their are many valid reasons for this--will use either their own products (probably freeware, to boot), or will use non-company accounts. The professor at UMA who doesn't want administrations snoops monitoring his e-mail will use his AOL or Netcom account. As we are already seeing today. If his institution has a firewall preventing such services from being connected to (itself a hardship), he'll just wait until he gets home and send his sensitive mail then.
Somehow, and even if I perfectly agree with you, you forget to see that while this may be true for professors from, say, CS, Engineering, Math, it won't be true for others who don't have the technical background to understand the problems and their solutions. I guess what I am saying is that what seems obvious to you, me, and probably most of the readers is not so to the general public. And the group of all professors at UMA probably reflects this. Unfortunately I don't have any solution to the advertising crypto problem. My best hope is that within a generation people will understand the technical issues and the underlying social implications of the way you make implementations. I fear it might be too late then...
I advocate KISS, "Keep it Simple, Stupid," for the OpenPGP effort. Let PGP, Inc. go off on a quixotic crusade to provide snoopware for corporations and universities, and let the market decide.
Yes and no, as I said before it's not clear what the market will decide, if people who make key buying decisions don't do the right thing. Once every single university is equipped with pgp5.5, it's not that easy to go back. And because of their reputation capital, people are more likely to buy the product blindly. Sounds scary? I don't believe in conspiracy theories, usually stupidity, ignorance and such are enough to make bad things happen. And we see it now.

F.
--
Fabrice Planchon                                  (ph) 609/258-6495
Applied Math Program, 210 Fine Hall               (fax) 609/258-1735
On Sat, Oct 18, 1997 at 08:53:14PM +0100, Adam Back wrote:
The situation in France is: currently (or recently) you could not use encryption at all without a license. The enforcement rate is low to zero. (Jerome Thorel interviewed the head of SCSSI (NSA equivalent),
I am not sure you can really say they are the NSA equivalent. I would rather say they are the equivalent of, say, the office in the dpt of commerce which gives the export authorizations in the US. What I mean is that I doubt they are listening to anybody. Other French agencies do that (and each agency, whether it depends on the police, like DST, RG, or the army, DGSE, DSM, has its own group of people listening to anybody they like). A normal police department could do it too, but then they will need a warrant of some kind. None of the agencies above probably bothers with things like that, as they will usually say "secret défense" if they are asked questions (some French equivalent of "national security").
Now I understand the French have switched position: you can use encryption without a license *provided* that it has master key access for the government.
I would say people who wrote the current law 2 years ago didn't have a clue on the technical issues, anyway. That's why we are still waiting for the "decrets d'application", which are the set of rules on how the law will be enforced. Somehow I would bet they are waiting to see where the wind blows at the international level.
With the pgp standard as is french government could insist that people use pgp5.x. pgp5.x provides a reasonablly useful framework for the french government to adapt to be used as a master access system.
http://www.lemonde.fr/multimedia/sem4297/textes/act42972.html It's in french, so I won't quote. The article has a very neutral position, but they point out exactly the same thing as you.
Because this will then be explicitly allowed, more people are likely to use it. (Current people using pgp2.x illegally are one suspects
I know at least one academic site where system administrator were prevented from switching to ssh because of the legal issue. Seems the campus administration folks wanted to protect their asses...
If on the other hand pgp5.x were to use only single recipients for confidentiality, and to base company recovery of encrypted mail folders on key recovery information stored locally alongside the mailbox the system would be less useful to the french government.
I don't have the technical expertise to discuss your proposal, so I won't (seems less snoop friendly to me than the PGP5.5 solution, still). But what I certainly fail to understand is why PGP inc (and people who support them) is focusing on a solution which allows one to intercept and read e-mail in transit. That's inherently evil, no matter how you put it. And the "hit by a truck" hypothesis doesn't stand a minute in real life (Yah, shit happens, so what?). The (legitimate) needs of a company can be achieved via an agreement with its employees, on how data are stored, backed up, duplicated, whatever, and it has merely nothing to do with cryptography. Or am I missing something obvious?

And as far as the "legitimate needs of the law enforcement agencies", well, if they want to read e-mail sent by an employee from his company account because he is a potential drug dealer, they can obtain the proper authorization from the court and snoop on the guy from within the company. As usual, the weakest link is the guy typing on his keyboard, as I doubt anybody speaks IDEA fluently...(even rot13 I am skeptical. Crime organizations in Paris at the beginning of the century were using "Javanais", which was a very basic code, but sufficient to confuse the police)

So why isn't everybody focusing on being sure the transport layer is secure, and leaving to social interaction at both ends of the communication process the problem of recovery of whatever was transmitted? (which, I feel dumb for saying it, was in the clear at some point before being sent, and will be when it is read...)
Second party access to stored data is much less scary. Little brother can ultimately read _everything_ you do at work. If he gets suspicious he can install a keyboard logger, keyboard password sniffer, or concealed videocam whilst you are out of the office. The best we can do is discourage little brother from abusing systems designed for data recovery as mass communications snooping. The best suggestion I have seen for this so far was Bill Stewart's suggestion to only store recovery info for some of the bits. Make the recovery process artificially slow: say 40 bits. Worth it for recovering the main developer's design notes made in email when he dies unexpectedly. Some hindrance to little brother unless he is determined. As long as this hindrance is on a similar scale to other similar things little brother could do to check up on a suspicious user, you have achieved your goal of hindering little brother.
Sounds fair to me.
Big brother is hindered very significantly if you do recovery locally, rather than on the communications link as PGP Inc CMR does. This is because big brother does not have access to the ciphertext on disks. He must come and take them. Whereas for communications he can
And he needs proper authorization before coming. And yes, it takes time but that's the price to pay in a system with separation of powers.
For data storage recovery, your data is again in two halves: you have one, the _key_, your employee/you have the other, the _ciphertext_ on disk. Your employee can recover that info anyway. The NSA can't easily. It is much more logistically expensive to collect or randomly sample disk contents.
Yes, yes, yes. And still I am sure that we will hear objections to that... sigh....

F.
Fabrice Planchon <fabrice@math.Princeton.EDU> writes:
Adam Back <aba@dcs.ex.ac.uk> writes:
(Jerome Thorel interviewed the head of SCSSI (NSA equivalent),
[clarification of SCSSI functionality, and french government organisations who would tap communications.]
Now I understand the French have switched position: you can use encryption without a license *provided* that it has master key access for the government.
I would say people who wrote the current law 2 years ago didn't have a clue on the technical issues, anyway. That's why we are still waiting for the "decrets d'application", which are the set of rules on how the law will be enforced. Somehow I would bet they are waiting to see where the wind blows at the international level.
I talked to some people at CESG (Communications Electronics Security Group) (they are part of GCHQ, UK NSA equivalent) in a business setting. It was they who said that France was changing position to going over to "key escrow" or TTPs (Trusted Third Parties). From their point of view they seemed to view this as a good development, because they could use France as an example of a progressive, socially responsible government whose example the UK government should follow. They were very happy with this because they could use it in their arguments to attempt to persuade the UK government and people.

Perhaps the CESG are exaggerating because they would like this to be the case because it suits their argument. But on the other hand, it seems likely that CESG have had talks with DGSE and SCSSI and it seems probable this really is what these French government organisations really are planning for. Probably there are opposing elements in the French government also. But CESG/GCHQ are vying for those elements which are in favour of "TTPs" to win.

You can see how each new government that takes the TTP or key escrow stance allows the secret services and governments in other countries to clamour for their countries to follow suit. People can also see, I hope, how PGP Inc, in influencing an international standard (IETF OpenPGP) to include explicit support for third party access to communications traffic, is dangerous. However this is not the biggest danger; the biggest danger is that PGP Inc are implementing software solutions (pgp5.5) which as far as I can see, in all honesty, could literally be useful to the French government and others like it. If the French government adopt it, or a system implemented by a European company with the same functionality (that pgp5.5 has this functionality means others must follow for financial reasons in being compatible), then pro-GAK government agencies will point to this as a success story.
Already Bruce Schneier quoted from the US congressional record where some GAKkers were praising pgp5.5 functionality in demonstrating their case that GAKware is possible.
With the pgp standard as is french government could insist that people use pgp5.x. pgp5.x provides a reasonably useful framework for the french government to adapt to be used as a master access system.
http://www.lemonde.fr/multimedia/sem4297/textes/act42972.html
It's in french, so I won't quote. The article has a very neutral position, but they point out exactly the same thing as you.
Do they actually mention PGP software, or OpenPGP standard? Or just the general principle? It is reassuring to hear that my analysis is supported by others.

I am trying to think through what a GAKker would want and predict what they will be interested in seeing in standards and in off the shelf products. From that I am interested to use this estimate as a basis to design systems which resist the GAKkers' desires, by denying any functionality which supports their requirements where this can be done within the normal user requirement constraint.

It is difficult with arguments against a company such as PGP Inc which has a very high reputation capital due to Phil Zimmermann and a large privacy following, because some people will oppose what you are saying just on principle without listening to the logic; they will say "you must be wrong, because PGP would never do that." But, the simple fact is that I think PGP Inc have not evaluated these indirect implications for GAK politics. This means I think that they have pure intentions. Unfortunately these pure intentions do not help us if the effect is as I fear: that the result helps the GAKkers to some significant amount.
Because this will then be explicitly allowed, more people are likely to use it. (Current people using pgp2.x illegally are one suspects
I know at least one academic site where system administrators were prevented from switching to ssh because of the legal issue. Seems the campus administration folks wanted to protect their asses...
You confirm my suspicions. I have several people I know in France who use encryption illegally. Not least of these is Jerome Thorel himself :-) (He who interviewed the SCSSI and had it spelt out to him that it was illegal, but they wouldn't bother you if you didn't ask permission). However those that I know are effectively anti-GAK activists, or cypherpunk type individuals.
I don't have the technical expertise to discuss your proposal, so I won't (seems less snoop friendly to me than the PGP5.5 solution, still).
It is not really that technical an idea. The idea is simply that communications keys are more valuable to government than storage keys. Keyword scanning is what governments want; they probably don't care too much about storage keys, they are much more expensive to collect ciphertext for (dawn raids for disks), and are much more difficult to enforce (who knows what keys are really being used to encrypt data on your disk, until the point of the dawn raid).
But what I certainly fail to understand is why PGP inc (and people who support them) is focusing on a solution which allows one to intercept and read e-mail in transit. That's inherently evil, no matter how you put it.
The reason is that they consider it purely a recovery mechanism for stored emails. That it has this side effect of making a product which could be used for other purposes is currently considered an insignificant risk by them, I think. I think their analysis in this regard is flawed.
And the "hit by a truck" hypothesis doesn't stand a minute in real life (Yah, shit happens, so what ?). The (legitimate) needs of a company can be achieved via an agreement with its employees, on how data are stored, backed up, duplicated, whatever, and it has nothing to do with cryptography.
There you have the Tim May proposal. Do not recover, just store in clear. Most data on disks already is, so why bother. If you want to encrypt work out those problems when you come to them, as a separable issue. This is a very compelling argument to me.
Or am I missing something obvious ?
Not that I can see. I think it really is that obvious.
So why isn't everybody focusing on being sure the transport layer is secure, and leaving to social interaction at both ends of the communication process the problem of recovery of whatever was transmitted ? (which, I feel dumb for saying it, was in clear at some point before being sent, and will be when it is read...)
I agree, my confusion also: why do people not understand this. There are some very bright people at PGP Inc, why do they not see it in these terms.
Big brother is hindered very significantly if you do recovery locally, rather than on the communications link as PGP Inc CMR does. This is because big brother does not have access to the ciphertext on disks. He must come and take them. Whereas for communications he can
And he needs proper authorization before coming. And yes, it takes time but that's the price to pay in a system with separation of powers.
He may not need authorization. I'm not sure MI5 (UK military intelligence branch) asked authorization before sending an SAS swat team into BBC headquarters to confiscate tapes of a secret service documentary. Still that one failed because the BBC had hidden backups :-) (Smart cookies:-) They aired the film later. No one knows I suppose whether it was edited before airing. Also this is the status quo. Already the police, or terrorist prevention investigators can infiltrate, perform dawn raids, etc. and this is as it should be.
For data storage recovery, your data is again in two halves: you have one, the _key_, your employee/you have the other, the _ciphertext_ on disk. Your employee can recover that info anyway. The NSA can't easily. It is much more logistically expensive to collect or randomly sample disk contents.
Yes, yes, yes. And still I am sure that we will hear objections to that... sigh....
I can't believe anyone who understands cryptography even remotely could possibly argue against the fact that communications keys are more valuable to an attacker. This seems very obvious. Readers may note Bruce Schneier's remark earlier in this discussion that he too couldn't believe someone would not separate storage keys from communications keys. Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
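The distinction Adam draws in this message between ciphertext on the wire and ciphertext on disk can be made concrete with a toy model. This is an added example, not code from PGP Inc or from anyone in the thread. Per-recipient symmetric keys stand in for public keys and a SHA-256 counter-mode keystream stands in for a real cipher, so it models the key-management structure only and is not a usable cipher. In the CMR design the corporate key is one more recipient on every message; in the local-recovery design the wire carries a single recipient and the recovery record is written only into the mailbox, so a party holding the corporate key and a copy of the traffic gets the plaintext under the first design but not the second:

```python
"""Toy model of the two designs argued over in this thread: PGP 5.5 style
Corporate Message Recovery (the company key is an extra recipient on the
wire) versus recovery information kept locally beside the mailbox.  Added
example, not PGP code.  Per-recipient symmetric keys stand in for public
keys, and a SHA-256 counter-mode keystream stands in for a real cipher."""
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter)
    blocks.  Symmetric, so one function both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _wrap(kek: bytes, session_key: bytes) -> bytes:
    """Encrypt a session key to one recipient key; the MAC tag lets the
    unwrapper detect a wrong key instead of returning garbage."""
    nonce = os.urandom(16)
    ct = _keystream_xor(kek, nonce, session_key)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def _unwrap(kek: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(kek, nonce, ct)


def encrypt_message(plaintext: bytes, recipient_keys: dict) -> dict:
    """One session key, wrapped once per recipient (PGP's multi-recipient
    model).  Under CMR the company key is simply one more entry here."""
    session_key, nonce = os.urandom(32), os.urandom(16)
    return {
        "to": {name: _wrap(k, session_key) for name, k in recipient_keys.items()},
        "nonce": nonce,
        "body": _keystream_xor(session_key, nonce, plaintext),
    }


def decrypt_message(msg: dict, name: str, key: bytes):
    """What a holder of `key` gets from the wire message: plaintext or None."""
    blob = msg["to"].get(name)
    session_key = _unwrap(key, blob) if blob else None
    if session_key is None:
        return None
    return _keystream_xor(session_key, msg["nonce"], msg["body"])


def store_with_local_recovery(msg: dict, name: str, key: bytes, recovery_key: bytes) -> dict:
    """Recipient side: after reading, file the ciphertext together with the
    session key wrapped to the company recovery key.  Nothing extra was sent."""
    session_key = _unwrap(key, msg["to"][name])
    if session_key is None:
        raise ValueError("recipient key does not open this message")
    return {"wire": msg, "recovery": _wrap(recovery_key, session_key)}


def recover_from_mailbox(record: dict, recovery_key: bytes):
    """Company-side recovery from the stored mailbox record."""
    session_key = _unwrap(recovery_key, record["recovery"])
    if session_key is None:
        return None
    wire = record["wire"]
    return _keystream_xor(session_key, wire["nonce"], wire["body"])


def compare_designs() -> dict:
    """Who can read what under each design, using constructed keys and text."""
    bob, corp = os.urandom(32), os.urandom(32)
    text = b"quarterly figures attached"  # constructed sample message
    cmr_wire = encrypt_message(text, {"bob": bob, "corp": corp})  # design 1: CMR
    plain_wire = encrypt_message(text, {"bob": bob})              # design 2: single recipient
    mailbox = store_with_local_recovery(plain_wire, "bob", bob, corp)
    return {
        "cmr_wire_readable_by_corp": decrypt_message(cmr_wire, "corp", corp) == text,
        "local_wire_readable_by_corp": decrypt_message(plain_wire, "corp", corp) == text,
        "local_disk_readable_by_corp": recover_from_mailbox(mailbox, corp) == text,
        "bob_reads_both": decrypt_message(cmr_wire, "bob", bob) == text
        and decrypt_message(plain_wire, "bob", bob) == text,
    }
```

`compare_designs()` returns which party can read what. The point of the second design is not that the company loses access (it still recovers from the stored mailbox record) but that someone who only has the link traffic gains nothing from holding the recovery key, which is exactly the "two halves" argument above.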
In <199710190903.KAA00780@server.test.net>, on 10/19/97 at 10, Adam Back <aba@dcs.ex.ac.uk> said:
I talked to some people at CESG (Communications Electronics Security Group) (they are part of GCHQ, UK NSA equivalent) in a business setting. It was they who said that France was changing position to going over to "key escrow" or TTPs (Trusted Third Parties). From their point of view they seemed to view this as a good development, because they could use France as an example of a progressive, socially responsible government which the UK government should follow the example of. They were very happy with this because they could use it in their arguments to attempt to persuade the UK government and people.
France as a model?!? ROTFLMAO!!!! I wouldn't recommend Russia or China to follow the French model on anything, let alone a country like the UK whose government every now and then remembers what democracy and freedom are.

--
---------------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
---------------------------------------------------------------
On Sun, Oct 19, 1997 at 10:03:24AM +0100, Adam Back wrote:
I talked to some people at CESG (Communications Electronics Security Group) (they are part of GCHQ, UK NSA equivalent) in a business setting. It was they who said that France was changing position to going over to "key escrow" or TTPs (Trusted Third Parties). From
I think what caused me to answer was in part your words "changing position": let's say that up to recently, the french govt position was no crypto at all (except for authorized entities, and only weak, ie breakable, crypto). Given the trend on that issue, related to on-line commerce and so on (the reader has to keep in mind that in France I seriously doubt the average politician has an idea of what this means. At best they know the french minitel, which is completely different), they felt some pressure to change the law in order to permit the use of crypto. So the move was, well, let's authorize strong crypto but let's keep the keys. Understandable point of view, I would say. They want that because they feel it means status quo for them, and that's all. All political issues aside, the technical issues are ignored, because the guys who decide have no clue, and they probably don't listen to their own experts who would say that TTP, GAK, key recovery, whatever, are not that easy to design, implement, and maintain on an everyday basis. And for that matter, I don't think the situation is that much different in other western countries, US included.
Perhaps the CESG are exaggerating because they would like this to be the case because it suits their argument.
Yeah, probably. But there is another problem, anyway: some countries within the EC won't pass any legislation restricting crypto, I think. So any country within the EC having such a legislation is likely to have trouble with its partners at some point. Somehow it's like Chirac who decided to maintain customs with Belgium because people go to Amsterdam to buy drugs. But in the meanwhile, the border with Germany no longer has customs, so you drive through Germany to Holland and that's it. So, it's utterly inefficient, but on the domestic political scene, he can appear as being strong on drugs.
With the pgp standard as is french government could insist that people use pgp5.x. pgp5.x provides a reasonably useful framework for the french government to adapt to be used as a master access system.
http://www.lemonde.fr/multimedia/sem4297/textes/act42972.html
Do they actually mention PGP software, or OpenPGP standard? Or just the general principle?
They do: the title is "Le programme PGP se range", which I unfortunately have no idea how to translate. And then, they say (I loosely translate, my English is better than our MISTY friend's, but not perfect ;-)

The last version, aimed at companies, of this crypto software (still banned from use in France) includes the highly controversial feature known as key escrow. [...] Of course this system has advantages: when an employee is sick or away, you can access his files. But it's reasonable to think that such a system could be used for spying purposes. Within the government, the key escrow proposal is seriously challenged. Some, in charge of national security, favor it as necessary to decrypt terrorists' or drug dealers' messages, and others, more concerned by privacy, are against it. In France, the government chose this option of TTP.

[Note: somehow this last sentence is in contradiction with the previous one. It's *not* a side effect of my translation...]

Then, the article recalls that the situation was different in the US, and that the FBI would like to have something like key escrow, but that a recent proposal was defeated in congress. They finally recall how PGP is widely available all over the world, and how the last version was exported as a book to defeat the export controls.

So, I certainly agree with you that the proGAK have won, or will. As long as they don't enforce the current laws, as an individual I don't care. But I fear, as you do, that as soon as you have things like pgp 5.5 which are available, they will start saying "use this or go to jail".
But, the simple fact is that I think PGP Inc have not evaluated these indirect implications for GAK politics. This means I think that they have pure intentions. Unfortunately these pure intentions do not help us if the effect is as I fear: that the result helps the GAKkers to some significant amount.
I think, but I might be wrong, that they have at least two reasons, which have already been given:
- first, what they did was somehow "easy" (don't jump on me, I don't write code !!) to implement within the existing code. This is reflected by what W.Geiger said, that anything pgp5.5 does he could do with scripts in the old version. Or at least a good part of it.
- second, they don't know what will happen in 12 months, so they cover their asses. I hope this isn't true, but it's a matter of personal opinion more than anything else.
You confirm my suspicions. I have several people I know in France who use encryption illegally. Not least of these is Jerome Thorel himself :-) (He who interviewed the SCSSI and had it spelt out to him that it was illegal, but they wouldn't bother you if you didn't ask permission). However those that I know are effectively anti-GAK activists, or cypherpunk type individuals.
A quick search on the MIT key server tells you that there are 538 valid keys registered with an *.fr address. If you remove all keys registered in 97, you are left with 232. Remove 96, it goes down to 132, 95 -> 39 and then I know a fair number of them ;-) So, it seems to me that the number of illegal users is growing, anyway. Interestingly enough, most of the registered users are registered with personal e-mail addresses, not company e-mail addresses, if you except academic sites.
It is not really that technical an idea. The idea is simply that communications keys are more valuable to government than storage keys. [...] The reason is that they consider it purely a recovery mechanism for stored emails. That it has this side effect of making a product which
As I said before, I guess they did it this way by laziness more than anything else. I think your solution requires more thinking, new code, and all that sort of things. More brain demanding, in some sense (and time consuming, whereas their solution is ready, works, can be sold, makes the company make profits, and so on). So, arguing with political arguments doesn't stand a chance against a market driven company, be it PGP with all its reputation capital. Everybody should concentrate on technical issues, and several of these have been pointed out, by you and others.
There you have the Tim May proposal. Do not recover, just store in clear. Most data on disks already is, so why bother. If you want to encrypt work out those problems when you come to them, as a separable issue. This is a very compelling argument to me.
Well, facts are that it is the current situation, and IIRC what TM was saying. Once again, in terms of costs, it's the easiest solution. And within a company, in a trusted environment, it doesn't matter whether your hard drive is encrypted. Things which need protection from inside snooping are usually protected via other more traditional mechanisms. Safes, locks, and so on.

If you think of locks, which are often compared to crypto, most people fail to see that locks are not made to prevent somebody from breaking in: they are designed to make the break-in difficult. Your house door lock is probably pickable in a matter of minutes (standard locks seem to be really easy to pick in the US, but I digress...). Locks in a bank are not. So, as for crypto, difficult is replaced by virtually impossible, you have to think twice before encrypting something: it's the reverse argument, is it so valuable that I might stand a chance to be unable to recover it ?

This is, of course, purely a storage issue. And I like the idea (Bill Stewart's ?) of implementing a mechanism which would simply "weaken" the storage key, so that if it's lost, you can recover the missing part by brute force.

I think it's Jon Callas who made a related analogy with a car and what happens if you have lost your key: bad example. Suppose you want to buy a car, and the dealer tells you, I have this new security feature, unbreakable. Only drawback, if the (unique) key is lost, you can tow away the car. Well, I won't buy it. Nobody will. (While we are on car locks, car makers use the same lock on several cars, so if you have a Honda Accord, you have a non zero probability of opening a random other Honda Accord, albeit very low.) Anyway, the car problem is like a storage problem, and has to be addressed as such. Nothing to do with securing a (temporary) channel. Somehow, if I was to rent such a car, I would take it, provided I am not liable if the key is lost ;-).
This is because over a short period of time, I won't likely do anything stupid with that key, and I like the idea that nobody will steal the car while I am having dinner. So different situations, different answers.
Also this is the status quo. Already the police, or terrorist prevention investigators can infiltrate, perform dawn raids, etc. and this is as it should be.
Status quo is fine with me in that respect. Insert the usual quote on technology and the police state. I tend to think that technologies lead to brave new world anyway, but at least in brave new world people are "happier" than in 1984. F. -- Fabrice Planchon (ph) 609/258-6495 Applied Math Program, 210 Fine Hall (fax) 609/258-1735
Fabrice Planchon <fabrice@math.Princeton.EDU> writes:
http://www.lemonde.fr/multimedia/sem4297/textes/act42972.html
Do they actually mention PGP software, or OpenPGP standard? Or just the general principle?
They do: the title is "Le programme PGP se range", which I unfortunately have no idea how to translate. And then, they say (I loosely translate, my English is better than our MISTY friend's, but not perfect ;-)
[translation of discussion of pgp5.5]
So, I certainly agree with you that the proGAK have won, or will. As long as they don't enforce the current laws, as an individual I don't care. But I fear, as you do, that as soon as you have things like pgp 5.5 which are available, they will start saying "use this or go to jail".
There is a precedent for this of sorts in France. You probably recall that prior to the netscape 40 bit breaks, there were 3 versions of netscape:
- 128 bit US only non-exportable
- 40 bit exportable
- no SSL at all -- French version

After Damien Doligez hit the headlines with his first break of 40 bit SSL, and the other breaks had similar headlines, the French authorities noticed -- "oh," they thought, "if those cypherpunks can break it, so can DGSE" -- I understood that from that point on they allowed 40 bit SSL netscape browsers in France. (At least someone reported about this on list). That Damien himself is French and was working as a researcher at INRIA(?) of all places only adds to the irony. (That Damien had his PGP key at the bottom of his web page, which must have attracted 100,000s of hits after that, is also somewhat amusing: illegal PGP usage, and no one said a word).

Anyway, my perhaps rude jibe to Jonathan Seybold, PGP Inc's chairman, a few days back that PGP should "make a sales pitch to French DGSE" was not so far off after all. Of course there is still the export problem. Perhaps eventually the NSA and DGSE/SCSSI, CESG/GCHQ will come to some kind of reciprocal agreement, and then there will be another export exemption in the US following on from the 56 bit DES exemption for companies which can demonstrate they are working to a 2 year schedule to have key escrow built in. Or perhaps some european competitor will provide pgp5.5 compatible software to them (with support for multiple CMR keys, something not yet in pgp5.5, but already accepted without problem, and planned I gather for the next major release).
But, the simple fact is that I think PGP Inc have not evaluated these indirect implications for GAK politics. This means I think that they have pure intentions. Unfortunately these pure intentions do not help us if the effect is as I fear: that the result helps the GAKkers to some significant amount.
I think, but I might be wrong, that they have at least two reasons, which have already been given: - first, what they did was somehow "easy" (don't jump on me, I don't write code !!) to implement within the existing code. This is reflected by what W.Geiger said, that anything pgp5.5 does he could do with scripts in the old version. Or at least a good part of it.
This is true, it could be done largely with the multiple recipient feature in 2.x. Bill Stewart and William Geiger and I think PGP's Jon Callas pointed this out. However I think that:
a) this is no excuse to actually _implement_ it!
b) PGP implementing this kind of thing encourages others to do so also as they could become the de facto standards setter (particularly with this almost certainly going in the OpenPGP standard, and PGP defining the semantics of the CMR either in or outside the standard to be what they have done in pgp5.5)
c) it sets out the design work for other less scrupulous companies such as TIS, etc. to interoperate marginally more smoothly with the pgp installed base when they implement something even worse compatible with OpenPGP.
d) the alternative I proposed, or especially Tim's alternative, are even simpler if anything to implement
- second, they don't know what will happen in 12 months, so they cover their asses. I hope this isn't true, but it's a matter of personal opinion more than anything else.
Monty Cantsin said this. I said similar things also, and got shouted out by PGP Inc people for being rude. I don't think so, I hope not anyway.
As I said before, I guess they did it this way by laziness more than anything else. I think your solution requires more thinking, new code, and all that sort of things. More brain demanding, in some sense (and time consuming, whereas their solution is ready, works, can be sold, makes the company make profits, and so on).
It seems fair enough, if it was much more difficult to do, that this might be difficult to achieve within their budget and user delivery date demands, etc. But Tim's proposal to store in clear seems easy enough. My alternative on top of that is merely to encrypt the mail folder with pgp -c; they've got all the technology sitting there. It is only a simple scripting task. If I was William Geiger I would say that you could knock that up over the weekend in a few scripts. I expect I could too :-) (eg. if I knew emacs elisp, I reckon it would be easy enough to decrypt the mailbox prior to use, and re-encrypt after use. Or to do the same on a per message basis after decryption, or for all messages encrypted or not. Perhaps I'll have a go at getting Pat Lopresti to add this for mailcrypt.el v3.5).

The task isn't any harder for them. It is not a technical objection, or at least I have seen no technical objections so far. I think it is purely a privacy objection: they have worked out some privacy preserving principles, and to enforce them they have come up with this approach. The message snooping dangers seem to have been overlooked, or considered unavoidable trade-offs to achieve their privacy objectives. They are simply wrong in this regard.
So, arguing with political arguments doesn't stand a chance against a market driven company, be it PGP with all its reputation capital. Everybody should concentrate on technical issues, and several of these have been pointed out, by you and others.
Political arguments stand a better chance with PGP Inc than with most any other company ... but of course there are limits.
This is, of course, purely a storage issue. And I like the idea (Bill Stewart's ?) of implementing a mechanism which would simply "weaken" the storage key, so that if it's lost, you can recover the missing part by brute force.
I think Bill's point was more that you would make recovery harder. That is you have two ways into the messages: your passphrase, and some recovery information (a second copy of your private key). He suggested that you miss off some bits, to discourage companies from abusing what was meant to be a disaster recovery system by using it as a storage recovery system. Adam
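Bill Stewart's suggestion as Adam summarises it here, that the recovery copy of the key be stored with some bits missing so that every use of it costs a brute-force search, can be sketched in a few lines. This is an added example, not the thread's or PGP's code; the record format (the key with its low bits cleared, the bit count, and an HMAC check value to recognise the right candidate) is an assumption of mine. Recovery of a lost key stays possible, but each withheld bit doubles its cost, so a one-off disaster recovery is feasible while routine use of the recovery path is unattractive:

```python
"""Recovery record with deliberately withheld key bits: an added illustration
of the 'weakened recovery copy' idea discussed in the thread, not PGP code.
Record layout (an assumption): the key with its low `withheld_bits` bits
zeroed, the bit count, and an HMAC check value so that the search can
recognise the right candidate."""
import hashlib
import hmac
import os

CHECK_LABEL = b"recovery-check"  # constructed label for the check value


def make_recovery_record(key: bytes, withheld_bits: int) -> dict:
    """Write the recovery copy of `key` with its low `withheld_bits` bits
    dropped.  Whoever holds only this record must search 2**withheld_bits
    candidates to get the key back."""
    if not 0 <= withheld_bits < 8 * len(key):
        raise ValueError("withheld_bits out of range")
    n = int.from_bytes(key, "big")
    partial = (n >> withheld_bits) << withheld_bits  # clear the low bits
    return {
        "partial": partial.to_bytes(len(key), "big"),
        "withheld_bits": withheld_bits,
        "check": hmac.new(key, CHECK_LABEL, hashlib.sha256).digest(),
    }


def recover_key(record: dict):
    """Brute-force the withheld bits.  Returns (key, trials) on success or
    (None, trials) if no candidate matches (tampered or wrong record).
    Worst case is 2**withheld_bits HMAC evaluations; on average half that."""
    base = int.from_bytes(record["partial"], "big")
    length = len(record["partial"])
    space = 1 << record["withheld_bits"]
    for trial in range(space):
        candidate = (base | trial).to_bytes(length, "big")
        tag = hmac.new(candidate, CHECK_LABEL, hashlib.sha256).digest()
        if hmac.compare_digest(tag, record["check"]):
            return candidate, trial + 1
    return None, space


def demo(withheld_bits: int = 16):
    """Constructed run: generate a key, weaken its recovery copy, recover it.
    Returns (recovered_ok, trials_needed)."""
    key = os.urandom(32)  # constructed: a fresh storage key
    record = make_recovery_record(key, withheld_bits)
    recovered, trials = recover_key(record)
    return recovered == key, trials
```

With 16 withheld bits the search is a fraction of a second, which is the right order for a disaster-recovery path that nobody wants to run every morning; the parameter is a policy knob, and the check value should be computed over a label that is not reused for anything else.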
Fabrice Planchon wrote:
On Sat, Oct 18, 1997 at 08:53:14PM +0100, Adam Back wrote:
Now I understand the French have switched position: you can use encryption without a license *provided* that it has master key access for the government. ... With the pgp standard as is french government could insist that people use pgp5.x. pgp5.x provides a reasonably useful framework for the french government to adapt to be used as a master access system.
http://www.lemonde.fr/multimedia/sem4297/textes/act42972.html
It's in french, so I won't quote. The article has a very neutral position, but they point out exactly the same thing as you.
From Privacy Protection for the Individual to the Government Choice in SnoopWare. Is it possible to do that while keeping your panties on? Perverted minds want to know...
If on the other hand pgp5.x were to use only single recipients for confidentiality, and to base company recovery of encrypted mail folders on key recovery information stored locally alongside the mailbox the system would be less useful to the french government.
True. This is why it seems all the more odd that PGP leapt over the obvious to introduce *exactly* what Lying Jackoff Fuck Louis J. Freeh is asking for--***___IMMEDIATE___*** access to communications. Corporate Message Recovery amounts to a _Real-Time_Wiretap_ on email communications.

Bonus Question: "Why would a government agency bother with getting a court order to _use_ a key they are already in possession of, and how would we know if they use it, if they don't have to go to an outside source to get possession of it?"
Bonus Prize: One freeh bomb.

Bonus Stupid Question: "Why don't you give me your life savings, to hold for you, and I will only spend it after getting permission from someone who won't know whether I am spending it, or not, anyway."
Bonus Stupid Prize: One freeh-dumb.

The government is quite simply trying to poke enough holes in a variety of privacy/security areas, so that they can shine 'a thousand points of light' into our private affairs and communications. In order to spy on everyone in a corporation, would you rather have to break a thousand keys, or just one key? Hmmm...tough question...

TruthMonger