What email encryption is actually in use?

Tyler Durden camera_lumina at hotmail.com
Mon Nov 4 11:35:21 PST 2002


Peter Trei wrote...

"Durden's question was whether a snooper on an IPSEC VPN can
tell (for example) an encrypted email packet from an encrypted
HTTP request.

The answer is no.

All Eve can tell is the FW1 sent FW2 a packet of a certain size.
The protocol of the encapsulated IP packet, its true source
behind FW1, its true destination behind FW2, and the true
destination port are all hidden."

Yes, this was indeed the gist of my question. I was aware that there are 
actually hard and soft switches that are aware all the way up to the 
application layer, apparently (I also know that some softswitches have 
actually been deployed in RBOC/Baby Bell territory.)

But from your previous email, you indicated that the secure IPSEC tunnel is 
created by taking the packets, encrypting S/A, D/A, payload and protocol 
fields (ie, pretty much everything) and then dumping them into the payload 
of another packet, and setting the Protocol field of the parent-packet to 
"IPSEC". All that is now visible are the firewall addresses.

That's a lot, methinks! In other words, there's practically a bright red 
flag sticking up saying "I'm encrypted! Look over here!"...it's child's play 
(well, if you consider making an ASIC child's play!) to then look at the S/A 
and D/A to see if they are interesting. If they belong to the IP spaces of 
two large companies, for instance, then look elsewhere (though I hear rumors 
that the NSAs of the world are branching out into industrial eavesdropping 
for their parent companies, ehr, for their parent countries).

If a secure VPN tunnel forms between al-Jazeera's firewall and, say, some 
ISP near Atlantic Avenue in Brooklyn (heavy Arab community), then all sorts 
of spyglasses could pop up.


Thus, I suspect a lot can be gleaned (and is) from communiques without 
actually de-encrypting...the philosophy probably is, "why violate civil 
rights unless we really, really have to? Extract as much as we can without 
actually de-encrypting, and if the probability of something being "interesting" 
is high enough, then we'll send it downstairs to be opened" (and even then, 
determining how hard it is to open the communique might also be of 
interest...is it legal to open somebody else's email but not read it?)


Here's a little quote for ya, since it seems to be the in-thing to do...

"The revolution is right where we want it: out of our control."
(Royal Family and the Poor)



>From: "Trei, Peter" <ptrei at rsasecurity.com>
>To: cypherpunks at lne.com, "'Major Variola (ret)'" <mv at cdc.gov>
>Subject: RE: What email encryption is actually in use?
>Date: Mon, 4 Nov 2002 12:58:55 -0500
>
> > Major Variola (ret)[SMTP:mv at cdc.gov]
> >
> >
> > At 10:13 AM 11/4/02 -0500, Tyler Durden wrote:
> > >This is an interesting issue...how much information can be gleaned from
> >
> > >encrypted "payloads"?
> >
> > Traffic analysis (who, how frequently, temporal patterns)
> > Size of payload
> >
> > Is it possible for a switch or whatever that has
> > >visibility up to layers 4/5/6 to determine (at least) what type of file
> > is
> > >being sent?
> >
> > Yes.
> >
> > Modern network equipment can examine all the way up to "layer 7".
> > Can tell that you're sending an .mp3 and will cut your QoS, if that's
> > the policy.
> >
>Durden's question was whether a snooper on an IPSEC VPN can
>tell (for example) an encrypted email packet from an encrypted
>HTTP request.
>
>The answer is no.
>
>All Eve can tell is the FW1 sent FW2 a packet of a certain size.
>The protocol of the encapsulated IP packet, its true source
>behind FW1, its true destination behind FW2, and the true
>destination port are all hidden.
>
>Peter


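Editor's added example, not code from anyone in this thread: a toy IPsec ESP tunnel-mode encapsulation in stdlib Python that makes the two points above concrete. The inner IP packet (its source and destination behind the gateways, its protocol, its ports) becomes the ESP payload and is encrypted; the outer header shows only the two gateway addresses and Protocol 50 (ESP, RFC 4303), and the ESP header exposes the SPI and sequence number. What a passive observer still gets is the outer-header "red flag", the SPI linking packets of one security association, and the packet length. Assumptions: the gateway addresses, inner hosts, key and SPI are constructed sample values; the HMAC-SHA256 counter-mode keystream is a stand-in for a real ESP cipher suite (AES-GCM or AES-CBC plus HMAC in practice) and must never be used for real traffic; timing, which the thread also names, is not modelled.

```python
"""Toy IPsec ESP tunnel-mode encapsulation (stdlib only): what a passive
observer between two gateways can and cannot see.  Editor's example,
constructed values, toy cipher; not real IPsec."""
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50          # IANA protocol number for ESP (RFC 4303)
IPPROTO_IPV4 = 4        # ESP next-header value for an encapsulated IPv4 packet

KEY = b"constructed-demo-key"                  # constructed, not a real SA key
SPI = 0x10000001                               # constructed SPI
GW1, GW2 = "203.0.113.1", "198.51.100.1"       # constructed gateway addresses


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def tcp_segment(sport: int, dport: int, data: bytes) -> bytes:
    """Minimal TCP header (seq/ack/window/checksum zeroed, PSH|ACK) plus data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0) + data


def inner_packet(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    seg = tcp_segment(sport, dport, data)
    return ipv4_header(src, dst, 6, len(seg)) + seg


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256.  Assumption: stand-in for
    the real ESP cipher suite; never use this for actual traffic."""
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
    return out[:n]


def esp_tunnel_encapsulate(inner: bytes, spi: int, seq: int, key: bytes,
                           gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole inner IP packet becomes the (encrypted) ESP payload."""
    pad_len = (-(len(inner) + 2)) % 4                      # trailer aligned to 4 bytes
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPV4])
    esp_hdr = struct.pack("!II", spi, seq)                 # SPI and sequence: in the clear
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, spi, seq, len(plaintext))))
    icv = hmac.new(key, esp_hdr + ct, hashlib.sha256).digest()[:12]
    esp = esp_hdr + ct + icv
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def esp_tunnel_decapsulate(outer: bytes, key: bytes) -> bytes:
    """Peer gateway: verify the ICV, decrypt, strip padding and trailer."""
    esp = outer[20:]
    esp_hdr, ct, icv = esp[:8], esp[8:-12], esp[-12:]
    if not hmac.compare_digest(icv, hmac.new(key, esp_hdr + ct, hashlib.sha256).digest()[:12]):
        raise ValueError("bad ICV")
    spi, seq = struct.unpack("!II", esp_hdr)
    pt = bytes(a ^ b for a, b in zip(ct, keystream(key, spi, seq, len(ct))))
    pad_len = pt[-2]
    return pt[:len(pt) - 2 - pad_len]


def observer_view(outer: bytes) -> dict:
    """Everything Eve can read without the key: outer IP header and ESP header."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", outer[:20])
    spi, seq = struct.unpack("!II", outer[20:28])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "len": total_len, "spi": spi, "seq": seq}


def demo() -> dict:
    """Two constructed inner packets on one SA: an SMTP-ish and an HTTP-ish
    segment between hosts behind the gateways.  Compare Eve's view with
    what the receiving gateway recovers."""
    mail = inner_packet("10.1.0.5", "10.2.0.7", 40000, 25, b"MAIL FROM:<>")
    http = inner_packet("10.1.0.9", "10.2.0.3", 40001, 80, b"GET / HTTP/1.0\r\n")
    outer_mail = esp_tunnel_encapsulate(mail, SPI, 1, KEY, GW1, GW2)
    outer_http = esp_tunnel_encapsulate(http, SPI, 2, KEY, GW1, GW2)
    return {
        "mail_view": observer_view(outer_mail),
        "http_view": observer_view(outer_http),
        "mail_roundtrip": esp_tunnel_decapsulate(outer_mail, KEY) == mail,
        "http_roundtrip": esp_tunnel_decapsulate(outer_http, KEY) == http,
        # inner addresses and the inner packet never appear in the clear on the wire
        "inner_hidden": mail not in outer_mail and http not in outer_http,
    }


if __name__ == "__main__":
    for name, view in (("mail", demo()["mail_view"]), ("http", demo()["http_view"])):
        print(name, view)
```

Run it and the two observer views differ only in `seq` and `len` (96 versus 100 bytes here): the mail and web packets are indistinguishable by protocol, address or port, exactly as Peter says, while the outer addresses, Protocol 50 and the SPI mark the flow as an IPsec tunnel between those two gateways, which is the "bright red flag" the post above worries about. Length (and, on a real link, timing) is the residual leak a size-padding policy on the gateways would have to address.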