Pen register request used to force disclosure of SSL private keys - LavaBit hearings
Lance Cottrell
loki at obscura.com
Thu Oct 3 09:30:35 PDT 2013
When architecting a system, it is critical that the operator of the system should not have access to the keys at all. You can't be compelled to produce something that you don't have. It is not hard to do if it is part of your initial design.
Backup providers like SpiderOak seem to be doing this right. I have designed a number of systems with this type of security design.
Rule #1 don't store clear text.
Rule #2 don't store decryption keys
Rule #3 don't do decryption on the server
Rule #4 treat all communications with people not implementing security on THEIR computers as insecure
Email security for systems designed to work with outsiders who don't use the tool is particularly problematic. The operator can use public keys to encrypt traffic as it arrives, but can easily be compelled to reveal the arriving clear text messages before encryption.
Is it the SSL certificate for the SMTP TLS that was being requested? It appears so from the transcripts. If that is the case, they are asking to access content that was stored in the clear on the previous mail server(s). This is hardly highly secured content. The HTTPS sessions might reasonably be considered more sensitive and secure.
-Lance
--
Lance Cottrell
loki at obscura.com
On Oct 3, 2013, at 3:04 AM, coderman <coderman at gmail.com> wrote:
> this is perhaps the most interesting aspect of the LavaBit proceedings. See:
> http://cryptome.org/2013/10/lavabit-orders.pdf
>
> in short if you have not designed your system to be amenable to
> metadata tapping, particularly all the rich metadata requested by a
> "pen register", they're going to demand the encryption keys to access
> this metadata.
>
> said again for emphasis:
>
> SSL private keys are demanded under the smallest of justifications,
> which need not even show probable cause nor reasonable suspicion!!
>
> (they did later go back with an actual warrant for the keys, but only
> after this initial gambit, made repeatedly, failed.)
>
>
> """
> July 16, 2013
> TRANSCRIPT OF HEARING
> BEFORE THE HONORABLE CLAUDE M. HILTON
> ...
> [ED: James Trump is the fed lawyer, Ladar Levison the LavaBit operator.]
> ...
> THE COURT: So as I understand it, my initial order ordered
> nothing but that the pen register be put in place.
>
> MR. TRUMP: And all technical assistance, information, and
> facilities necessary to implement the pen register. And
> it's our position that without the encryption keys, the data
> from the pen register will be meaningless. So to facilitate
> the actual monitoring required by the pen register, the FBI
> also requires the encryption keys.
>
> THE COURT: Well, that could be, but I don't know that I
> need -- I don't know that I need to reach that because
> I've issued a search warrant for that.
>
> MR. TRUMP: Correct, Your Honor. That the -- to avoid
> litigating this issue, we asked the Court to enter the
> seizure warrant.
>
> THE COURT: Well, what I'm saying is if he agrees that the
> pen register be established, and that the only thing he
> doesn't want to do in connection with the pen register is
> to give up the encryption device or code
>
> MR. LEVISON: I've always maintained that.
>
> THE COURT: -- so we've got no issue here. You're ready to
> do that?
>
> MR. LEVISON: I've been ready to do that since Agent Howard
> spoke to me the first time.
>
> THE COURT: All right. So that ends our --
>
> MR. TRUMP: Well, then we have to inquire of Mr. Levison
> whether he ... will produce the encryption keys pursuant to
> the search warrant that Your Honor just signed.
>
> THE COURT: But I can't deal with that this morning, can I?
>
> MR. TRUMP: Well, it's the same issue. You could ask
> him, Your Honor. We can serve him with the warrant and ask
> him if he's going to comply rather than --
>
> MR. LEVISON: Your Honor I've also been issued a subpoena
> demanding those same keys, which I brought with me in the
> event that we would have to address that subpoena.
>
> THE COURT: I don't know, Mr. Trump. I don't think I want
> to get involved in asking him. You can talk with him and
> see whether he's going to produce them or not and let him
> tell you. But I don't think I ought to go asking what
> he's going to do and what he's not going to do because I
> can't take any action about it anyway. If he does not
> comply with the subpoena, there are remedies for that one way
> or another.
>
> MR. TRUMP: Well, the original pen register order was followed
> by a compulsion order from Judge Buchanan. The compulsion
> order required the encryption keys to be produced. So, yes,
> part of the show cause order is to require compliance both
> with the pen register order and the compulsion order issued
> by Judge Buchanan. And that order, which was attached to the
> show cause order, states, "To the extent any information,
> facilities, or technical assistance are under the control of
> Lavabit are needed to provide the FBI with the encrypted
> data, Lavabit shall provide such information, facilities, or
> technical assistance forthwith."
>
> MR. LEVISON: I would object to that statement. I don't know
> if I'm wording this correctly, but what was in that order to
> compel was a statement that was incorrect. Agent Howard
> seemed to believe that I had the ability to encrypt the
> e-mail content stored on our servers, which is not the case.
> I only have the keys that govern communications into and out
> of the network, and those keys are used to secure the
> traffic for all users, not just the user in question. So
> the statement in that order compelling me to decrypt stuff
> and Agent Howard stating that I have the ability to do that
> is technically false or incorrect. There was never an explicit
> demand that I turn over these keys.
>
> THE COURT: I don't know what bearing that would have, would
> it? I mean, I don't have a problem -- Judge Buchanan issued
> an order in addition to mine, and I'm not sure I ought to
> be enforcing Judge Buchanan's order. July order, if he says
> that he will produce or allow the installation of the pen
> register, and in addition I have issued a search warrant for
> the codes that you want, which I did this morning, that's
> been entered, it seems that this issue is over as far as
> I'm concerned except I need to see that he allows the pen
> register and complies with the subpoena.
>
> MR. TRUMP: Correct.
>
> THE COURT: If he doesn't comply -- if he doesn't comply with
> the subpoena, then that has -- I have to address that.
>
> MR. TRUMP: Right.
>
> THE COURT: But right now there's nothing for me to address
> here unless he is not telling me correctly about the pen
> register.
>
> MR. TRUMP: Well, we can -- Your Honor, if we can talk to Mr.
> Levison for five minutes, we can ask him whether he will
> honor the warrant that you just issued.
>
> MR. LEVISON: Before we do that, can I --
>
> THE COURT: Well, what can I do about it if he doesn't, if
> he tells you he's not going to? You've got the right to go
> out and search and get it.
>
> MR. TRUMP: Well, we can't get the information without his
> assistance. He's the only who knows and has possession of it.
> We can't take it from him involuntarily.
>
> MR. LEVISON: If I may, sir, my other
>
> THE COURT: Wait just a second. You're trying to get me
> ahead. You're trying to get me to deal with a contempt
> before there's any contempt, and I have a problem with that.
>
> MR. TRUMP: I'm trying to avoid contempt altogether, Your Honor.
>
> THE COURT: I know you are. And I'd love for you-all to get
> together and do that. I don't want to deal with it either.
> But I don't think we can sit around and agree that there's
> going to be a default and I will address it before it
> occurs.
>
> MR. TRUMP: I'm just trying to figure out whether there's
> going to be a default. We'll take care of that, Judge.
>
> THE COURT: You can. I think the way we've got to do this
> -- and I'll listen to you. I'm cutting you off, I know, but
> I'll listen to you in a minute. The way we have to do
> this, the hearing that's before me this morning on this issue
> of the pen register, that's been resolved, or so he's told
> me. I don't know whether you want to continue this one week
> and see if he complies with that, which I guess would be
> prudent to do, or a few days for him to comply with the
> pen register. Then we will wait and see what happens with
> the subpoena. Because as far as my pen register order is
> concerned, he says he's going to comply with it. So that
> issue's over and done with. The next issue will be ...
> whether or not he complies with the subpoena. And I don't
> know and I don't want to presume, and I don't want him to
> represent to me what he intends to do when he can very well
> go home and decide he's going to do something different. When
> that warrant is served, we'll know what he's going to do.
> I think we've got -- I don't see another way to do it.
>
> MR. TRUMP: That's fine, Your Honor. We will serve the
> warrant on him as soon as we conclude this hearing, and
> we'll find out whether he will provide the keys or not.
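
Rules #1 to #3 at the top of this message, sketched as an added example (not part of the original post and not code from either author): the client derives the key and encrypts locally, so everything the operator could be compelled to hand over is ciphertext. The passphrase-derived key, the `BlobStore` class and the sample strings are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Client side (the user's machine): the only place the key and plaintext exist.
function clientEncrypt(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(passphrase, salt, 32); // never sent to the server
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, nonce, ct, tag: cipher.getAuthTag() };
}

function clientDecrypt(passphrase, blob) {
  const key = crypto.scryptSync(passphrase, blob.salt, 32);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.nonce);
  decipher.setAuthTag(blob.tag);
  // final() throws if the key is wrong or the ciphertext was altered.
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString("utf8");
}

// Server side (the operator): opaque storage, no key, no decryption code path.
class BlobStore {
  constructor() { this.rows = new Map(); }
  put(id, blob) { this.rows.set(id, blob); }
  get(id) { return this.rows.get(id); }
  // Everything the operator holds and could be ordered to produce.
  dump() {
    const parts = [...this.rows.values()].flatMap((b) => [b.salt, b.nonce, b.ct, b.tag]);
    return Buffer.concat(parts);
  }
}

function demo() {
  const passphrase = "correct horse battery staple"; // constructed sample
  const message = "meet at the usual place";         // constructed sample
  const server = new BlobStore();
  server.put("msg-1", clientEncrypt(passphrase, message));

  const disclosed = server.dump();
  let wrongKeyFails = false;
  try { clientDecrypt("guess", server.get("msg-1")); } catch { wrongKeyFails = true; }

  return {
    roundTrip: clientDecrypt(passphrase, server.get("msg-1")),
    plaintextInDump: disclosed.includes(Buffer.from(message)),
    wrongKeyFails,
  };
}

console.log(demo());
```

This covers stored content only; mail arriving in the clear from outside senders, the case the message calls particularly problematic, is still visible to the operator before any encryption happens.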