[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
monkey-wrenching GAK
This is along the lines of a technical monkey-wrenching of GAK:
1) The state of email encryption
If the NSA decides they would like to get a decrypt of an email that
you sent, they turn up with a copy of the encrypted email and request
that you decrypt it.
The reason that this is so bad is that you have effectively secret
shared your plaintext between the NSA (who has archived all of your
encrypted email), and yourself who still has they key. This is not in
your interests.
2) Mandatory GAK
In a future with mandatory GAK, the NSA has all your keys already,
because they have a nice database of them, and so they can decrypt any
thing they feel like.
3) Monkey-wrenching
Even with GAK, where you are forced to give the government the keys,
you can do much to make the job of administering GAK very expensive.
You start by ensuring that the government can not get your encrypted
data (the other half of the secret share), so that the key is of no
use :-)
You can do this by using a forward secret protocol such as
Diffie-Hellman to exchange data, then you can't provide the encrypted
text to the NSA even if you want to.
But won't they make forward secret protocols illegal at the same time
as enforcing GAK? Well, maybe they've left it too late already,
consider:
IP security layers in general - they provides an extra layer of
encryption that the NSA has to obtain the keys for to make sense of
their tap. They may have to archive impossible amounts of IP traffic if
they can't recognize the type of IP traffic through the IP level
encryption (www traffic has its uses as cover traffic :-)
IP security layers which use Diffie-Hellman: forward secrecy means
that the site owners can't decrypt old IP traffic even if they want
to.
When using an IP security layer, email delivered via SMTP will be
transparently sent over an encrypted link with a random symmetric
encryption key negotiated with DH. So the NSA can't get your
encrypted email so the fact that they have the decryption key
doesn't help them.
Even if the NSA had access to the signatory keys used to
authenticate DH key negotiation, this means that they still have to
do an active MITM attack on the link. This is not something they
can do after the fact. Bang goes the ability to archive it all and
present it to people afterwards for decryption. Also the expense
and complexity of fishing expeditions become impractical.
To do a successful MITM attack, the NSA must also subvert the
authentication key infrastructure, and hope that no one uses a
subliminal, or out-of-band channel to verify the authentication.
The above arguments, depending on how quickly things like John
Gilmore's S/WAN are deployed, will quickly reduce the Governments
options to:
attempting to revoke de facto international standard internet
protocols after the fact
requesting the authentication keys used to sign DH negotiations, so
that they can do MITM attacks, and get an IP packet modification
infrastructure built (something significantly harder, and more
expensive than the digital telephony bill which is still floundering
at an estimated $4Bn)
So, to monkey wrench GAK, be an early adopter of IP link level
security, make sure that everybody is using link level security with
forward secrecy, long before Clipper IV gets forced into use as a
voluntary, or possibly later mandatory scheme.
Adam
--
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)