More on Lavabit and encryption


While I am pretty ignorant about the processes of encryption and decryption, I have become intrigued with the topic, particularly since the decision by the mail service companies Lavabit and Silent Mail to shut down their businesses rather than having to be forced to hand over the keys to the government to snoop on their clients’ emails.

Since the government has the power to impose a gag order that prevents the recipients from even acknowledging that they received the infamous National Security Letters demanding that they hand over information about specific people, there has been some speculation about exactly what Lavabit might have been asked to do.

Dan Goodin has some ideas about what they might have been asked. He says that Lavabit’s founder Ladar Levison designed the system keeping the draconian USA PATRIOT Act provisions in mind, to make it technically impossible for him to provide the government with information on individuals. Goodin describes the layers of encryption the system had built in.

But Levison was aware that there was a weakness.

All along, Levison spotted at least two ways his system could be subverted. The first was for an adversary to obtain the private key his server used to HTTPS encrypt the password and other sensitive data as it traveled between the user and the Lavabit server. The other was that Levison could somehow be forced to rewrite his source code and build a trap for users. For instance, Levison or anyone else with control over Lavabit might redesign the system so plaintext passwords were written to a log as soon as they were entered by the user, rather than being scrubbed from the system. Levison believed he had legal protections that would prevent the government from exploiting either weakness. After all, he had never heard of service providers being compelled to reveal the private key used to authenticate and encrypt HTTPS connections. Similarly, he was aware of no precedent mandating service providers change source code against their will.

Levison said he has always known Lavabit safeguards could be bypassed if government agents took drastic measures, or as he put it, “if the government was willing to sacrifice the privacy of many to conduct surveillance on the few.” For instance, if he was forced to change the code used when a user logs in, his system could capture the plain-text password needed to decrypt stored e-mails. Similarly, if he was ever forced to turn over the private encryption key securing his site’s HTTPS certificate, government agents tapping a connection could observe the password as a user was entering it. But it was only in the past few weeks that he became convinced those risks were realistic.

“I don’t know if I’m off my rocker, but 10 years ago, I think it would have been unheard of for the government to demand source code or to make a change to your source code or to demand your SSL key,” Levison told Ars. “What I’ve learned recently makes me think that’s not as crazy an assumption as I thought.”

Goodin says that in 2007, it seemed like the government actually did require an email service provider named Hushmail to take similar measures to obtain encrypted email messages.

The most recent NSA revelations suggest that these speculations are accurate.

It is still possible to defeat the NSA’s spying. As ProPublica reports,

The files show that the agency is still stymied by some encryption, as Mr. Snowden suggested in a question-and-answer session on The Guardian’s Web site in June.

“Properly implemented strong crypto systems are one of the few things that you can rely on,” he said, though cautioning that the N.S.A. often bypasses the encryption altogether by targeting the computers at one end or the other and grabbing text before it is encrypted or after it is decrypted.

Security analyst Bruce Schneier says that in its drive to commandeer the internet the US has betrayed the trust it was given as a steward of the internet and gives some advice on how to improve one’s security even in the face of the NSA.

Comments

  1. says

    Is it just me, or is anyone else unable to see the word ‘Lavabit’ without mentally translating it from the Latin, thus rendering it ‘he/she will wash’?

  2. One Day Soon I Shall Invent A Funny Login says

    Security and encryption are indeed technically fascinating. You can still conceal the contents of email using PGP or one of its derivatives. This assumes that the content is encrypted before it leaves your computer and is only decrypted on the recipient’s computer. This defeats the NSA’s tapping of the main internet conduits.

    However.

    First, the fact that you are using encryption is itself cause for your mail to be noticed. We have been told that encrypted mail picked up from the flood of traffic caught by those taps, is retained for up to five years, just in case the NSA later finds a way to crack that level of encryption and has some reason to be curious about you.

    Second, with present systems you cannot conceal the metadata: the date and time the mail is sent and delivered, the source address and the destination, all have to be in the clear. Just the fact that you corresponded in code with party X on certain dates paints a picture of your relationship to party X. If you or X ever come up in relation to some party Y who corresponded with a party Z who is under suspicion, all the facts about this traffic among you is available to analysts.

    There are ongoing efforts to design an email system that doesn’t reveal metadata; the ideas are quite clever though not, I think, yet practical. Bottom line, today’s email cannot ever be a good way to operate a conspiracy.

  3. says

    The first was for an adversary to obtain the private key his server used to HTTPS encrypt the password and other sensitive data as it traveled between the user and the Lavabit server.

    This would be the preferred method, since it would dovetail into other collection targets that rely on breaking https.

    Briefly, the way SSL works is a public key exchange signed by the site’s certificate, which is used to transmit a random (hopefully!) session key for the connection. Public key is used, in other words, very little -- just to transfer the 56-bit or 128-bit bulk encryption key for the IDEA cipher. There are a lot of possible attacks against this, first and easiest is to have the secret piece of the public key used by the server. Then, the attacker can just suck up all the traffic for the session, drop the session key out, and decrypt the data. This system lacks a desirable (but difficult!) property known as “forward secrecy” -- preventing an attacker who has your old data from going back and decrypting it later if they are able to compromise the key. Another possibility is that there are flaws in the random number generator used for the session keys (this has happened several times in the past!) and the attacker can eventually compute or narrow down the keyspace of the bulk encryption key, bypassing the public key exchange entirely.

    My guess is that NSA would have attacked all aspects of SSL. First and foremost, the payoff would be from active attacks against the certificate’s keys -- either subpoena’ing them with a national security letter -- or an inside job. A secondary technique would be to exploit software flaws in the server software and subvert the running code to extract the key from the running process’ memory.

    So, what Lavabit is referring to is probably a couple FBI agents showing up to collect their server keys, under a subpoena with a national security letter attached. If Lavabit rolled over on that, the next visit from the FBI agents would be a request under PATRIOT for the user database, also attached to a national security letter. At that point the NSA would be able to decrypt all email in and out at the edge -- not even requiring a tap at Lavabit’s network -- they could collect it from AT&T, Verizon, etc. And they could map the usernames on Lavabit to other usernames elsewhere, to find out if [email protected] is “Marcus Ranum” who is also the “Marcus Ranum” on WordPress and so forth.

    Schneier is an optimist.

  4. says

    This defeats the NSA’s tapping of the main internet conduits.

    PGP messages include some very obvious fingerprints. Sending a message with
    -Begin PGP Message- *
    in the header amounts to painting a target on your head.

    (* I haven’t looked at a PGP message structure since 1994; I assume it’s changed since then but it’ll still be full of known plaintexts and metadata)

  5. says

    One of the more interesting classes I ever took while in the military was one about “ad hoc ciphers”, ways in which someone in enemy hands could encode information in allowed communications, as for instance was occasionally managed by PoWs held by Chinese/Korean, Japanese, and Vietnamese captors in various wars of the middle of the last century. It was really creative stuff, too, pointing out language insights about English and French (Canadian Forces is a nominally bilingual command) that would be unlikely to be recognized by even expert second-language speakers -- one that stuck with me was messing with the order of adjectives, such as in the noun phrase “the red big ball”. To a native speaker, the order should clearly be “big red ball”, as we have a complex set of internalized rules about the way we order adjectives, and size comes before colour in general usage. With subtle shifts of word order like that, you can hide quite a bit in even a paragraph’s store of words.

    These tips are, of course, different for various languages, because you want to hide the information in places that your captor’s language has different schemes. If I were Russian, for instance, and in Chinese-speaking hands, I might want to use the gender indicators on verbs and adjectives to show words that were to be highlighted.

    Not very on-topic, but it reminded me of it, so you get the ramble about it. 🙂

  6. Mano Singham says

    I had not really thought there were rules about the ordering of adjectives. But you are right that we do seem to follow some kind of pattern to them.

  7. says

    Yeah, it’s one of those corners of our understanding that we often don’t know we know. Wikipedia has a decent overview of the issue in English: http://en.wikipedia.org/wiki/Adjective#Adjective_order

    I’ve known people to do theses on adjective ordering, because of that very quality of it being something we don’t generally know we know. Experimentation can establish that we definitely do it, and that people rarely are able to articulate the rules without a lot of discussion, but we can do it reliably on the fly almost every time.

Leave a Reply

Your email address will not be published. Required fields are marked *