Re: Hushmail in U.S. v. Tyler Stumbo

I don't know anything about this case, so everything I say
is pure  
supposition.

Let's suppose you have Alice and Bob who are working
together on some  
sort of business, and they are using some OpenPGP [1]
software to  
encrypt their emails that pertain to that business. Let's
suppose  
that the authorities then decide to raid Bob. Let us then
suppose  
that they go to Alice's ISP and get a lot of encrypted
email, by  
warrant, subpoena, etc. It doesn't matter for our purposes
what ISPs  
Alice and Bob are using, nor what OpenPGP software they are
using.

* Let us consider the case where Bob turns state's evidence.
If those  
emails were encrypted to both Alice's key and Bob's key,
after Bob  
turns state's evidence, the authorities can decrypt all the
messages  
they seized from Alice's ISP. It doesn't matter what Alice
did with  
her key or what Alice's ISP did with it. They can be
decrypted  
because Bob's key has been compromised.

* Let us consider the same basic scenario where all the
messages are  
encrypted to the sender's, but not the recipient's key. In
this case,  
the authorities can decrypt all of Alice's messages to Bob,
but not  
Bob's messages to Alice. After they have compromised Bob,
all of  
Alice's messages to Bob can be decrypted. The fact that
Alice's  
security is untouched is mostly irrelevant. Alice is likely
toast,  
not because of the cryptography, but because Bob has been  
compromised, and Bob's key decrypts mail Alice has sent.

* Let us consider a slightly different scenario in which
neither  
Alice nor Bob are compromised, but Bob is detained. If the 

authorities raid Alice's ISP, despite the fact that they
cannot  
decrypt the messages, they may be able to show a connection
between  
Alice and Bob. If they have been CCing themselves, then
you'll find  
the same undecryptable message in each mailbox. If they have
been  
using "reply," there's probably metadata in the
plaintext headers  
that shows that M_n is a reply to M_ ... M_1, and thus
you have  
a chain of messages. If there is other evidence, such as Bob
sending  
checks to Alice every so often, the cryptography may be moot
or worse  
than moot. (If those messages are harmless, why don't you
decrypt  
them? Yes, this can get into many interesting discussions
like the  
applicability of Amendments 4 and 5, but these are also not 

cryptographic. I really don't want to discuss them because
I'll bet  
we agree.)

Cryptography is not magic pixie dust that you can sprinkle
on a  
security problem and make it go away. If your adversary is a
major  
national government, you have operational security issues,
as well.  
If your adversary is a major national government that has
direct  
authority over where you live, then you have a much larger
problem.  
The adversary is going to use forensic analysis, traffic
analysis,  
and anything else they can think of. They are also not dumb.
You also  
have to expect that third parties, including ISPs, are
unlikely to  
see why they should fail to comply with legal documents like
 
subpoenas and warrants because of what you did. Smart
cryptographers  
make sure there are no backdoors in the crypto, because if
there  
were, then every beat cop and two-bit mafioso will want you
to break  
just that one message -- or else. If the system is strong,
it all  
comes down to your operational security.

	Jon



[1] I have to give a now-usual rant. PGP is a trademark of
PGP  
Corporation and refers to software it makes. OpenPGP is an
IETF  
standard that covers encryption, certificates, and digital 

signatures. There are many products that implement the
OpenPGP  
standard. PGP software is one of those. But other products,
such as  
GnuPG, Hushmail, Bouncy Castle, and so on also implement the
OpenPGP  
standard. Futhermore, PGP software implements other
standards than  
OpenPGP. For example, PGP software implements the S/MIME and
X.509  
standards as well as the OpenPGP standard.

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

In previous cases of the government somehow magically
gaining access to
"securely encrypted" data, it eventually turned
out that the government
had compromised the target's machine and installed a key
logger, or some
other piece of software to record the relevant secret
information.  So
far, I've seen no information ruling this kind of thing out.
 It's in
the government's interest to keep its methodology as secret
and
mysterious as it can.

A common mistake is looking at PGP or Hushmail or some other
kind of
secure mail system and saying "only I can read my my
mail.  Not even
close to true:  Unless you're doing all your decryption with
a pencil
and a piece of paper, it's your *computer* that can read
your mail.
And today's computers simply cannot be treated as trusted.

None of which argues against alternative possible scenarios,
such as
the "turned" correspondent at the other end of the
mail interchange.
The fact is, we just don't know how this information was
obtained.

We *may* learn more as the result of discovery leading up to
trial.
It's generally difficult for the government to keep out of
the record
the methods they use to obtain evidence, as doing so will
tend to
taint the evidence and make it inadmissible.  I'm sure there
are
plenty of lawyers looking closely at how to struture things
to keep
as many details hidden as possible, however.  The fact that
information
came from a "confidential informant" has to be
revealed, but the
identify of that informant can generally be kept concealed. 
Someone
will argue that the decrypted data plays the role of the
"confidential
informant"....
							-- Jerry


------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com