1996-09-19 - monkey-wrenching GAK

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: cypherpunks@toad.com
Message Hash: 297e3b0fe8bea0c6807d800e196a34dea2bab7c8be0316a6737c354b52068ae8
Message ID: <199609182148.WAA00346@server.test.net>
Reply To: N/A
UTC Datetime: 1996-09-19 02:49:50 UTC
Raw Date: Thu, 19 Sep 1996 10:49:50 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Thu, 19 Sep 1996 10:49:50 +0800
To: cypherpunks@toad.com
Subject: monkey-wrenching GAK
Message-ID: <199609182148.WAA00346@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain



This is along the lines of a technical monkey-wrenching of GAK:

1) The state of email encryption

If the NSA decides they would like to get a decrypt of an email that
you sent, they turn up with a copy of the encrypted email and request
that you decrypt it.

The reason that this is so bad is that you have effectively secret
shared your plaintext between the NSA (who has archived all of your
encrypted email), and yourself who still has they key.  This is not in
your interests.

2) Mandatory GAK

In a future with mandatory GAK, the NSA has all your keys already,
because they have a nice database of them, and so they can decrypt any
thing they feel like.

3) Monkey-wrenching 

Even with GAK, where you are forced to give the government the keys,
you can do much to make the job of administering GAK very expensive.
You start by ensuring that the government can not get your encrypted
data (the other half of the secret share), so that the key is of no
use :-)

You can do this by using a forward secret protocol such as
Diffie-Hellman to exchange data, then you can't provide the encrypted
text to the NSA even if you want to.

But won't they make forward secret protocols illegal at the same time
as enforcing GAK?  Well, maybe they've left it too late already,
consider:

  IP security layers in general - they provides an extra layer of
  encryption that the NSA has to obtain the keys for to make sense of
  their tap.  They may have to archive impossible amounts of IP traffic if
  they can't recognize the type of IP traffic through the IP level
  encryption (www traffic has its uses as cover traffic :-)

  IP security layers which use Diffie-Hellman: forward secrecy means
  that the site owners can't decrypt old IP traffic even if they want
  to.

  When using an IP security layer, email delivered via SMTP will be
  transparently sent over an encrypted link with a random symmetric
  encryption key negotiated with DH.  So the NSA can't get your
  encrypted email so the fact that they have the decryption key
  doesn't help them.

  Even if the NSA had access to the signatory keys used to
  authenticate DH key negotiation, this means that they still have to
  do an active MITM attack on the link.  This is not something they
  can do after the fact.  Bang goes the ability to archive it all and
  present it to people afterwards for decryption.  Also the expense
  and complexity of fishing expeditions become impractical.

  To do a successful MITM attack, the NSA must also subvert the
  authentication key infrastructure, and hope that no one uses a
  subliminal, or out-of-band channel to verify the authentication.

The above arguments, depending on how quickly things like John
Gilmore's S/WAN are deployed, will quickly reduce the Governments
options to:

  attempting to revoke de facto international standard internet
  protocols after the fact

  requesting the authentication keys used to sign DH negotiations, so
  that they can do MITM attacks, and get an IP packet modification
  infrastructure built (something significantly harder, and more
  expensive than the digital telephony bill which is still floundering
  at an estimated $4Bn)

So, to monkey wrench GAK, be an early adopter of IP link level
security, make sure that everybody is using link level security with
forward secrecy, long before Clipper IV gets forced into use as a
voluntary, or possibly later mandatory scheme.

Adam
--
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)





Thread