Slashdot Mirror


Peer-To-Peer Encrypted E-mail

Markv writes: "CNET has an article about a peer-to-peer e-mail system called SafeMessage(TM) from AbsoluteFuture.com that could confound law enforcement. Not only is it peer-to-peer, the message is encrypted before it leaves the sender's computer, and the decoder key is destroyed. According to the article, AbsoluteFuture's SafeMessage system would potentially allow people to operate below the radar screen of the FBI's Carnivore program." So Carnivore may be good for something after all! Actually, though, how is this different (or less complicated) than, say, using PGP and an IRC client (with DCC) to effect the same sort of transfer?

8 of 152 comments

  1. Hushmail had this a long time ago. by Azog · · Score: 4

    Hushmail has had secure, encrypted email for a long time now. It uses a Java applet to do the encryption in your browser, without having to download and install any application. The Java source is available for everyone to check for security holes. Hushmail never actually sees your private key. It looks pretty secure, overall - it's been around for a couple of years and I haven't heard of any holes in it.

    Bruce Schneier has even reviewed it. He has some problems with it, but there are no glaring security holes. Still, you're probably better off with GPG, storing your private key yourself.

    So SafeMessage is nothing new. Of course, the more the merrier. Everyone should use encryption all the time, and competition is a good thing.


    Torrey Hoffman (Azog)

    --
    Torrey Hoffman (Azog)
    "HTML needs a rant tag" - Alan Cox
  2. I love anything that thwarts the government's power by leereyno · · Score: 4

    Power in the hands of ordinary citizens which balances the power held by the government, this is the cornerstone of democracy.

    I can foresee a time when encryption becomes every bit as important as free speech or the right to bear arms are to holding the government in check.

    With things like the DMCA, Carnivore and other moves being made by the powers that be to undermine the power of the people, it is easy to get angry and discouraged. But then I see something like this and it reminds me that there are people out there willing to fight back. That not everyone has forgotten that the government derives its power from the consent of the governed and not the other way around.

    Lee

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
  3. Why this is different from PGP/GPG by Gurlia · · Score: 4
    Apparently some people here are mistaking this system for one similar to PGP/GPG, so here goes...

    With PGP/GPG, you publish your public key and others use your public key to encrypt messages to you. The same key is used over and over again.

    With this scheme, apparently they are using a one-time encryption method: I would presume a random key is created at message sending time, and after the timeout, the message and the key are destroyed. Now suppose a 3DES key is produced for *each* message. That's going to make it *very* hard for people to listen in, 'cos after cracking the key for the first message, they've gotten nowhere with the other messages.

    Of course, it's debatable whether this will actually increase the strength of the encryption in practice.

    And, as somebody else has said, there's nothing to stop the recipient from making copies of the decoding key and the message indefinitely. I presume the timeout is implemented in whatever client program they're selling -- but as we all know, any rules enforced by software (including timeout rules) are easily bypassed.

    So I'd say, the timeout factor isn't going to make too much of a difference, though the idea of using a different key for every message *might* make the encryption system stronger.
    ---

    --
    mikre he sophia he tou Mikrosophou.
  4. My two cents by fluxrad · · Score: 4

    I'd just like to say. I'm an international terrorist and I am VERY disappointed in the US government for this whole carnivore deal.

    First off, I feel that my right to send plain-text email to my friends (such as mkhadafi@libya.com or carlos_the_jackal@internationalterrorism.co.uk) has been infringed by this "carnivore" program. Being that we have absolutely no other means of secure communications, like a phone session or even speaking face to face, my particular terrorist cell has been using email for quite some time now.

    Another problem that arises with this email snooping stuff is our new-found inability to transfer bomb making instructions to one another. Obviously there is no other way to find out about how to make bombs, or even a nuclear weapon....it must be done by email.

    I guess I am angry, but I must congratulate the US...with carnivore it is obvious that the FBI has successfully eliminated any possibility of my compatriots and I actively engaging in anti-US terrorism.

    damn.


    FluX
    After 16 years, MTV has finally completed its deevolution into the shiny things network

    --
    "It is seldom that liberty of any kind is lost all at once." -David Hume
  5. PGP over email isn't secure? by talonyx · · Score: 4

    Since when is PGP via email less secure than over DCC or ICQ or FTP or any other 3 letter protocol?

    Carnivore doesn't brute-force PGP, does it? That would take a lot of work for the random chance of finding a keyword like "blow up the pentagon" or "al gore is an erectilly dysfunctional motherfucker".

    Seriously, folks, PGP is secure enough for now. Pretty Good Privacy. And lots of people use it. Good nuff for me and maybe later I'll use something else, but it will probably just be public/private key like with longer keys.

  6. This isn't secure e-mail by X · · Score: 5

    It's secure instant messaging, whether they realize it or not. It has all the drawbacks and benefits of instant messaging as well (inefficient use of resources, instant delivery notification, doesn't work when they're off-line, etc.)

    The stupid thing though is the implication that just because this isn't going through an intermediary server it's more secure than PGP. What a crock! It's still going through a ton of routers, any of which could be copying the contents for analysis. Indeed, from what I know, Carnivore doesn't so much scan the mail store as scan mail traffic. Heck, there are going to be roughly 10 copies of the message made before it gets read!

    --
    sigs are a waste of space
  7. This is just useless.. by Sir_Winston · · Score: 5

    Not only is PGP or GPG good enough, but this new service really doesn't offer anything useful. Here are a few points to consider:

    First of all, peer-to-peer over the Internet isn't really peer-to-peer at all. It's very vulnerable to man-in-the-middle exploits, since by definition any packets going out over the Internet aren't headed straight for the recipient, they have to travel over an untrusted network first. At any point along this network, a third party could insinuate himself between you and the recipient--particularly if that third party is a law enforcement or intelligence agency, since companies which own the Internet infrastructure are legally required to help such organizations. Since the data is encrypted, this may or may not be a threat depending on the strength of the implementation and upon the ability of the sender and recipient not to be socially engineered into giving out compromising information. If the third party can trick you into thinking that he's your intended recipient, you're absolutely screwed. In the case of PKI, for instance, if the man-in-the-middle can get your trust and say something like, "Sorry, John, I had a hard disk crash last week, and the old floppy I had my backup keyring on is corrupted. I needed to make a new key pair, you'll have to use that to send messages from now on," then either you'll be communicating with the third party in readable fashion from now on, or you'll have to stop communicating anything confidential at all. Since a passphrase has to be suitably complex to be useful, the same attack is useful against shared-key crypto. I don't see how this new system could overcome this flaw at all.

    Secondly, the biggest security flaw in communicating via the Net is usually whether you should trust the person at the other end or not. Many of the people we correspond or transact with over the Net are people we've never met IRL, and therein lies the problem. We have no way of knowing if the person we just started communicating with is really a fellow subversive who'll come and help with the demonstrations against the IMF we're planning, or whether he's LEA. Peer-to-peer messaging is therefore useless in real-life applications.

    In fact, peer-to-peer messaging is perhaps actively dangerous. It provides a direct record that a given IP address communicated with this other given IP address at a particular time. Therefore, if your recipient is really an enemy, he now has a record of your IP communicating with him. Even though the message under this system is supposedly encrypted all the time and destroyed after a set period, this means nothing: your recipient's eyes have to see it at some point, so he can just as easily do a screen grab or if that's not possible take photographs of the text. Yes, IPs can be spoofed of course, but it's harder to do in peer-to-peer communications, and you'll still probably leave a trail of logs.

    Contrast this with anonymizing forms of communication. Properly anonymized through use of remailers or remailers in combination with m2n gateways, or through services such as ZKS Freedom (if it can be trusted--who knows?), it doesn't matter if there's a man-in-the-middle, nor does it matter if your recipient is trusted or untrusted. If you leave no trail, you're safe, untraceable therefore untouchable. Peer-to-peer is the opposite of this, and very useless in the real world. PGP your message and send it via Freedom or a remailer chain, and you're golden. Of course, the best way to assure your protection is to run a public remailer yourself--that way you can be sure that at least one remailer in your chain will forward no previous headers and keep no logs. Then, you have absolute deniability even if traffic analysis hints at your involvement with the message in question--aside from which, remailers often pad messages, send out bogus messages, and use delays between receipt and sending of messages to thwart traffic analysis.

    The ultimate way to communicate privately is to use the above suggestions and also divorce recipient e-mail messages from the game entirely once communications have been established. Use a m2n gateway at the end of your remailer chain, to post the PGP'd message to USENET. Either use alt.anonymous.messages with a predetermined heading, or use an empty or spam group. By using a nym with the reply block pointed to a given news group, you can allow people to communicate with you just as if they were e-mailing a real e-mail address, which eases first contacts with people not used to security.

    In other words, peer-to-peer isn't a step forward, it's a step back. It's inherently insecure. The only secure communication is insulated communication, with several layers between sender and recipient. Personally, I'd love to see a company or group of hackers put together easy-to-use software to allow for this sort of anonymous communication, rather than the false security of direct peer-to-peer. Imagine if everyone with a cable or DSL connection (it takes some bandwidth and uptime to be a remailer) who wanted secure communications could just download a simple piece of software which sends anonymous messages for them and also acts as a remailer itself. Imagine a Gnutella-like network for remailing anonymous PGP'd messages and possibly posting them through news gateways to a group like alt.PGPtella.messages. If you made it easy to use, we could have truly private and secure communications in the hands of the people, and Carnivore and other spyware would be useless. For my ideas on how to make a network such as this work, read my musings about what Gnutella should have done and how to replace Napster here. The concept in that post which I think is applicable here is the idea about "regional servers," only in a remailer-type system instead of a file sharing system the "regional servers" would be mostly for finding IPs of connected machines to route through and for establishing initial connections to the network, although you could make this user-definable in case you know a trusted party on the network. All messages in such a system would be PGP'd from each hop to the next, with "regional servers" promoted by the software itself based on uptime and other factors, and unlike with the current remailer system you needn't manually choose each hop along the route--the software could be let to do that, and if the next hop along the route that has been chosen has gone offline, the remailer stuck with the message would forward it to a random hop which is online. Currently, the remailer system is sometimes unreliable, but a new system like this could solve reliability issues. And, as I said, since every user of the system would be a remailer as well as a potential sender, there's absolute deniability: "Sorry, Secret Service guy, you may have traced the message back this far but I'm afraid my machine doesn't keep logs after a day. No, the logs aren't recoverable because they're securely overwritten after the specified period, with no possibility for recovery. I didn't send it and I don't know who did; feel free to look at the computer running the software." All your personal info can be encrypted with something like Scramdisk or the Encrypted File System, just in case the men-in-black do decide to take a look at your box(es).

    Anyway, I think I've adequately described my distaste for direct peer-to-peer communications like this product.

    --


    "The more corrupt the state, the more numerous the laws."--Tacitus, *The Annals*
    1. Re:This is just useless.. by Sir_Winston · · Score: 5

      This is why I said "run a public remailer" instead of just "run a remailer." Anyone can download and configure the standard remailer software, but naturally that doesn't make you a real remailer. However, it doesn't take a lot of effort to advertise a remailer--almost all serious users of remailers read a few basic forums, such as alt.privacy.anon-server. If you make "the big announcement" in such places, and prove yourself to have consistent uptime and reliability, you'll probably start getting hundreds or even thousands of messages a week within about a month or two--if you're reliable. If however you're offline and unavailable too much, or if your stats are flaky, no one will use you.

      In deciding what remailers to use, people go on two things--reputation of the operator, and reliability statistics. Operate a reliable service and post in the right places, maybe join the remops mailing list, and you'll have absolutely no problem getting people to use your service and hence have complete deniability.

      But in any event I suggested something even more important later in my post--that if someone would write an easy-to-use application for sending and relaying anonymous, encrypted e-mail, something simple enough for everyone to use, along the principles I outlined, then the public would beat a path to your door. Imagine if running a remailer and sending anonymous email through it were as simple as installing a Napster or Gnutella client--with thousands of nodes sending encrypted communications to each other, through randomized paths chosen by algorithms in the software, traffic analysis of any kind would be useless and anonymity would be guaranteed.

      The problem is, no one has even tried such a thing. If half the effort put into Gnutella and Freenet were put into such a project, it would happen and quite quickly. It'd be one of the top downloads on Download.com and Tucows. But, among the several reasons this hasn't happened are the fear of having widespread easy-enough-for-anyone anonymous email, since it could be used by criminals and even worse abused by spammers. There's a reason that remailers are notoriously difficult to use: the people who code the software to run them and interface with them are the same kinds of people who are remops themselves, and they fear being used for spam or kiddy porn since that could get them visits from the fuzz. What they fail to realize is that a properly redesigned system of remailers with a clean and easy software interface which requires all clients to be servers as well, all traffic to be encrypted from node to node with a different key and padded to a different size, and other basic precautions, would get so many users as to make any visits from the men in suits useless. The same sorts of people who install Napster to get music and Gnutella for file sharing would install this program for private e-mail. There would be too many nodes and too much traffic to trace anything, and if they did trace parts of a path back to a particular node they'd contact the user and in all likelihood get some guy who has no idea what they're talking about because he's just an average user who wanted to send private mail. If all the data is never stored unencrypted, then the men in suits wouldn't even have any excuse to examine that Joe User's computer. It all comes down to designing the system well, and if it's designed well, it would become ubiquitous and impossible to stop or trace.

      The only bad side effect of this would be increased possibilities for spamming, but since almost all spam is commercially motivated the senders are known. It would perhaps even be a good thing if a system like this were implemented and spamming skyrocketed, because it would spur on anti-spamming legislation which, without a big crisis, simply isn't going to happen thanks to Congress' own "commercial interests." The ultimate effect of such legislation, which as I said will probably only happen if spamming does skyrocket, would be to make spamming far smaller than it is now since the risks of severe criminal and civil penalties would outweigh the potential benefits.

      But, I digress...

      --


      "The more corrupt the state, the more numerous the laws."--Tacitus, *The Annals*