Posts tagged ‘cryptography’

PGP public key autodiscovery based on email address

Quite a while ago now (toward the end of 2007), when I was freshly inspired to do more cryptography advocacy by the death of Itojun, “the IPV6 samurai”, I wrote a rant/essay called Anti-phishing Cryptography (it’s actually in a pretty bad state right now, it needs some structuring and completion) in which I lamented the fact that people in 2007 were being fooled by fraudulent emails into giving up the credentials for important services like Paypal or internet banking, despite the fact that digital signature technology which makes verifying the identity of an email sender largely foolproof has existed for literally decades. I tried to generate enthusiasm for a system where important services like Paypal or banks would digitally sign all official communications with their customers, and would make the keys easily available as metadata on their websites, with a well recognised and user friendly icon system, like that currently in place for RSS. Randomly returning to this idea a few years later, I’m struck by how much this overcomplicated the problem and how (seemingly) much better a new idea of mine is.

The idea is simple: when an email client like Thunderbird or Outlook receives an email from (purportedly) the address user@domain.com, it makes an HTTP request to a hostname derived from domain.com, perhaps something like keydiscovery.domain.com. The request can be on a port other than 80 (which means that keydiscovery.domain.com remains free for use as a website URL) and the URI can be some agreed upon standard with the username user included as a query parameter, e.g. /getkey?id=user. An HTTP server on the other end responds with user@domain.com’s public key, in ASCII format, and then closes the connection. If the user doesn’t exist it returns a 404 like usual. Once the email client has the key (which it caches against the email address for future use), it can attempt to validate any signature present.

This can take place in a few seconds, completely invisibly to the email client user. Depending upon the possible results – key successfully found, signature is valid; key not found or signature not present; key successfully found, signature is invalid – the client can display a green, orange or red light respectively beside the email’s listing. Thus, without understanding anything that has actually gone on, even a clueless user who doesn’t know what a public key is can quickly grasp some significant security information about that particular email. If there’s a green light he knows the email is genuine. If there’s a red light he knows it is certainly a scam. If places like Paypal and major banks played their part by signing all of their emails (and their outgoing SMTP server could be configured to do this automatically to reduce the costs of retraining etc. and the risk of keys being stolen/leaked from low-level employees with insecure desk PCs) and making the public key available via HTTP at the appropriate URI and on the appropriate port, then people running phishing scams could not get away with spoofing a sender address which ends in @paypal.com, unless they were able to forge a digital signature, which at the moment is essentially impossible in practice. Any attempt to send such impersonating mail would raise an obvious red light at the user’s end.

Unfortunately, this idea does not kill phishing completely. Scammers could simply register domains which are superficially similar to those that they want to pretend to send email from, like paypaal.com (in fact, they often do this now in order to have somewhere convincing-looking to host web applications which steal credentials), set up a key discovery server for this domain and send signed emails that would get green lighted. It would be up to the user to realise that the email was from PayPaal and not PayPal, and that’s something that anybody could miss. So further measures would be required to help guard against this. I have ideas on how this might be done, but I don’t want to get this entry too off track by talking about them now. Besides, even if this system doesn’t solve the phishing problem completely, it is still cool and useful and a bold step in the direction of making public key cryptography easier for the public to use.

I’ve done a bit of googling and nobody appears to have written about this sort of idea before, although this may be because nobody has talked about it using the term “autodiscovery” (which I picked up from the RSS world, btw). The nearest I have found are some places (like here and here) talking about putting a tag in your blog’s HTML code to advertise your public key, so that people can do things like leave signed or encrypted comments on your blog without too much trouble. This is a similar-in-spirit but not-quite-the-same idea to the one I’ve proposed here. The fact that this is the closest idea I’ve found means either I’m the first person to have a great new idea (which I just can’t believe, given how simple it is), or (much more likely) there’s something fatally wrong with this idea and so everybody else who has had it has dropped it after some thought. Surely I must be missing something? Let’s think this through…

Suppose there’s a mail service out there somewhere that has not yet set up a key autodiscovery server. Could an attacker set up a fraudulent key server before them to impersonate their users? Well, no, since the hostname used to do the key lookup is derived from the domain part of the email address. An attacker can only set up a fake key server if they control the relevant domain name (excepting some sort of DNS attack, of course, which causes some users to mistakenly ask the attacker’s server for a key instead of the real one). This feature of the system limits impersonation attacks to people inside the same domain as the impersonated person. A disgruntled Microsoft sysadmin could establish a fake keydiscovery.microsoft.com and impersonate bill.gates@microsoft.com but he couldn’t impersonate scott.mcnealy@sun.com (and neither could Scott or one of his employees impersonate Bill). This is a weakness, but not a terrible one. Inside attackers are always going to be at an advantage over outsiders.

So fake servers don’t seem to be a problem. What about attacking genuine servers? Could an attacker exploit a buggy key server and overwrite somebody’s stored public key with his own? If the keys are served over a port other than 80, then even though they come via HTTP there is no need for them to be served by a “proper” webserver like Apache or Lighttpd (of course, in this case there’s no reason for them to use HTTP at all instead of some other invented-for-the-purpose protocol, but I’m a big fan of reusing HTTP wherever possible because it makes life easier for developers). They could be served by extremely small and lean specialist server programs which implement an extremely restricted subset of HTTP, close to HTTP/0.9 in simplicity. They would ignore any requests other than GET, and return a 404 for any URI other than the designated standard /getkey (or whatever the internet agreed upon). That’s it. They would have read-only access, enforced by the OS, to the keys themselves (some other program, less accessible to the public, could handle key management). The code for a server like this could be made so delightfully short and simple that you could realistically get all the dangerous bugs out of it.
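A small offline model of the exchange described in the preceding paragraphs (the client-side lookup and caching, the traffic-light outcomes, and the lean GET-only server), added here as an illustration and not code from the post; example.com, the key store contents, the local transport and the verify() hook are assumptions standing in for DNS, HTTP and the PGP signature check:

```python
# Added example, not the post's code: hostname prefix, /getkey?id=<user>, the
# 404 and the green/orange/red outcomes follow the post; example.com, the
# KEY_STORE placeholder key and the verify() hook are constructed stand-ins.
from urllib.parse import urlsplit, parse_qs, quote

DISCOVERY_PREFIX = "keydiscovery"
KEY_PATH = "/getkey"
KEY_STORE = {"alice": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
                      "PLACEHOLDER\n-----END PGP PUBLIC KEY BLOCK-----"}

def discovery_host(address):
    """Lookup host derived from the domain part only, so a fake server
    can only be run by whoever controls that domain (or DNS for it)."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % address)
    return "%s.%s" % (DISCOVERY_PREFIX, domain.lower())

def handle_request(method, target, key_store=KEY_STORE):
    """Lean server: only GET, only KEY_PATH, only a read of the store.
    Returns (status, body), or None when a non-GET request is ignored."""
    if method != "GET":
        return None
    parts = urlsplit(target)
    if parts.path != KEY_PATH:
        return 404, ""
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1 or ids[0] not in key_store:
        return 404, ""
    return 200, key_store[ids[0]]

def local_transport(host, method, target):
    """Stand-in for DNS + HTTP: only example.com runs a key server here."""
    if host != discovery_host("anyone@example.com"):
        return None  # nothing answered
    return handle_request(method, target)

class KeyClient:
    """Mail-client side: fetch the sender's key, cached by address."""
    def __init__(self, transport=local_transport):
        self.transport = transport
        self.cache = {}
        self.requests = 0  # network round trips, i.e. cache misses

    def lookup(self, address):
        if address in self.cache:
            return self.cache[address]
        local = address.rpartition("@")[0]
        self.requests += 1
        resp = self.transport(discovery_host(address), "GET",
                              "%s?id=%s" % (KEY_PATH, quote(local)))
        if resp is None or resp[0] != 200:
            return None  # key not found: the orange case, never cached
        self.cache[address] = resp[1]
        return resp[1]

def traffic_light(key, signature_present, verify):
    """Map the post's three outcomes onto the indicator colours; verify
    stands in for the PGP signature check, which is not implemented here."""
    if key is None or not signature_present:
        return "orange"
    return "green" if verify(key) else "red"
```

Note that the cache here never expires, so a real client would need some way to refresh an entry when a domain rotates or revokes a key.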

I’m going to have to think about possible attacks against this system for a while. If there really are none then I think it’s a really exciting and important idea. I might go about trying to write a plugin for Thunderbird to implement a proof of concept. I have no idea how this will go, I don’t even know what language Thunderbird plugins have to be written in, or whether or not they would have access to a HTTP implementation. If anyone can see any weaknesses in this idea, please leave a comment. If the comment feature doesn’t work (which I’m starting to suspect is the case sometimes), then please email me.

Correlation attacks in Wikipedia

The other day I wrote a Wikipedia article on correlation attacks. I first noticed a red link to that page from the article on stream ciphers (meaning that the correlation attack article had been referred to but did not yet actually exist) when I was studying the at RMIT in early 2006. I came back to the stream cipher article recently for some reason and was astonished to find that the correlation attack link was still red – nobody had filled this rather substantial hole (correlation attacks are a very basic part of stream cipher cryptanalysis) in Wikipedia in close to three years! So I’ve made something of a start on it. I think there is plenty of scope for elaboration, still.

I haven’t thought much at all about this sort of thing for a very long time and I quite enjoyed revisiting it. Stream ciphers are not anywhere near as well publicised or discussed on the web as block ciphers are and so they’re probably a weak point in most self-taught people’s understanding of cryptography. Arguably this makes sense because they’re not used as often in the civilian world as block ciphers, but there are a lot of interesting and fun problems associated with stream ciphers that it seems a shame to just miss out on.

Absurd UK surveillance ideas

Amongst others, the Times Online is reporting on considerations by ministers of the UK government of a plan to store and monitor every email sent by every person in Britain. The supposed reason that such an insane system is needed, of course, is to fight terrorism. If we (like almost everyone else in government or the media) set aside the all too salient fact that terrorism typically kills fewer Britons each year than accidental drownings, and suppose that the government really should be spending time and money trying to do something about it, ample grounds still exist for criticism of this scheme.

While the UK government may conceivably be able to eventually muster the sheer amount of hardware required for intercepting and storing such a vast quantity of emails, it is entirely infeasible that they are ever going to have the ability to read any encrypted emails that they may have harvested. Furthermore, competent terrorists know this. Competent terrorists know they can use PGP or GnuPG to encrypt their emails and rest assured that the UK government simply cannot read them, short of physically apprehending the terrorists and torturing passphrases out of them. The very fact that as soon as a major terrorist incident happens the relevant government starts making loud noises about the threat encryption poses makes absolutely sure that terrorists know they can do this. So they will do it, and this scheme will fail at its intended task, wasting a horrendous amount of taxpayers’ money and putting undue strain on the country’s internet infrastructure. It’s a horrible idea.

But it gets worse.

All the innocent non-terrorists in Britain will, with a few rare exceptions, continue not to encrypt their emails, so these will be collected and stored by the government. This is a cause for tremendous concern because the UK government has recently made it embarrassingly clear to the world that when it comes to the secure storage of sensitive data, they are nothing short of incompetent. Just look at these incidents – each of them from 2007. To be fair to the UK government, they’re not alone in this regard, and Google will help you find just as many or more breaches of a similar scale by the US government.

Naturally the loss and theft of hard drives and disks is bound to happen from time to time, but the possible impact of these breaches can be reduced to zero by using readily and cheaply available encryption technology. In none of the cases cited above was this data encrypted like it should have been, suggesting that data security is either not taken seriously by the UK government or it is handled by people not qualified to be handling it. When unencrypted disks full of everyday citizens’ personal emails, lost or stolen or bribed away from the government’s hands – and based on all the evidence we have so far, this is more likely than this email surveillance scheme actually thwarting a terrorist plot – end up anonymously posted to the internet, the consequences will be severe.

Details about people’s personal finances, love lives, political and religious beliefs will be exposed for all to see. Commercially sensitive material of every imaginable kind will be available to every company’s most feared competitor. Identity theft, industrial espionage, harassment and stalking are all likely consequences. The risk is simply far too great, and entirely disproportionate to any reasonably expectable benefits.

This rant says nothing about the basic principles of freedom and privacy that this issue obviously treads on (for a well-written and concise rebuttal to the standard issue “If you’ve done nothing wrong then you’ve got nothing to hide” justifications that are inevitably thrown around on this matter, see Bruce Schneier’s excellent “The Eternal Value of Privacy“), which are also well worth consideration. In an attempt to make the rejection of massive government surveillance programs appeal to a wider audience, in this post I’ve gone with a slight twist on an old saying and not resorted to considering malice where it is adequate to consider incompetence.

Although not relevant here, it bears mentioning in closing that the ideas of government incompetence at secure data storage discussed here should be the first thing that pops into your head when a government suggests (and, depressingly, this really does happen) that they should keep a record of everyone’s fingerprints, eye scans, DNA or any other biometric credential. When those details are lost or stolen (and how confident can you be that they never will be?), you can’t have them replaced like you can your credit card and passport. They’ll be on the internet for good.

Yet Another Case for Cryptographic Cameras

In December 2007 I started writing this horribly incomplete proto-draft of an essay on “cryptographic cameras”, a concept inspired entirely by Bruce Schneier’s paper “An Authenticated Camera“. In April 2008 I was inspired to finally get around to finishing this paper when a move by the NSW police raised again for me the potential social importance of the widespread adoption of cameras with cryptographic authentication possibilities.

That essay of mine sits still horribly incomplete today, shortly after the blogosphere, and later the mainstream media, became abuzz over the fact that a photo recently released by the Iranian government purporting to show successful test missile launches had been, rather obviously, Photoshopped to show one more missile than was actually launched. Here is the photo the Iranians released. The “Little Green Footballs” blog (which I was pointed to by Reddit) has an article with a static picture showing the cloned exhaust plumes, and “Suitably Flip” has an animated version, which I personally find less enlightening. Mainstream coverage is available at the BBC and the Daily Telegraph, amongst other places.

This revelation is an even better example than the NSW police situation of why some sort of cryptographic photograph authentication technology is important, and probably just as good an example of this as Adnan Hajj’s doctored photos from Beirut in 2006, which are the (only) example currently present in my proto-draft. Perhaps a lesser example is the controversy surrounding photographs of the toppling of Saddam Hussein’s statue in Firdus Square, Baghdad. I say “lesser” because it is not immediately apparent that cryptography can guard against careful selection of camera angles and positions, although as products like Nintendo’s Wii console bring down the cost of accelerometer-based motion sensing devices (like the Wii Remote) I suspect that a good authenticated camera system could in fact detect this sort of manipulation. Perhaps a solution based on some sort of miniature, internal magnetic compass could suffice here as well. I’ve not given the details tremendous consideration, but I am digressing enough as it is.

The above examples (and perhaps more that I’m unaware of – comments welcome!) make it abundantly clear that, in this age of Photoshop, to assume photographs shown in the mainstream media are undoctored or accurately indicative of true events requires an entirely unjustified level of trust in that media. For every poorly executed and blatantly obvious manipulation like Iran’s missiles or Hajj’s Beirut, there is an unknown number of better executed and yet to be uncovered manipulations that currently enjoy status as fact. This knowledge must necessarily damage the credibility of photography in mainstream media for any critically thinking person. More worryingly, this trend can only reasonably be expected to continue.

Embedding cryptographic processors into digital cameras can reverse this trend, and furthermore it is probably the only technological solution which can reverse it. Once there exist cameras which can provide digitally signed copies of a photo (to establish a lack of subsequent doctoring) and digitally signed meta-data (to establish the time, location – via GPS – and orientation – via accelerometers or compasses – of the photo), and these cameras are available en masse for even as much as a few thousand dollars, then it can and should be considered extremely suspicious for any professional media outlet to not make this supporting evidence available to the public. I honestly believe that such a cost is eminently achievable: Nokia’s N95 mobile phone already contains an integrated GPS receiver, a camera and an accelerometer and, according to this Cnet review, cost just $1379 Australian a little over a year ago. Obviously professional media photography would require a better quality camera component, but the rapid progress of the mobile phone industry will continue to drive the price of this technology down, to the point where it seems realistic to expect these capacities to be available in a good professional camera for a few grand in just a matter of years. A proof of concept implementation for $10,000 today is unquestionably possible and would help to get us there faster.

Not only would an investment in this sort of technology help to salvage the credibility of professional journalism and help us to spot falsified governmental saber-rattling, but it would open the doors to trustworthy citizen journalism, increase the trustworthiness of crime scene photography used in criminal trials and quite likely a whole host of other things I can’t even think of.

I really need to finish that essay.

Random and unrelated link drop: Donald Knuth’s infrequently asked questions.

Cryptography section added, RIP Itojun

I’ve recently added a cryptography section to my site. There is some material already up, though a lot of it is incomplete and/or unpolished, and there is some that I’m still working on and will put up shortly.

This section is perhaps something that has been a long time coming, as cryptography has been one of my main technical interests for many years now. I have long been of the opinion that, properly utilised, cryptography holds the potential to provide society with a lot of benefits. Admittedly, I have never been particularly optimistic that this potential would be realised, but neither was I particularly concerned with trying to change that.

I have recently been inspired to do more to rectify this situation. As was widely reported, on October 29 this year Jun-Ichiro “itojun” Hagino died at the age of 37 (I haven’t found the cause of death reliably reported anywhere on the internet). Itojun was a very active and well known Japanese programmer, perhaps best known for his extensive contribution to the KAME project, which produced free IPv6 implementations for BSD unix operating systems. Itojun dedicated the larger part of his life’s work to the promotion and advocacy of IPv6, at many levels – from writing code for KAME, down to producing educational IPv6 videos for lay people to distribute via YouTube. Judging by comments left in various places after his death, he is widely remembered as a genuinely dedicated, helpful and pleasant person who always put technical merit before project politics and always had time for anything or anyone on the subject of furthering IPv6 adoption.

Upon his death, it occurred to me that the cryptography world could really use someone to do for it what Itojun did for the IPv6 world. Although I dare not compare myself to Itojun in terms of talent or technical knowledge, I do feel that I can make some contribution to playing a similar role for cryptography. I can write explanations of cryptography at varying levels, I can explain possible benefits to society, I can make educational YouTube videos and I can write code.

I have thus resolved that in the near-ish future I will launch a separate website with the twofold goal of educating as many people as possible about basic cryptographic technology, together with what it can and cannot achieve, and of challenging the world’s programmers and policy makers to start making wider and better use of existing cryptographic technology to solve problems. The new crypto section of this site is a case of “testing the water” – a place I can slowly build up a collection of documents to eventually polish and release in one big user-friendly bunch at a later date. Stay tuned.