9 August 2000


Date: Wed, 9 Aug 2000 09:51:58 +0100
To: ukcrypto@maillist.ox.ac.uk
From: Dave Bird <dave@xemu.demon.co.uk>
Subject: RIP ------- put all your letters inside a "Big Brown Envelope"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


RIP-busting suggestions........

=============================================================/''one''|

    ''Big-Brown Envelope'' Project

Abstract: Those ISPs with tradeunionist or 3rdWorld campaigning users
are concerned at use of the Regulation of Investigatory Powers bill for
delving into the content of email [or simply who sent what when] to
disrupt activities or harm contacts.

The solution may be to pass all mail in a "big brown envelope", or user-
to-server encrypted session, with a mail server in a free country.  The
components to do this are easily found; the choice is a political and
commercial one.

THREAT MODEL.  Why Threatened?  The General Skivers Union is a fairly
sedate body except for its attempts to unionise US-owned ConglommoMunch
fast food outlets, and giving space to the Bogzanian Oil-Workers
Democracy Campaign: to the annoyance of the Alabama Oil Co and Imperial
Oil.   Some information on its computers can also be used to
wiretransfer large amounts of its money.  The machines are in the GSU
open plan offices which sometimes uses volunteers,  or are to some
extent laptops or computers-at-home of its executive. The practical
consequence of information theft is that the union organisers at CM
branches would be fired, BOWDC informants in the Bogzanian government
would be shot, or GSU funds would be stolen.

BY WHOM? Conglommo-Munch do not take likely any threat to their profits
or control and  are  not above hiring free-lances to use force,  at
least  against property.   They may have intelligence support, because -
after cocaine and M16s - giving them commercial information when
Conglommo Foundation pay an agent in "consultancy fees" is a common
intelligence currency; anyway, promoting [corporate] prosperity at home
has always been an integral aim of intelligence. AlabCo even more so,
because oil is a military/commercial strategic material.  

The nominally British, i.e. British-staffed, intelligence and security
services may be interested, because doing what they are told in exchange
for a supply of world-wide intelligence is a usual currency with them;
and it is long past the time they believed commercial spying beneath
their dignity.  They consider these activities against British
[economic] interests, and Imperial Oil to be a key strategic asset: also
they support large arms deals with the Bogzanian dictator.  Less
romantically, the GSU's funds may be quite simply a target for thieves.

HOW? Whether the motive is political or just stealing funds, the
interloper aims to get hold of information and keep it quiet that he has
done so  -  without the owner being able to intervene or preferably even
know - for as little effort as possible. 
Methods will include intercepting messages as they flow outside the
building, even if only ciphertext for which they hope to have a key
later. Or include intercepting traffic, which now needs only the
signature of a junior police canteen worker :-) , and yields almost as
much information in who talked to whom, how much, and when, as will
serve to identify and harass out of action main players in a strike
committee. 

Or they will try steal-once-use-later, where they get hidden access to a
machine on one occasion either covertly or by threatening the holder
into one-off co-operation and later secrecy.  Here they are after [a]
plaintext of material sent encrypted or [b] keys they can apply to
material they intercepted as ciphertext:  it is best to have an option
that these can be "shredded" when no longer needed,  so nothing can be
yielded up under threat... and to limit the future usefulness of keys
taken now.

More extreme is entire theft, where they try to steal and operate an
entire node in the network with the one-off compliance of its owner. The
additional factor is that occasional changes of key need future personal
co-operation to stay on the network. Also their is a null case where
they buy/obtain someone's co-operation permanently: you can limit what
past material they had at time of defection, and you can to some extent
see that people know only such confidential material as concerns them.




two''\=============================================================

DEFENCE MODEL.  If the black-hats are stopping the postman to read
postcards to and from you,  time to put letters in opaque envelopes
[individual message encryption].

If they are at the sorting office, beyond your control, photographing
all the address labels on your mail, it's time to put everything in a
"big brown envelope" and send it for sorting elsewhere i.e. user-to-
server encryption with a mail server owned and operated in a free
country.  All the ISP knows is the length of your overall session with
the foreign server:  the session contents are opaque to him.

If they break into your house for filed mail, with or without a warrant,
then perhaps you should be prepared by regularly shredding old mail...
and the envelopes it came in, if you don't want them to know even the
senders.  It is never a good idea to lie or expect others to lie under
pressure about what information is held: just see that it is not held,
and the shredding policy is recorded.

Some people may worry that with a sufficiently high-priced attack even
deleted files may be read off disks by microscopically examining the
edge of tracks. The solution in this case is to keep sensitive files
encrypted on removable Zip 100MB or Jaz 1000MB drives: junk old media
monthly, and be sure to re-format them with a lump hammer first.  No
technical solution gives perfect security, but such measures can make it
less and less likely anything will be found after more and more work.

Security Policy. The passage of the immensely damaging R-I-P bill
despite the fact that it is clearly insane shows that parliamentary
process is inadequate to guard our liberties:  British Democracy would
be a good idea, but we don't have it yet. Threats to take content and
traffic, under laughable safeguards, from under our noses without our
knowledge or power to object -- and even more so to enter our homes and
co-opt us as spies on others, forced into silence by the threat of being
locked up in a cellar -- are a fist in the face to ordinary Internet
users.


Anyone whose data may have political or commercial implications, or who
likes their private life however dull to be private thank-you-very-much,
should have the means of making choices:  whether they want their
letters open, whether they want their mail-traffic logable, whether it
should be possible to take past correspondence from their machine.   Or
indeed the means to make a minimum compliance to demands put upon them.
No doubt they will mix various levels of security for various broad
levels of priority [though the experts might urge them to "treat
everything as highest security so the sensitive items don't stand out"]. 

BIG-BROWN (OVERVIEW).  

What would the project look like?  A server would be set up somewhere
overseas  such as Ireland or Norway, on which the UK ISP hires services,
but which over  there and owned by local people so British hold over it
was minimal.  The users would be given a program to communicate with it
on CD, or told where to download it. The security of their traffic would
then be between them and the server.

All the unresolved questions are political/commercial in nature:  how
much would it cost, what would be the demand for it, who do we know over
there, are we sure their laws and government would protect us adequately
from overseas interference in it. The technical solutions to this are
then straightforward [but, if it is not strategically correct, they are
merely answers looking for a question to fit them].
This is really for ISPs to decide; my further details are on the
technical aspect.

How hard would it be to use?   Not very hard at all.  It is vital that
the user  can be led through what looks like, to him, a straightforward
process of signing up, then just send and read mail through his usual
mailer program to our interface. I have outlined what a sign-up session
might look like, and written some code.

==========================================================/'''''three

How complicated are the internals?  Slightly more complicated than
present crypto systems, but not that hard to put together from the
pieces provided in the PGP or free-PGP libraries. And you don't have to
know how the engine works to drive a car.
What would be at the server end?  There is almost certainly code around
which allows you to set up "this web-page is a mail-service:  click here
to sign up, click here to collect your mail, click here to compose mail
on-line or send prepared mail."  

With slightly more work you could write custom scripts to do things like
"Only send mail from me if it has my PGP signature" and/or "...if I have
PGP encrypted it to someone."  Or "only deliver mail to me if it has a
valid PGP signature to a key on one of the usual servers", or "if it
appears to be encrypted to my public key." A user who chose to do those
things would block the mail-spamming which is the bane of hot-mail
accounts, and be pretty sure nobody else could hack his mailbox
successfully.  This is in addition to the session crypto provided by the
client.

How practical is all this?  I asked a colleague who is doing philosophy
at LSE,   but knows PERL-scripting for servers in practical detail, how
hard it would be to actually implement this: "not hard at all is the
answer."  Nothing in it is that much different from the way many present
programs work, and what is new in overall nature is merely a matter of
bolting together existing components.  It could easily be done in PERL
or Java on the server.  A client program for users could easily be made
in Java, or in PERL - being sure to ship one of the existing PERL
interpreters for their machine - for many different kinds of user
machine.  

Some of the functionality we want is embodied in SSL (Secure Session
Link), and rather more in SSH (Secure SHell) which already exist,
although users would have to make sure that they updated old browsers to
the more recent 128-bit crypto modules. None of it would be that
difficult to write anyway, given a small amount of programming effort.  


BIG-BROWN (EASE OF USE).  
On the next page I have drawn out in WinWord the simple series of steps
for a tabbed dialog box ("wizard") to guide the user through setting up
an account.  As an exercise, and because it looks clearer than on paper,
I also wrote some actual dummy code to produce an interface like this.
It takes surprisingly much code to produce visual interfaces -- perhaps
6 or 7 pages for this - but much of it can be automated with Visual
Basic or Visual Java.  I did this in a single afternoon without sweating
too hard [and I'm not even fully up to speed on using JBuilder], so it
is not vastly difficult; see http://www.xemu.demon.co.uk/BigBrown.jar  .


BIG-BROWN (INTERNALS).
The internal systems, although not visible to the user, would be a touch
more complicated than current systems.  I assume readers know the basics
of public-key crypto before going on to something slightly more
complicated.  We would probably have multi-layers of cryptography as
follows.

The server end has a permanent "identifying" public key which is
certified through to the user as valid by various means.  It uses this
to sign assorted temporary public "keys-of-the-month" it has created:
when they cease to be used, they are erased.  The purpose of this is
that, if the interlopers do not compromise all of these keys in the
current month then they are not into the message text.  If they have
private-key control of the main key then they can create new
temporaries.

The client end ditto has the key which it permanently uses with the
server. It uses this to certify a temporary public key which it keeps in
memory and deletes at end of session.  Private key-control would create
new temporary keys, but it cannot decrypt a session key which was
encrypted in one of the old keys (and hence the text which was encrypted
in that).  


''four''\======================================================



            Diagrams omitted 









===========================================================/''five'''

The client starts with only the protection of one of the server's
public keys-of-the-month. He encrypts to this what his current temporary
public key is, though of course only he has the decode end.  The server
obliges by proposing a 128-bit IDEA session key apparently decryptable
to the client's temporary key.  Now we have a session key known each
end.

Some people have proposed a belt-and-braces approach in which there is
also a mutating idea key.  When the account is established the agreed
key modifier at  each end is zero.  At the end of a session, a key
modifier is agreed based on the hash of the session. Next time round,
you don't get the correct IDEA key... you get one which will be correct
when XOR'ed with the key-modifier.   Schemes of this kind used alone can
only be unzippered starting from the first message onwards with  none
missing from the sequence.  For extra fun either end might want to
propose additional material xor'ed into the key modifier, though this
has less application here. [Hmmm. Told you it was complicated. But all
of this is just calls to existing crypto library functions].

SMALL ENVELOPES, AND SHREDDERS.

There are certain things that concern me about PGP as a "per-message"
envelope for nullifying interception of content at the ISP, chiefly as
concern making it easier to get started with so more people will use it.
I am also interested in a variety of "shredders" for dealing with
demands for filed plain-text of old messages received, or with keys that
will still decrypt old intercepted messages [by saying and proving you
having got them].  The latter requires belt-and-braces as above.

(a) Making small-envelopes easy.
I like the seamless integration of the Turnpike mailer to PGP and  far
as encrypt / decrypt and sign/verify goes, but I would very much like to
see it prompt the user with two Wizards.... one about making the key and
attaching a photo, the other to lead through the phone verification
steps a few days later; I found these aspects moderately hard as a
newcomer to the program, and feel help is needed. I did a piece on
usenet concerning this, as below.  I am also all for encouraging key
exchange and verification through webpages with keys and photos on
webpages of our various organisations.

On Mon, 31 Jul 2000 21:54:28 +0100,
in demon.ip.support.turnpike, art<TooWvzGEeeh5Ew1T@xemu.demon.co.uk>,
re WISHLIST: Turnpike could do its own Make/verify key Whizzard, 
Dave Bird <dave@xemu.demon.co.uk> writes:
>WISHLIST:   Turnpike could do its own  Make/verify key Whizzard

(b) Installing shredders. 
I am interested that mailers allow you to set up a clear storage policy
as system default and then per addressee between store encrypted
messages:
In clear, Encrypted to me,
Encrypted to recipient (default),
Or not at all..................... and be able to print out that the
policy is and when it was last changed.  I am also looking at some sort
of key modifier system based on hash of the last message.  It may be
that you have to keep a small amount of current key information i.e. if
your new message fails to get through and cause a change of modifier
then you know how to reach the old key.  Also it would be nice to prompt
every so often to "phone me with some extra modifier info":  thus even a
fully stolen system cannot be sustained unless you can compel permanent,
not one-off, compliance.  


DAVE BIRD,
2000/aug/08
My key fingerprint 2B0D 5195 337B A3E6 DDAC  BD38 7F2F FD8E 7391 F44F
My physical signature................. verifying I own the key
identified above.

''six''\============================================================


Proposed Response to RIP
Author: Damian Steer                 Date: Wed Aug 2
Introduction

http://www.shellac.freeserve.co.uk/ripbust.html
The RIP Bill, which passed into UK law recently, poses a threat to the
(supposed) privacy enjoyed by many internet users and also the security
of commercial transactions on the internet. This paper offers some
suggestions for how one might reasonably preserve privacy and security.
The particular threats from RIP that I deal with are 
· The interception of communications. 
· The requirement that individuals hand over keys to decrypt encrypted
communications. 
These threats can, I believe, be reduced using currently available
technologies. My proposals suggest a manner in which ISPs can aid
clients. 
The fundamental point in all which follows is that the ISP's servers
must be locate outside the UK. These methods are of no use if the server
can be monitored directly.

Secure Sockets Layer (SSL)_____________
SSL is a widely used technology which provides encrypted pipelines
between a client and server. It is most commonly used for web
communications where security is paramount, for example commercial
transactions. (It was been the case that browsers shipped outside the US
came with rather weak encryption, but this has now changed.) In addition
to this it provides authentication methods to ensure that the server is
indeed the server the client wants (and, optional, methods to verify the
clients identity). SSL works in the following way (I shall skip the
authentication details here, and much of the detail). The client A
wishes to connect to server B. B has a public and private key for
encryption and decryption respectively. B sends its public key to A. A
then creates a conventional key and sends it to B, encrypted with the
public key. A and B now share a conventional key, which they can use to
encrypt their communications. The conventional key is forgotten at the
end of the session.

This system achieves much that we require. Communications are encrypted,
and the user does not have the knowledge to decode these communications,
even if ordered.

However there are two potential problems. Firstly the server's private
key is all that is needed to decrypt the entire communication. Secondly
there is the question of what services can use SSL. In principle the
answer is 'any'. However, currently SSL is principally used for HTTP.
Some mail programs (e.g. Outlook Express and Netscape Mail) can use SSL.
However for better integration one really need to create an SSL 'tunnel'
to provide wider services, over a range of client software. Such tools
are rather scarce.

Secure Shell (SSH)_____________________________
SSH is very similar to SSL. Its main use is to provide secure
connections for telnet-style connections. It can, however, provide a
great deal more than this as we shall see.


SSH operates much as SSL does, though with a variation. Once again I
will skip much of the detail. In SSH a client A connects to a server B.
B has two key pairs. The first, X, is a key pair which never (or rarely)
changes. This (public) key is sent to A to provide authentication, in
part. A second key pair, Y, is temporary, and held in memory always.
This key is changed periodically, say every hour. B sends A Y as well. A
picks a (conventional) key and encrypts it to X and Y and sends this to
B. A and B now share a conventional key, to use for communication.
Immediately SSH scores over SSL in that, even if someone has the server
key, X, there is no way to recover the communications since Y has been
destroyed.

In addition SSH provides a way to tunnel arbitrary communications across
the encrypted pipe. SSH can 'join' a local port on the client to a port
on the host. So, for example, if port 110 on the localhost is connected
to 110 on the server then any mail client can connect to the localhost
and download mail via pop3 securely.

This capability is available for unix, windows and macintosh clients,
often with free software. SSH allows security for clients with, usually,
a minimal financial cost, since the SSH software is cheap, and the user
can continue to use their current software.

NOTE: ftp is slightly problematic, since it uses ports in a curious way.
This is not too hard to circumvent. One particular use of SSH would be
to set up a web proxy on a server, and have the user access this via
SSH. This would prevent monitoring of web browsing behavior.

Conclusion . Does this circumvent all the problems of RIP? Clearly not.
All it does is help establish secure communication to servers outside
the UK. This is, at least, a start. 

=====================END=OF=DOCUMENT================================


- --          .       ___                     .       
      '-|:::|@\-[x]/__/|              .-|:::|@\                    
        ||--|"" .  |__|/                ||--|"" .                   
          '-|:::|@\      (")"""-.         .-|:::|@\  --+--.(")"""-'         
            ||  |""       ||""|             ||  |""    '   ' |""|

DEMOCRACY: two wolves & a lamb     LIBERTY: a lamb with a kalashnikov
        voting what's for lunch     contesting  the  vote
          


-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBOZEbrn8v/Y5zkfRPEQJ/AwCgissUIHCqyp1RhcdJ3rxpO+kCvdAAoIBp
ApSce2xzshKYuMbVAbMTq7oN
=BWEX
-----END PGP SIGNATURE-----