Ben Laurie blathering

29 Aug 2006

Infinite Garble Extension

Filed under: Crypto,Security — Ben @ 22:26

I’ve just finished adding Infinite Garble Extension (IGE) mode for AES to OpenSSL.

IGE has the cute property that if you corrupt the ciphertext, then the plaintext is corrupted all the way from that point forwards – cryptographically corrupt, of course, so the plaintext is essentially unpredictable from the corruption forwards.

Why is this useful? One compelling reason is integrity checking. In order to be sure the received message is intact, I can simply append a block that is all zeroes. If, when I decrypt, the final block is not all zeroes, then I know the ciphertext has been tampered with. If it is all zeroes, then I know (to within a subatomic fraction) that the ciphertext is intact.

Another is Minx, a system for anonymising Internet traffic which defeats traffic marking attacks by making all packets valid, and all damage to packets comprehensive. Minx uses a variant on IGE, bi-directional IGE (biIGE), which spreads damage to the ciphertext over the whole plaintext. This is also implemented in OpenSSL.

I wrote a brief paper on OpenSSL’s implementation of IGE and biIGE modes. It includes test vectors.

Snapshots of OpenSSL 0.9.8 should include it, and the head will also have it shortly.
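An added worked example of the mode and of the zero-block check described above (example code, not OpenSSL's implementation or the paper's test vectors). AES is replaced by a toy 8-round Feistel permutation built from SHA-256, because the garble-propagation property comes from the chaining, not from the cipher; the key, IV and message are constructed, and the IV layout `c_0 || p_0` is this example's own convention.

```python
import hashlib

BLOCK = 16  # 128-bit blocks, the AES block size the post's mode operates on
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, r: int) -> bytes:
    # Keyed round function for the toy cipher: SHA-256 truncated to a half block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy Feistel permutation standing in for AES; NOT a real cipher."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, right, r))
    return right + left  # final swap


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    right, left = block[: BLOCK // 2], block[BLOCK // 2 :]  # undo the final swap
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, left, r)), left
    return left + right


def ige_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """IGE: c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}, with iv = c_0 || p_0 (this example's layout)."""
    if len(iv) != 2 * BLOCK or len(plaintext) % BLOCK:
        raise ValueError("iv must be two blocks; plaintext must be whole blocks")
    c_prev, p_prev = iv[:BLOCK], iv[BLOCK:]
    out = []
    for i in range(0, len(plaintext), BLOCK):
        p = plaintext[i : i + BLOCK]
        c = _xor(toy_encrypt_block(key, _xor(p, c_prev)), p_prev)
        out.append(c)
        c_prev, p_prev = c, p
    return b"".join(out)


def ige_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse: p_i = D(c_i ^ p_{i-1}) ^ c_{i-1}. A damaged c_i feeds every later p_j."""
    if len(iv) != 2 * BLOCK or len(ciphertext) % BLOCK:
        raise ValueError("iv must be two blocks; ciphertext must be whole blocks")
    c_prev, p_prev = iv[:BLOCK], iv[BLOCK:]
    out = []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i : i + BLOCK]
        p = _xor(toy_decrypt_block(key, _xor(c, p_prev)), c_prev)
        out.append(p)
        c_prev, p_prev = c, p
    return b"".join(out)


def seal(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Append the all-zero block the post uses as its integrity check, then encrypt."""
    return ige_encrypt(key, iv, msg + bytes(BLOCK))


def open_checked(key: bytes, iv: bytes, ct: bytes):
    """Decrypt; return the message only if the trailing block is still all zeros."""
    pt = ige_decrypt(key, iv, ct)
    if pt[-BLOCK:] != bytes(BLOCK):
        return None  # the garble reached the check block: ciphertext was damaged
    return pt[:-BLOCK]


def flip_bit(ct: bytes, block_index: int, bit: int = 0) -> bytes:
    """Corrupt one bit of one ciphertext block (simulated transmission damage)."""
    buf = bytearray(ct)
    buf[block_index * BLOCK] ^= 1 << bit
    return bytes(buf)


def garbled_blocks(key: bytes, iv: bytes, ct: bytes, expected_pt: bytes) -> list:
    """Indices of plaintext blocks that no longer match after decrypting ct."""
    pt = ige_decrypt(key, iv, ct)
    return [i for i in range(len(pt) // BLOCK)
            if pt[i * BLOCK:(i + 1) * BLOCK] != expected_pt[i * BLOCK:(i + 1) * BLOCK]]


# Constructed demo values (not the paper's test vectors).
KEY = bytes(range(16))
IV = bytes(range(32))
MSG = b"IGE garble demo ".ljust(4 * BLOCK, b"x")  # exactly four blocks


if __name__ == "__main__":
    ct = seal(KEY, IV, MSG)
    print("intact  ->", open_checked(KEY, IV, ct) == MSG)
    damaged = flip_bit(ct, 1)
    print("damaged ->", open_checked(KEY, IV, damaged))  # None
    print("garbled blocks:", garbled_blocks(KEY, IV, damaged, MSG + bytes(BLOCK)))  # [1, 2, 3, 4]
```

Flipping a single bit in ciphertext block 1 of the five-block output leaves block 0 intact and garbles blocks 1 to 4, so the zero check at the end fails; damaging the final block garbles it directly. The demo exercises accidental corruption as the post describes it; a current design would pair encryption with a MAC or use an authenticated mode rather than rely on a structural check alone.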

28 Aug 2006

Big Brother Comes to Firefox

Filed under: Crypto,Rants,Security — Ben @ 12:37

I’ve been wanting a Firefox plugin for PGP for ages now. So I was quite excited to hear about freenigma. For about one minute, that is, until I read this

Does freenigma send my mails to the freenigma server for encryption?

No. All mail is encrypted or decrypted directly in the webmail client (i.e. directly in the browser). But how does that work?! For the experts: when making an encryption request, the freenigma extension sends nothing more than the list of recipient addresses to the freenigma server. In response, it receives a random session key for symmetric encryption within the client as well as an asymmetrically encrypted session key for all the recipients. AES encryption is then performed within the client using the unencrypted session key. Then, the user script in the client combines the symmetrically encrypted mail text and the asymmetrically encrypted session key to create the OpenPGP binary format.

Oh dear. So freenigma can decrypt my mails (and anyone else they care to give the session key to). What’s more, it looks like they have your private key, too, so they can impersonate you.

They don’t say how you decrypt, but I presume the story will be described with the same disingenuousness: no, you don’t send your encrypted mail to the server, just send us the encrypted session key and we’ll decrypt that for you. How comforting. Not.

They’re also a bit strange generally…

Why doesn’t freenigma encrypt attachments yet? Because we would have to first send the file to our server in order to encrypt it. And from a security perspective, that isn’t a clean solution.

Eh? So why can they encrypt the message locally but not the attached file?

In addition, the separation of content and encryption is important because this is the only way to ensure that the data cannot be decrypted by an unauthorised third party.

Hang on – but that’s exactly what you haven’t done. The data can be decrypted by unauthorised third parties. These guys either don’t get it or they’re deliberately dissembling. Neither indicates someone you should trust with your crypto.

In short, this is not an extension I’ll be installing.

So now we need a Firefox extension that does this properly, more than ever. If someone wants to do it, I’d be more than happy to help. I even have a C library to do the PGP stuff (OpenPGP:SDK). Any volunteers?

25 Aug 2006

Official: Californian Wine is Better than French

Filed under: Food — Ben @ 16:05

I’ve long thought French wine was overrated. It’s gratifying to know that wine-tasters agree. A rematch of the 1976 Judgement of Paris once again had the Californian wines on top. Even more gratifying that the first-placed red was made by my favourite winemaker – Ridge.

ID Cards Help Paedophiles

Filed under: Civil Liberties,Identity Management — Ben @ 10:25

Well, I don’t know if they actually do, but since the government and the police are happy to make such claims on the flimsiest evidence, I’m following suit. And here’s my evidence. Kim Cameron blogs about an article he read in the Sydney Morning Herald

the Child Support Agency had 405 privacy breaches in nine months – two of which required mothers and their children to be relocated at taxpayers’ expense.

There ya go. What could be clearer? Now all I need is to find “proof” they help terrorists.

On a more serious note

Smartcard Privacy Taskforce head Allan Fels said the breaches highlighted why data on the proposed new card should be kept to a minimum.

I have nothing to add to that.

24 Aug 2006

Attribute Management

Filed under: Identity Management — Ben @ 7:05

Someone called “Steve” commented on an earlier post

By accepting the term “identity management” you’re already conceding too much. Think anonymous “rights management” or “capability management” instead. There’s a body of security literature on “ticket-based” systems in which a user’s right to do something can be verified securely without knowing the identity of the user. That should be the starting point. I would be opposed to a National Identity Card, but perhaps a ‘Nonymous Authorization Card would be A Good Thing — got the NAC?

The incorrectness of the term “identity management” is something that’s been nagging at me for a while. It gives entirely the wrong message – though what we’re really interested in is not exactly what Steve suggests. I think I prefer the term “attribute management”, because it isn’t just about authorisation, it’s about managing information about yourself.

But I’d be happy to hear other suggestions.

An Anonymous Authorization Card is exactly what should be used instead of an identity card. He’s spot on on that point.

22 Aug 2006

The Great Firewall of China

Filed under: Civil Liberties — Ben @ 12:08

Catching up with my email after being out and about for a while, I came across this article by the Open Rights Group

Microsoft, Yahoo! and Google are each singled out for criticism in the report. Although they have defended themselves by claiming China’s laws force them to censor internet material, it is significant that none of the companies has been willing or able to precisely specify which laws or legal processes oblige this censorship.

This rather missed the point. As my friend Richard Clayton (and many others, but I’m familiar with his paper) has documented, the firewall filters based on keywords, so search engines either comply with the filtering rules or get blocked. The firewall itself is obviously run by the government, who choose the keywords, so to that extent it is Chinese laws that force compliance with censorship.

In any case, I’m generally struggling with the concept that some kinds of censorship are OK when others are not. No-one seems to mind that Yahoo!, for example, complied with France’s demand that it not allow the sale of Nazi memorabilia. Similarly the UK’s rules on “hate speech” disallow certain topics; but that, apparently, is hunky dory. It seems to me that all censorship is to be despised, so why pick on China in particular?

There is also this important question: are the citizens of China better served by a censored search engine or no search engine at all? Keyword-based filtering is well known to be far from perfect, so presumably the average Chinese citizen can easily figure ways around it. Furthermore, all they need is a good proxy and they can easily get at the uncensored versions of the ‘net available in the rest of the world.

(Declaration of interest: I am a director of the Open Rights Group and an employee of Google).

17 Aug 2006

The Great Firewall of Europe?

Filed under: Civil Liberties,Rants,Security — Ben @ 14:23

Once more I am amazed by the complete bollocks floating around in the wake of last week’s terrorist alert.

Franco Frattini, apparently the vice-president of the EU, said

… that the internet should be made a “hostile environment” for terrorists. “I think it’s very important to explore further possibilities of blocking websites that incite to commit terrorist actions”

The Guardian’s Alan Travis goes one further and invents some new laws, just for fun

A new legal framework is to be developed by June to ensure that illegal material such as manuals or instructions for homemade explosives or bombs are removed from the internet [his lower case].

Right, because Al-Qaida will helpfully publish their manuals in Europe where you can get them shut down. Or are they really suggesting the Great Firewall of Europe? Oh yeah, don’t forget that chemistry books are illegal – you did know that, right?

Also, apparently, EU interior ministers are considering

… introducing positive profiling of air passengers based on biometrics rather than ethnic background.

What does this mean? They’ll test my DNA for terrorist tendencies? Phrenology? Read the lines in my hands? Should I expect a huge recruiting drive for people called Gypsy Rose Lee?

What it means, of course, is they’ll figure out whether you’re bad by knowing who you are. Ooo, cunning plan. And this involves biometrics because, well, passports are so 20th century. And because we all know that biometrics will be The Solution To The Terrorist Problem, and here’s further proof. Please ignore the fact that every terrorist on a plane had ID when they boarded, that’s entirely immaterial.

15 Aug 2006

Identity Isn’t Just Identity Management, Anonymity Isn’t Privacy

Filed under: Anonymity/Privacy,Crypto,Identity Management — Ben @ 12:32

There’s been more comment on identity management and anonymity. It seems there are two points that are commonly overlooked or ignored.

Firstly, when I say anonymity should be the substrate I am not just talking about the behaviour of identity management systems, I also mean that the network itself must support anonymity. For example, currently, wherever you go you reveal your IP address. Any information you give away can be correlated via that address. People sometimes argue that this isn’t true where you have a dynamic address, but in practice that isn’t the case: most dynamic addresses change rarely, if ever – certainly they tend not to change unless you go offline, and the rise of always-on broadband makes this increasingly unusual. Even if the address does change occasionally, you only need to reveal enough information in the two sessions to link them together and then you are back to being correlated again.

Secondly, people seem to think that privacy is an adequate substitute for anonymity. I don’t believe this: privacy is all about voluntarily not linking stuff you could link. Anonymity is about making such linking impossible. Microsoft’s Cardspace claims to provide anonymity where, in fact, it is providing privacy. Stefan Brands comes close with his selective disclosure certificates, but they are still linkable, sadly. These systems only provide privacy if people agree to not make the links they could make. Anonymity provides privacy regardless of people’s attempts to undermine it. That’s why you need to have anonymity as your bottom layer, on which you build whatever level of privacy you can sustain; remember that until physical onion routing becomes commonplace you give the game away as soon as you order physical goods online, and there are many other ways to make yourself linkable.
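An added example (not from the post) of the linking argument in both paragraphs: a union-find over constructed session records that links any two sessions sharing a revealed value, whether the IP address or something the visitor typed in. Passing `ignore=("ip",)` models an anonymous network layer, so the same run shows how much linkage the address alone contributes and how much survives from what was voluntarily revealed. The session records are constructed for the demo.

```python
from collections import defaultdict

# Constructed session records (not real logs): what a site could record per visit.
# (session_id, pseudonym chosen by the visitor, other attributes revealed in that session)
SESSIONS = [
    ("s1", "alice42",  {"ip": "203.0.113.7"}),
    ("s2", "bookworm", {"ip": "203.0.113.7"}),              # new name, same address as s1
    ("s3", "bookworm", {"ip": "198.51.100.9",
                        "email": "b@example.org"}),         # address changed, name kept
    ("s4", "anon_x",   {"ip": "198.51.100.9"}),             # new name, but shares s3's address
    ("s5", "lurker",   {"ip": "192.0.2.33"}),               # shares nothing: stays unlinked
    ("s6", "newname",  {"email": "b@example.org"}),         # new address, but same email as s3
]


def link_sessions(sessions, ignore=()):
    """Union-find over sessions: two sessions are linked when they share any
    attribute value (the pseudonym counts as one). Attribute kinds in `ignore`
    are treated as unobservable, e.g. ignore=("ip",) models an anonymous network.
    Returns the pseudonym clusters an observer could collapse into one person."""
    parent = {sid: sid for sid, _, _ in sessions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the trees shallow
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # (kind, value) -> session that first revealed it
    for sid, name, attrs in sessions:
        for kind, value in [("name", name), *attrs.items()]:
            if kind in ignore:
                continue
            if (kind, value) in first_seen:
                union(sid, first_seen[(kind, value)])
            else:
                first_seen[(kind, value)] = sid

    clusters = defaultdict(set)
    for sid, name, _ in sessions:
        clusters[find(sid)].add(name)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    print("IP visible:", link_sessions(SESSIONS))
    print("IP hidden: ", link_sessions(SESSIONS, ignore=("ip",)))
```

With the address visible, four of the five pseudonyms collapse into one cluster even though the address changed once in the middle: the two addresses are bridged by the reused name, and the last session is pulled in by the email. With the address hidden, only the links the visitor created by reusing a name or an email remain, which is the point of wanting anonymity underneath and privacy on top.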

13 Aug 2006

Anonymity is the Substrate

Filed under: Anonymity/Privacy,Identity Management,Rants — Ben @ 12:09

Kim Cameron’s blog draws my attention to a couple of articles on anonymity. The first argues for anonymity to be the default. The second misses the point and claims that wanting anonymity to be the default makes it a binary thing, whereas identity is a spectrum.

But the point is this: unless you have anonymity as your default state, you don’t get to choose where on that spectrum you lie.

Eric Norlin says

Further, every “user-centric” system I know of doesn’t seek to make “identity” a default, so much as it seeks to make “choice” (including the choice of anonymity) a default.

as if identity management systems were the only way you are identified and tracked on the ‘net. But that’s the problem: the choices we make for identity management don’t control what information is gathered about us unless we are completely anonymous apart from what we choose to reveal.

Unless anonymity is the substrate, choice in identity management gets us nowhere. This is why I am not happy with any existing identity management proposal – none of them even attempt to give you anonymity as the substrate.

2 Aug 2006

Physical Onion Routing

One of the recurring themes in my musings about identity management is my desire for unlinkability – if every transaction (in the broadest sense of that word) is independent of every other then it makes it difficult (I’d like to say impossible, but I’m a cynic) for anyone to build up a picture about you (for whatever value of “you” you’d like to choose).

But the thing that drives a coach and horses through this worthy goal is physical goods. All too often you end up wanting something delivered – a book, a CD, beer – and it has to go to somewhere linkable to you.

So, it occurred to me that you could arrange the physical equivalent of onion routing. Choose a friend, encrypt your address with his public key. Then choose another and encrypt friend one’s address and your encrypted address with his key, and a third and encrypt the second’s address, friend one’s encrypted address and your doubly-encrypted address to him. Give your provider of goods the third’s address and the encrypted package.

The provider then wraps your parcel up three times. On the outside of the third wrapper he puts the address of the third friend and the encrypted package. When it arrives at friend three, he decrypts the package, getting friend two’s address and a new encrypted package, which he then applies to the outside of the parcel and sends it on. Friends two and one repeat the process, and the parcel arrives at your house; no-one knows both where it came from and who it went to. Yes, friend one knows you got something, but has no idea where it came from. Friend three knows where it came from but not who it went to, and friend two separates them.

Any volunteers?
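An added simulation of the wrapping and peeling described above (example code, not from the post). Each friend's public key is stood in for by a secret key only that friend holds, driving a toy XOR stream cipher; the post intends real public-key encryption such as OpenPGP, and the names, keys and addresses are constructed. `build_onion` does the three nested encryptions, `peel` is what one friend does on receipt, and `deliver` walks the parcel through the chain and records what each hop saw.

```python
import hashlib
import json

# Constructed demo keys. Each friend's public key is STOOD IN FOR by a secret
# key only that friend holds; a real deployment would use public-key encryption.
FRIEND_KEYS = {
    "friend1": b"key-of-friend-one",
    "friend2": b"key-of-friend-two",
    "friend3": b"key-of-friend-three",
}
ADDRESSES = {
    "friend1": "1 First St",
    "friend2": "2 Second Ave",
    "friend3": "3 Third Rd",
}
MY_ADDRESS = "42 Home Lane"


def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_to(who: str, data: bytes) -> bytes:
    """Toy stand-in for 'encrypt with this friend's public key'."""
    return bytes(a ^ b for a, b in zip(data, _keystream(FRIEND_KEYS[who], len(data))))


decrypt_as = encrypt_to  # XOR stream: the same operation in both directions


def build_onion(route: list, destination: str) -> tuple:
    """route lists the friends nearest-to-you first, e.g. [friend1, friend2, friend3].
    Returns (address to give the provider, encrypted package to ship with the parcel)."""
    package = b""
    next_addr = destination
    for friend in route:  # innermost layer first, as the post builds it
        layer = {"next": next_addr, "package": package.hex()}
        package = encrypt_to(friend, json.dumps(layer).encode())
        next_addr = ADDRESSES[friend]
    return next_addr, package


def peel(friend: str, package: bytes):
    """What one friend learns from the package on the parcel: the next address and
    the package to re-attach. Returns None if the package was not encrypted to them."""
    try:
        layer = json.loads(decrypt_as(friend, package).decode("utf-8"))
        return layer["next"], bytes.fromhex(layer["package"])
    except (UnicodeDecodeError, ValueError, KeyError, TypeError):
        return None


def deliver(first_addr: str, package: bytes) -> tuple:
    """Simulate the parcel's trip. Returns (final address, list of
    (hop name, address that hop forwarded to))."""
    who_at = {addr: name for name, addr in ADDRESSES.items()}
    addr, hops = first_addr, []
    while package:  # an empty package means the parcel has reached its destination
        name = who_at[addr]
        result = peel(name, package)
        if result is None:
            raise RuntimeError(f"{name} could not open the package")
        addr, package = result
        hops.append((name, addr))
    return addr, hops


if __name__ == "__main__":
    route = ["friend1", "friend2", "friend3"]
    first_hop, pkg = build_onion(route, MY_ADDRESS)
    print("provider ships to:", first_hop)
    print(deliver(first_hop, pkg))
```

Each hop only ever sees the address it forwards to and an opaque inner package: friend three forwards to friend two, friend two to friend one, and friend one to the destination, so the provider's address and the final address never appear in the same hop's view. Trying to peel the outer package with friend two's key returns `None`, which is what keeps friend three's layer private to friend three.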

1 Aug 2006

Comparing Apples and Apples: Microsoft and Google Authentication

Filed under: Identity Management — Ben @ 15:17

The end result of the blog deathmatch between me, Kim, Eric and Dick was a deathly silence on what I consider to be the core issue.

OK, it’s nice that Microsoft are developing identity management software that might not suck (but remember, it still doesn’t satisfy my Laws of Identity) but the question that’s being posed about Google applies equally to Microsoft, and, indeed, anyone else with an identity silo.

So, here’s the question: is Microsoft going to accept third party authentication for access to Microsoft properties?

How about it, Kim?
