COMSEC: February 2008 Archives


February 27, 2008

C. Jennings, B. Lowekamp, E. Rescorla, J. Rosenberg, S. Baset, H. Schulzrinne, REsource LOcation And Discovery (RELOAD), draft-bryan-p2psip-reload-03.txt.

D. McGrew, E. Rescorla, Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time Transport Protocol (SRTP), draft-ietf-avt-dtls-srtp-02.txt.

J. Fischl, H. Tschofenig, E. Rescorla, Framework for Establishing an SRTP Security Context using DTLS, draft-ietf-sip-dtls-srtp-framework-01.txt.

E. Rescorla, Keying Material Extractors for Transport Layer Security (TLS), draft-ietf-tls-extractor-01.txt.

T. Dierks, E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.2, draft-ietf-tls-rfc4346-bis-09.txt.

One of the first rules of crypto is that if there's a crypto primitive that's possible to build, no matter how stupid, someone will eventually build it. Nothing wrong with that—that's what cryptographers are supposed to do. But just because something is possible doesn't mean it's useful. Case in point, identity-based signatures. You may have heard of Identity-Based Encryption, in which the public key and private key are derived from your identity (e.g., your email address). Anyone can compute the public key, but you need to get the private key from a key generating authority (KGA) which serves a similar role to the CA in a PKI system. The value proposition here is that you don't need a copy of someone's certificate in order to encrypt a message to them—you can compute their public key knowing only their identity (and which KGA they use). More on this here. This means that there's no need for a certificate directory, which has historically been one of the inconvenient parts of PKI.

Unsurprisingly, IBE has a signature variant, known as Identity-Based Signatures. The basic concept here is the same: the public key is derived from your identity and you get your private key from the KGA. The value proposition is the same too: anyone can verify your signature without having your certificate. The problem is that it doesn't really add much value. In a PKI system, when you send a signed message you send (Message, Signature, Certificate). In an IBS system, you send (Message, Signature, Identity). Otherwise, the data flow is the same. Basically, IBS is just a fancy (OK, really fancy) way of compressing the signer's certificate. [1]

So, why am I going on about this? Someone just suggested using IBA in the IETF SIP WG (draft here, mailing list discussion here, starting with my review).

1. Indeed, as Hovav Shacham pointed out to me, the difference between an ordinary PKI system and an IBS system is to some extent a matter of semantics. Think of the certificate as part of the signature and certificate verification as part of the signature verification. It's true that the signature isn't deterministic, but then plenty of signature schemes (e.g., DSA) aren't.
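The footnote's reframing, as an added example that is not from the original post: a toy PKI built on Lamport one-time signatures (chosen only because it needs nothing beyond SHA-256; real deployments use RSA/ECDSA, and real IBS uses pairings) in which the certificate is folded into the signature, so the verifier consumes (Message, Signature, Identity) exactly as an IBS verifier would. The identity strings and message are constructed sample values.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def msg_bits(msg: bytes):
    # The 256 bits of SHA-256(msg), most significant bit first.
    digest = int.from_bytes(H(msg), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]

def lamport_keygen():
    # Lamport one-time signatures: each key pair must sign exactly one message.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes):
    # Reveal, for each message bit, the preimage matching that bit.
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))

def encode_pk(pk) -> bytes:
    return b"".join(y0 + y1 for y0, y1 in pk)

def issue_cert(ca_sk, identity: str, pk):
    # A minimal "certificate": the CA (playing the KGA's role) binds identity to pk.
    return (identity, pk, lamport_sign(ca_sk, identity.encode() + encode_pk(pk)))

def compound_sign(sk, cert, msg: bytes):
    # The IBS-style view: the certificate rides along as part of the signature,
    # so what goes on the wire is (Message, CompoundSignature, Identity).
    return (lamport_sign(sk, msg), cert)

def compound_verify(ca_pk, identity: str, msg: bytes, compound_sig) -> bool:
    sig, (cert_id, pk, ca_sig) = compound_sig
    if cert_id != identity:
        return False
    # Certificate verification is now just one step of signature verification.
    if not lamport_verify(ca_pk, cert_id.encode() + encode_pk(pk), ca_sig):
        return False
    return lamport_verify(pk, msg, sig)
```

The verifier holds only the CA's public key and the claimed identity, the same inputs an IBS verifier has (KGA parameters plus identity); the ~16 KB certificate inside the compound signature is what IBS compresses away.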


February 20, 2008

Cayman bank Julius Baer Bank and Trust has convinced a federal judge to shut down DNS service for
On Friday, Judge Jeffrey S. White of Federal District Court in San Francisco granted a permanent injunction ordering Dynadot, the site's domain name registrar, to disable the domain name. The order had the effect of locking the front door to the site -- a largely ineffectual action that kept back doors to the site, and several copies of it, available to sophisticated Web users who knew where to look.

Domain registrars like Dynadot, and GoDaddy .com provide domain names -- the Web addresses users type into browsers -- to Web site operators for a monthly fee. Judge White ordered Dynadot to disable the address and "lock" it to prevent the organization from transferring the name to another registrar.

The feebleness of the action suggests that the bank, and the judge, did not understand how the domain system works, or how quickly Web communities will move to counter actions they see as hostile to free speech online.

The site itself could still be accessed at its Internet Protocol address ( -- the unique number that specifies a Web site's location on the Internet. Wikileaks also maintained "mirror sites," or copies usually produced to ensure against failures and this kind of legal action. Some sites were registered in Belgium (, Germany ( and the Christmas Islands ( through domain registrars other than Dynadot, and so were not affected by the injunction.

There's also a mirror at cryptome.

For those of you who don't know how this all works, there are registries, who actually run the top-level domain (.org in this case), and then there are registrars, who actually deal with the customers. Any given top-level domain typically has multiple registrars that service it, all of whom populate the same database, operated by the registry. So, the locking thing stops Wikileaks from transferring their domain to another registrar who would then reactivate it.

OK, so this order controls the registrar. But can Wikileaks just go to the registry and get them to move it to some other registrar, locking notwithstanding? In this case, Wikileaks is under .org, which is run by the Public Interest Registry. Operationally, the PIR is run by Afilias. Both of these are based in the US, so presumably the injunction could be expanded to include them as well. On the other hand, as the article notes, there are plenty of registries with no US connection, and the only way for a US judge to take down the domains under them would be to go after ICANN, which, despite complaints about the US running the DNS, seems pretty unlikely.

As you may be gathering at this point, this is all pretty pointless. It's basically impossible to censor stuff like this once it gets out. We're seeing the first level of countermeasure here, but even if by some miracle the judge managed to shut down every domain name serving the contraband material (and the decision loop for spreading new domain names is a lot faster than your average judge's decision-making process), people can just move to IP addresses published by some other means (like other people's web sites). And there are about three levels of escalation up from there, all of which are progressively harder to censor.

It will be interesting to see if JBBT goes after, though.


February 16, 2008

The EFF has obtained a document under FOIA describing an incident in which an email provider that was served with an NSL for some email communications accidentally sent far too much information to the FBI:
In late February 2006, a surge in data being collected by the FBI's Engineering Research Facility (ERF) was identified by ERF personnel. As a result ERF investigated the issue and recognized that the collection tools used to collect email communication from the subject of the investigation were improperly set and appeared to be collecting data from the entire email domain. Due to an apparent miscommunication, the private internet provider accidentally collected mail from the entire domain and subsequently conveyed the email to ERF.
(NYT story here).

I'm sort of curious what kind of tools the ISPs are using here. You certainly can reconfigure your mailer to forward copies of emails to certain addresses to somewhere else, though mail going out is a little trickier. In any case, I'd be a little surprised if the FBI expected something quite so DIY. Maybe when they send you an NSL it comes with a pamphlet telling you how to reconfigure Outlook.

Apparently, this happens reasonably often. The FBI calls it "overproduction":

A report in 2006 by the Justice Department inspector general found more than 100 violations of federal wiretap law in the two prior years by the Federal Bureau of Investigation, many of them considered technical and inadvertent.


In the warrantless wiretapping program approved by President Bush after the Sept. 11 terrorist attacks, technical errors led officials at the National Security Agency on some occasions to monitor communications entirely within the United States -- in apparent violation of the program's protocols -- because communications problems made it difficult to tell initially whether the targets were in the country or not.

Past violations by the government have also included continuing a wiretap for days or weeks beyond what was authorized by a court, or seeking records beyond what were authorized. The 2006 case appears to be a particularly egregious example of what intelligence officials refer to as "overproduction" -- in which a telecommunications provider gives the government more data than it was ordered to provide.

The problem of overproduction is particularly common, F.B.I. officials said. In testimony before Congress in March 2007 regarding abuses of national security letters, Valerie E. Caproni, the bureau's general counsel, said that in one small sample, 10 out of 20 violations were a result of "third-party error," in which a private company "provided the F.B.I. information we did not seek."

To quote Broken Arrow, "I don't know what's scarier, losing a nuclear weapon or that it happens so often there's actually a term for it." Outstanding!


February 15, 2008

Now that the House has at least temporarily refused to pass the extension of the administration's warrantless wiretapping power, there's a lot of talk about how it's destroying the security of America. For instance, here's President Bush:
"Our intelligence professionals are working day and night to keep us safe," Mr. Bush said, "and they're waiting to see whether Congress will give them the tools they need to succeed or tie their hands by failing to act."

Obviously this could be true, but we have no way to tell whether it is or not because from the beginning the Bush Administration has kept pretty much all the details about the program, including whether it's done anything useful, secret, even from Congress:

(CBS/AP) With legislation that would legalize President Bush's eavesdropping program entangled in a battle over the side issue of corporate immunity, the White House sought to move the process forward by acceding to requests from the Senate Judiciary Committee to view classified documents its members have long demanded.

However, the White House continued to draw a line between Senators and House members.

Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., had demanded that other members of the panel have the same access to the same documents before he considers giving immunity to telecommunications companies that may have tapped Americans' telephones and computers without court approval. The measure is an amendment in the Senate's version of the bill rewriting the Foreign Intelligence Surveillance Act (or FISA).

White House Counsel Fred Fielding had offered to let Chairman Patrick Leahy and ranking Republican Arlen Specter see documents that might persuade them to include liability protection for telephone companies, but initially only to them.

Later Thursday, the White House agreed to expand the documents' distribution.

I'm not saying that this program isn't essential. The problem is that we have no way of knowing, because the administration has deliberately denied the public the information it would need to assess what the program is and how and whether it works. We're told that that information is classified, and it's strongly implied that if we did have the information we would agree that it was important.

Again, that could be true, but I remember back in the 90s when the debates over cryptography export controls were going on and we were told almost exactly the same thing, namely that wiretapping was really important and that if we could just see the classified information we would be in favor of keeping the controls. There was widespread skepticism about these claims on the not entirely implausible theory that the NSA might not be entirely objective about the tradeoffs between their desire to listen in on everyone's communications and people's desire to keep them private, and that just maybe it was a lot easier for them to make their case if, you know, the public didn't know anything. Anyway, when the NRC committee studying crypto policy investigated these claims, they concluded that:

This unclassified report does not have a classified annex, nor is there a classified version of it. After receiving a number of classified briefings on material relevant to the subject of this study, the fully cleared members of the committee (13 out of the total of 16) agree that these details, while necessarily important to policy makers who need to decide tomorrow what to do in a specific case, are not particularly relevant to the larger issues of why policy has the shape and texture that it does today nor to the general outline of how technology will and policy should evolve in the future.

The basic problem here, as with the cryptography issue, is that there's a conflict of interest when the people who favor some particular policy also control the supply of information about the merits of that policy—they have a natural incentive to characterize the evidence in the way most favorable to their position. This is of course natural, but it should make you pretty suspicious when you're told that you can't have the information you would need to make an informed decision.