Today at the Chaos Computing Congress, a group of researchers (Alex Sotirov, Marc Stevens, Jake Appelbaum, Arjen Lenstra, Benne de Weger, and David Molnar) announced that they have found a way to forge website certificates that will be accepted as valid by most browsers. This means that they can successfully impersonate any website, even for secure connections.

This is a big deal. But as Ed explains, it is based on an making worse a known weakness in the “MD5 with RSA” hashing algorithm. It can be fixed by having Equifax, which uses this now shown-to-be-insecure hast, replace the hash with something better. And having Equifax (and anyone else using it) revoking all existing certs based on this now vulnerable hash. (Which will cause a new wave of people ignoring security warnings…)

And, as Ed wisely notes,

… this is a sobering reminder that the certification process that underlies web site authentication —- a mechanism we all rely upon daily —- is far from bulletproof.

I’d need to know a lot more to form a view of how accurate these claims (by “anonymous” no less) are. Might be nothing to it.

I mention it because it’s an interesting issue, and one that’s sure to come up again elsewhere, in similar guises.

I can see how if parties are communicating by encrypted email (or otherwise) with someone known or suspected to be a member of a gang, then by ordinary principles of traffic analysis, police might decide they were worth knowing more about. The use of encryption on stored data, however, does not by itself suggest people are anything other than prudent.

SmartWater is a liquid with a unique identifier linked to a particular owner. “The idea is for me to paint this stuff on my valuables as proof of ownership,” I wrote when I first learned about the idea. “I think a better idea would be for me to paint it on your valuables, and then call the police.”

Really, we can’t help it.

This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work.

It’s fun and you should read the whole thing.

But it’s also a bit frustrating — because Bruce restricts his discussion to how engineers think. To me, what he is describing is a big part of “thinking like a lawyer”. And when Bruce asks whether this sort of demented worldview, one in which you shake things to see how they break, can be taught, I think, “Hell, yes: I’ve been doing it for years.”

Most lawyers don’t have the math to be a cryptographer or the technical chops to do security analysis of a complex program. But good lawyers — whether transactional or litigation oriented — do have a “security mindset”: A big part of learning to ‘think like a lawyer’ is learning again and again how things broke. That equips you to try to build things that won’t break (or at least won’t break in old ways); it also trains you how to break them.

Bravo to Stefan.

You can use their encryption key — which means it’s recoverable: they have a backdoor if you loose lose it, or if someone else turns up with a subpoena — or you can grow your own.

I chose the latter. Which produced this great warning pop-up:

I understand that if I ever lose this key, that neither I nor MozyHome will be able to decrypt my data and I will be hosed.

I clicked “yes”.

(Only later did I find out that Mozy will only backup files resident on a fixed disk. I wanted to back up my USB drive. Oh well. At least I got a laugh.)

Although the article does a great job of describing some recent cases and issues, the academic in me wishes that every time anyone writes about this stuff they’d have the space and time to provide what I see as some critical context for the debate as to when a person can be forced to hand over the key to a cryptosystem.

There are plenty of technical issues here (what happens if you really have forgotten your password? or if someone has put random gunk on your hard drive, making it look like there’s crypto there?), but even more important fundamental ones. In particular, the current debate over the extent to which the 5th Amendment protects encrypted messages matters so much because our understanding of the 4th Amendment has changed. A hundred years ago, the Supreme Court thought it was obvious that asking a person to turn over his private papers was a constitutional violation. Even 30 years ago the Court thought that the 4th Amendment protected some zone of private papers such as a diary from demands that they be turned over. (Note that there can be an important difference between finding something in a search and demanding that the subject of the search find it for you.) Today, although the Supreme Court has never actually decided the diary issue, it’s pretty clear that no other writing — and probably not the diary either — is protected from such demands.

It’s the evisceration of the 4th that puts such pressure on the 5th. It may be that as a society we really don’t want to allow any zone of privacy beyond what you can keep in your head. But as devices record more of our lives, and as we rely increasingly on what some of us only half-jokingly call our prosthetic memories, I think that it is increasingly unrealistic to exclude at least some bits from the intimate zone of privacy if we wish to remain true to the purposes of the 5th (and 4th) Amendments.

So pay attention to Ross Anderson’s UK Crypto Export Duplicity:

Officials promptly did an end-run around this by making regulations to pass into UK law an EU regulation controlling the export of dual-use intangibles (reg 1334/2000), thus in effect defeating the will of parliament with a classic piece of policy laundering. We argued repeatedly at the time that the introduction of such regulations would criminalise many academics - for example if I put a remark on our security mailing list about cryptanalysis and it goes to George at Microsoft via Redmond - and also criminalise many software developers, who use algorithms such as AES much like duct tape. A government peer told me, “Look, dear boy, you can never get laws to fit the boundaries exactly - just trust us and keep proper records.” Officials said that they had no plans whatsoever to use export control laws against academics.

…

Earlier this year I was invited to a meeting at DTI along with folks from the Royal Society and UUK. The officials gleefully announced that they’d realised that academics weren’t using the export control procedures and asked our opinion about how we could help them `raise awareness’ and `market’ their services. I reminded them that they’d promised not to. They denied this to my face. They also claimed that it had always been illegal to export intangibles and that the Act had made no difference. I reminded them that until the Export Control Act was passed they had no sanctions available against someone who exported crypto electronically, as the Export of Goods (Control) Order on which they’d previously relied applied only to physical goods. In fact the whole Act was justified to parliament by this arguement. They denied this to my face - even though I’d sat through the debate in the Lords, in the opposition experts’ box.

A federal judge in Vermont has ruled that prosecutors can’t force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase.

U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.

Niedermeier tossed out a grand jury’s subpoena that directed Sebastien Boucher to provide “any passwords” used with his Alienware laptop. “Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him,” the judge wrote in an order dated November 29 that went unnoticed until this week. “Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop.”

Full text of the decision in In Re Boucher, 2007 WL 4246473 (D. Vermont, Nov. 29, 2009).

Long ago I wrote a lot about encryption keys, and touched on this issue. You can read the articles at The Metaphor is the Key: Cryptography, the Clipper Chip and the Constitution, 143 U. Penn. L. Rev. 709 (1995) and especially It Came From Planet Clipper, 1996 U. Chi. L. Forum 15.

The heart of the argument is that things in your head are not like objects in your possession: the core value of the Fifth Amendment is that you can’t be made to speak in ways that indicate your guilt. Giving up a passphrase to an encrypted message ties you to the encrypted information; if the info is, say, child porn, it creates a very strong inference that you knew what the data were and that you possessed them (there are exceptions, including email some else sent to you that is decryptable with you private key, but ignore those scenarios for now).

Other people, notably the redoubtable Orin Kerr, who argue that there is no Fifth Amendment issue here tend to focus on the analogy of possession of a physical key to a physical lock. The law is pretty clear that you can’t stop the cops from taking a physical key on the grounds that the stuff inside that safe will tend to incriminate you.

But the law is also clear that the Fifth Amendment protects you from having to make an oral or written disclosure which is “testimonial” – that, is, whose content might tend to tie you to crime. (Note that “content” means “informational content” – you can be forced to give a meaningless writing sample for handwriting comparison purposes.) This is why the cops are not able to force suspects to take them to the dead body.

It seems to me that the pure compelled disclosure case is not that hard, and that this Magistrate Judge got it right. Note, however, that this decision, emanating from the lowest-level official in the federal court system, is not precedential for other courts; and since it is pretty brief its persuasive power may not be all that great either.

Nor do I think that making a defendant decrypt something without divulging the key would in any way solve the problem, as it still ties the defendant to the content.

The hard case for me would be if the police provided limited “use immunity”: they would promise not to make the fact that your key decrypted the info any part of the prosecution. Thus, for example, the indictment would just say the information was on your hard drive, without mentioning that you had the only key to decrypt it. I think, given the current state of doctrine, that courts might well hold this to be consistent with the Fifth Amendment, making the underlying provision little more than a fairly cumbersome technicality. Doctrinally, that is not such a hard result to foresee, but it is not as simple to explain why this would apply to a coded message and not a dead body.

The flip side of the hard case is when the government provides use immunity and the suspect/defendant claims he doesn’t know or has forgotten the passphrase. Then what?

In fact, I do have one ancient PGP key for which I seem to have forgotten the passphrase, so I know it can happen. But in most cases the police are likely to view this sort of memory malfunction as unduly convenient.