Implications of a common private keys directory in 2.1

Carola Grunwald caro at nymph.paranoici.org
Thu Nov 24 00:09:16 CET 2016


Andrew Gallagher <andrewg at andrewg.com> wrote:
>On 23/11/16 17:54, Carola Grunwald wrote:
>> Andrew Gallagher <andrewg at andrewg.com> wrote:
>> 
>>> If you are worried about an attacker on the wire doing statistical
>>> analysis of your message sizes and patterns of use, you will
>>> probably have to go the whole hog and transport over Tor. And even
>>> that is no panacea.
>> 
>> Not real-time Tor but remailers providing latency. You got it.
>
>Aha, this is the subtlety I was missing. Yes, this sounds like an
>interesting project.
>
>I still don't understand what you gain from per-user keys though.

When you deal with pseudonymity you have to avoid similarities of your
aliases. So the WME keys they use to secure their messages have to be
different.

Going into details there are several scenarios where WME can help
protect privacy. One of them is easy to explain.

Think of two partners who strive for absolutely hidden communication
though they know about their identity. Alice's ordinary mail client
sends a standard mail message to her proxy server, where it gets PGP
encoded. That makes up the body of the WME message, to which only a To:
header containing the destination's pure address, and possibly a hashcash
token and further dummy headers to get past spam filters, are added. This
message is now converted into a remailer message and sent through Tor to
the entry remailer. When Bob's counterpart receives the message it
decrypts it, checks the signature, adds a header about its status on
top of the net message, and forwards it to his mail client.

With Tor involved, for an adversary it's very hard, if not impossible, to
detect that Alice sent mail. Concerning Bob, he can only see that a
remailer message with a single PGP block including no key-ID arrives
from nowhere.

In case Bob also has to hide that he receives any messages he has to use
a pseudonymous remailer through Tor.

If now both only know their addresses at pseudonymous remailers,
individual anonymity is secured in all directions. And that's where you
really need individual WME keys, each reflecting the holder's address at
the respective nym server.

>
>>> And if we are only encrypting the content of the mail, then it
>>> provides less security than TLS, which encrypts everything from
>>> the handshake onwards.
>> 
>> I'm talking about Whole Message Encryption including the complete
>> header section.
>
>But the SMTP envelope contains plaintext addressing info. TLS protects
>this on the wire, while PGP encryption of the message (even the
>headers) does not.

First of all, I see no reason to do without TLS. Then with remailing only
the address of the next hop is visible; the final destination is
protected by multilayer encryption up to the exit remailer. Another
advantage of WME compared with MIME acrobatics is that the recipient,
even without running a proxy server, can easily decrypt the WME layer to
get a complete RFC compliant message ready for manual import into his
client software.

>
>>> How does this provide the user with any more assurance than DKIM
>>> verification?
>> 
>> DKIM doesn't hide the sender's identity from external adversaries
>> who try to analyse message flow.
>
>That wasn't my question. I was asking what advantage a per-user
>signature gives you compared to a server signature over a custom header.

I have to encrypt the message anyway. So for me it seems natural to
simply add a signature here instead of thinking of something completely
new.

>
>> - In a TLS session the communication partners' IP addresses are
>> public, moreover the sender domain is published by the receiving MTA
>> by retrieving its public key from the DNS in order to verify the
>> DKIM signature. OTOH with my kind of Whole Message Encryption
>> combined with an asynchronous message transfer providing latency
>> e.g. through remailers adversaries have no chance at all to link
>> sender with recipient(s).
>
>But if you have a per-user signature on the message content, surely the
>sender can still be deduced? At least on the last hop...

With PGP the encryption layer protects the signature, which is why only
the final recipient with his key/passphrase combination gets hold of it.

Kind regards

Caro
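The flow described in this message, as an added example that is not part of the thread and not the proxy software under discussion: a complete message, headers included, is signed with the sending alias's key, signature and message are encrypted together to the recipient, and only a To: header plus dummy headers are written outside the encrypted blob; the receiving side decrypts, verifies, and prepends a status header before handing the message on. It uses Go's standard library (Ed25519, X25519 and AES-GCM) in place of PGP; the addresses, the `X-Dummy` header and the `X-WME-Status` header name are constructed for the example, and the SHA-256 key derivation is a stand-in for a proper KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: the complete RFC 5322 message Alice's mail client hands to her proxy.
const innerMessage = "From: alice@nym.example.invalid\r\nTo: bob@nym.example.invalid\r\n" +
	"Subject: meeting\r\n\r\nSee you at noon.\r\n"

// party is one alias's keys (Ed25519 to sign, X25519 to receive), i.e. its per-user WME key.
type party struct {
	signPriv ed25519.PrivateKey
	signPub  ed25519.PublicKey
	encPriv  *ecdh.PrivateKey
}

// newParty generates fresh keys; a failing crypto/rand is not recoverable here.
func newParty() *party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	enc, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		panic(errors.Join(err, err2))
	}
	return &party{signPriv: priv, signPub: pub, encPriv: enc}
}

// aeadFor turns an X25519 shared secret into AES-256-GCM. The KDF is plain SHA-256
// for brevity (real designs use HKDF); neither constructor fails for a 32-byte key.
func aeadFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealWME signs the whole inner message, encrypts signature and message together to the
// recipient, and wraps the ciphertext in an outer envelope carrying only To: and dummy headers.
func sealWME(inner []byte, sender *party, recipientPub *ecdh.PublicKey,
	outerTo string, dummyHeaders []string) (string, error) {
	sig := ed25519.Sign(sender.signPriv, inner)
	payload := append(append([]byte{}, sig...), inner...) // sig || message, both end up encrypted
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	shared, err := eph.ECDH(recipientPub) // fails only if recipientPub is not an X25519 key
	nonce := make([]byte, 12)             // standard AES-GCM nonce size
	if _, err2 := rand.Read(nonce); err != nil || err2 != nil {
		return "", errors.Join(err, err2)
	}
	// blob = ephemeral public key || nonce || ciphertext; like a PGP block written without a key ID, it names no recipient key.
	blob := append(append(eph.PublicKey().Bytes(), nonce...), aeadFor(shared).Seal(nil, nonce, payload, nil)...)
	hdrs := append([]string{"To: " + outerTo}, dummyHeaders...)
	return strings.Join(hdrs, "\r\n") + "\r\n\r\n" + base64.StdEncoding.EncodeToString(blob) + "\r\n", nil
}

// openWME is the recipient proxy's side: decrypt, verify the signature against the expected
// alias's public key, and return the message with a status header on top, ready for import.
func openWME(outer string, recipient *party, senderPub ed25519.PublicKey) (string, error) {
	_, body, ok := strings.Cut(outer, "\r\n\r\n")
	blob, err := base64.StdEncoding.DecodeString(strings.TrimSpace(body))
	const ephLen, nonceLen = 32, 12
	if !ok || err != nil || len(blob) < ephLen+nonceLen {
		return "", errors.New("malformed WME message")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:ephLen])
	if err != nil {
		return "", err
	}
	shared, _ := recipient.encPriv.ECDH(ephPub) // same curve on both sides, cannot fail
	payload, err := aeadFor(shared).Open(nil, blob[ephLen:ephLen+nonceLen], blob[ephLen+nonceLen:], nil)
	if err != nil || len(payload) < ed25519.SignatureSize {
		return "", errors.New("decryption failed: tampered or not addressed to this key")
	}
	sig, inner := payload[:ed25519.SignatureSize], payload[ed25519.SignatureSize:]
	if !ed25519.Verify(senderPub, inner, sig) {
		return "", errors.New("signature does not verify")
	}
	return "X-WME-Status: signature verified\r\n" + string(inner), nil
}

func main() {
	alice, bob := newParty(), newParty()
	outer, err := sealWME([]byte(innerMessage), alice, bob.encPriv.PublicKey(), "bob@nym.example.invalid", []string{"X-Dummy: padding"})
	msg, err2 := openWME(outer, bob, alice.signPub)
	if err != nil || err2 != nil {
		panic(errors.Join(err, err2))
	}
	fmt.Print("--- on the wire ---\r\n", outer, "--- after Bob's proxy ---\r\n", msg)
}
```

Running it prints the outer envelope and then the reconstructed message. The wire copy shows the next-hop address, the dummy header and a base64 blob; nothing in it names the sender, the subject or the signing key, which is the point about the signature sitting under the encryption layer, and the blob carries no recipient key identifier either. Only the holder of the recipient key can open it, and only then does the signature become available for checking against the expected alias's key; a message addressed to another key, signed by another alias, or modified in transit is rejected before any status header is produced.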



More information about the Gnupg-users mailing list