What email encryption is actually in use?
Tyler Durden
camera_lumina at hotmail.com
Mon Nov 4 11:35:21 PST 2002
Peter Trei wrote...
"Durden's question was whether a snooper on an IPSEC VPN can
tell (for example) an encrypted email packet from an encrypted
HTTP request.
The answer is no.
All Eve can tell is the FW1 sent FW2 a packet of a certain size.
The protocol of the encapsulated IP packet, its true source
behind FW1, its true destination behind FW2, and the true
destination port are all hidden."
Yes, this was indeed the gist of my question. I was aware that there are
actually hard and soft switches that are aware all the way up to the
application layer, apparently (I also know that some softswitches have
actually been deployed in RBOC/Baby Bell territory.)
But from your previous email, you indicated that the secure IPSEC tunnel is
created by taking the packets, encrypting S/A, D/A, payload and protocol
fields (i.e., pretty much everything) and then dumping them into the payload
of another packet, and setting the Protocol field of the parent-packet to
"IPSEC". All that is now visible are the firewall addresses.
That's a lot, methinks! In other words, there's practically a bright red
flag sticking up saying "I'm encrypted! Look over here!"...it's child's play
(well, if you consider making an ASIC child's play!) to then look at the S/A
and D/A to see if they are interesting. If they belong to the IP spaces of
two large companies, for instance, then look elsewhere (though I hear rumors
that the NSAs of the world are branching out into industrial eavesdropping
for their parent companies, ehr, for their parent countries).
If a secure VPN tunnel forms between al-Jazeera's firewall and, say, some
ISP near Atlantic Avenue in Brooklyn (heavy Arab community), then all sorts
of spyglasses could pop up.
Thus, I suspect a lot can be gleaned (and is) from communiques without
actually de-encrypting...the philosophy probably is, "why violate civil
rights unless we really, really have to? Extract as much as we can without
actually de-encrypting, and if the probability of something being "interesting"
is high enough, then we'll send it downstairs to be opened" (and even then,
determining how hard it is to open the communique might also be of
interest...is it legal to open somebody else's email but not read it?)
Here's a little quote for ya, since it seems to be the in-thing to do...
"The revolution is right where we want it: out of our control."
(Royal Family and the Poor)
>From: "Trei, Peter" <ptrei at rsasecurity.com>
>To: cypherpunks at lne.com, "'Major Variola (ret)'" <mv at cdc.gov>
>Subject: RE: What email encryption is actually in use?
>Date: Mon, 4 Nov 2002 12:58:55 -0500
>
> > Major Variola (ret)[SMTP:mv at cdc.gov]
> >
> >
> > At 10:13 AM 11/4/02 -0500, Tyler Durden wrote:
> > >This is an interesting issue...how much information can be gleaned from
> >
> > >encrypted "payloads"?
> >
> > Traffic analysis (who, how frequently, temporal patterns)
> > Size of payload
> >
> > Is it possible for a switch or whatever that has
> > >visibility up to layers 4/5/6 to determine (at least) what type of file
> > is
> > >being sent?
> >
> > Yes.
> >
> > Modern network equipment can examine all the way up to "layer 7".
> > Can tell that you're sending an .mp3 and will cut your QoS, if that's
> > the policy.
> >
>Durden's question was whether a snooper on an IPSEC VPN can
>tell (for example) an encrypted email packet from an encrypted
>HTTP request.
>
>The answer is no.
>
>All Eve can tell is the FW1 sent FW2 a packet of a certain size.
>The protocol of the encapsulated IP packet, its true source
>behind FW1, its true destination behind FW2, and the true
>destination port are all hidden.
>
>Peter
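An added illustration (my own code, not from this thread) of the tunnel-mode encapsulation discussed above: it builds a constructed ESP packet between two gateways and then parses it the way a passive observer between FW1 and FW2 would, so the split between visible metadata (outer addresses, protocol 50, SPI, size) and hidden content (inner addresses, protocol, ports) is explicit. The addresses, SPI and the XOR stand-in for the real cipher are all constructed assumptions, not anything from the post.

```python
import ipaddress
import os
import struct

ESP_PROTO = 50  # IP protocol number for ESP (RFC 4303): the "IPSEC" flag Eve can see
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left at zero since nothing here validates it."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def tunnel_mode_esp(inner_packet, fw1, fw2, spi, seq):
    """Wrap a whole inner IP packet in ESP between gateways fw1 and fw2.
    The ciphertext is the inner packet XORed with fresh random bytes, a constructed
    stand-in for the real cipher so the body is opaque. ESP trailer and ICV are omitted."""
    keystream = os.urandom(len(inner_packet))
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, keystream))
    body = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(fw1, fw2, ESP_PROTO, len(body)) + body

def observer_view(packet):
    """Everything a passive observer between FW1 and FW2 can read off the wire."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    view = {"outer_src": str(ipaddress.IPv4Address(src)),
            "outer_dst": str(ipaddress.IPv4Address(dst)),
            "protocol": proto, "size": total_len}
    if proto == ESP_PROTO:  # SPI and sequence number travel in the clear
        view["spi"], view["seq"] = struct.unpack("!II", packet[ihl:ihl + 8])
    return view

# Constructed sample: a host behind FW1 sends a TCP segment to port 25 behind FW2.
INNER = (ipv4_header("10.1.2.3", "10.9.8.7", 6, 24)
         + struct.pack("!HH", 40000, 25) + b"\x00" * 20)
WIRE = tunnel_mode_esp(INNER, "192.0.2.1", "198.51.100.1", spi=0x1234, seq=1)

if __name__ == "__main__":
    print(observer_view(WIRE))
```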