Friday, September 12, 2008

Email Security Is Hard

The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation.

This is an organization that I would expect to be on top of security-related issues. And it would seem, at first glance, that these people do know their stuff:

US-CERT PGP Key Information

Let me explain what this means. A PGP key pair has a private half, which the owner keeps secret, and a public half, which may be published. Depending on how the keys are used, the public key lets you encrypt communications to the publisher so that they remain private, and/or verify that a message actually originated from the publisher. For the latter reason US-CERT signs its email alerts with its private key; a recipient who holds the matching public key can then verify that US-CERT really sent the email and that it is not just some hoax.

The only catch is that you have to have some way of knowing whether the key you have is really from the publisher or from someone pretending to be the publisher. If the key was from someone pretending to be the publisher that person could now send you messages that you would think are signed by the publisher - not a good situation.

You can download the US-CERT keys from the US-CERT website but how do you know the website has not been hijacked or spoofed?

The solution offered by US-CERT is simple and effective: you call a phone number and check that the fingerprint of the key you downloaded matches the one read to you over the phone. This makes a successful attack much more difficult: not only does the attacker have to hijack or spoof the website, the phone line must also be similarly attacked (assuming you verify the phone number independently before calling, rather than taking it from the possibly spoofed website).
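To make the check described above concrete, here is an added example (not part of the original post and not US-CERT's code) that derives a downloaded key's fingerprint the way RFC 4880 defines it and compares it with the value read over the phone. Everything in it is constructed for illustration: the RSA moduli are made up, the armor omits the CRC-24 trailer, and the "phone" fingerprint is derived from the constructed key, so no value shown is anybody's real fingerprint.

```python
"""Added example: derive a downloaded OpenPGP key's fingerprint and compare it with one obtained out of band."""
import base64
import hashlib
import hmac
import struct

def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: two-octet bit count, then the big-endian magnitude."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")

def build_v4_rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Tag-6 packet (version 4, creation time, algorithm 1 = RSA, n, e) behind 0x99, the
    old-format header byte for tag 6 with a two-octet length."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body

def armor(packets: bytes) -> str:
    """Minimal ASCII armor; the CRC-24 trailer that real tools append is omitted here."""
    b64 = base64.b64encode(packets).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Version: example", "",
                      *(b64[i:i + 64] for i in range(0, len(b64), 64)),
                      "-----END PGP PUBLIC KEY BLOCK-----"])

def dearmor(text: str) -> bytes:
    """Strip the armor lines, 'Key: value' headers and any '=' CRC line, then base64-decode."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored PGP block")
    data = []
    for line in lines[1:-1]:
        line = line.strip()
        if ":" in line or not line:      # armor header or the blank separator line
            continue
        if line.startswith("="):         # CRC-24 trailer marks the end of the packet data
            break
        data.append(line)
    return base64.b64decode("".join(data))

def iter_packets(data: bytes):
    """Yield (tag, body) for old-format packets (length types 0-2) and new-format packets
    with one- or two-octet lengths; anything else is rejected rather than guessed at."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        if ctb & 0x40:                                      # new format
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                hdr, length = 2, first
            elif first < 224:
                hdr, length = 3, ((first - 192) << 8) + data[pos + 2] + 192
            else:
                raise ValueError("five-octet and partial lengths unsupported")
        else:                                               # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length unsupported")
            hdr = 1 + (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += hdr + length

def v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length and the key packet body."""
    if pubkey_body[:1] != b"\x04":
        raise ValueError("only v4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).hexdigest().upper()

def primary_fingerprint(armored_key: str) -> str:
    """Fingerprint of the primary key, i.e. the first tag-6 packet in the block."""
    for tag, body in iter_packets(dearmor(armored_key)):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet in block")

def gpg_style(fingerprint: str) -> str:
    """Group the 40 hex digits the way gpg --fingerprint prints them."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))

def matches_out_of_band(armored_key: str, spoken: str) -> bool:
    """True only if the downloaded key's fingerprint equals the one read over the phone
    (spacing and case normalized). On False, do not import or trust the key."""
    expected = "".join(spoken.split()).upper()
    return hmac.compare_digest(primary_fingerprint(armored_key), expected)

# Constructed sample data: made-up moduli, not real keys and not US-CERT's.
GENUINE_KEY = armor(build_v4_rsa_public_key_packet(int("C0FFEE" * 10 + "1", 16), 65537, 1221177600))
SPOOFED_KEY = armor(build_v4_rsa_public_key_packet(int("BAADF00D" * 8 + "1", 16), 65537, 1221177600))
# What you would have written down during the call (derived here from the genuine key).
FINGERPRINT_FROM_PHONE = gpg_style(primary_fingerprint(GENUINE_KEY))

if __name__ == "__main__":
    print("genuine key matches phone:", matches_out_of_band(GENUINE_KEY, FINGERPRINT_FROM_PHONE))
    print("spoofed key matches phone:", matches_out_of_band(SPOOFED_KEY, FINGERPRINT_FROM_PHONE))
```

In day-to-day use you would not write this yourself: `gpg --import` the downloaded file, run `gpg --fingerprint` on it, and read the grouped digits against what the person on the phone tells you. The point of spelling it out is that the fingerprint is nothing more than a hash of the public key packet, so any key an attacker substitutes on the website necessarily yields a different fingerprint, and the phone call is what gives you a copy of the fingerprint the attacker could not have altered.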

This is a great use of technology, and it is great that US-CERT explains it so clearly on its website. It is absolutely commendable that US-CERT provides this service, and I wish a lot more organizations would follow suit.

So I called the number. To my surprise, a human being picked up after 2 or 3 rings; I had expected an automated system.

I explained that I wanted to verify the PGP fingerprint of the US-CERT master key. The man clearly did not know what I was talking about. I explained about the website and the PGP key fingerprint and was asked what agency I work for. I don't, and when I said so the man told me to call another number, which I did.

Again a man answered and I explained my desire to verify the US-CERT master PGP key signature. He clearly did not know what I was talking about, so I offered to give him the URL of the US-CERT website where I found the information.

He declined, asking instead for my name, affiliation, geographic location, and phone number and promising that a tech would call me back. I have been waiting for the call back ever since.

It is clear that someone at US-CERT understands public key cryptography and how to use it correctly and that someone has managed to get the information on the website. But unfortunately the information has not actually trickled down to the people staffing the phones. And clearly my request was an unusual one, so there are not many people who actually attempt to verify the public key.

I think this is a perfect illustration of why we don't all routinely encrypt our email: it is simply too difficult to get right. If an organization of experts that is tasked with protecting a nation from cyber attacks cannot get this right, what are the chances that "the rest of us", the non-experts, will ever get it right?

Not too good, sadly.

[My PGP fingerprint is on the Contact page of this site, in case you are wondering. You are welcome to verify it if you want to communicate privately and securely.]
