Bruce Schneier says that privacy is controlling your data. How true. I would just add that control is not enough, I want exclusive control and ownership of my data. And if you are using Clipperz password manager it’s probably because you share a similar vision.

More than a year ago, I wrote a post about the terrifying announcement of the forthcoming Regulation of Investigatory Powers Act (RIPA) in the United Kingdom. RIPA went into effect few days ago and it’s even worst than expected.

UPDATED ENTRY

When we launched our online password manager, we dubbed it the first example of a zero-knowledge web application. We simply meant that Clipperz knows nothing about its users and their data. It was a simplistic and inaccurate definition: the zero-knowledge paradigm needs to be better defined. Our fault.

In the previous post I wrote about our zeal in building zero-knowledge web applications and our pledge to never introduce features that could compromise the integrity of our model.

Now I present a comparative analysis of Clipperz and PassPack with regard to the implementation of one-click logins. The analysis will clearly show the benefits of adopting a rigorous zero-knowledge methodology.

A true zero-knowledge web application knows nothing about its users and their data. We have been fascinated by this simple idea since 2005 when we started this blog. Since then it became our obsession.

Nothing was more appropriate for Clipperz than being reviewed by Charles Martin on his blog Before you are gone that displays the intriguing and remarkable subtitle “What happens to your Online life when your Real life has ended?”.

Everybody has probably heard [about this][1] before, but it’s worth repeating: Firefox’s storage of passwords is not secure!

The title of a recent Lifehacker post was very intriguing: “Keep your password safe at public computers”. The content sounded even more promising since it was about an academic paper from Carnegie Mellon University with the hearthening title: “How to login from an Internet cafe without worrying about keyloggers”.

I readily downloaded the PDF files and dived into reading it. What a disappointment! The proposed solution to defeat keyloggers was impractical and flawed in many aspects. I was amazed that a prestigious institution like Carnegie Mellon could produce such an amateurish study!

Then I took a closer look at the paper and discovered that Carnegie Mellon was not involved at all: the authors (Cormac Herley and Dinei Florencio) are from Microsoft Research and I did not found any connection with the University except that this paper was presented at SOUPS 2006, the Symposium On Usable Privacy and Security held at CMU last July (!).

The fact that CMU was not directly involved was reassuring. The fact that Microsoft is saying “use this method and you are safe from keyloggers and spywares” is quite scaring. Why write a professional looking document and present it to a conference? Wouldn’t be better to just write a short blog post and openly discuss this weak and quite old idea?

However the paper was widely linked and it has been dugg more than 1400 times, but the wrong attribution to Carnegie Mellon was never pointed out.

For those interested: the two authors delved into this idea even deeper and produced another paper about a system called KLASSP (KeyLogger Avoidance using a Shared Secret Proxy), the name says it all …

Image from Antispam.br

During the last two days I had a chance to test drive Freenigma, the recently released email encryption service for webmail users.

What I like more of Freenigma is its “Johnny can encrypt” approach. For the average Johnny cryptography is insanely complex, while Freenigma makes a point of hiding this complexity under a very simple user interface.

Using the service you are barely aware that you now own a pair of public and private keys, or that you are exchanging encrypted session keys with the recipients of your messages, and so on.

Everything looks smooth and simple from the installation of the Firefox extension to the activation of the service. If you can handle the list of your friends in a IM client or managing your contacts in a social network then you can encrypt your email messages with Freenigma.

Freenigma still has some limitations (mainly related to attachments and browser support), but I’m sure I’m going to be a regular user of this simple, powerful (and free) service.

Yesterday Stefan Richter from Freiheit - Freenigma is a joint venture of Freiheit and g10code - was so kind to answer few questions about the service and the technology behind it. Here is a transcript of the interview.

Firefox 2.0 Beta is out since few weeks and it’s already quite popular. However Freenigma is only supporting Firefox 1.5. What are your plans with regard to Firefox 2.0 and Safari?

SR: We will test our extension this week in Firefox 2.0. So our aim is to support the new version asap. And we think about versions for Safari and Internet Explorer.

But you can use Freenigma not only for Web-Mailers: Werner Koch, the developer and maintainer of GnuPG, wrote a C reference implementation for a Freenigma client. This will soon be released as a command-line tool and a C library. We already have Perl bindings and with the C library available it will be easy to provide Python, Perl and whatever-you-like-language bindings.

This means you can encrypt files on your disk with the same freenigma account that you use for your Web-Mail. With a shell script! :-)

Or you can use it with your favorite mail client, like Mutt, Kmail or Evolution. (We already have a Kmail plugin for Freenigma).

You see, we really want to “Encrypt the planet”. ;-)

Your “Terms of Use” document contains a stunning bit of information: strong encryption is illegal in France! Is that really true or just a cautious statement?

SR: Yes, it is true. France does not allow strong encryption for their citizens. It is really difficult to find out which countries around the world are prohibiting cryptography.

Subjects of email messages are not encrypted by Freenigma. Wouldn’t be more secure to encrypt them as well?

SR: Hmm. This makes it really difficult to read the subject lines in your inbox. The subject line would get quite big because it would be a complete PGP message block. But maybe we could pack it with the mail body and extract it in the decryption process?! Hmm, then it would not be very compatible with GUI mail clients anymore.

I think you should not put confidential infos in the subject line… :-)

How is the random session key generated? Which algorithms and entropy sources are used?

SR: It is generated on the server side by GnuPG. So we use the same code and the same algorithms and entropy sources as any other GnuPG-based encryption.

Which size is the AES key? Which block cipher mode is implemented?

SR: 128-bit and we use CFB.

Which size are the asymmetric RSA keys?

SR: 1024-bit.

Could you provide some information about Freenigma infrastructure? Especially from a security and availability point of view.

SR: Security is our main focus, of course. But even if people would be able to steal the servers, they could not access the keyrings, because we don’t store the passwords (mantra). The mantra is only stored in the keyring of every user.

So here we traded convenience against security: When you lose your password, you will never be able to read your old encrypted mails again. Even we can’t help you. But this was important for the overall security. This also means, that nobody else can.

And we don’t log the passwords. We hand them directly over to GnuPG and after the crypto operation they disappear. We (and others) are physically unable to access the keyring.

We know how to build software that runs 24/7, because my company built some very large e-commerce systems in the german speaking market and in Scandinavia. Our customers include the number 2 and 3 Internet-Bookstores, the direct competitors of Amazon.de, so we have experience with robustness and reliability in “uncooperative environments” ;-) .

And now few hints for Gmail users.

• If your account is configured with a custom “From” address, Freenigma won’t work unless you add this address to the list of email addresses in your Freenigma account.

• Freenigma works great even with the hosted domain version of Gmail, see below!

Today’s mail servers, file servers and other data storage servers typically must be fully trusted since they have complete access to your data and are supposed not to reveal them without your authorization.

Personal health records are definitely the more common type of sensitive data we produce and own. Nonetheless we are not really in control of those data. They are spread in folders, binders and drawers at hospitals, homes and physician offices. Most patients are unable to gather all the medical records generated during their lives.

UPDATE - Good news for webmail encryption: read my review of Freenigma.

Mark Langenhoven and Richard Jones have both developed simple tools to use Gmail while safeguarding the privacy of your email messages. These are not bullet-proof systems, but they provide an easy way to encrypt email messages and keep using your favorite webmail interface. Mark used a Greasemonkey script, while Richard adopted a Firefox extension.

Mark solution does not rely on any certificates or browser built-in list of authorities, but it requires to generate an RSA pair of keys. Unfortunately the provided interface to generate the public and private keys is quite basic and no information are given about the chance to use other RSA pairs of different size. To encrypt your message just add the recipient public key and click “Encrypt”.

Richard, on the other hand, developed a Firefox extension to build S/MIME support for Gmail. It requires the user to obtain an S/MIME email certificate - there are several ways to get one for free - and install it in the Firefox certificate database. If there is an entry for the recipient email address in the certificate database, then the body of the email and any attachments are automatically placed in an S/MIME attachment and encrypted with the recipient’s public key. This encrypted message is then sent to Google for delivery.

Mark and Richard cannot guarantee to keep the prying eyes of NSA out of your mailbox, but they can definitely add more privacy to your email relationships.

picture above from WebProNews.com

The UK government has recently made some claims about implementing the provisions included in Part 3 of RIPA, the Regulation of Investigatory Powers Act. This means that, following a lawful search with a warrant issued by a judge, the police can request the keys to any encrypted material that is seized. Refusal to produce keys can then be treated as a crime in its own right.

Legal systems in most countries have laws that will prevent the government from passing such an Act. In the US the fifth amemdment, which is part of the Bill of Rights, asserts”

No person […] shall be compelled in any criminal case to be a witness against himself.

The italian law has a very similar provision, the “nemo tenetur se detegere” principle. It states that a person under investigation can refuse to make declarations.

But what if the encrypted files are disguised as innocent family pictures? No police or judge can request a key if they don’t know or cannot reasonably prove that a key exists.

It’s easy to imagine a mass adoption of steganographic tools where secret documents and communications are hidden inside irreproachable pictures. Similarly, tools like TrueCrypt can conceal encrypted material in a way that prevent its detection.

The UK government is going to deprive honest an law-abiding citizens of their liberties while criminals can carry on theirs businesses as usual, with just a little software upgrade.

UPDATE - Unfortunately Australia is following the same path as UK, at least in Queensland.

Queensland Police are to be given power to force suspects to hand over passwords and encryption codes. Civil libertarians warn the laws could allow corrupt police to fake evidence, because they will have access to suspects’ digital signatures. The legislation, to come into force in July, covers mobile phones, PCs, handhelds and other electronic devices. Non-compliance carries up to 12 months’ jail.

Image created by Neil Johnson, also appearing on the cover of his book Information Hiding: Steganography and Watermarking - Attacks and Countermeasures.

During the last months several laptop thefts made the news. Kevin Costner’s case did some noise, but the loss of pictures from his wedding was hardly something to raise a general privacy concern. Then came Ernst &Young with four stolen laptops and thousands of personal data records exposed. Few weeks later Boeing revelead that a second laptop has been lifted containing the names, social security numbers and other sensitive information of thousands of current and former employees.