I don't think I've seen educated speculation here about what the court
order that Lavabit received actually ordered them to do. Here is my own
guess and I'm wondering if people have thoughts.

First, from an interview with Ladar Levison
(http://possibility.com/LavabitArchitecture.html) it seems clear that
they wrote ciphertext to disk for each message in a user's account:

"* Do you use any particularly cool technologies or algorithms?

The way we encrypt messages before storing them is relatively unique.
We only know of one commercial service, and one commercial product that
will secure user data using asymmetric encryption before writing it to
disk. Basically we generate public and private keys for the user and
then encrypt the private key using a derivative of the plain text
password. We then encrypt user messages using their public key before
writing them to disk. (Alas, right now this is only available to paid
users.)"

So, in excruciating detail I read this to mean:

1. When a user signs up, they create a log-in password.
2. The system creates a key pair.
3. The private key is encrypted symmetrically using some hard variant of
the log-in password.
4. Both keys are stored to disk. The clear private key is wiped from memory on log-out.
5. Whenever a message is stored for the user (regardless of login
state), the system encrypts it with the public key.
6. When a user logs in, their login password is turned into the hard
variant and used to symmetrically decrypt the private key. This private
key is placed in secure memory, etc.
7. When the user views a message (or presumably searches an encrypted
index of messages), it uses the private key in memory to decrypt it.
8. When the user logs out, the private key in memory is wiped.

This means that access to decrypted message content was only
available when a user was logged in. From a surveillance perspective,
this means that the private key would have to be read from memory or
during the write to memory. (I still don't know how password changes
would work here... maybe they just re-encrypt the private key with the
new hard variant?)

This is all to say that I suspect the government's order requested
ongoing access to the private key(s) in memory for some subset of
Lavabit users, such that they could ask in the future for the encrypted
contents of those users' accounts and easily look up these private keys
to get the message cleartext.

It's unclear to me if this would require an order that ordered Lavabit
to write software to do this (e.g., a backdoor), but it sounds like
that's the case. And it seems clear that by shutting down the service
last week, no one can log in again, such that their ciphertext is safe.

best, Joe

-- 
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
j...@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8

