Re: HushMail: free Web-based email with bulletproof encryption

1999-05-20 Thread Arnold G. Reinhold

At 9:11 PM -0400 5/19/99, Keith Dawson wrote:
>Hush Communications has quietly begun beta testing a significant
>development in email privacy. HushMail [1] works like Hotmail or
>Rocketmail -- you can set up multiple free accounts and access them
>from any Web browser anywhere -- but when you email another HushMail
>user your communication is protected by unbreakable encryption. ...

Reading the "high level technical description of HushMail account creation
and usage" at https://www.hushmail.com/tech_description.htm I saw no
indication that salt is added to the passphrase prior to generating the key
used to protect the user's private key.  If true, that is a serious
security flaw, facilitating dictionary attacks and the opportunity to
crack multiple keys at once.

Lack of salt is also an easy omission to fix -- without affecting existing
users. A flag or zero salt in their database would indicate a key generated
with the existing code, i.e. no salt. As long as there are only a few
salt-free users, the above attacks are not worthwhile.

Kudos if they are using salt, but that is a detail worth mentioning in
their tech description page (they get points in my book for just having
one).

While they are at it, some key stretching would help, perhaps just running
SHA several times as they do for creating session keys (where the value of
doing so is doubtful).

I am not sure I understand: "8a. Only half of the hash value is sent, which
reduces any potential ability for those with physical access to the
HushMail server data to mount a high-speed brute force attack on the
encrypted private key." If an attacker has half of the hashed passphrase,
that is all he needs to mount a search attack on the passphrase. Once he
has the passphrase, the jig is up.


>You need to come up with a secure pass-phrase, and in this process
>HushMail gives only minimal guidance. You might want to visit Arnold
>Reinhold's Diceware page [4], where he lays out a foolproof pass-
>phrase protocol utilizing a pair of dice.
>

Thanks for the plug. Their advice is indeed pitiful and I suspect most
users, in the middle of the setup process won't even bother to look at what
they wrote. They will just use the same strategy they employ for login
passwords and end up with little or no security.  A suggestion that users
pick a passphrase before starting the process would be helpful, maybe as a
step on the New Account screen.

It would be much better if HushMail offered to pick a passphrase for the
user at key generation time. HushMail would be welcome to use one of my word
lists.

>   ...Unfortunately, HushMail
>does not work on Macintoshes, due to limitations in Apple's Java
>implementation. (Mac users can crawl HushMail under Connectix
>Virtual PC. Note that I don't say "run." I've tried this
>interpretation-under-emulation and do not recommend it.) The company
>is trying urgently to connect with the right people at Apple to get
>this situation remedied.

I am curious what this limitation is that they could not work around.
...
>
>[1] https://www.hushmail.com/
>[2] https://www.hushmail.com/faq.htm
>[3] https://www.hushmail.com/tech_description.htm
>[4] http://world.std.com/~reinhold/diceware.html
>

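The three objections above (no salt, no stretching, and the "only half of the hash is sent" item) are easy to see in code. The following is an added example written for this digest, not HushMail's code: it assumes, as the tech description reads, that the key protecting the private key is a plain SHA-1 of the passphrase, and it uses a constructed eight-word dictionary, constructed accounts and an assumed iteration count (`ROUNDS`) that the page does not give. PBKDF2 stands in for "running SHA several times"; any iterated, salted hash makes the same point.

```python
"""Added example, not HushMail's code: what Reinhold's objections look like in
practice.  Key derivation without salt lets one pass over a dictionary break
every account at once; a per-user salt and iteration fix that; and sending
only half of the passphrase hash still hands an attacker a test oracle.
The word list, accounts and passphrases below are constructed."""
import hashlib
import hmac
import os
from itertools import product

# Constructed stand-in for an attacker's dictionary (real ones hold millions).
WORDS = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel"]
ROUNDS = 1000  # assumed stretching count; the page gives none


def candidate_passphrases(n_words=2):
    """Every n-word passphrase over WORDS: the attacker's search space."""
    for combo in product(WORDS, repeat=n_words):
        yield " ".join(combo)


def unsalted_key(passphrase):
    """Derivation as the tech description reads: key = SHA-1(passphrase).
    Equal passphrases give equal keys, so a hash table built once over the
    dictionary tests every stored key at no extra cost."""
    return hashlib.sha1(passphrase.encode()).digest()


def salted_stretched_key(passphrase, salt, rounds=ROUNDS):
    """Salt plus stretching (PBKDF2-HMAC-SHA1 here; any iterated salted hash
    serves).  The salt is random per user and stored beside the encrypted
    private key; it need not be secret."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, rounds)


def crack_unsalted(stored):
    """stored: {user: key}.  Returns (recovered, hash_evaluations).  The table
    costs one dictionary pass no matter how many users are attacked."""
    table = {}
    for p in candidate_passphrases():
        table[unsalted_key(p)] = p
    recovered = {u: table[k] for u, k in stored.items() if k in table}
    return recovered, len(table)


def crack_salted(stored):
    """stored: {user: (salt, key)}.  Returns (recovered, hash_evaluations).
    Each user needs a fresh dictionary pass, and each guess costs ROUNDS
    hash calls, so work grows with users * dictionary * rounds."""
    recovered, evaluations = {}, 0
    for u, (salt, key) in stored.items():
        for p in candidate_passphrases():
            evaluations += ROUNDS
            if hmac.compare_digest(salted_stretched_key(p, salt), key):
                recovered[u] = p
    return recovered, evaluations


def half_hash_authenticator(passphrase):
    """Item 8a of the description: the client sends only half of the hash."""
    return unsalted_key(passphrase)[:10]


def crack_from_half_hash(half):
    """Half of an unsalted hash is still a full oracle: any dictionary hit on
    the half reveals the passphrase, from which the whole key follows."""
    for p in candidate_passphrases():
        if hmac.compare_digest(half_hash_authenticator(p), half):
            return p, unsalted_key(p)
    return None


def demo():
    """Three constructed users, two of whom picked the same weak passphrase."""
    users = {"alice": "delta echo", "bob": "delta echo", "carol": "golf hotel"}
    unsalted = {u: unsalted_key(pw) for u, pw in users.items()}
    salted = {}
    for u, pw in users.items():
        salt = os.urandom(16)
        salted[u] = (salt, salted_stretched_key(pw, salt))
    # Identical stored keys already tell the server who shares a passphrase.
    same_key_unsalted = unsalted["alice"] == unsalted["bob"]
    same_key_salted = salted["alice"][1] == salted["bob"][1]
    found_u, work_u = crack_unsalted(unsalted)
    found_s, work_s = crack_salted(salted)
    pw, key = crack_from_half_hash(half_hash_authenticator("golf hotel"))
    return {
        "same_key_unsalted": same_key_unsalted,
        "same_key_salted": same_key_salted,
        "unsalted_work": work_u,
        "salted_work": work_s,
        "all_recovered": found_u == users and found_s == users,
        "half_hash_recovers_full_key": key == unsalted_key(pw),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The recovered passphrases are the same in both cases; what changes is the cost. The unsalted table is built once for all users, while the salted search costs a full dictionary pass per user and `ROUNDS` hash calls per guess, which is exactly the multiplier the two fixes are meant to buy. The half-hash check shows why withholding half of the hash buys nothing against someone holding the server data: the half still distinguishes right from wrong guesses, and the passphrase, once found, yields the whole key.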


ECC Final Seminar Announcement Tuesday, May 25, 1999 (fwd)

1999-05-20 Thread M Taylor


-- Forwarded message --
>Subject: ECC Final Seminar Announcement Tuesday, May 25, 1999
>Date: Thu, 20 May 1999 14:38:52 -0400 (EDT)
>From: Lesley Ireton <[EMAIL PROTECTED]>


Please post or circulate
Electronic Commerce Canada Inc. presents:

Seminar Announcement
Tuesday, May 25, 1999
Location: Sussex Room, Government Conference Centre, 2 Rideau Street,
Ottawa, ON
Time: 8:00 a.m. - 10:30 a.m.

Admission is free - bring a friend - no pre-registration required

8:00 - Coffee
An opportunity to network with people of common interests.

8:40 - Welcome and Announcements
David Johnson, President, Electronic Commerce Canada Inc.

8:45 - Trusted Electronic Service Delivery

Sun Microsystems has emerged as an industry "thought leader"
in the fast growing fields of e-commerce and electronic service
delivery. Sun Microsystems will discuss new architectural
approaches to building secure, scalable and reliable network
services that underpin a range of "e-business" solutions for
private and public sector organizations and discuss the
implications between the recent alliance between
America Online (AOL) and Sun Microsystems called the "Sun
Netscape Alliance".

Presenter: Gordon Sissons
Mr. Sissons has been with Sun Microsystems for five years and is currently
the manager of Sun's Systems Engineering Organization in Ottawa and
Atlantic Canada. With a diverse background encompassing system development,
PC-LANs, UNIX and proprietary minicomputer environments, and with over ten
years of experience supporting various private sector and Federal Government
clients, he is well aware of the revolutionary changes taking place in
e-Commerce and electronic service delivery. In addition to his current
management responsibilities, he has most recently been developing and
implementing a planning methodology called SunESP, aimed at ensuring the
successful deployment of several of Sun's largest data-center class systems
installed in Canada.

9:30 - Planning and Delivering the Health Canada GoC PKI.

The Health Canada presentation will cover some aspects of the following:
What is SESD?, Key Accomplishments, Challenges, Lessons Learned and Next Steps.
The nitty-gritty work of actually putting PKI into place will be discussed.

Presenter: Janet Arnold, Health Canada

10:30 - Adjournment

Future ECC Events - A complete list of Fall Seminar dates is available on
our web site at 

Electronic Commerce Canada Inc. 582 Somerset Street West, Ottawa, ON K1R 5K2
Tel: 613-237-2324  Fax: 613-237-9900 e-mail: [EMAIL PROTECTED]  internet:
www.ecc.ca

ECC Seminar Series - A new topic every month.  Contact the ECC Secretariat,
c/o The Willow Group, 582 Somerset Street West, Ottawa, ON K1R 5K2
Visit our web site for more information <>

Re: HushMail: free Web-based email with bulletproof encryption

1999-05-20 Thread Ian BROWN

Perry Metzger wrote:
>Some parts of this description make me nervous. Why are PRIVATE keys
>being stored on a server, for instance?

It's still hard to give applets access to client-side data in a secure and 
browser-independent way, but obviously this would be a great improvement.

>Why use SSL to send keys when you could use SSL to just send the data?

I think it's because the crypto library they are using (Cryptix) doesn't do 
SSL yet ;) I presume the applet and its startup parameters can be transferred 
over SSL by the browser, but the applet can't use that SSL pipe itself.

Ian




Re: HushMail: free Web-based email with bulletproof encryption

1999-05-20 Thread Steven M. Bellovin

In message , Keith Dawson writes:
>[Some parts of this description make me nervous. Why are PRIVATE keys
>being stored on a server, for instance? Why use SSL to send keys when
>you could use SSL to just send the data? Etc., etc... --Perry]

There are a number of possible reasons for that; the one most likely in
this case is so that you can read your mail from anywhere.  That is,
if you're seriously paranoid you're not going to dial up to your ISP
before logging in to hushmail -- the call is traceable, and your machine
may have been bugged (remember Aldrich Ames?).  Instead, you'll go to
your library or some other public machine, install Linux, read the mail,
reformat the library computer's disk..  Well, you see my main point; if the
key is stored on your own machine, you can't read your mail from elsewhere.  You
also have to worry about backing it up properly.

A second possible reason is the Java sandbox -- how can an applet write
to your disk?  Yes, newer versions of Java can let that happen, but I
don't know if any browsers support that.  And of course, if they do the
users would have to administer it, a dubious proposition.





Re: HushMail: free Web-based email with bulletproof encryption

1999-05-20 Thread Robert Hettinga

At 9:11 PM -0400 on 5/19/99, Keith Dawson wrote:


> and are stored
> on a server located in Canada.

And the code was written in Anguilla?

Is there an echo in here?

:-).

Cheers,
RAH
-
Robert A. Hettinga 
Philodox Financial Technology Evangelism 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: HushMail: free Web-based email with bulletproof encryption

1999-05-20 Thread Bill Frantz

I spent some time looking at the web pages.  In answer to Perry's questions:

At 6:11 PM -0700 5/19/99, Keith Dawson wrote:
>[Some parts of this description make me nervous. Why are PRIVATE keys
>being stored on a server, for instance?

Because you can't store data on a user's machine from a Java applet.  IMHO,
signed applets, which can kind of access the user's disk, are a technology
whose time is not yet.  There are currently 3 different signing models, the
Netscape model, the Microsoft model, and the Javasoft model.  (Macintosh
Runtime for Java (MRJ) implements the Javasoft model and is used by
MSIE/Mac on System 8.5.  I don't know anyone who has succeeded in
distributing a signed applet using the Javasoft model.)

The web pages are very up front in saying that the security of the system
is critically dependent on the passphrase.  I agree.

>Why use SSL to send keys when
>you could use SSL to just send the data?

Then the server would have access to the plaintext.  Ideally, the applet
would generate the symmetric keys and encrypt them with the public key of
the receivers.  I can't remember the details of symmetric key generation,
but they are recommending SSL to avoid Trojan applets.

On the surface, the biggest danger in this system is having a TLA force
them to serve a Trojan applet to one or more clients and using that to
recover the passphrase.  I have not looked at the (available) source, or
verified that the applet derives from that source.

>Etc., etc... --Perry]
>
>FYI, I just put up this piece as a Tasty Bit of the Day at
>http://tbtf.com/#tbotoday .
>___
>
>1999-05-19:
>
>..HushMail: free Web-based email with bulletproof encryption
>
>Hush Communications has quietly begun beta testing a significant
>development in email privacy. HushMail [1] works like Hotmail or
>Rocketmail -- you can set up multiple free accounts and access them
>from any Web browser anywhere -- but when you email another HushMail
>user your communication is protected by unbreakable encryption. The
>crypto, implemented in a downloadable Java applet, was developed
>outside of US borders and so has no export limitations.
>
>Here are the FAQ [2] and a more technical overview [3] of the Hush-
>Mail system.
>
>HushMail public and private keys are 1024 bits long, and are stored
>on a server located in Canada. All information sent between the
>HushApplet and the HushMail server is encrypted via the Blowfish
>symmetric 128-bit algorithm. The key to this symmetric pipe is ran-
>domly generated each session by the server and is transferred to the
>client machine over a secure SSL connection.
>
>When you sign on as a new user you can choose an anonymous account
>or an identifiable one. For the latter you have to fill out a dem-
>ographic profile, to make you more attractive (in the aggregate) to
>HushMail's advertisers. The HushApplet walks you through generating
>a public-private key-pair. The process is fun and slick as a smelt.
>You need to come up with a secure pass-phrase, and in this process
>HushMail gives only minimal guidance. You might want to visit Arnold
>Reinhold's Diceware page [4], where he lays out a foolproof pass-
>phrase protocol utilizing a pair of dice.
>
>HushMail relies heavily on Java (JVM 1.1.5 or higher), so it can
>only be used with the latest browsers. The earliest workable version
>of Netscape's browser is 4.04, but some features don't work in
>versions before 4.07; the latest version, 4.5, is best. For Internet
>Explorer users, 4.5 is recommended, but the latest Windows release
>of IE 4.0 (subversion 4.72.3110) works as well. Red Hat Linux
>version 5.2 is also tested and supported. Unfortunately, HushMail
>does not work on Macintoshes, due to limitations in Apple's Java
>implementation. (Mac users can crawl HushMail under Connectix
>Virtual PC. Note that I don't say "run." I've tried this
>interpretation-under-emulation and do not recommend it.) The company
>is trying urgently to connect with the right people at Apple to get
>this situation remedied.
>
>One of the limitations of this early release of HushMail is that en-
>cryption can only be used to and from another HushMail account. It
>is not currently possible to export your public/private key-pair, to
>set up automatic forwarding of mail sent to a HushMail account, or
>to import non-Hush public keys. I spoke with Cliff Baltzley, Hush's
>CEO and chief technical wizard. He stresses that Hush's desire and
>intention is to move toward interoperability with other players in
>the crypto world, such as PGP and S/MIME. The obstacles to doing so
>are the constraints on technical resources (read: offshore crypto
>programmers) and legal questions of intellectual property. Baltzley
>believes that HushMail's positive impact on privacy worldwide will
>be enhan