FBI "black bag" jobs can defeat PGP

from usenet, alt.security.pgp, 16 Jan 2001:

PGP Broken

Well, not really. No one has broken the cryptographic algorithms that protect PGP traffic. No one has found a software flaw in the PGP program, allowing someone to read PGP-encrypted traffic. What someone did was to install a keyboard sniffer on a computer. That someone was then able to eavesdrop on every keystroke the user made: his PGP passphrase, the plaintext of messages he typed, everything.

The victim is an alleged mobster, Nicodemo S. Scarfo, who was using PGP to encrypt his e-mail messages. The attacker is the FBI, who ran a black-bag operation against Scarfo and installed the keyboard sniffer. But the principles surrounding this case could have profound effects on all of us.

There are lots of constitutional issues here. The FBI did obtain a warrant, but it is unclear if the warrant allowed this sort of surveillance. Scarfo's attorney certainly doesn't think so, and many civil rights groups agree. Lots of people are watching this case, which may force the courts to sort out some of these complicated issues.

My interest is more in the technical issues. The story graphically illustrates an important lesson of computer and network security: it's only as secure as the weakest link. PGP provides just one piece of an e-mail security solution. It protects messages in transit from the sender to the receiver. It protects against eavesdropping and impersonation attacks that happen during transit, in the network. PGP does not protect either endpoint. Keyboard sniffers can capture plaintext and passphrases. Trojan horses and viruses can send signed PGP traffic in the computer user's name. A clever attacker can even find printed copies of PGP-encrypted e-mail in the trash. Last year I cowrote a paper that described a social-engineering attack that could trick someone into decrypting his own PGP mail for an eavesdropper.

I worry that many cryptographers -- I have been as guilty as everyone else -- have lulled people into a false sense of security. We toss about phrases like "2048-bit RSA" and "trillions of years to break," and we believe them. Instead of building a defensive wall, we're planting a huge stake in the ground and hoping the attacker will only take the path that runs into the stake. We can argue about whether the stake should be a mile tall or a mile and a half tall, but the reality is that a smart attacker will simply go around the stake.

To be sure, cryptography is a good stake. It blocks the narrow gap where the attacker could easily pass through, protecting against non-invasive attacks. Attackers can still "go around" the stake, but by doing things such as breaking into Scarfo's home and installing the keyboard sniffer. Many attackers are not motivated enough to do so -- or even capable of doing so.

There is another lesson we can learn from the story: in order to do its job, the police do not need any escrow techniques for cryptographic keys, nor laws to force people to reveal their passphrases or keys on demand. The lack of such things makes mass surveillance much more difficult, but effective law enforcement is clearly possible.

A final comment in the Philadelphia Inquirer story is quite telling: "Manno [Scarfo's attorney] would not discuss what his client was storing on the encrypted program but said Scarfo was using software known as PGP. 'It stands for Pretty Good Privacy,' the lawyer said with a chuckle." That chuckle might raise the hackles of your average cypherpunk, but you have to admit he's right.

News Reports:

Philly Inquirer: Scarfo case could test cyber-spying tactic

Wired: FBI Hacks Alleged Mobster

The Register: Mafia trial to test FBI spying tactics

USA Today: Computer data key to racketeer case

Slashdot: FBI Bugs Keyboard of PGP-Using Alleged Mafioso

The FBI application to the court: Sealed Application

The resulting court order: Order

The author's PGP attack paper: A Chosen Ciphertext Attack against Several E-Mail Encryption Protocols