

Protecting E-Mail from Eavesdropping - qubitsam
https://www.schneier.com/blog/archives/2013/07/protecting_e-ma.html

======
raintrees
This is probably quite obvious, but I do not yet see it stated here:

Another response I take from what Mr. Schneier didn't say is that the more of
our normal data we encrypt, the sooner we again have the "drinking from the
fire hose" situation he referred to.

If we can make more and more of our apps use encryption by default without any
steps needed by the end-user, we can work towards overwhelming the "save all
encrypted data streams" scenario described.

------
sjmulder
> We've known how to send cryptographically secure e-mail since the early
> 1990s.

Can we even trust encryption? How can we know that the NSA haven’t found
weaknesses in common encryption algorithms? They have some of this field’s
best people in the world on this.

~~~
jgrahamc
You can't know that. You can even worry about the fact that James Bamford
wrote in Wired in 2012 [1]:

"According to another top official also involved with the program, the NSA
made an enormous breakthrough several years ago in its ability to
cryptanalyze, or break, unfathomably complex encryption systems employed by
not only governments around the world but also many average computer users in
the US."

What do many average computer users use? TLS is my guess. So, perhaps they've
found a way to get into RC4, or made an advance in factoring. And the history
of cryptanalysis says that they are likely years and years ahead of what's
known outside. So, what can you do?

Well, you can read the ECRYPT II report [2] and see for yourself what Europe's
cryptographers think about the security of various algorithms and what key
lengths they recommend.

For example, the report recommends that an asymmetric key of 3,248 bits should
be secure to 2040 (they recommend a symmetric key of 128 bits for the same
period). So, the subtext is that a 2,048 bit RSA key is going to be breakable
soon by a powerful adversary.

The report says, for example of RSA OAEP: "If used, we recommend at least
|N|>1024 for legacy systems and |N|>2432 for new systems."

My brief summary is that I'm happiest with RSA keys of 4,096 bits or above and
with symmetric keys of 256 bits.

[1] [http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/](http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/)

[2] [http://www.ecrypt.eu.org/](http://www.ecrypt.eu.org/)

PS I'd be curious to know what key length Snowden used for the GPG key he
apparently used when communicating with Greenwald.

~~~
damarquis
Anonymous sources might be supplying real information but they could also be
trying to manage beliefs.

Undoubtedly the NSA is ahead of everyone else in cryptanalysis but I think it
is also advantageous for the NSA to have foreign governments think the NSA has
a bigger lead than they actually do. This belief would cause foreign
governments to use larger key sizes, and so drive up their costs, or switch to
less well tested encryption methods that the NSA might be able to break.

~~~
jlgaddis
> ... but I think it is also advantageous for the NSA to have foreign
> governments think the NSA has a bigger lead than they actually do.

I would think it is more advantageous for the NSA to have others believe that
it has _less_ capabilities than they actually do.

The NSA is well known for its disinformation campaigns. Why wouldn't they try
to make others (governments, end users, etc.) believe that they _don't_ have
the ability to break various key sizes?

This could provide a false sense of security to others and cause them to
believe that, for example, a 2048-bit PGP key is more than sufficient when, in
fact, it isn't.

~~~
damarquis
I'm not arguing that there aren't situations where spreading the belief
that their capabilities are less than actual would be a good thing. If the
goal is to break a specific subset of all encrypted messages then this is
exactly what they would want.

But there are also situations where they would want the opposite. For example,
suppose the NSA has no advantage in breaking RSA over public knowledge, but
can easily break NTRU and their goal is to read as many encrypted messages as
possible. Then if they can get everyone to believe they can break RSA but not
any cryptosystem based on lattices then some people will switch to NTRU. Now
it's much cheaper for the NSA to achieve their goal of breaking lots of
encrypted messages since they have a very efficient algorithm for reading NTRU
encryptions.

(This belief could be spread simply by having an "anonymous but very senior"
official talk to Wired about how the US government has made a major step
towards building the first scalable quantum computer)

In short, what they should want the world to believe depends on their
capabilities and goals. Without knowing those anything is possible.

------
malandrew
Is there any way to make email metadata, such as headers, more secure against
eavesdropping?

------
kimlelly
If you also want to have your meta data encrypted (which you have not with
Email):

Just use
[http://retroshare.sourceforge.net/](http://retroshare.sourceforge.net/) for
your entire communication needs (it's not only file sharing!).

EDIT: Ok, maybe I was too naive thinking NSA & Co do not have their people on
HN...

~~~
gjm11
You know, when you spam HN with an endless stream of advertisements for
something and get downvoted, there are simpler explanations available than
that HN is under the thumb of government goons who are out to get you.

~~~
kimlelly
Disinformation campaigns, for example.

~~~
jlgaddis
Or we just get tired of the same spam on every article.

