hushmail OpenPGP encryption

habilis

Ministry of Re-Education
In my business I need to keep things very private. I also think that the new initiative by George Bush to spy on us without a court order is disturbing. I need to make sure my email, which would be web-based through hushmail via Safari, would be totally unreadable by any external sources/hackers.

In the general questions area in hushmail there is the question posed:

What if my message is court subpoenaed?
Answer: Hushmail, like any company or individual, is legally bound to respond to court-issued subpoenas. However, because not even Hush can access the encryption keys of individual users, in the case of a subpoena Hush would only be able to provide the encrypted (coded) version of the transmitted email

So what I'm asking is if a government agency did indeed obtain a court order to read my email, would they be able to read my email or only see the code and not be able to decrypt it? Or could they decrypt it easily or at all?

Thanks.
 
hushmail uses AES encryption, which is pretty secure (as opposed to RSA, which is inherently insecure). While no encryption algorithm is completely unbreakable, it would, on average, take an inordinate amount of time to "break" it.

My guess is that your mail is pretty secure. The part you quoted there says that hushmail would only be able to provide the ciphertext, not the plaintext of your email. All they'd see is the encrypted message.

I don't know if the courts would be able to force you to give up your private key, which would aid in decrypting the message... I would assume they could.
 
All public keys off the net have been broken, or the source key has been given, long before or quickly after they are released. Most every major world government has laws that prevent its citizens from hiding that information. A law was passed, before the net ever was released (at least in the US), that basically said no crypto will be released without the source codes (in the US at least) given to No Such Agency. It has always been like that and most likely will always be like that. Most every civilized nation on earth has similar laws. So if (as a US citizen) they need a court order or show a court after that they had an extraordinary situation and would have to prove to the courts after the fact. This has not changed. The gray area comes when so do overseas communications to a non-US citizen. The jury is now out on that fact now so stay tuned.

Other well known governments are far more quick to intercept, without any courts' involvement. You would be very surprised to learn that since the rise of the European Union a lot of national laws are trumped in these kinds of areas.
 
What do you mean by "all public keys off the net"?

Of course the source code to just about every known encryption algorithm (DES, AES, RSA, etc.) is known. You can look it up and write your own code for any of the known cryptographical algorithms. But having the source code doesn't help all that much when trying to crack an encrypted message -- it's the strength of the private keys (meaning, how "secret" one keeps their private key) that is the true test, as long as the algorithm is secure. It will keep most, if not all, prying eyes off your data.

AES has not been "broken" yet, and by "broken" I mean anything faster than an exhaustive, brute-force attack, which would break ANYthing. Apple's own FileVault uses AES, I believe.

Americans are free to encrypt anything they like within the United States, and as long as it doesn't violate any inter-continental laws.
 
ElDiabloConCaca said:
What do you mean by "all public keys off the net"?

I was tired when writing that. What I meant was that any encryption anyone could download or buy from the internet (keys released to the public) is all subject to having to be given to the government. That was the compromise that allowed encryption to be sold, by law.

ElDiabloConCaca said:
AES has not been "broken" yet, and by "broken" I mean anything faster than an exhaustive, brute-force attack, which would break ANYthing. Apple's own FileVault uses AES, I believe.

I meant it when I said EVERY key available on the internet has been broken or the codes were given to the government.

End transmission.
 
So Satcomer, you're saying the government does indeed have the key to decrypt my message if they wanted? I don't know jackshit about PGP and keys so how do you know this for sure?
 
There is no "universal" key to each algorithm. A "key" is simply a number -- in which case, EVERYone has your key, since everyone can count (or at least I hope so!).

Which number your key is, out of 2^(key size - 1), is the question.

I meant it when I said EVERY key available on the internet has been broken or the codes were given to the government.
I have no idea what this means... how can you "give" a number to the government? For example, in a public-private key encryption algorithm, you need two numbers: a public number, which people can use to encrypt a message to you, and a private number (which you keep) that decrypts any message sent to you. How can the government have that number if it's secret? I don't quite understand what you're saying... can you elaborate?

Encryption isn't sold... you can write a 3-line Perl program that implements RSA encryption for free with a little Googling. That doesn't mean that the government has some sort of "universal" key that will unlock any RSA encrypted text, though. You need two prime numbers to start, then you also have a public key and a private key. To say that the government already has these numbers is just false, because they come out of your head, and anyone who doesn't know the numbers will have to go through, on average, 2^(key size/2) numbers to find your number.

The government doesn't have "your" number to decrypt your messages. In the United States, you can freely encrypt anything you want without having to give jack shizzle to the government -- you don't need to give them your keys nor any methods to decrypt what you've encrypted.
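
The public-number/private-number scheme discussed in the post above, as an added example (not part of the original thread and not Hushmail's code): textbook RSA with constructed toy-sized primes and no padding, showing that a party holding only the ciphertext and the public key has to factor n before it can decrypt. All function and variable names are illustrative.

```python
# Added illustration: textbook RSA, toy-sized constructed primes, no padding.
# Real OpenPGP keys use far larger primes; do not use this to protect data.
from math import gcd

def make_keypair(p, q, e=65537):
    """Derive the public and private numbers from two secret primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    d = pow(e, -1, phi)  # private exponent: e*d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)

def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)

def decrypt(private, c):
    n, d = private
    return pow(c, d, n)

def private_from_public(public):
    """What a party without p and q has to do: factor n (trial division here)."""
    n, e = public
    f, steps = 3, 0
    while n % f:
        f += 2
        steps += 1
    p, q = f, n // f
    return (n, pow(e, -1, (p - 1) * (q - 1))), steps

# Constructed sample: the 10,000th and 100,000th primes stand in for secrets.
P, Q = 104729, 1299709
PUBLIC, PRIVATE = make_keypair(P, Q)
MESSAGE = int.from_bytes(b"hush", "big")
CIPHERTEXT = encrypt(PUBLIC, MESSAGE)  # all a mail server would hold

if __name__ == "__main__":
    print("ciphertext:", CIPHERTEXT)
    print("decrypted :", decrypt(PRIVATE, CIPHERTEXT).to_bytes(4, "big"))
    recovered, steps = private_from_public(PUBLIC)
    print("factoring a", PUBLIC[0].bit_length(), "bit n took", steps, "steps")
```

The trial-division loop runs in time proportional to the smaller prime, which is why real keys use primes hundreds of digits long.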
 
habilis said:
So Satcomer, you're saying the government does indeed have the key to decrypt my message if they wanted? I don't know jackshit about PGP and keys so how do you know this for sure?

I am sure because of what I do. Plus the laws are on the books from the early 90's. I can't remember the name of the law, but it was in all the newscasts at the time when PGP first came online. There was a court battle but I forgot what year it happened.
 