Automatic encryption of stored messages

Mikhail T. mi+thun at aldan.algebra.com
Wed Apr 28 17:14:09 EDT 2010


28.04.2010 15:25, cyrus-sasl-request at lists.andrew.cmu.edu wrote:
> This is another problem, but server can't encrypt messages because it
> should have access to symmetric or asymmetric keys saved on the
> server. Then you are back to the problem, the hacker may access the key
> and decrypt messages (this chicken and egg problem).
>    
My proposal addresses this problem. I fear you have not read it -- 
despite two opportunities already -- before rushing to the reply-button. 
Allow me to afford you one more explanation.

The new messages arriving at the server will remain unencrypted -- no 
worse off than they are now -- until the user logs in (and provides the 
key).

Again. Under my proposal, the server does have the key to a user's 
messages, but /only while the user is logged in/. _Older messages of 
disconnected users are not readable even to the server's root_.

My proposal does not solve the problem completely, but it does reduce 
the damage. This is useful.
>> >  The proposed method uses each user's own password to encrypt their mails --
>> >  only the mailboxes of the currently-connected users would be exposed to a
>> >  hacker (or coercer).
> If the hacker owned the server he can
> - use "tcpdump -s 0 -A | grep --line-buffered -e LOGIN -e USER -e
> PASS" to get password in next user authentication.
> - read TLS private key file and look at traffic with tcpdump.
> - read TLS private key from memory.
> - switch imapd daemon to a version that saves user/password to a file.
>    
This would only give the hacker the ability to access e-mails of people 
currently connecting to the server, while the exploit is ongoing. My 
plan -- for the third time -- aims to protect mailboxes of those not 
currently connected. I believe this could be valuable in a substantial 
number of installs.
> Server shouldn't encrypt data. Root can do anything.
>    
Both statements are wrong (as all generalizations)... I demonstrate how 
the server can do encryption usefully -- so that even root cannot 
decrypt it, until the user logs in to check their e-mail.

If a break-in happens while I'm on vacation, my old e-mails weren't 
exposed. That's as useful as being able to lock my house while I'm 
away, even if I have to open it up upon returning...
> Server shouldn't encrypt data.
>    
You are now contradicting your own earlier advice (to use encrypted 
filesystem)!

I must say this explicitly, Reinaldo, that you are coming off as an 
annoyed, impolite, and discourteous individual and this is my last 
e-mail to you, unless your response shows better manners. I don't want 
to emulate your tone /again/...

This need not be -- and is not -- about anybody's ego, you know...

Yours,

    -mi
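
The lifecycle described in this message, as an added Python example that is not part of the original post or of any Cyrus code: mail is stored in plaintext on delivery, encrypted at login with a key derived from the user's password, and unreadable to the server after logout. Assumptions of this example: PBKDF2 as the key derivation, an HMAC-SHA256 keystream with encrypt-then-MAC standing in for a real AEAD cipher, authentication handled elsewhere, and the hypothetical names `Mailbox`, `seal` and `unseal`.

```python
import hashlib, hmac, os

def derive_key(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 is this example's choice; the post names no KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode (stdlib has no AEAD).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, msg: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong password or corrupted message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Mailbox:  # hypothetical name; models one user's stored mail
    def __init__(self):
        self.salt = os.urandom(16)
        self.stored = []   # (is_encrypted, bytes): what root sees on disk
        self.key = None    # held in memory only while the user is logged in

    def deliver(self, msg: bytes):
        self.stored.append((False, msg))  # no key at delivery time: plaintext

    def login(self, password: str):
        key = derive_key(password, self.salt)
        old = [unseal(key, b) for enc, b in self.stored if enc]  # raises on wrong key
        new = [b for enc, b in self.stored if not enc]
        kept = [item for item in self.stored if item[0]]
        self.stored = kept + [(True, seal(key, m)) for m in new]
        self.key = key
        return old + new

    def logout(self):
        self.key = None  # after this, stored mail is opaque to the server too

    def readable_without_key(self):
        return [b for enc, b in self.stored if not enc]
```

`readable_without_key()` is the exposure of a disconnected user's mailbox: only mail delivered since their last login.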



More information about the Cyrus-sasl mailing list