
List:       cryptography
Subject:    Re: HushMail: free Web-based email with bulletproof encryption
From:       "Arnold G. Reinhold" <reinhold () world ! std ! com>
Date:       1999-05-20 19:55:25

At 9:11 PM -0400 5/19/99, Keith Dawson wrote:
>    Hush Communications has quietly begun beta testing a significant
>    development in email privacy. HushMail [1] works like Hotmail or
>    Rocketmail -- you can set up multiple free accounts and access them
>    from any Web browser anywhere -- but when you email another HushMail
>    user your communication is protected by unbreakable encryption. ...

Reading the "high level technical description of HushMail account creation
and usage" at https://www.hushmail.com/tech_description.htm I saw no
indication that salt is added to the passphrase prior to generating the key
used to protect the user's private key.  If true, that is a serious
security flaw, facilitating dictionary attacks and the opportunity to
crack multiple keys at once.

Lack of salt is also an easy omission to fix -- without affecting existing
users. A flag or zero salt in their database would indicate a key generated
with the existing code, i.e. no salt. As long as there are only a few
salt-free users, the above attacks are not worthwhile.

Kudos if they are using salt, but that is a detail worth mentioning in
their tech description page (they get points in my book for just having
one).

While they are at it, some key stretching would help, perhaps just running
SHA several times as they do for creating session keys (where the value of
doing so is doubtful).

I am not sure I understand: "8a. Only half of the hash value is sent, which
reduces any potential ability for those with physical access to the
HushMail server data to mount a high-speed brute force attack on the
encrypted private key." If an attacker has half of the hashed passphrase,
that is all he needs to mount a search attack on the passphrase. Once he
has the passphrase, the jig is up.

>    You need to come up with a secure pass-phrase, and in this process
>    HushMail gives only minimal guidance. You might want to visit Arnold
>    Reinhold's Diceware page [4], where he lays out a foolproof pass-
>    phrase protocol utilizing a pair of dice.
>

Thanks for the plug. Their advice is indeed pitiful and I suspect most
users, in the middle of the setup process, won't even bother to look at what
they wrote. They will just use the same strategy they employ for login
passwords and end up with little or no security. A suggestion that users
pick a passphrase before starting the process would be helpful, maybe as a
step on the New Account screen.

It would be much better if HushMail offered to pick a passphrase for the
user at key generation time. HushMail would be welcome to use one of my word
lists.

>   ...Unfortunately, HushMail
>    does not work on Macintoshes, due to limitations in Apple's Java
>    implementation. (Mac users can crawl HushMail under Connectix
>    Virtual PC. Note that I don't say "run." I've tried this
>    interpretation-under-emulation and do not recommend it.) The company
>    is trying urgently to connect with the right people at Apple to get
>    this situation remedied.

I am curious what this limitation is that they could not work around.
...
>
>    [1] https://www.hushmail.com/
>    [2] https://www.hushmail.com/faq.htm
>    [3] https://www.hushmail.com/tech_description.htm
>    [4] http://world.std.com/~reinhold/diceware.html
>

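The two points Reinhold raises above, that an unsalted passphrase hash lets one dictionary pass crack every user who chose the same passphrase, and that half of a passphrase hash is still enough to search the passphrase, are illustrated below in an added example. This is not Reinhold's code and not HushMail's: the legacy "SHA-1 of the passphrase, no salt" construction, the use of PBKDF2-HMAC-SHA256 as the salted and stretched replacement, the empty-salt flag that marks a record created by the old code, the user accounts, and the attacker's dictionary are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): two users share a weak passphrase,
# one used a Diceware-style multi-word passphrase.
USERS = {
    "alice": "correct horse",
    "bob": "letmein",
    "carol": "letmein",
}

# Constructed attacker dictionary; deliberately does not contain alice's passphrase.
DICTIONARY = ["password", "letmein", "hushmail", "qwerty", "123456"]


def unsalted_key(passphrase):
    """Assumed legacy scheme: key = SHA-1(passphrase), no salt, no stretching."""
    return hashlib.sha1(passphrase.encode()).digest()


def salted_key(passphrase, salt, iterations=100_000):
    """Salted and stretched replacement (assumption): PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)


def derive_for_user(passphrase, salt, iterations=100_000):
    """Migration rule from the message: an empty salt flags a record made by the
    legacy code, so existing users keep working until they re-key."""
    if not salt:
        return unsalted_key(passphrase)
    return salted_key(passphrase, salt, iterations)


def build_store(users, salted, iterations=100_000):
    """Server-side table of user -> (salt, key). salt is b"" for legacy records."""
    store = {}
    for user, passphrase in users.items():
        salt = os.urandom(16) if salted else b""
        store[user] = (salt, derive_for_user(passphrase, salt, iterations))
    return store


def crack_unsalted(store, dictionary):
    """Without salt one hash per guess is compared against every user at once.
    Returns (cracked users, number of hash computations)."""
    table = {unsalted_key(guess): guess for guess in dictionary}
    found = {u: table[key] for u, (salt, key) in store.items() if not salt and key in table}
    return found, len(dictionary)


def crack_salted(store, dictionary, iterations=100_000):
    """With a per-user salt each (user, guess) pair costs a full derivation,
    and the iteration count multiplies that cost again."""
    found = {}
    derivations = 0
    for user, (salt, key) in store.items():
        for guess in dictionary:
            derivations += 1
            if hmac.compare_digest(salted_key(guess, salt, iterations), key):
                found[user] = guess
                break
    return found, derivations


def half_hash_login_token(passphrase):
    """Assumed reading of HushMail's step 8a: only half of the hash leaves the client."""
    digest = hashlib.sha1(passphrase.encode()).digest()
    return digest[: len(digest) // 2]


def crack_from_half_hash(token, dictionary):
    """Half the hash is still a 10-byte verifier for the passphrase: the attacker
    hashes each guess, truncates, and compares. Truncation saves him nothing."""
    for guess in dictionary:
        if hmac.compare_digest(half_hash_login_token(guess), token):
            return guess
    return None


if __name__ == "__main__":
    legacy = build_store(USERS, salted=False)
    print("unsalted:", crack_unsalted(legacy, DICTIONARY))
    fixed = build_store(USERS, salted=True, iterations=10_000)
    print("salted+stretched:", crack_salted(fixed, DICTIONARY, 10_000))
    print("from half hash:", crack_from_half_hash(half_hash_login_token("letmein"), DICTIONARY))
```

Run as-is to compare the work factors: the unsalted table cracks bob and carol with one pass over the dictionary, the salted store needs a separate run of PBKDF2 per user per guess (and alice's multi-word passphrase is never found either way because it is not in the dictionary), and the half-hash search recovers "letmein" from the truncated token alone.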