Old Fashioned Security

The other day I decided to write one of my very good friends
a letter. Not one of those new-fangled electronic letters - no - but a real
honest-to-goodness pen-and-paper it-costs-real-money-to-send ye-olde-fashioned hand-written
letter.

Given that sending a real letter is something of a special
occasion in this day and age, I like to spend a little extra time and effort
and pick out some nice paper and envelopes for the task (no stealing the
Microsoft corporate logo paper in the mail room!).

So I went to The Paper
Tree at Bellevue Square to
check out some of their fancier fare. Amongst all the wedding invitations and
so on I found some nice paper prints, and there on top of the case was
something I'd never seen before: sealing
wax and little bronze seals! Now of course I've seen people seal letters
the old fashioned way in movies before, but I'd never actually seen the stuff
in real life (who knew people still did that?) and being something of a
security guy I thought it would be cool and somewhat novel to utilise this
technique in my letter.

So along with some nice paper and envelopes, I also picked
up some blue sealing wax (whenever I had heard the term before, I always
assumed it was "ceiling wax" -- ie, something you put on your ceiling!)
and, after asking the sales associate whether I should choose my first or last
initial, a letter "T" seal (no points for guessing what her answer
was...)

After getting home and actually writing the letter, I had to
try and seal it. Hmmm... that could be a problem. Need to practice first so I
don't set it on fire or make a big mess all over the place. I got one of those
useless return envelopes from my bank (I pay my bill online, so who needs
return envelopes?), went over to the stove and turned one of the burners on to
low (by the way, don't tell Rob
about this, okay? Thanks!). After a few mishaps I managed to get the wax at a
point where it was warm enough to smudge onto the envelope and stamp with the
seal, although it's not an easy thing to do. I managed to get the final seal on
the real letter with only two attempts (it's a rather thick seal ;-) ) and
after wrapping it in some more paper and sticking it in a normal envelope (to
protect the seal from being knocked off by the letter-sorting machinery at the
post office) I sent it on its way.

Anyway, the seal has some interesting properties. It has two
main purposes:

• To
  identify the sender of the letter
• To
  deter people from opening the letter

The first property is similar to the way we use digital
signatures today. If Microsoft digitally signs some software, you can check
that signature and know that the software really did come from Microsoft.
Nobody else can sign code with our key (unless of course they steal it or make
a lucky guess), just as nobody could use an Official seal without stealing or
duplicating it.

Additionally, if you know that Official letters are always sealed,
you can be wary of any letters you receive that are not accompanied by a seal
-- most likely, they are forgeries. In the same way, you should expect all
software you download from the internet to have a digital signature, and if it
doesn't you should be wary of it. Unfortunately, this doesn't work in reality
for two reasons:

1) Most
3rd party software is not signed. If you download software from a shareware
site then it is unlikely to be signed, most likely because certificates cost a
lot of money and it's hard to justify one when the product itself is free (or
very cheap)

2) Just
because software is signed, doesn't
mean it is good! A virus writer or
other bad person can obtain a certificate and use it to sign their code just as
easily as Microsoft can. The FriendGreetings
episode proved this.

Remember that the only thing a signature tells you is that the person who signed the content is in
possession of the private key. (Now hopefully that person is the rightful
owner of the private key, but it's possible for keys to be compromised).
Signatures do not mean software is trustworthy or free of viruses or anything
like that. But if you trust the person who signed the code and you believe that
they would not sign malicious code and would take the necessary precautions to
make sure it did not contain viruses or other badness, then the presence of the
signature can help you make a decision about installing or running the code.
But if someone merely claims that
software came from a source you trust but does not provide a signature to back
it up, then you must rely on some other evidence (or just blind faith /
desperate hope) if you decide to execute the code. Certainly you should never
run code that claims to come from Microsoft unless it is signed with our key.
Unfortunately a LOT
of people are installing the W32.Swen
"latest critical patch" virus (which obviously isn't signed by
us) -- I now get upwards of four or five HUNDRED
virus mails a DAY!

The second property of the seal is interesting. It acts as a
deterrent to stop unauthorised people from reading the letter, but it doesn't
stop them. Unlike an encrypted message, which will prevent anyone from reading
the content unless they have the right key to decrypt it, a sealed message can
be read by anyone who breaks the seal. But once the seal is broken, they
presumably cannot reseal it, so anyone else who receives the message will know
its contents has been compromised.

The problem with this as a deterrent is that it only works
if the recipient is expecting a letter. If Alice sends Bob a sealed letter, but Bob is
not expecting it, then Charlie the postman can simply steal the letter, break
the seal, and read the contents. Bob will never know of the compromise, because
he wasn't expecting the letter and will of course never receive it. Obviously
if Alice was expecting a reply, she may become
suspicious after a while when no reply is received (and Charlie can't simply
pretend to be Bob and reply on his behalf, since he doesn't have Bob's seal and
he knows Alice
will be suspicious if she receives an un-sealed reply). But how is Alice to convey this
suspicion to Bob? How is she to let Bob know that he should expect a sealed
letter from her, other than by sending him... another sealed letter? Obviously
the answer is that there has to be some other out-of-band communication --
carrier pigeon, tin-can-and-string telephone, face-to-face meeting, etc -- but
then why not deliver the message itself in this way? Maybe because this alternate
mechanism offers no privacy, but does guarantee delivery. For example, Alice could announce in
the local paper that she is going to send Bob a signed letter. It's not very
private, but it would be hard for him not to get the message. Unfortunately
this has a problem because unless the paper itself requires sealed
communications, it could be someone else who is impersonating Alice that puts the advert in the local
paper... but then you have to trust someone somewhere, and if you can't trust
the local media then who can you trust? :-)

Of course the real problem is that even when the seal does
act as a deterrent (Bob is expecting the sealed letter from Alice, and Charlie knows this) it still
doesn't stop Charlie from reading it if he believes the value from reading the
letter outweighs the risks of being caught having read it. For example, if he
believes the letter contains a hot stock tip and thinks that he can capitalise
on it and move to the Bahamas
before Alice
and Bob find out, there's nothing stopping him doing so. This is why we have
real encryption -- to hide the content of a message from someone.

One thing that plain vanilla encryption doesn't give us, but
that the seal does, is an indication that someone has read the message. If Bob
receives a letter and the seal is broken, he knows someone has read the
contents and he can take appropriate action to have the courier beheaded or
whatever. But if he receives an encrypted message without any kind of seal, he
has no way of knowing if someone else has compromised the decryption key and is
silently decrypting the message before passing it on to him.

Now there are digital equivalents to this -- DRM systems,
for instance, can provide for one-time-only decryption of songs, etc -- but as far
as I know they all require a trusted 3rd party to hold the actual decryption
key, and they're not in as wide a use today as simple encryption and digital
signatures are (S/MIME, PGP, etc).

Anyway, I hope my letter made it to my friend intact! :-).

Random trivia for the
day (night):

I've been using Microsoft Word since 1.1 (when it came with
a limited version of Windows!) and I'm a huge keyboard junkie. I often show
people keyboard shortcuts that have been in the product forever, but may or may
not be well documented. One of the ones I used tonight was the Shift+F3 case
change feature. Select some text, and hit Shift+F3. The text will cycle through
ALL UPPER CASE, Proper Case, and all lower
case. It's a neat trick to save time instead of deleting text and re-typing
it.