[go: up one dir, main page]
|
|
Log in / Subscribe / Register

DeadDrop and Strongbox

By Nathan Willis
May 22, 2013

In mid-May, US news magazine The New Yorker unveiled Strongbox, a service that lets whistleblowers and other potential news sources contact its reporters securely and anonymously. The security model is ambitious; it is reachable only on Tor, hides source identities (while preserving continuity across repeat visits), encrypts messages and uploaded files, and allows a monitoring station to watch for possible security breaches. It is also open source, and is the work of the late programmer and activist Aaron Swartz.

Wired's Kevin Poulsen wrote about the system's origin in a blog post timed to coincide with the debut of the service. The goal, he explained, was to create a modern system through which journalists could safely communicate with anonymous sources, since the old methods had not kept up with the pace of technology—including both legal access methods and "outright hacking". Poulsen had met Swartz in 2006 when Condé Nast (parent company to both Wired and The New Yorker) purchased news site Reddit (where Swartz worked). Poulsen asked Swartz to build the secure communications gateway in 2011, after seeing Swartz's work on Tor2Web.

The security model designed by the two incorporated several stringent requirements, such as ensuring that it was impossible for the news organization to know the origin of files or messages (thus it could not be compelled to disclose that origin), but it should also be able to run on servers at the news organization's offices (to reduce the likelihood of tampering). Swartz insisted that the project should be released as open source software, and they settled on the name DeadDrop. Outside security researchers audited the architecture of the system as well as the code. By December 2012, DeadDrop was reasonably stable and a launch was planned. But those plans came to a sudden halt with Swartz's suicide in January 2013.

Strongbox debuts

In the subsequent months, Poulsen consulted with Swartz's friends and family before eventually deciding to proceed with the launch, which finally happened on May 15. The public front-end of the service runs as a "hidden service" on Tor, accessible only through a .onion pseudo-domain. The front end itself is almost deceptively simple; when a user (the would-be whistleblower or source) logs in for the first time, the system creates a unique code name composed of four English words. In the future, the same user can visit the service from any location and log on again using the four-word code (hopefully without writing it down). When logged in, the user can type a message into a web form and optionally attach files to upload. Journalists can leave secure messages for the user in reply, which the user is encouraged to delete after reading.

Obviously the system cannot provide absolute security; among other things, if the user discloses personally identifiable information in his or her messages, the anonymity is gone. If the user writes down the unique code word identifier, someone else could copy it and spoof the user's identity. But if the instructions are followed correctly, the framework does offer a fairly strong guarantee of anonymity and protection against eavesdropping—certainly a far better offer than PGP encryption or a TLS-protected web form do alone. Instructions and a privacy pledge are posted on the Strongbox home page; hopefully anyone concerned enough about security and anonymity to use the system will take the time needed to learn how to use it correctly.

Drop it

The Strongbox site does not go into much detail about how the system works, but there is a good deal more to examine on the DeadDrop project site at GitHub. The threat model document provides an overview of the system from the outside source's perspective as well as the journalist and administrator's. The same application server provides the front end seen by sources over Tor (which we have already described) and the front end seen by journalists inside the news organization on its internal network. The other two pieces of the puzzle are the "secure viewing station" (SVS) where journalists decrypt and read messages and the auditing system.

But security starts on the application server. The four-word code name generated randomly for the source is never stored in the clear, but it is used. The SHA256 hash of the code name is stored on the server as the directory name for the user. Every message sent by the source includes the code name in the POST request, and the application checks its hash against the stored hash to authorize the request. The application also creates a GPG v2 key pair for each new user, and uses the code name as the secret key passphrase (which, again, is not stored in the clear). Replies from the journalist are encrypted with the public key from this pair, so that only the intended source can decrypt them, but the decryption happens automatically using the code name in the HTTP request, so the source is not required to store or memorize a separate passphrase.

Every message or file uploaded by a source is also encrypted, but with a different key pair, for which the application server only stores the public key. The journalist interface to the application is only available through a VPN requiring two-factor authentication. The application uses private SSL certificates distributed to the journalists' computers, with the certificates and revocation lists generated offline. When a journalist logs in to the system, he or she is presented with a list of new messages, and must download them in encrypted form and take them to a separate machine (the SVS) to read. The SVS is intended to be a diskless workstation booted from a live CD and not attached to the network. The private key for the application is stored on the SVS live CD, so the journalist can read messages and files. As an additional measure of security, the application presents a different set of code names in the journalist interface, so that the source's code name and hash are not known.

Finally, the application server and the SVS are kept on the news organization's premises, under lock and key and monitored for unauthorized access. The application server has a hardware entropy source attached to generate strong cryptographic keys, and journalists are instructed to re-encrypt any files they take from the SVS to their personal workstations (using yet another GPG key pair). There is a separate machine running the OSSEC intrusion detection system and logging events from Tor, AppArmor, the firewall, and grsecurity. Just as the system provides guidance to sources using the service (including potentially unfamiliar pieces like Tor hidden services), there is a set of guidelines for security on the journalists' side of the system: GPG key type and key length, VPN settings, and browser certificates. There is an installation guide that walks the reader through the entire process, starting with installing the operating system with full-disk encryption.

Follow the money code

How much will Strongbox or any other DeadDrop installation ever get used? Those of us on the outside may never know for sure. Despite the best efforts of the designers to make DeadDrop easy-to-use, it should be clear to anyone who reads the threat model that balancing high security and ease-of-use remains a tall order. There are some very nice features in DeadDrop. The code name feature is quite clever; it allows both source and journalist to reliably feel confident that the same person is accessing any particular user account, but by using separate code names for the source and journalist front-ends, anonymity is preserved. Using the source's code name as both the POST authentication method and the GPG passphrase is a compromise, but it also reduces the burden of complexity placed on the source—who, in the real world, may already be taking on an enormous risk by talking to a reporter.

The downside is that some of DeadDrop's security stems from parameters that are hard or impossible for small organizations to implement, such as the constantly-guarded SVS and on-premises application server. Those features mandate dedicating a facility in a brick-and-mortar location (and ideally one that is distinct from the rest of the organization's network infrastructure). But physical security is a vital part of maintaining the overall integrity of the system; without it, someone could copy information from the server, install a keylogging device, or attempt any number of other attacks.

It is interesting to compare the design of DeadDrop to similar whistleblowing applications, like GlobaLeaks (which is arguably the best known). GlobaLeaks also allows sources to submit information to a news organization (or to any other entity running the service, of course), including a Tor hidden service front end. But GlobaLeaks does not implement the persistent identity across repeat visits feature (although it does allow a whistleblower to return to a specific "tip" by saving or remembering a ten-digit "receipt" string). GlobaLeaks also does not offer end-to-end encryption of uploaded messages and files, nor does it utilize DeadDrop's rather complex offline SVS scheme to ensure that communications are not monitored or intercepted.

Of course, to some budding journalists and whistleblowers, GlobaLeaks' lack of complexity may well be a plus. DeadDrop's architecture is set up to protect against a wider assortment of attacks, but along with the usual administrative overhead, a more complex system brings with it the increased chances of human error. That is almost always the case with security; the better password is harder to remember, the safer authentication method is easier to mess up—and in either case, the temptation to write down a secret for fear of forgetting it is an obstacle to which there is no technological solution. Then again, Whistleblowing fundamentally requires some leaps of faith; a source must trust the news organization to begin with or DeadDrop would not make them do so. But DeadDrop remains a valuable object for those interested in developing secure communication systems, regardless of whether or not their plans involve contacting The New Yorker.

Index entries for this article
SecurityAnonymity
SecurityInternet/Tor

to post comments

Timely!

Posted May 23, 2013 2:24 UTC (Thu) by jmorris42 (guest, #2203) [Link] (7 responses)

Wondering how you guys could post this and fail to note how timely it is. Had it went live on schedule nobody would have noticed, but the delay just happened to cause it to hit the news at exactly the time when multiple assaults on media outfits trying to catch whistleblowers also hit the papers.

We probably always needed something like this, but few would have actually used it. Especially back in the days of Bush, the Patriot Act and whining about the evil government coming after your library records... lots of talk but nobody actually believed it would happen. Well now it happened and lookie who it was that went and done invoked the Espionage more in four years than in the decades it was on the books before.

Timely!

Posted May 23, 2013 7:04 UTC (Thu) by micka (subscriber, #38720) [Link] (6 responses)

You seem to talk about precise events that are occuring now.
I might not be be in the same part of the world than you (US ?) so I'm not aware of these possibly related events.Do you mind giving pointers ?

Timely!

Posted May 23, 2013 8:46 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link] (1 responses)

>Do you mind giving pointers ?
Probably not without a system like the one described in the article.

Timely!

Posted May 23, 2013 9:05 UTC (Thu) by micka (subscriber, #38720) [Link]

Thank you, that was useful, now I understand.

Timely!

Posted May 23, 2013 11:57 UTC (Thu) by sorpigal (subscriber, #36106) [Link] (3 responses)

In the USA it was recently (within the last ~2 weeks or so) reported that the government had been monitoring the business and personal phones of some large number of employees (read: journalists) of a respected news organization. The upshot of this is that if any of these people over a rather long time frame (months, I believe) had called or been called by a confidential source the content of their conversation was recorded.

If I seem vague on details it's because I haven't really followed the story, but I had the same reaction: DeadDrop comes at *just* the right time. Barnum could not have picked a better moment to unveil a mechanism to allow safe communication between journalists and sources that makes a plausible promise to be free of government surveillance.

Timely!

Posted May 23, 2013 12:16 UTC (Thu) by micka (subscriber, #38720) [Link] (2 responses)

Ah I see. We (in France) had similar events. One journalist's phone bill was studied by an "intelligence" agency to find its source (who happened to be from the ministry of justice) in a political affair ( http://en.wikipedia.org/wiki/Bettencourt_affair ). Then that was the judge's phone bill...

Timely!

Posted May 23, 2013 20:20 UTC (Thu) by dlang (guest, #313) [Link] (1 responses)

This wasn't just one Journalist, this was a very large portion (if not the entire staff) of the New York Times, and not just for a short time but for several months.

Timely!

Posted May 25, 2013 21:18 UTC (Sat) by fandingo (guest, #67019) [Link]

s/New York Times/Associated Press/

Password scheme

Posted May 23, 2013 16:06 UTC (Thu) by aaron (guest, #282) [Link] (5 responses)

The source's password scheme is the one described in this XKCD comic.

Did Randall Munroe originate that, or what?

Password scheme

Posted May 23, 2013 16:55 UTC (Thu) by njwhite (guest, #51848) [Link] (4 responses)

Passphrases are always supposed to be like that, I think. The 'diceware' method is a popular way to generate them.

So these sorts of passwords have been around for ages.

Though presumably if you know you're targeting say 4 dictionary words, you can reduce the time to crack enormously (with a general offline dictionary attack, not relevant to dead drop's system.)

Password scheme

Posted May 24, 2013 21:54 UTC (Fri) by diederich (subscriber, #26007) [Link] (3 responses)

Selecting at random four words from the /usr/share/dict/words on my box (which contains 99171 entries) gives you more than 64 bits of entropy. At one billion tries per second, it will take up to 584 years to find the right combo.

You did say 'reduce'; most people select passwords that have less entropy, and are possibly not as easy to remember.

I'm not aware of any system that allows me to remember that many bits of entropy so easily.

Password scheme

Posted Jun 5, 2013 15:44 UTC (Wed) by robbe (guest, #16131) [Link] (2 responses)

> Selecting at random four words from the /usr/share/dict/words on my
> box (which contains 99171 entries) gives you more than 64 bits of
> entropy.
> [...]
> I'm not aware of any system that allows me to remember that many
> bits of entropy so easily.

Assuming we have the same words file (the number of entries match), this contains a lot of hard-to-remember variants. For example every name occurs in there as "Jack" and as "Jack's". It is definitely not the list of simple words used by XKCD 936 (dictonary size 2^11 == 2048).

For the sake of discussion, a script of mine generated this alternatives from the same 64 bits of randomness:

adzes rights Macumba's staleness's
AU's mastoscirrhus seel Bremerton's
Abgangszeugnisse Sollstärke blumigen Synthetik
17244702336126568816
gyskcgtcjfpsbg
cpprKpTOYLaG
uH25bi602OO
dLl%M4Aw.ZI
?bwto5p5Zs
y°USK8Tüöq
g-ßa+j6ög3bv

Decide for yourself if you're better at remembering the spelling of "mastoscirrhus" or "adzes" (or was it "adzes's") or a shorter random jumble of characters.

[an hour later]
I added another wordlist based on Ogden's Basic English containing a bit over 2000 words. Example output:

disgust saucer cool library overall moral

Password scheme

Posted Jun 6, 2013 7:30 UTC (Thu) by micka (subscriber, #38720) [Link] (1 responses)

There are lists created specifically for this usage.
Just take the diceware list or one language spcific one.

Password scheme

Posted Jun 6, 2013 13:07 UTC (Thu) by robbe (guest, #16131) [Link]

The diceware list contains too many obscure entries for my taste. YMMV.

We can agree that /usr/share/dict/words is usually not the best candidate.

DeadDrop and Strongbox

Posted May 24, 2013 10:41 UTC (Fri) by ras (subscriber, #33059) [Link]

So this will be the legacy of Julian Assange. To show the world how it could be done, but perhaps not how not it should be run.

That is enough I think. Well done Julian.

DeadDrop and Strongbox

Posted May 31, 2013 8:01 UTC (Fri) by sourcejedi (guest, #45153) [Link] (1 responses)

"The SHA256 hash of the code name is stored on the server"

Why is this design considered appropriate for a secure system?

Storing un-iterated, unsalted password hashes makes it easier to compromise large numbers of passwords once you've gained access. Every time someone gains access to a system with this design, we read articles criticising it...

DeadDrop and Strongbox

Posted Jun 17, 2013 7:03 UTC (Mon) by mp (subscriber, #5615) [Link]

It appears that what is actually stored is not simply SHA256 of the code name, but HMAC(local_secret, code_name).


Copyright © 2013, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds