Sunday, January 2, 2011

WSREP - Widespread Surveillance Resistant Email Protocol

I had an idea while showering today. I was thinking of how hashcash forces would-be spammers to expend considerable computation effort if they want to spam email servers that use hashcash. This imposes a dollars-and-cents barrier on spamming. This got me to thinking about the fact that, even today, the vast majority of email communications are sent in the clear. If the NSA or Mossad or fill-in-the-blank intelligence agency wants to engage in widespread, ECHELON-style surveillance of emails, the fact that they are sent in unmasked text is a great assistance to the would-be eavesdroppers.

Ideally, people might encrypt all communications but it turns out that encryption has a lot of overhead problems. The most significant problem with encryption is key management. If you send me an email and I've lost or misplaced the key, I can't read it. And this brings me to WSREP - Widespread Surveillance-Resistant Email Protocol!

Basically, WSREP is implemented by encrypting emails and sending almost all of the key along with the email. The WSREP email reader then makes repeated, blind guesses at the missing bits of the key until it gets it right and then decrypts the email into plaintext on the client end. The obvious choice of encryption algorithm would be AES, since that is the new "official" encryption standard.

Let's say Alice wants to send Bob an email. She first types it up, then her WSREP-compliant email client prepends a clever check-phrase like "4thamendment4eva", then chooses a random 128-bit key and encrypts the body of Alice's email. It then chops off, say, 20 bits of the key and transmits the email with the 108-bit key to Bob. Bob's WSREP-compliant email client receives the mail and then begins randomly guessing the missing 20 bits until it gets those bits right (as indicated by successfully decrypting the check-phrase). The number of bits which are dropped should be chosen such that this process takes significantly less than a second on an average computer, say, 250ms. After the key has been guessed, the client decrypts the email, removes the cheesy, clever check-phrase and then displays the email to Bob. If SMTP is extensible, you might be able to implement this protocol with zero changes to email servers.
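The exchange described above, as an added Go sketch that is not part of the original post: the sender encrypts the check-phrase plus body and zeroes part of the key, and the recipient searches the withheld bits until the first block decrypts to the check-phrase. The function names `Seal` and `Open`, AES-128 in CTR mode with an all-zero IV, withholding the low-order bits of the key, and guessing sequentially rather than randomly are all assumptions, since the post does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)
const checkPhrase = "4thamendment4eva" // 16 bytes: exactly one AES block

// ctr applies AES-128-CTR with an all-zero IV (assumption: every key is used once).
func ctr(key, in []byte) []byte {
	blk, _ := aes.NewCipher(key) // callers always pass 16 bytes, so this cannot fail
	out := make([]byte, len(in))
	cipher.NewCTR(blk, make([]byte, aes.BlockSize)).XORKeyStream(out, in)
	return out
}

// Seal (sender): encrypt checkPhrase+body, then zero the low `drop` key bits.
func Seal(body []byte, drop uint) (ct, partial []byte, err error) {
	key := make([]byte, 16)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	ct = ctr(key, append([]byte(checkPhrase), body...))
	binary.BigEndian.PutUint32(key[12:], binary.BigEndian.Uint32(key[12:])>>drop<<drop)
	return ct, key, nil
}

// Open (recipient): search the withheld bits until block one is checkPhrase.
func Open(ct, partial []byte, drop uint) (body string, tries uint64, err error) {
	if len(ct) < aes.BlockSize || len(partial) != 16 || drop > 32 {
		return "", 0, fmt.Errorf("malformed WSREP message")
	}
	k := append([]byte(nil), partial...)
	base := binary.BigEndian.Uint32(k[12:]) >> drop << drop
	for g := uint64(0); g < uint64(1)<<drop; g++ {
		binary.BigEndian.PutUint32(k[12:], base|uint32(g))
		if string(ctr(k, ct[:aes.BlockSize])) == checkPhrase {
			return string(ctr(k, ct)[aes.BlockSize:]), g + 1, nil
		}
	}
	return "", uint64(1) << drop, fmt.Errorf("no key reproduces the check-phrase")
}

func main() {
	ct, partial, _ := Seal([]byte("Lunch at noon? (constructed sample)"), 20)
	fmt.Println(Open(ct, partial, 20))
}
```

The `tries` value returned by `Open` is the per-message work that every reader, intended or not, has to repeat.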

Now, let's say you're the NSA and you want to read everyone's email without exception. Granted, WSREP-masked emails are logically equivalent to plaintext since they're being transmitted with almost all of the key. The difference, however, is that the NSA must expend the same computational effort as anybody else to guess the missing bits, even if the NSA has "broken" the encryption algorithm in use. This puts a nice dollars-and-cents limit on the number of emails which the NSA can open and read, all while avoiding the nasty complexities of key management and the other difficulties of traditional encryption.

I thought it was a good idea. Hopefully someone out there who knows something about email clients sees this and agrees.