Thursday, November 08, 2007

2007-11-08 eDiscovery: Hand me the Keys: The Downside to Hosted Encryption Services. Wired reports today that Hushmail, which, ahem, "dominate[s] a unique market niche for highly secure webmail with its innovative, client side encryption engine", bowed to a court order to hand over a client's email encryption keys. Link below.
How, you might inquire, do they obtain access to a *client* private key? In an effort to make the email process seamless, Hushmail offers a thin client and runs the encryption engine on its own servers. As the Wired article succinctly puts it: "...this means that an attacker with access to Hushmail's servers can get at the passphrase and thus all of the messages."
Let's do this as a step-by-step analysis.
1. Hushmail controls its own operating environment.
2. Hushmail controls the servers that provide the encryption service.
3. Hushmail's encryption processing happens on Hushmail's servers, not at the client.
4. Information (including key information) travels between the Hushmail server and the client over an SSL connection, which protects it only in transit.
5. Key information is handed to the Hushmail encryption engine in cleartext on the Hushmail server.
6. Hushmail therefore has access to the private key for some period of time.
7. Hushmail can be compelled by a court to disclose the keys it holds.
Client email not so Hush.
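The seven steps above can be modeled directly. The following is an added example, not code from the original post or from Hushmail: a server object records every value that reaches it after SSL termination, and two send paths are compared, one with the encryption engine on the server (the hosted model in steps 3 to 6) and one with it on the client. The cipher is a constructed toy built from PBKDF2 and an HMAC-SHA256 keystream, used only to show where the key material is present; the passphrase-derived key stands in for the user's private key, and the salt, round count and labels are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed illustration: MailServer records every value that reaches it after
# SSL/TLS termination, which is exactly what a court order against the operator
# (step 7) or an intruder on the server could obtain. The cipher is a toy built
# from PBKDF2 and an HMAC-SHA256 keystream; it is here to show where secrets
# live, not to be used as a production cipher.

SALT = b"constructed-salt"   # assumption: a fixed per-user salt
PBKDF2_ROUNDS = 20_000       # assumption: toy work factor


def derive_key(passphrase: str, salt: bytes = SALT) -> bytes:
    """Stand-in for the user's private key, derived from the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ROUNDS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class MailServer:
    """Everything passed through receive() is what the operator holds post-SSL."""

    def __init__(self):
        self.seen = {}      # label -> value the server could log or be compelled to disclose
        self.mailbox = {}   # what is stored at rest

    def receive(self, label: str, value):
        self.seen[label] = value
        return value


def server_side_send(server: MailServer, passphrase: str, message: bytes) -> None:
    """Hosted engine (steps 3-6): passphrase and plaintext cross SSL in cleartext,
    and the key exists on the server for the duration of the operation."""
    pw = server.receive("passphrase", passphrase)
    pt = server.receive("plaintext", message)
    key = server.receive("private_key", derive_key(pw))
    server.mailbox["msg"] = encrypt(key, pt)


def client_side_send(server: MailServer, passphrase: str, message: bytes) -> None:
    """Client-side engine: derive and encrypt locally; only ciphertext crosses SSL."""
    key = derive_key(passphrase)          # never leaves the client
    server.mailbox["msg"] = server.receive("ciphertext", encrypt(key, message))


def compelled_disclosure(server: MailServer):
    """What a court order against the operator can yield: the plaintext if any
    key material was ever present on the server, otherwise None."""
    key = server.seen.get("private_key")
    if key is None and "passphrase" in server.seen:
        key = derive_key(server.seen["passphrase"])
    if key is None:
        return None
    return decrypt(key, server.mailbox["msg"])


if __name__ == "__main__":
    hosted, local = MailServer(), MailServer()
    server_side_send(hosted, "correct horse", b"the merger closes Friday")
    client_side_send(local, "correct horse", b"the merger closes Friday")
    print("hosted engine, operator can hand over:", compelled_disclosure(hosted))
    print("client-side engine, operator can hand over:", compelled_disclosure(local))
    print("server saw:", sorted(hosted.seen), "vs", sorted(local.seen))
```

The difference is not the cipher or the SSL tunnel; both paths use the same cipher and the same tunnel. It is only where the passphrase is turned into a key. In the hosted path the server's `seen` dictionary contains the passphrase, the plaintext and the key, so a subpoena reaches all of them; in the client-side path it contains only ciphertext, and the operator has nothing useful to hand over.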
Third-party custody of your encryption key, while a nifty idea for redundancy and protection against data loss (that is, the risk of being unable to decrypt), might place that third party in a rather difficult position. Perhaps creating and enforcing a policy under which private keys used for certain information are never sent in cleartext to a third party might be a good idea. Ya think?
In any event, creating, and auditably adhering to, a document retention policy that covers third-party key custodian activities (and the keys they hold) may be worth a thought.

The link from Wired: