Friday, January 25, 2008

Aggressively encrypt

Google Gmail (and others) who provide hosted e-mail may protect their users' privacy by structuring their back-end to keep things encrypted as much as possible. In the event of a subpoena or accidental security breach (but this won't stop security breaches by determined insiders) the plain text messages are simply not available.

The hosted e-mail provider maintains the user's public key (public enough for its own use; it need not be broadcast any further, though there is no danger in it), an encrypted version of the private key, messages encrypted with the public key, and an index also encrypted with the public key.

The user logs in and provides the password which is the key to the encryption (the key to an encrypted private key). The architecture (engineering challenge!) is that the plaintext key hangs around as little as possible on the servers, of course, never hitting disk, and possibly re-querying the user's brower (via cookies?) whenever the key is needed. The server in fact only gives encrypted messages to the browser, which are decrypted *by the browser* (javascript!?) to read the message.

Whenever a new message comes in (this part is unfortunately unencrypted), the server performs any actions required by the filters, then immediately encrypts with the user's public key and forgets the plaintext. At this point, the server has lost all ability to see the message until the user logs in again.

For messages between Gmail accounts (or a cabal of e-mail providers who share public keys of users), one can even avoid the initially unencrypted incoming message: let it be encrypted from end to end by the browser of the sender to the browser of the recipient.

When the user logs in to provide a password to the private key, the hosting company uses the power of ten thousand servers to rapidly decrypt and incorporate all the new mail into the mail index. (The mail index was similarly public-key encrypted like the messages.) It then again forgets the private key.

This may or may not be enough rope to allow for AdWords along side messages, but certainly a way of implementing it can be worked out while still maintaining as much encryption as possible.

No comments :