[Cryptography] How to build trust in crypto

Ralf Senderek crypto at senderek.ie
Mon Mar 17 14:01:05 EDT 2014


To see what it takes to establish a secure online communication,
it's interesting to look at the way Edward Snowden finally convinced
Glenn Greenwald, the journalist who published the NSA files, to
use crypto.

It took him about six months. [1]

In the beginning Snowden knew he needed a secure channel to Greenwald
but Greenwald's laptop was clear of PGP. In his first contact Snowden
asked for Greenwald's PGP public key several times but without success.
Snowden was then an anonymous contact, an untrusted source, no reason to
go through the pains of installing PGP/GPG, even though Snowden prepared
a video tutorial for him.

Snowden didn't give up; he knew about Greenwald's skills as a journalist
and his courage, and contacted Greenwald's friend Laura Poitras, who had
experienced some pretty bad treatment at border control that made her
a well-experienced user of PGP. This was the context Snowden knew about.

Now Ed had Laura's public key but his encryption key was somewhat
suspicious to Laura, because she could not rely on verified context
information about Ed. The man behind Snowden's public key could as
well be a girl from the NSA trying to entrap her. The working secure
channel was one-way.

Laura, based in Europe, needed to talk to Greenwald, but she had no secure
channel as Greenwald didn't use PGP, so she flew back to the US to meet
him. When both met and looked at the emails their untrusted source
had sent, a picture formed and Snowden began to gain trustworthiness.
The idea of an interview was born, four months after the first frustrating
contact, initiated by Snowden.

Then a parcel arrived at Greenwald's door containing two USB sticks that
eventually enabled Greenwald to boot a pre-fabricated security distribution,
TAILS, to establish a direct, secure channel to Snowden. Using this channel,
Snowden revealed the first PRISM documents to Greenwald, still busy
sharpening his reputation as a trustworthy source to the journalist.

If anything, this may help to understand that building trust is not just
following a protocol, not just having the correct information, but a process
in which crypto plays one (important) role that is by no means independent 
of the context around it.


     --ralf


[1] http://cryptome.org/2014/02/snowden-drop.pdf

