25 October 2001. Thanks to Carl Johnson.
See related files: http://jya.com/cejfiles.htm

-----------------------------------------------------------------

[page 559]

UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF WASHINGTON
AT TACOMA

UNITED STATES OF AMERICA, Plaintiff,
v.
CARL EDWARD JOHNSON, Defendant.

Docket No. CR98-5393RJB

Tacoma, Washington
April 19, 1999
9:35 a.m.

VOLUME 5
TRANSCRIPT OF TRIAL
BEFORE THE HONORABLE ROBERT J. BRYAN
UNITED STATES DISTRICT JUDGE

APPEARANCES:

For the Plaintiff: FLOYD G. SHORT, ROBB LONDON, Assistant United States Attorneys, 3600 Seafirst Fifth Avenue Plaza, 800 Fifth Avenue, Seattle, Washington 98104

For the Defendant: GENE GRANTHAM, 119 First Avenue South, #500, Seattle, Washington 98104

Court Reporter: Julaine V. Ryen, Post Office Box 885, Tacoma, Washington 98401-0885, (253) 593-6591

Proceedings recorded by mechanical stenography, transcript produced by Reporter and Scopist on computer.

INDEX

WITNESSES FOR PLAINTIFF:

STEVEN RUSSELLE
Direct ....................................... 564
Cross ........................................ 578
Cross (By Defendant) ......................... 585
Redirect ..................................... 591
Recross ...................................... 595
Recross (By Defendant) ....................... 598
Redirect ..................................... 602

[page 564]

MR. SHORT: Thank you, Your Honor. The United States calls Steven Russelle.

STEVEN RUSSELLE, PLAINTIFF'S WITNESS, SWORN OR AFFIRMED

DIRECT EXAMINATION

BY MR. SHORT:
Q. Can I ask you first to pull the microphone down. There you go. Could you please state and spell your last name.
A. Russelle, R-u-s-s-e-l-l-e.
Q. And your first name is Steven, is that right?
A. Yes, sir.
Q. You are a detective with the Portland Police Bureau?
A. Correct.
Q. How long have you been with the Portland Police Bureau?
A. Since 1978.
Q. How long have you been a detective?
A. Since '85.
Q.
Do you have some special training in working on computer crime-related cases?
A. Yes, I do.
Q. Could you tell us about that training?
A. Well, I've been to the IACIS training in 1991. I reattended the second half of that two times in Portland on an informal basis. I've been to numerous other seminars and training sessions regarding computer crimes.
Q. Now, when you say, I believe you said IACIS, what is that?
[page 565]
A. International Association of Computer Investigative Specialists.
THE COURT: I assume you're from Portland, Oregon?
THE WITNESS: Yes, sir.
Q. (By Mr. Short) How long -- when did you first undergo such computer crime training?
A. 1991.
Q. And have you continued to receive training and also work on computer crime-related cases since then?
A. Yes, sir, full-time computer crimes for about two-and-a-half years.
Q. And before that?
A. Occasionally.
Q. All right. And do you do also some instruction in computer forensics work in computer investigations?
A. Yes, sir, I do.
Q. Can you tell us about that?
A. I work a second job for a private company that teaches mostly Fortune 100 corporations and U.S. government agencies computer forensic issues.
Q. Has your training and experience also involved cryptology or encryption?
A. Yes, sir, it has.
Q. What, specifically, have you done in that area?
A. Well, specific classes that were designed to deal with that [page 566] include two; one eight-hour session through New Technologies, Incorporated, that dealt solely with encryption. I attended the International Information Hiding Workshop last year in Portland. That was a three-day workshop that dealt specifically with encryption. But almost every computer class, whether it's given or taken, encryption is an issue.
Q. And are you familiar with the encryption software program PGP?
A. Reasonably familiar with it, yes.
Q. How did you become familiar with that program?
A. Well, I've used it. Read their manuals, discussed it endlessly.
Q.
And when you say you've used it, do you mean on a personal level or professional or both?
A. On a personal level.
Q. All right. How did you become interested or involved in using PGP?
A. PGP, several years ago, was the subject of a great deal of debate. It's pretty much the standard for civilian encryption, or it was then, and was the subject of a great deal of controversy years back, so I chose to learn it.
Q. Okay. And use it at a personal level, as well. Do you encounter it as part of doing your computer crime duties?
A. Yes. I've run into it on seized computers before.
Q. Can you tell us the basic outline of what this PGP program [page 567] does?
A. PGP is designed to encrypt data, and it can do that in one of two ways; through a public key system, whereby you hold a private key, or also known as the secret key, and publish a public key. And anyone who knows your public key can send you encrypted messages, and anyone whose public key you know, you can send encrypted messages to.
Q. Now, you mentioned it can do encryption in one of two ways, and you just discussed the public key encryption.
A. Correct.
Q. What's the other type of encryption that PGP software can do?
A. The other method is called conventional encryption, where your message is encrypted using some sort of a passphrase only. Anybody who knows the passphrase can decrypt the message, whether or not they know anything about anyone's public or secret keys.
Q. All right. And PGP, by the way, does that stand for Pretty Good Privacy?
A. That's correct.
Q. And is it also capable of allowing you to create digital signatures?
A. Yes, it is.
Q. Can you explain what a digital signature is?
A. A digital signature works a good deal like the public key [page 568] cryptography I just described. A message is generated, or it's going to be stored, and if you want to sign it, you tell the software that that's your intent.
The software generates an MD5 hash -- I think more recently an SHA hash -- of that message, including a time stamp of the time this operation was done, and it performs a public key crypto operation on the message digest, the MD5 hash I just described.
Q. Let's use an example. Let's say you're going to send an e-mail to somebody that you want to put a digital signature on. When you run through that process, what do you end up with?
A. Well, you can end up with two things. You can end up with an encrypted message that contains a signed message, or you can wind up with a plain text message that anybody could read, that has appended to the bottom of it a digital signature. And anyone with your public key can verify that you're the originator of the signed message.
Q. All right. The public -- the so-called public key, what do you do with the public key if you're going to get involved in sending messages or signing messages using encryption? What do you do with the public key?
A. The public key is distributed to everybody who you intend to send messages to. It enables them to decrypt messages that you have encrypted with this public key encryption scheme.
Q. Does it also allow them to check your digital signatures that you put on there?
[page 569]
A. Yes, it does.
Q. How about the private or secret key? What do you do with that key?
A. You keep that secret. Nobody is to know that.
Q. When you use this digital signature, what does that allow the person who receives the e-mail to do?
A. Well, the idea is that it confirms to them, with some assurance, that you're the originator of the message.
Q. Does it tell you anything else about that message, if you use your public key to check the signature?
A. Well, it can. In later versions of PGP it will tell you the date the message was signed.
Q. Does it tell you anything about the integrity of the message itself?
A. Well, the -- yes, it does.
Because the MD5 hash that's generated when you sign the message is checked when PGP checks the signature, it tells you that the message has not been altered in any way, and that the originator of the message is whoever signed it.
Q. Now, you've mentioned the term MD5 hash. Without being too technical, can you explain what you are referring to there?
A. A hash is a cryptographically secured algorithm. It takes a message of any size and runs it through iterations of this mathematical algorithm to produce a fixed size output. MD5, for instance, will produce a 128 bit output, which is a digest of [page 570] the message. By cryptographically secure, I mean that no two message digest -- well, no two messages are going to produce the same message digest. In other words, if you change one bit of data in the message and run the MD5 on it again, the output is going to be different.
Q. So that's how it assures the integrity or assurance that the message hasn't been altered?
A. Yes.
Q. Now, I want to ask you about some use of PGP that you did in relation to this case. Were you provided with some PGP keys?
A. Yes, I was.
Q. And were you provided with those keys, first of all, from an RCMP corporal named Steve Foster?
A. Yes, he gave me one diskette with some keys on it.
Q. All right. Can I ask you to take a look at Exhibit 21. There are two notebooks to your left there.
THE COURT: I'm sorry, number again?
MR. SHORT: 21.
A. I've got it.
Q. (By Mr. Short) Okay. And have you had an opportunity to compare this with the keys that you received from Steve Foster?
A. Yes. This is a partial printout of the list of keys on that diskette.
Q. Now, let me ask you, there's a number of keys listed here. I want to ask you about the first column on this where it shows [page 571] on each line, or in some cases there are two keys that are kind of overlapping with each other, and in other cases there's a single key. Can you explain what that means?
A. The dual keys indicate there's a key pair present.
In other words, the secret, or the private key, and the public key are in this key ring. Where there's a single key, it generally means you've got the public key for that person.
Q. So if you have a double key then, essentially, this is a key that you have possession of -- you have possession of the secret key?
A. That's right.
Q. Now, did you also receive some PGP keys from John Rabatin of the U.S. Treasury?
A. Yes, I did.
Q. And I would ask you now to take a look at Exhibits 131A and 131B.
A. Okay.
THE COURT: I'm sorry, I lost the number again.
MR. SHORT: 131A and 131B.
Q. (By Mr. Short) Do you have those in front of you?
A. Yes, I do.
Q. Again, I would ask you, did you have an opportunity to compare this with the keys you received from John Rabatin?
A. Yes, these are a partial list of the keys on one of the diskettes he sent me.
[page 572]
Q. Okay. Now, on 131A, we seem to have -- essentially all of the keys that are listed here have dual keys.
A. Right.
Q. So those would all be key pairs where there's a secret -- where the secret key is on this key ring?
A. Correct.
Q. And on 131B, we have all single keys.
A. That's right.
Q. So these would all be public keys that you would have either for yourself or for somebody else?
A. Generally, yeah.
Q. Okay. So am I right, this is essentially just splitting out the list as compared to the prior exhibit we looked at where they were all combined into one list?
A. Correct.
Q. Were you also provided copies of e-mail messages from Mr. John Rabatin?
A. Yes. I got two messages on a diskette.
Q. All right. Let me ask you to look at Exhibit 2A.
[page 573]
Q. Did you take these PGP keys that you had and run PGP on this message?
A. Yes, I did.
Q. All right. Why don't you tell us how you did that, or what you did.
A. PGP decrypts this message and reports that it was conventionally encrypted, and then it prompts for a passphrase to decrypt the message.
Q. And did you have a passphrase to use?
A. Yeah.
This is an e-mail, and in the e-mail header there's an entry that says "PASSWORD: sog."
Q. Okay.
A. So I entered sog as the passphrase and it decrypted the message and produced a signed PGP message.
Q. All right. Did you print out a copy of the decrypted message?
A. Yes, I did.
Q. Okay. Is that Exhibit 2B?
A. Yes, it is.
Q. All right.
MR. SHORT: We will offer Exhibit 2B.
MR. GRANTHAM: No objection.
THE COURT: It may be admitted.
(Exhibit No. 2B was admitted.)
Q. (By Mr. Short) Detective Russelle, may I ask you to look at [page 574] the end of that Exhibit 2B where there's page 4 of 4.
A. Okay.
Q. Do you see the portion where it says "BEGIN PGP SIGNATURE" and "END PGP SIGNATURE"?
A. Yes.
Q. Does that appear to be one of these digital signatures that you testified about?
A. Yes, it is.
Q. Did you check this signature using the PGP program?
A. Yes.
MR. GRANTHAM: Which exhibit, counsel?
MR. SHORT: 2B, page 4.
MR. GRANTHAM: Thank you.
Q. (By Mr. Short) And when you used PGP to check this signature, what was the result?
A. PGP reports that the message was signed by sog InfoWar@dev.null.
Q. Could I ask you to turn back to the list of PGP keys, Exhibit 21, and point out which key you are referring to.
A. 21?
Q. 21.
MR. GRANTHAM: Which exhibit is that on, again?
MR. SHORT: Exhibit 21.
MR. GRANTHAM: Thanks.
A. On the last page, the third page, about two-thirds of the [page 575] way down, there's a key pair from son of gomez InfoWar@dev.null. That's the key that it refers to.
Q. (By Mr. Short) Okay. So this key, son of gomez InfoWar@dev.null was the key that was used to sign that message, Exhibit 2B?
A. Correct.
Q. All right. Did you run the same operation using the keys that you received from John Rabatin, as well?
A. Same results.
Q. Same results?
A. Yes.
Q. Let me ask you now to take a look at another e-mail message. Exhibit 101.
A. Okay.
Q. Is this the other e-mail message you received from John Rabatin?
A. Yes, it is.
Q. Okay.
Again, this is an e-mail that has some PGP content, is that right?
A. Yes. This is a plain text e-mail message that is PGP signed and includes a PGP public key as an attached block.
Q. When you say plain text, I take it you mean it's not encrypted.
A. Correct. It's human readable.
Q. Did you check the signature, then, that's on the end of this [page 576] message?
A. Yes, I did.
Q. All right. And what was the result when you did that?
A. It was a PGP signature that belongs to Toto at an e-mail address in Canada, and I would have to look at the list.
Q. Okay. Before we -- let's refer back to that list in a moment, but before we do that, you also mentioned that at the bottom of this signature block it says "PGP PUBLIC KEY BLOCK."
A. Yes.
Q. Did you check to see what that public key was, as well?
A. That's the public key that I'm referring to. It's Toto in Canada.
Q. Okay. So you used the Toto secret key to make the signature, and then the public key is attached here if someone wants to check it?
A. Correct. So anybody that received the message would have the public key to check the signature with.
Q. All right. Now, if you would, refer to Exhibit 21, the list of the keys.
A. Okay.
Q. Do you see on that list, or can you tell us on that list where the key that was used to sign this message is?
A. Yes. Again, on the last day -- or rather the last page, about three-quarters of the way down, there's a key pair marked Toto with an e-mail address toto -- that's t-o-t-o -- [page 577] @sk.sympatico.ca. It's a 1,024 bit key. That's the key that is attached and verifies the signature.
Q. So that would be the key that has the date of '97, March 16th on that?
A. Yes.
Q. Okay. Again, did you do the same operation using the keys that you had received from John Rabatin?
A. Yes, with the same result.
Q. All right. Did you also check a password -- let me ask you this. You testified earlier about secret keys and how people keep those to themselves.
Are there ways that you use to protect your secret key?
A. Well, PGP has built in a protection for your secret key that prevents you from accessing it -- prevents anyone from accessing it without knowing the passphrase. In other words, when you go to encrypt a message and PGP needs to access the secret key, it says, enter your passphrase. And unless you know the secret passphrase, you don't get access to the secret key and you cannot encrypt a message.
Q. And so, also, you wouldn't be able to sign a message without the passphrase?
A. That's correct.
Q. All right.
A. Further, PGP, and good security practices, would suggest that you not keep your secret key ring on any computer that [page 578] anyone has got access to. You would keep it on a separate diskette or some other medium that you supply to the computer only when you want to encrypt a message.
Q. Okay. Did you check to see the passphrase that operated these two keys that you testified about, the Son of Gomez key and the Toto key?
A. Yes. I was provided a list of possible passphrases and tested them.
Q. Okay. And what was the passphrase that operated to allow you access or give you access to those secret keys?
A. I don't have it in front of me. As I recall, it was something like sog, in small case letters, then 709, and then cej in small case letters, followed by CJP in capitals. It was similar to that.
Q. And were you provided that by Jeff Gordon?
A. Yes, I was.
MR. SHORT: No further questions.
MR. GRANTHAM: I just have a few.

CROSS-EXAMINATION

BY MR. GRANTHAM:
Q. Detective Russelle, you told us that when you first became familiarized with PGP encryption that it was -- there was some controversy surrounding that? Is that what you said?
A. That's correct.
Q. Tell us what was the nature of the controversy, as you [page 579] understand it.
A. These -- PGP was written years ago and posted to the Internet. The controversy was whether the security of the encryption system was adequate.
Q. The security of PGP itself?
A.
That's correct.
Q. All right. Was that controversy resolved some way?
A. Well, apparently it was. PGP is now a commercial product. It costs money.
Q. I thought you could download it for free; you could share their free software.
A. You can still download from MIT and from other sources the older versions of PGP, that is correct.
Q. Let me submit to you that Agent Gordon has testified in an earlier part of this proceeding that PGP using MD5 can be broken. Do you know if that's correct or not?
A. To the best of my knowledge, MD5 is not broken, and public key cryptography in general is widely respected.
Q. Did you discuss that with Agent Gordon, anything about whether people are able to break -- now able to break that code?
A. Well, we've discussed this from another angle, but it has little to do with the strength of public key cryptography or the conventional cryptography that I've described, and it has nothing to do with the strength of the MD5 hash that I describe as being a glorified message digest. The attacks that I've seen [page 580] and read about deal with the issue of falsely convincing someone's PGP software or other public key crypto software that the person who signed the message is in fact someone who did not. In other words, party A sends a message to party B and signs it. Party C posts a fake signature that will also indicate that party C signed the message. That's not the same as breaking the encryption at all, no.
Q. Do you know if it's possible to generate a fake key or a key that will break -- that will allow you to translate an encrypted message without actually having the private key, by generating a new key that has that key loaded?
A. I've heard of a paper recently published by some people who work for Certacom that describes what they call unknown key share attacks where that's exactly -- well, I won't say that's exactly what happened.
What happens is, a third party can generate a key pair that will confirm falsely that the signed message was signed by somebody who didn't sign it. The key pair in some cases is a valid key pair for the encryption standard that's being compromised. However, it's not -- it's not an interchangeable key pair with the original. In other words, if I encrypted two messages that were different, signed them both and posted them, you would have to create two false key pairs; one, to falsely sign the first message, and a second to falsely sign the second message. Do you see what I'm saying?
Q. I think so. But do you agree that there is the capability [page 581] of sophisticated computer people who do just that?
A. To forge a digital signature, yes. To break PGP or MD5, no.
Q. How about to, what's the word, decrypt or unencrypt a message even though you don't have the private key that was used to --
A. Mr. Grantham, I don't think this computation is feasible as long as the PGP key is of sufficient length to crack it with a fake key.
Q. Well, what about 128 bit algorithms. Is that sufficient length?
A. I would say so. I have never talked to anybody who has speculated that that was computationally feasible to break.
Q. And you didn't discuss that with Agent Gordon or anyone else in this case?
A. No, I didn't. The digital signature issue came up, and that's a completely different matter.
Q. Okay. What was the context in which that came up? Why do you say that's completely different?
A. Well, as I said, when you sign a message with a public key encryption system, generally a message hash, a message digest, is created with an MD5 hash or SHA or some similar algorithm. Frequently, and in the case of PGP that supposedly is time stamped and then the digital signature created by your private key, your secret key, is computed against that MD5 hash. When [page 582] somebody wants to confirm that you signed it, they run your public key against the signature, and the signature says, Mr.
Grantham signed the message. I say it is possible, and papers have been published indicating that Russelle can forge a digital signature on the message which says that Russelle signed the message. And that signature is a forgery. It has no effect on the message itself or the MD5 hash value of the message. It just says that somebody who didn't sign it, did.
Q. Fair enough. All right. Now, the dual key system that you've talked about, is the security of that dependent on the owner of the private key maintaining the secrecy of that?
A. Correct.
Q. All right. And you've testified that in order to do that, you should not even leave it on the same computer that your other data is on.
A. That's the suggestion, yes.
Q. Would it be fair to say that if for whatever reason the owner of those keys distributes his private keys to others, then any of those people could, in essence, forge his signature to a message?
A. Correct. If the private key and the passphrase to it were distributed, that, in the case of PGP, that would be possible.
Q. I've heard this analogy, and let me tell it to you to see if you can comment on this or tell me if it's correct. That a [page 583] digital signature is something like a rubber signature stamp that perhaps could be authenticated by saying that the stamp was made by the person that possesses the stamp. Is that a correct analogy of how this works?
A. That's right.
Q. But it doesn't tell you who it is, it just says anyone who has one of those stamps could have made the imprint.
A. The assumption being that the private key has in fact been held private, correct.
Q. If more than one person has access or possession of a rubber stamp, they can put on what appeared to be a valid digital signature.
A. You're right.
Q. Now, the private key itself, if an individual wanted to take their private key and distribute it to others, can I call them on the phone and just say here's what it is, or do I need to give them a disk that has computer data on it?
A.
These keys can't very well be communicated verbally. I suppose it would be possible, but most commonly you would send it electronically.
Q. In some of the documents -- maybe if you still have 101 handy?
A. 101?
Q. Yes. As an example, the PGP signature there on the last page is what I'm wondering about. Is that -- oh, I didn't [page 584] know -- I understood you still had that open.
A. I didn't hear what you just said.
Q. Yeah. There's something about the acoustics in this courtroom if I don't stand right up here. 101 --
THE COURT: It's your voice level, not the courtroom.
MR. GRANTHAM: It's not the courtroom.
A. I've got 101.
Q. (By Mr. Grantham) All right. Where it says "BEGIN PGP SIGNATURE" and "END PGP SIGNATURE" and there's about three, plus part of a fourth line.
A. Correct.
Q. Is that the -- is that what would have to be transferred or communicated to a person? Is it that line of symbols that you're talking about?
A. That's the signature block, yes. You were asking about public keys and private keys. The section following that is the public key block for this message, and it goes perhaps 15 lines.
Q. So when you say it might be possible to do this in writing or over the phone, would a person have to, with appropriate names for those symbols, read the whole thing off?
A. Well, yes. And that assumes that the party on the other end could put the header and the footer information back on in the right order, the right number of dashes, etc. It would be far easier to send it on a diskette or by e-mail.
[page 585]
Q. All right, thank you. I think that covers it.
THE DEFENDANT: I have some questions here.
MR. GRANTHAM: Hold on.
THE DEFENDANT: I'm sorry, I thought you were done.
Q. (By Mr. Grantham) Exhibit 2B is the last thing I wanted to ask you about. To decode that, do you need to have a private key or do you just need to have the message itself and know that the password is sog in order to translate it? Am I --
A. 2B is a decrypted message.
Q. 2A then.
A.
If you start with 2A, what you have is a conventionally encrypted message, and that's one, as I said, is encrypted with just a passphrase, no secret key, public key stuff. In other words, if you know the secret word, you can decrypt it, and so can anybody else who knows the secret word.
Q. Which in this case is included in the header.
A. Yes, indeed it is.
Q. So in order to decipher that, all you need is what's on the page; you don't need any of the --
A. You're right. And then once you've done that, you wind up with this plain text signed message.
MR. GRANTHAM: Thank you, sir. I have nothing further.

CROSS-EXAMINATION

BY THE DEFENDANT:
Q. Do you know who Phil Zimmermann is?
[page 586]
A. Yes, sir, I do.
Q. At the time you started using PGP, was Phil Zimmermann still under indictment by the U.S. Government?
A. Yes, he was.
Q. And you didn't have any problem with using crypto produced by a potential criminal?
A. I don't have a problem with crypto, period.
Q. When a public key verifies a message, even when it's valid, key -- aren't there signed public keys and unsigned public keys?
A. Well, yes, there are.
Q. And what's the purpose of having other people sign your public key?
A. Well, I -- excuse me. Mr. Johnson, the reason that a public key would be signed is to lend the trust of someone you know to the key that you've got. In other words, if you gave me your public key right now and I signed your public key, the implication is people who trust me would then trust your public key because I say I got it from you and I signed it.
Q. Yeah. And if your key at any time is compromised, then your signature on my key wouldn't count for much.
A. How did you start the question?
Q. I said, if your key at some point in the future is compromised, then the signature on mine is not necessarily valid anymore.
[page 587]
A. That would be correct.
If someone could not determine when I signed your key -- in other words, that my signing your key preceded the theft of my key, then that would be the case.
Q. Okay. So it's kind of like a dollar bill, where the government doesn't just photocopy it because anybody can do that. They use a special paper, special ink, and do different things where each level builds up the worth and the validity of it. So signatures, the more signatures you have of people you trust, the more valid -- the more trust you put in that signature.
A. Exactly right.
Q. So an unsigned key is kind of at the bottom of the pile, as far as you trusting that signature to be a specific person.
A. That's the implication. That's not necessarily how I handle my keys.
Q. Okay. And you say you keep secret keys secret, but what if you don't?
A. If you don't keep your secret key secret?
Q. Yes.
A. Then it's not a secret.
Q. And if they're posted on the Internet, they're really not a secret.
A. That's correct.
Q. Who's Network Associates?
A. Network Associates is the company who sells PGP right now.
[page 588]
Q. Okay.
A. I think it's a conglomerate. They've got McAfee and some others.
Q. What's the reference here? I can't -- what exhibit is it? Okay, Exhibit 21, I guess, page 2, 3? Anyway, do you see the Network Associates key there?
MR. GRANTHAM: It looks like it's about two-thirds of the way down on the second page of the exhibit.
THE WITNESS: Got it.
MR. GRANTHAM: Maybe the third page.
A. Yes, I see it.
Q. (By the Defendant) So if you received a message signed by that key, you would assume that was from that Network Associates, Incorporated?
A. That's what it implies.
Q. At toto@sk.sympatico.ca?
A. Right.
Q. What about -- there's on the previous page Bill Stewart.
A. I'm with you.
Q. "Unauthenticated Pseudonym," whatever, do you know what that kind of key is?
A. No, I don't. I can tell you that the symbol indicates that it's a public key. I'm not sure.
Q.
But just from the name, it's saying it's an unauthenticated key, which is basically the same as saying it's not signed, [page 589] which is -- Bill Stewart has three different kinds of keys. He says, I've got an occasional key, regular key, and unauthenticated key. People have different strengths and different trustworthy levels of keys that they use.
A. Uh-huh.
Q. Okay.
A. I would add, the key often gets its name from the party who names the key.
Q. As a matter of fact, the trust in any form of PGP when you accept a key from someone, does -- and puts it on your key ring, does it not give you an option saying, what level of trust do you personally want to put on this key?
A. Yes, it does.
Q. What are the levels, do you know?
A. I couldn't tell you what they are these days. They go from invalid to --
Q. Okay.
A. -- to implicitly trusted, I think.
Q. And you decided that, so even that counts on your judgment. You decided to implicitly trust this, even though they got it from a public bulletin board from God only knows who, right?
A. You're right.
Q. So the real security is in knowing who you got -- who got your key, the key prop, or who signed -- whose key you signed and vice versa?
[page 590]
A. Right.
Q. Okay. Password protection. Does it prevent children with password correcting programs from accessing your program or your keys?
A. Well, you've lost me with the question.
Q. Does this password protection provided by PGP, does it prevent children with password correcting programs from accessing?
A. Well, I haven't seen that, but that would make sense.
Q. Well, yeah. But do you not find password corrected programs all over the Internet --
A. Yes, sir. Yes, you're correct, and that's exactly why you would pick a password like little sog709cejCJP.
Q. Okay. Are you familiar with version 2.6.2 PGP?
A. Yes.
Q. Do you know what the command PGP minus KXA does?
A. I think KXA -- I can't remember. I can't remember what KXA does.
Q. Would you say that --
A. It's a key ring operation.
Q. Yes.
It extracts to an ASCII.
A. Okay. Okay.
Q. Yeah, an ASCII like we see here. An ASCII file.
A. Okay.
Q. Are you aware that if you perform that operation on the [page 591] secring PGP key you can pull the secret ring off?
A. You can pull the secret rings off in every version of PGP that I remember.
Q. And you don't need a password to do that, if you're sitting at a computer.
A. Now, that, I don't know.
Q. Or if you have access to a computer. But that's what the command is used for, and that's what it does.
THE DEFENDANT: Okay, thank you.

REDIRECT EXAMINATION

BY MR. SHORT:
Q. Detective Russelle, you testified earlier in your direct that the PGP manual tells you to keep your secret key secure, is that right?
A. Yes.
Q. And then you were asked some questions about that, what happens if you -- if other people get that key. Is that right? In other words, if other people get access to your secret key, you were asked questions about that --
A. Okay.
Q. -- during cross-examination.
A. Yes.
Q. Do you remember that? Would there be any reason to distribute your secret key to other people?
A. The reason to use crypto is to conceal the meaning of a [page 592] message. If that's the reason that you're using it, it's counterproductive to distribute your secret key.
Q. Okay. And you were also asked during cross-examination by Mr. Johnson about signatures to public keys and trust and validity. Do you remember that --
A. Yes.
Q. -- cross-examination? This all goes to whether you can say that the person who used the key is a legitimate owner of the key, is that right?
A. That's right.
Q. Is any of that relevant at all if you know that the person has that key in their possession? If you know that they have the key, the secret key --
A. Then you know that they could have made the message.
Q. And the issue of validity or trust of other people signing the key doesn't tell you anything, does it?
A. That's right.
Q. Okay.
You used the term computationally feasible at one point when you were asked about whether PGP can be cracked. What does that mean? A. Well, it means that in terms of today's technology and the speed of today's computers, you can't put enough computers together to crack a message of the kind that we've discussed in any sort of reasonable length of time. Q. Okay. When you say reasonable length of time, are you 593 talking about a couple of years or are you talking about a lot longer? A. We're talking about millions of years. Q. You were also asked about passwords and whether passwords can be cracked, and you said something to the effect of that's why you use sog709cej and then all capitals CJP. What did you mean by that? A. Well, passwords are case sensitive. In other words, small case or upper case letters matter. A big C and a little c aren't the same. Numbers, of course, are different. And a good password is generally recognized as being at least eight characters long, a mix of upper and lower case letters, numbers and symbols, asterisks, commas, et cetera. Q. So this password of 12 symbols and letters with some numbers, some small, some large capital letters, would you consider that to be a strong password? A. That's reasonably strong. Q. You were asked also some questions about whether it's possible, and I believe you discussed whether it's possible to create a key, essentially a forged key, that would -- you could use on a message and it would say, yeah, it was signed with this key. Is that right? A. It's possible to forge those signatures. Q. In this case, were you provided a key from Jeff Gordon called Toto,2 to -- 594 A. Yes. Q. -- do some testing on? A. Yes, I was. Q. All right. And what was the result of the testing you did with this key called Toto,2? A. Well, Toto,2 reported that the InfoWar message that we discussed earlier was originated by Toto,2 and not InfoWar. Q. Okay. 
So the Son of Gomez key that you testified about, this key purported to be able to verify that message as well, is that right? The Toto,2 key. A. It verifies the signature. Q. All right. And did you test that? A. Yes, I -- Q. Did you test Toto,2? A. Yes. Q. And what was the result of your testing? A. It does. It says the message came from Toto,2. Q. Did you check any other messages that were generated by the Son of Gomez key to see whether the Toto,2 key would work on those? A. Yes, and it does not. Q. Okay. So it only applies to the one message? A. So far as I can see, yes. Q. All right. Did you try -- did you also examine this Toto,2 key with the most up-to-date version of PGP? 595 A. Yes. The version 6.012, I believe, of PGP, the current version, will not accept the Toto,2 key as a valid PGP key. Q. Okay. But when you say it won't -- it won't accept the Toto,2 key as a valid PGP key, what does that mean? A. Well, it means this: When you try to add the key to your key ring, PGP will either swallow it and add it to the key ring or it will not. The earlier versions of PGP that I tried accepted the Toto,2 key and added it to my key ring, so long as in some cases keys with corresponding digital signatures were removed first. In other words, it didn't want to duplicate keys with the same digital fingerprint. But in the case of PGP 6, it rejects the Toto,2 key as an invalid key and will not add it to the key ring. Q. So by invalid key, you mean it's not -- it's not a legitimate PGP key? A. Apparently so. Q. All right. And based on that and everything else that you've looked at, is it your opinion that the Son of Gomez key was the one that was used to sign that message in 2A, which you decrypted in 2B? A. I believe that it was. MR. SHORT: Thank you. THE DEFENDANT: I've got -- oh, you've -- RECROSS-EXAMINATION BY MR. GRANTHAM: 596 Q. You testified here on redirect that it would be counterproductive to produce a private and public key and then distribute the private key. 
But look at Exhibit 2B. Isn't it exactly as counterproductive to encrypt a message and then publish right in the header of the message the password that allows anyone to decrypt it? A. Well, including the passphrase in this conventionally encrypted message is counterproductive only if you don't want anybody who gets the message to be able to read it. There could be a reason for sending an encrypted message, a conventionally encrypted message and including the passphrase, and that is that PGP specifically, in most encryption programs, compress the messages before they encrypt them so it might be a shorter e-mail. It might be more convenient to distribute it this way and include the passphrase. Q. Yeah, but that's an entirely different consideration from encryption though; it's compression and then PGP sending a message. A. Oh, I can see it both ways. If the intent was to hide the meaning of the message, then including the passphrase would be ridiculous. Q. Yeah. So this message appears to be every bit as counterproductive in that respect as the question you were asked earlier about isn't it counterproductive to publish your private key? 597 A. The difference is significant. And by that I mean, when you distribute your secret key, you give away the whole house. Q. Yes. A. When you distribute the passphrase for a single conventionally encrypted message, you've given away a single message. Q. Yes. You testified that if we know that a person has a private key of the key pair that was used in a message, that he could have been the author of the message. A. Yes. Q. Is that right? A. Yes. The originator of the message most likely has the secret key and the passphrase to send. Q. That proves he could have sent the message. It doesn't prove necessarily that he did send the message. A. That's right. Q. And anyone else that had access to that also could have done it, as in the analogy of the rubber stamp that we talked about. A. 
Well, that was -- I mean, that's a reasonable conclusion if it's the only information available for evaluation. Q. All right. The Toto,2 key, this is a key that -- is this a forgery, as you -- I mean -- well, no, let me strike that question. You were given a Toto,2 key to analyze, and it authenticated 598 -- would that be the right word? -- the message with the Son of Gomez password? A. Yes, it does. It says this message was written by Toto, comma, 2. Q. And what did it say when you -- you had earlier decoded the message using a different key. A. Right. Q. Which key was that, the sog key? A. Yes, the Son of Gomez key. Q. So you used that key and said the message is written by Son of Gomez. A. Right. Q. You took another key, you used that, it said it was written by Toto,2? A. Correct. Q. And they both can't be true. A. That's right. Q. So one of them is a forgery, but a successful forgery. A. Apparently so. MR. GRANTHAM: Okay. RECROSS-EXAMINATION BY THE DEFENDANT: Q. You were -- you said, like in terms of a reason to distribute a secret key would be counterproductive. But isn't there technology for doing exactly that? Corporate Key 599 Technology. Are you familiar with Corporate Key Technology? A. Are you talking about the sophisticated method of exchanging secret keys in a secret way? Q. Well, corporations either sign -- every key that they give their employees also signs to a corporate key which is shared among them. And the corporate key can read anybody's messages, or with some versions the employees can use kind of a subset. A. A sub key? Q. A sub key. A. Yes, that happens. Q. So that's a method for sharing secret keys within a group, and certain people will have access to that certain key, whatever level management decides? A. Well, I haven't seen that used with PGP. I suppose that's possible. There are methods of securely distributing keys. I don't argue that. Q. 
But doesn't PGP have a corporate message recovery that was a topic of great debate when it came out? A. Well, if I follow your question right, you may be referring to a distributed key method, whereby a key is broken into several parts and only a certain number of the parts can be brought together to reconstruct the key. Beyond that, I don't know what you mean. Q. Okay. So there are reasons for sharing secret keys, and that would generally apply within a group, like the corporation, 600 or a group of people that wanted to share the same information. A. Well, I suppose that there's reasons to share secret keys. Q. And if you were a corporation and you had -- you had a key that would read all of your employees' messages, you wouldn't want just one person in charge of the key. You wouldn't want just one copy, would you? A. Oh, I see what you're getting at. Sort of a master key. Q. Yes. A. With sub keys that will operate independently. Where are you going on -- I didn't get it. Q. Well, you wouldn't -- on something like that, you wouldn't want just one person to have one copy and be the only person to know the password of that if you're a corporation. A. I could imagine circumstances where that would be true. Q. Okay. And you mentioned that the Version 6.0.2 PGP will not accept the Toto,2 key as a valid PGP key? A. It wouldn't for me. Q. What about lower versions? A. The 5.5 did it. I have one of the -- I think 5.52, one of the versions. Earliest I've got is a 5.0. It accepted it. And 6.2 and 6.221 accepted it. Q. And, as a matter of fact, every time a new version of something comes out, there's always problems or glitches, and there's valid keys and invalid keys. It doesn't matter whether it's an active version of PGP or regular version. They have 601 trouble communicating until they get the versions worked out. A. You're right. That's one reason that I had to take it to 6.0, because it would not accept a lot of keys on the key rings was supplied. Q. Yeah. A. 
It went Diffie-Hellman and then it wouldn't accept the RSA. Q. Okay. And, as a matter of fact, when the PGP moved from 2. to, I think it was 3 or 4, all the keys became invalid, did they not? Were they not a different type of key at that point in time? A. I don't know. Q. Okay. And what about the dates, such as on page 1 of Exhibit 21, the Bubba Rom DOS key, it's 89/12/06? A. Well -- MR. GRANTHAM: It should be the first page. THE WITNESS: Yes, I see it. Q. (By the Defendant) Okay. Was that date not before PGP was in existence? A. As far as I know, that is probably the case. Q. Okay. And what about dates in the year 2000? I notice this only goes to '97. What about dates in the year 2000? Will those be shown in this version of PGP keys? A. I haven't encountered those, but as I understand it, PGP in this version, 2.62, uses the UNIX date standard, which should be good for decades beyond 2000. 602 Q. So that is going to show up different on different machines according to what standards they are using? A. I believe if you decode the date stamp with PGP, PGP will print it as best it understands it. THE DEFENDANT: Okay, thank you. MR. SHORT: I just have one question, Your Honor. REDIRECT EXAMINATION BY MR. SHORT: Q. Detective Russelle, would one reason to share your secret keys be so that you could later deny that you authored a message? A. Yes. MR. SHORT: Thank you. MR. GRANTHAM: Nothing further. THE COURT: Thank you, Detective Russelle. (Witness excused.) -----------------------------------------------------------------