This afternoon, this headline caught my attention: “Police hack PGP server with 3.6 million messages from organized crime BlackBerrys”. When I read it, I thought: “either the journalist/title writer got it wrong, or PGP is broken”. There are a few things that struck me as odd in the title:

a “PGP server” usually contains a list of public keys, not messages. There is no reason for police to hack such a server: they can just download the keys if the police did have a reason to hack a server, it would have been to retrieve and decrypt PGP-encrypted messages, but that is nearly impossible without the associated private keys

So, I started reading the article. It states a few things. TLDR:

It affirms that “Dutch police say they’ve managed to crack data held on a private server protected by end-to-end encryption” – I have found some Dutch news outlets that say the same thing, but I haven’t found a Dutch police press release and no-one seemed to link to one.

“Toronto police seized Ennetcom’s main server last year and presented a copy of it to the Dutch police in September 2016.”. The seizure was done pursuant to a search warrant requested by the Dutch police and granted and executed to the Canadian (Toronto) police, as noted in the decision referenced by ZDNet (which is the September order)

The article goes on to protect the reputation of the Dutch as freedom-loving and not generally going about hacking other people’s servers.

The thing is, the Dutch police didn’t hack anything: the court documents show that “[t]he Dutch authorities (…) discovered that the ‘keys’ for the PGP encryption system were generated by the server, rather than by the device. As a result, the Dutch authorities came to believe that the keys to decrypt the PGP encrypted information, on the Ennetcom PGP BlackBerry devices, are stored on Ennetcom’s BlackBerry Enterprise Servers.” – and it turns out they were right. They did quite a bit of sleuthing to find the server, found it in Toronto hosted by a hosting company, requested and obtained cooperation from Canadian police and ultimately retrieved the information.

The technical issue here is therefore that private PGP keys were held in escrow. Had those private keys been generated on the devices and had they further used ephemeral keys for forward secrecy (i.e. generating a new public/private keypair for new messages and sending the public key along, after signing it with the non-ephemeral key), the Dutch police would not have been able to decrypt anything more than the messages decrypted on the (previously) seized devices themselves.

This shows two things, in my opinion:

you shouldn’t roll your own security schemes (or alter existing security schemes when adopting them) if you can help it if there’s a flaw in your security scheme (in this case: holding private keys in escrow) your adversaries (in this case: law enforcement) will find and exploit it

Also: Dutch police know what they’re doing.

The judge adds: “I should mention that, prior to the search warrants being executed in the Netherlands on the servers there, the Dutch authorities sent out a broadcast message to 19,000 Ennetcom users in English, Spanish, Dutch and French advising of the investigation and the reason for the service disruption. The message advised that the Ennectom (sic.) encrypted BlackBerry system being used by them had been seized by the police for an investigation. To date, the Dutch authorities report that no one has approached them to ask questions about, or to object to, the seizure.” To me, this seems like going well above and beyond what can be expected of a police force.

I’d also add that both the Dutch police (as shown) and the Canadian police and judge did their best to protect the privacy of the innocent: the court order goes to great lengths in considering that issue.