When emails leak, we can know whether they are authenticate or forged. It’s the first question we should ask of today’s leak of emails of Hunter Biden. It has a definitive answer.
Today’s emails have “cryptographic signatures” inside the metadata. Such signatures have been common for the past decade as one way of controlling spam, to verify the sender is who they claim to be. These signatures verify not only the sender, but also that the contents have not been altered. In other words, it authenticates the document, who sent it, and when it was sent.
Crypto works. The only way to bypass these signatures is to hack into the servers. In other words, when we see a 6 year old message with a valid Gmail signature, we know either (a) it’s valid or (b) they hacked into Gmail to steal the signing key. Since (b) is extremely unlikely, and if they could hack Google, they could a ton more important stuff with the information, we have to assume (a).
Your email client normally hides this metadata from you, because it’s boring and humans rarely want to see it. But it’s still there in the original email document. An email message is simply a text document consisting of metadata followed by the message contents.
To show how this works, I send an email using Gmail to my private email server (from gmail.com to robertgraham.com).
The NYPost story shows the email printed as a PDF document. Thus, I do the same thing when the email arrives on my MacBook, using the Apple “Mail” app. It looks like the following:
The “raw” form originally sent from my Gmail account is simply a text document that looked like the following:
This is rather simple. Client’s insert details like a “Message-ID” that humans don’t care about. There’s also internal formatting details, like the fact that this is a “plain text” message rather than an “HTML” email.
This is added by Gmail’s servers, for anything sent from gmail.com. It “authenticates” or “verifies” that this email actually did come from those servers, and that the essential content hasn’t been altered. The long strings of random-looking characters are the “cryptographic signature”. That’s what all crypto is based upon — long chunks of random-looking data.
The same could be done with those emails from the purported Hunter Biden laptop. If they can be printed as a PDF (as in the news story) then they can also be saved in raw form and have their DKIM signatures verified.
The lack of unconfirmed allegations that could be confirmed seems odd for a story of this magnitude.
However, while they could in theory, it appears they didn’t in practice. The PDF displayed in the story is up on Scribd, allowing anybody to download it. PDF’s, like email, also have metadata, which most PDF viewers will show you. It appears this PDF was not created after Sunday when the NYPost got the hard drive, but back in September when Trump’s allies got the hard drive.
*** This is a Security Bloggers Network syndicated blog from Errata Security authored by Robert Graham. Read the original post at: https://blog.erratasec.com/2020/10/yes-we-can-validate-leaked-emails.html