I’ve got your authentication right here

October 25, 2016

The latest find in the Wikileaks document drop has the White House on the defensive. In the email, Cheryl Mills (Hillary Clinton’s chief of staff) learns that Barack Obama claimed to have learned that Hillary was using a private email server “the same time everybody else learned it through news reports.” She replies:

we need to clean this up – he has emails from her – they do not say state.gov

Whatever the White House might claim now, this shows clearly that they saw a problem with Obama’s statement. You don’t clean up something that isn’t dirty. And, indeed, a few days later they walked back the president’s statement:

President Obama exchanged messages with then-Secretary of State Hillary Clinton at her private email address but did not know how the address was set up, the White House said Monday.

ASIDE: I actually find the revised statement plausible, but it’s not really exculpatory. You don’t have to know how the server is set up to know that there’s something shady about doing official business over “clintonemail.com”.

Anyway, now the email is public and people are calling it the smoking gun. Naturally, the White House would love to impeach the email, so the hapless White House spokesman is sent out with this:

“I can’t verify the integrity of these emails,” Earnest told reporters traveling with Obama as he fundraised in California, speaking of illegally obtained messages from Clinton’s campaign chairman, John Podesta, that were published by WikiLeaks and apparently show the Clinton camp challenging Obama’s assertion that he didn’t know Clinton was using a private email account.

Podesta’s emails were “stolen,” and, therefore, their authenticity cannot be verified.

Well, as a public service, let me help. The email includes a DKIM signature:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        bh=ZHarGwofbGy5infz7Thpz6DG+ykstdddQQmn2MUub2g=;
        b=nW8z1BSu8I+k9aDKnEI2hWIZZ0Vs1MWg8ip+5XLxoJjCo/IMhPhf//Pjt0bQQvsaVo
         ebmYE10DgrOfc+RDiWxDQqjU9/5UFJF33vlFnTAUCe5X3uvGQAJU9+A46NV3TVpjf87/
         0TYfKP0jinTz4UqQC34veevl0kjLi1vEHsxYTvCQBeHydP4OV3D5sBDagmTC+CxT3HJM
         UJpd6g/yJyulgsbcYKKSHmjofZT2VOmpraXEO12jLxCzJMeiPL1ZsT3ccxgokX3SM4ug
         Rv5Y4RvJVy+L9X22WclWFaON9zvuvt9h0ChVnBFU5vlfNnngWLC0Zx8LmbXAULs//Da/
         KcIQ==

(You can see it yourself by clicking “view source” on the email.) The purpose of DKIM is to authenticate that an email came from a particular domain; in this case, gmail.com. It uses a mathematical technology called digital signatures. A digital signature is a string (all the nonsense text at the end of the signature) that testifies to the content of a message, and that can only be computed by the holder of a secret key (in this case, Google). A signed message cannot be forged or altered by anyone who doesn’t have the key. In DKIM, a mail server automatically adds this signature to outgoing mail, thereby proving that the mail has not been tampered with since it left the server.

So all we have to do to authenticate the mail is to verify the digital signature. This is very easy to do. The Thunderbird mail reader has a DKIM verifier plugin that you can install in about 15 seconds. Then you simply open the email and see:

[Screenshot: clean-this-up-dkim]

Observe the fourth line: “DKIM Valid (Signed by gmail.com)”.

This tells us that this email definitely hasn’t been altered since it left gmail.com, assuming that Google has kept its secret key secure, and assuming that Russia can’t crack a 1024-bit RSA key or a SHA-256 hash. In 2016, both of these are very safe assumptions.
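The first half of what a DKIM verifier does with such a header, as an added example (not code from this post or from the Thunderbird plugin): parse the tags, recompute the body hash under relaxed canonicalization (RFC 6376), compare it with bh=, and name the DNS record that holds the signer's public key. The sample message, example.com and sel1 are constructed; the RSA check of b= over the headers listed in h= is left out because it needs the key from DNS.

```python
import base64
import hashlib
import re

def parse_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            # Folding whitespace inside a value (wrapped base64, h= list) is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def relaxed_body(body: bytes) -> bytes:
    """Relaxed body canonicalization (RFC 6376 section 3.4.4)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash_ok(tags, body: bytes) -> bool:
    """Recompute bh= over the received body and compare it with the signed value."""
    if not tags.get("c", "simple/simple").endswith("/relaxed"):
        raise ValueError("only relaxed body canonicalization is handled here")
    algo = tags["a"].split("-")[1]  # "rsa-sha256" -> "sha256"
    digest = hashlib.new(algo, relaxed_body(body)).digest()
    return base64.b64encode(digest).decode() == tags["bh"]

def key_record_name(tags) -> str:
    """DNS TXT name where the signing domain publishes the key that checks b=."""
    return f'{tags["s"]}._domainkey.{tags["d"]}'

# Constructed sample, not the email discussed above. b= is a placeholder.
SAMPLE_BODY = b"Meeting moved to 3pm.\r\nSee you there.\r\n"
SAMPLE_BH = base64.b64encode(hashlib.sha256(relaxed_body(SAMPLE_BODY)).digest()).decode()
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n\td=example.com; s=sel1;\r\n"
                 f"\th=from:to:subject; bh={SAMPLE_BH};\r\n\tb=CONSTRUCTED+PLACEHOLDER")

if __name__ == "__main__":
    tags = parse_tags(SAMPLE_HEADER)
    print("key record:", key_record_name(tags))
    print("untouched body:", body_hash_ok(tags, SAMPLE_BODY))
    print("edited body:", body_hash_ok(tags, SAMPLE_BODY.replace(b"3pm", b"5pm")))
```

For the header shown earlier, d=gmail.com and s=20120113 give the key record 20120113._domainkey.gmail.com.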

So what are we to make of Josh Earnest’s claim that the email can’t be authenticated? We know it’s false. We also know that Earnest didn’t bother to check with any experts before he made the claim. (Or, that he just outright lied.)