Silk Road forums

Discussion => Security => Topic started by: verdant_world on May 24, 2013, 03:29 pm

Title: work?
Post by: verdant_world on May 24, 2013, 03:29 pm

 ;)pefcpu

Title: Re: How does a signature work?
Post by: astor on May 24, 2013, 03:47 pm

No, it's a separate feature from encrypting and decrypting. Your PGP program should have a "sign" button or menu option. Take a look at the GPG4USB tutorial linked in my signature. It tells you how to do it in that program. There will also be a "verify" option. One person signs a message and everyone else verifies it with his public key.

The purpose of a signature is that it proves whoever owns that PGP key wrote it. It has actually been useful in this community. DPR usually signs his messages so the community can trust his announcements. Also, there was a case where a vendor's SR and forum accounts got hacked. He had to create a separate forum account, and he was asked to post a signed message that could be verified with the public key on his profile, to prove his identity.

If you've never messed with signing and verifying, grab my public key from the link my signature and verify this message:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Astor wrote this message.

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJRn4nRAAoJENAcophwbuIHnG0P/jqZzJ+/xl54n9yNQL59wMe/
mpUFtYtQa4ZiKaUmJWdGHjNbiMIx5WnYChGQGT9Dk53jMoL5bgGzV7qEul7k8tyE
Jzkf+5KZazhOTla8DAGMwZxrnRaWN5fdPh+rNKQ1uEcbYVjBhFAyM0fhiKISfeHZ
h8/Un9FIp9Q+NYJilGkTEpV1LeGspBFCn8JG1TvqYz3cCRMAJiQNiHI05fJZW+Qh
q4ChxF6LmvZ0Mh62bv2S5YGRkt0p0Z3X2ps4Y8zB0Owz/x+UEyQu+VAKMgaCmxhJ
QJsLXGwCrr0mdGo86DluRw22A3OTs5GqDglG8di04VgXAY1ZJK/Mi0+oFxCeUX+B
SsEc9ds95qwuGuHdBk3oFnscVM/OrMZBwHnGX2M66wiE0QycIefUufWJUqyEo28y
Hac8W+m7IadVyyygKmLzjS3PRMAgmFriazLYsz0NHPekC4NpS3qo+05UvxN5Gg/o
yebB68f0omKpHf84LLU1SW24kc8GhEzn/43tgic5JUo4gS+9qohQYr0uLkPBH9dt
yKN2LH4Z0pGmPzxixBh2pLBfspjWWoEqb+r30xGdiUoaiqEvFm2KR4FzVMDq/C+7
iJiDoRBVCQl6KosC6T+SDMzSQikk2WFOpbr7EF1MQL086qm7xCJmLs/w3CErFs2l
BeQCG1rHBApEO5snBxSo
=QqtJ
-----END PGP SIGNATURE-----

Title: Re: How does a signature work?
Post by: kmfkewm on May 25, 2013, 02:16 am

With RSA, signing is the same as encrypting, it is just you encrypt with the private key and decrypt with the public key. As it is implemented in cryptosystems, you take a hash value of the message to sign, then you encrypt the hash with the private key to get the signature. Then to verify the signature, the verifier takes the hash of the message, then they decrypt the signature with the public key and compare it to the hash value.

In addition to only operating on hash values, I believe you also need to use padding for it to be secure. Also, you need to make sure to use constant time comparisons in order to protect from timing attacks. However, the abundance of small (and highly important) details aside, at a core level, sign/verify is the same thing as encrypt/decrypt, just with the utilized keys reversed.

Of course you don't need to know any of this to use GPG, because they package it all up for you. But you were technically pretty much correct at a low level, just not from the high level perspective of using GPG to create and verify RSA signatures (in which case it is not the same thing as encrypt/decrypt, but rather is sign and verify).

Title: Re: How does a signature work?
Post by: Hendrix99 on May 25, 2013, 04:02 am

talk about the simple easy to understand answer followed by a super complicated scientific answer!
had a hard time wrapping my head around that one  :o

Title: Re: How does a signature work?
Post by: kmfkewm on May 25, 2013, 06:17 am

It is pretty simple really. Given an RSA keypair, anything encrypted with one key can be decrypted with the other. When you use RSA for regular encrypt/decrypt , you encrypt a random session key with the public key and then it is decrypted with the private key. When you use 'plain RSA' for signatures, you encrypt the message with the private key, and it is verified by being decrypted with the public key. However, using plain RSA for signatures is weak to all kinds of attacks. Instead you need to use the hash of the message, padding, and all kinds of other things need to be taken into consideration. But at a fundamental level, RSA sign/verify is the same thing as RSA encrypt/decrypt , but with the private key used for encryption and the public key used for decryption.

Title: Re: How does a signature work?
Post by: kmfkewm on May 25, 2013, 06:44 am

Using Astors post as an example:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Astor wrote this message.

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJRn4nRAAoJENAcophwbuIHnG0P/jqZzJ+/xl54n9yNQL59wMe/
mpUFtYtQa4ZiKaUmJWdGHjNbiMIx5WnYChGQGT9Dk53jMoL5bgGzV7qEul7k8tyE
Jzkf+5KZazhOTla8DAGMwZxrnRaWN5fdPh+rNKQ1uEcbYVjBhFAyM0fhiKISfeHZ
h8/Un9FIp9Q+NYJilGkTEpV1LeGspBFCn8JG1TvqYz3cCRMAJiQNiHI05fJZW+Qh
q4ChxF6LmvZ0Mh62bv2S5YGRkt0p0Z3X2ps4Y8zB0Owz/x+UEyQu+VAKMgaCmxhJ
QJsLXGwCrr0mdGo86DluRw22A3OTs5GqDglG8di04VgXAY1ZJK/Mi0+oFxCeUX+B
SsEc9ds95qwuGuHdBk3oFnscVM/OrMZBwHnGX2M66wiE0QycIefUufWJUqyEo28y
Hac8W+m7IadVyyygKmLzjS3PRMAgmFriazLYsz0NHPekC4NpS3qo+05UvxN5Gg/o
yebB68f0omKpHf84LLU1SW24kc8GhEzn/43tgic5JUo4gS+9qohQYr0uLkPBH9dt
yKN2LH4Z0pGmPzxixBh2pLBfspjWWoEqb+r30xGdiUoaiqEvFm2KR4FzVMDq/C+7
iJiDoRBVCQl6KosC6T+SDMzSQikk2WFOpbr7EF1MQL086qm7xCJmLs/w3CErFs2l
BeQCG1rHBApEO5snBxSo
=QqtJ
-----END PGP SIGNATURE-----

When he signed the message 'Astor wrote this message' he used the sign button on some GPG GUI, or perhaps he used the CLI command gpg --clearsign
Likewise when the signature is verified, the verifier likely either uses a verify button on a GPG GUI, or perhaps they use the CLI command gpg --verify

However, when the GPG sign command is used,

First GPG takes a hash of the message 'Astor wrote this message', as you can see from the signed text the hashing algorithm SHA512 was utilized. The hex value of the SHA512 of the signed message is:

41aef97732043975c8ba34dedb2aeb7c4419677b2fcde5d4c869184837d37a542870a136c812d5ae172b6d4b6ce7e19a07c534fef0fe0cf93ec315644347440a

next, GPG used Astor's private key to encrypt the hash of the message, and then it base64 encoded the ciphertext. The base64 encoded version of the asymmetrically encrypted (with Astor's private key) version of the previous hash value is:

iQIcBAEBCgAGBQJRn4nRAAoJENAcophwbuIHnG0P/jqZzJ+/xl54n9yNQL59wMe/
mpUFtYtQa4ZiKaUmJWdGHjNbiMIx5WnYChGQGT9Dk53jMoL5bgGzV7qEul7k8tyE
Jzkf+5KZazhOTla8DAGMwZxrnRaWN5fdPh+rNKQ1uEcbYVjBhFAyM0fhiKISfeHZ
h8/Un9FIp9Q+NYJilGkTEpV1LeGspBFCn8JG1TvqYz3cCRMAJiQNiHI05fJZW+Qh
q4ChxF6LmvZ0Mh62bv2S5YGRkt0p0Z3X2ps4Y8zB0Owz/x+UEyQu+VAKMgaCmxhJ
QJsLXGwCrr0mdGo86DluRw22A3OTs5GqDglG8di04VgXAY1ZJK/Mi0+oFxCeUX+B
SsEc9ds95qwuGuHdBk3oFnscVM/OrMZBwHnGX2M66wiE0QycIefUufWJUqyEo28y
Hac8W+m7IadVyyygKmLzjS3PRMAgmFriazLYsz0NHPekC4NpS3qo+05UvxN5Gg/o
yebB68f0omKpHf84LLU1SW24kc8GhEzn/43tgic5JUo4gS+9qohQYr0uLkPBH9dt
yKN2LH4Z0pGmPzxixBh2pLBfspjWWoEqb+r30xGdiUoaiqEvFm2KR4FzVMDq/C+7
iJiDoRBVCQl6KosC6T+SDMzSQikk2WFOpbr7EF1MQL086qm7xCJmLs/w3CErFs2l
BeQCG1rHBApEO5snBxSo
=QqtJ

which is attached to the message (note that I am skipping a padding step since I don't know the specification for it by heart):

when somebody verifies that Astor signed the message:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Astor wrote this message.

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJRn4nRAAoJENAcophwbuIHnG0P/jqZzJ+/xl54n9yNQL59wMe/
mpUFtYtQa4ZiKaUmJWdGHjNbiMIx5WnYChGQGT9Dk53jMoL5bgGzV7qEul7k8tyE
Jzkf+5KZazhOTla8DAGMwZxrnRaWN5fdPh+rNKQ1uEcbYVjBhFAyM0fhiKISfeHZ
h8/Un9FIp9Q+NYJilGkTEpV1LeGspBFCn8JG1TvqYz3cCRMAJiQNiHI05fJZW+Qh
q4ChxF6LmvZ0Mh62bv2S5YGRkt0p0Z3X2ps4Y8zB0Owz/x+UEyQu+VAKMgaCmxhJ
QJsLXGwCrr0mdGo86DluRw22A3OTs5GqDglG8di04VgXAY1ZJK/Mi0+oFxCeUX+B
SsEc9ds95qwuGuHdBk3oFnscVM/OrMZBwHnGX2M66wiE0QycIefUufWJUqyEo28y
Hac8W+m7IadVyyygKmLzjS3PRMAgmFriazLYsz0NHPekC4NpS3qo+05UvxN5Gg/o
yebB68f0omKpHf84LLU1SW24kc8GhEzn/43tgic5JUo4gS+9qohQYr0uLkPBH9dt
yKN2LH4Z0pGmPzxixBh2pLBfspjWWoEqb+r30xGdiUoaiqEvFm2KR4FzVMDq/C+7
iJiDoRBVCQl6KosC6T+SDMzSQikk2WFOpbr7EF1MQL086qm7xCJmLs/w3CErFs2l
BeQCG1rHBApEO5snBxSo
=QqtJ
-----END PGP SIGNATURE-----

first their GPG program notes that the hashing algorithm used was SHA512. Then GPG takes the SHA512 value of the message:

41aef97732043975c8ba34dedb2aeb7c4419677b2fcde5d4c869184837d37a542870a136c812d5ae172b6d4b6ce7e19a07c534fef0fe0cf93ec315644347440

next it unbase64s the signature, and then it decrypts the signature with Astor's public key, revealing the hash value (again I am skipping the step that removes padding). Next GPG compares the hash value of the message to the value it obtained after unbase64ing, decrypting and removing padding from the signature. If they both match, then it verifies that the message was signed by Astor, otherwise it says the signature is not valid.

41aef97732043975c8ba34dedb2aeb7c4419677b2fcde5d4c869184837d37a542870a136c812d5ae172b6d4b6ce7e19a07c534fef0fe0cf93ec315644347440
==
41aef97732043975c8ba34dedb2aeb7c4419677b2fcde5d4c869184837d37a542870a136c812d5ae172b6d4b6ce7e19a07c534fef0fe0cf93ec315644347440

When it compares the two strings, it must do so in constant time to avoid the possibility of a timing attack. Normally when two strings are compared, the comparing algorithm breaks on the first mismatch. In this case we need to compare every single character, even if there are mismatches, so that successful or unsuccessful verification takes exactly the same amount of time.

This is just a rough sketch of what GPG is doing when signing and verifying signatures with RSA, I definitely missed at least one step.

Title: Re: How does a signature work?
Post by: RS7FI8ZRkm on May 25, 2013, 07:04 pm

(head implodes)

Title: Re: How does a signature work?
Post by: astor on May 25, 2013, 08:11 pm

Quote from: kmfkewm on May 25, 2013, 06:44 am

When it compares the two strings, it must do so in constant time to avoid the possibility of a timing attack.

Can you explain this attack?

Title: Re: How does a signature work?
Post by: Mr. Fluffles Schrodinger on May 26, 2013, 01:01 am

Yep. There it goes.
My head is under something again.