Silk Road forums
Support => Technical support => Topic started by: Kryptonite83 on July 01, 2011, 02:25 pm
-
Well...I thought I was a bit tech-savvy, until I stumbled upon this site. Anyone mind enlightening a newb on the nuances of PGP/GPG:
1.) what exactly is it that this technology does
2.) what are they used for in reference to SR?
3.) Does a buyer need them? (both) Or is it used mostly by sellers?
4.) What risks do you encounter by not using them?
5.) Any good guides or tutorials for using PGP/GPG?
Thank you in advance for helping a struggling newb!!
-
There are probably other members better equipped to answer your questions, but here's what I can tell you.
1) It's not simple. I recommend reading the wikipedia page: http://en.wikipedia.org/wiki/Public-key_cryptography
but basically pgp allows you to scramble (encrypt) data with a persons "public key" so that only they can unscramble (decrypt) it with their private key.
2) Typically sellers will publish their public key so that buyers can encrypt messages and their mailing address so that only the seller can decrypt and read it.
3) If you want encrypted messages sent to you, you need to generate a pgp key pair (public and private keys) and give your public key to anyone sending you messages.
4) Encryption is built in to tor so that all traffic from your tor browser to the Silk Road hidden service is encrypted. All data is stored encrypted at Silk Road, so there is never a point where the data is not encrypted except when it is displayed in your browser. However, using pgp gives you yet another layer of protection so that even if Silk Road was compromised somehow (e.g. we were coerced into decrypting the server), your message or address would still be encrypted and only decryptable by your specific vendor.
5) Don't know. Gnu Privacy Assistant (GPA) seems to be a popular encryption software for widows and linux and a good place to start.
-
1. Read wikipedia. In short, it uses math to scramble your communications, primarily GPG relies on the difficulty of factoring huge numbers into primes but the ease of multiplying two primes into a huge number. It makes it so even if your communications are intercepted, they can not be decrypted into intelligible language and rather aim to be indistinguishable from randomness.
2. So buyers can encrypt their addresses and not have them intercepted if the server is ever seized or SR is compromised
3. Buyers and sellers both need to use GPG if one of them wants to, however GPG in the context of SR is almost entirely for the benefit of the buyer it does little to help the seller
4. Serious risks. If SR is compromised, you are fucked, is what it comes down to. Encrypting the drive is nice but when it comes down to it this isn't going to do much by itself. Is the server in a chassis with intrusion detection / the RAM in encapsulation material? If not the attacker who manages to locate the server will merely flash freeze the RAM and dump the key. Not to mention no matter how technically secure the server is, everything on the internet can be hacked by someone if they spend enough time on it. GPG on the other hand can not be hacked by anyone, however you could be hacked and have your private key stolen just like SR's server can be hacked and have its private key stolen. But centralization is bad particularly when there is zero reason for it. If the drive / container is encrypted + chassis intrusion detection + RAM in encapsulation material you can protect from someone with physical access getting the sensitive communications easily. And there are some other neat things you can do. For example, store everything in an encrypted container and set it to dismount immediately if anyone gains access to a shell. That might help from hackers some, but then you still need to detect the compromise prior to remounting or they will steal the key at this point. Fully server side encryption systems like this are mostly security circus imo, they can protect from some attacks but they are no replacement for GPG. And with out chassis intrusion detection + encapsulation of RAM, having it encrypted wont protect from a competent attacker with physical access. And if you don't have measures in place to dismount immediately upon a cyber intrusion being detected, it wont protect from hackers either because they will just steal the key from memory.
-
Thanks alot guys!