Author Topic: A few words on the life of a PGP Key  (Read 769 times)

Hux

  • SR Dev
  • Jr. Member
  • ***
  • Posts: 71
  • Karma: +64/-9
A few words on the life of a PGP Key
« on: January 03, 2014, 01:34:38 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Introduction

I would just like to say a few words regarding PGP keys and their life expectancy, as well as comment on the poor use of them which is evident on this forum.

After reviewing the last few months some things are evident to us:

1. In almost all cases, brute forcing the password of a PGP key is easier than brute forcing the underlying encryption
2. LE amass large quantities of data against individuals, even if it is encrypted, so that when raiding them, if they choose to hand over their keys (or LE may brute force the password), they can decrypt the data and therefore prove the entire dataset belonged to that individual
3. Humans have a habit of using strong crypto and technology to protect themselves but make an utter balls of basic OPSEC, highlighting that it is us (not the technology) that is failing



A Fictional Demonstration

Now let us assume a market was started in January 2012, just like SR and the other markets, and Vendor 1 operated there from day 1. He was a highly popular vendor who received thousands of orders, which was great as all his orders were encrypted, so he had a smart customer base. Unfortunately for Vendor 1, he was then busted in December 2012, but this is where the story splits into 2 parts:

The market was seized

In this case we set the date using the time frame that Silk Road was imaged versus being seized, which was 2 months as I recall, but others have been known to continue operating for over a year, so this is actually only a fraction of the real possibilities. Law enforcement had been watching the server since October in our fictional scenario, and even though the market actually did delete order data, it was not before law enforcement had each time spied on it and stored the encrypted PGP messages elsewhere. At this point, for law enforcement, data collection is arbitrary.

Upon arresting Vendor 1, his laptop was either unencrypted or he used a password which was brute forced using intelligent keyword analysis, which finds all words you have typed on that computer and combines them like a dictionary attack to yield better results than standard brute force attacks. At this point, law enforcement now have at least 2 months' worth of customer addresses (which can then further be used to prosecute others, especially in cases where vendors are selling to each other) and, with the private PGP key on the computer, that is very strong evidence against them if it reaches a full trial. It would also be reasonable to assume at this point that law enforcement will name Vendor 1 as the same person from the start of the operation in January right up to the end in December, with the same PGP key being used throughout.


The vendor stored customer addresses

In this case a vendor had been storing customer addresses; we will use the example period of 3 months, assuming he didn't start storing them until after 9 months of business (although this is unusual, as most would probably begin from the start of their vending period). During those 3 months of storing data, law enforcement made 2 orders from the vendor in their investigations and found both packages arrived at different addresses from different accounts.

Upon the vendor being arrested, we again assume the hardware was unencrypted or used a password which can be intelligently brute forced. This yields both addresses which were previously encrypted to the vendor from the purchases through the market, and these would likely be addresses which are not public and are indistinguishable from others; therefore there is no way they could be publicly gathered data. Furthermore, vendors are likely to store the username along with the address, so this would make the case against them stronger.

It is not hard to imagine that law enforcement at this point were also watching any postal items the individual was sending, and if the stored addresses matched those they had managed to see being sent out, it would be a very strong case for the prosecution.



The case for limiting the life of public key cryptography

In both scenarios outlined in our fictional demonstration of some issues, there are real life comparisons which I don't need to insult your intelligence by pointing out. The problem in both cases is that the encryption kept them safe for a while, but the problem with public key cryptography (PKC) is that its use is also its downfall, because it can prove a person is who they say they are. Something like this WILL be used against you, and you have to assume that if the hardware that has been used can be compromised by law enforcement through exploits, unencrypted drives or intelligent brute force methods, then the PGP private key will almost certainly be an easy target.

So - how does limiting the life of keys help?

Ok, it is obvious limiting the life of a key isn't a perfect solution by any means, but it certainly will help introduce doubt into any case law enforcement may try to bring against you. In the first case of a market seizure, the information encrypted to the key the vendor held at the time would have been limited to 1 month if he had chosen to use a monthly key rotation. In the second, the damage control measure is not as useful (another reason not to store data, to add to the long list of existing ones), but it at least still ensures that the key law enforcement originally encrypted to for the orders they made is not the one currently in use.

How useful that small benefit is in the 2nd case would depend on how your lawyer wants to fight the case, but it is at this point at least useful to point out - AT LEAST IT IS SOMETHING. The accumulation of small difficulties in a case is usually what is going to help you the most if you are unfortunately caught. Lawyers are not there to dispute facts with the prosecution; they are there to undermine confidence in the evidence that the prosecution puts to the jury, which ultimately is what they are told to base their decision on.



Final remarks

Is this going to make the ultimate difference in security? No. But if you are looking for a golden bullet then you are probably mistaking the idea of 1-step ultimate security for convenience, from what I have witnessed. My own PGP key has a life of 3 months; I am not a vendor and I have nothing to do with the operations of Silk Road either, so it is reasonable to assume this is proportionate to the threat level I face. Vendors should ideally change at least once a month and sign their next key when changing, then put the obsolete key in deep storage far away from yourself or securely delete it outright.

Other very knowledgeable people are here volunteering their time to help in matters such as PGP, general OPSEC and specific/more specialized forms of security - make use of what knowledge they are willing to share. I intend to write much more specific and advanced topics in future covering a wide range of issues, and I hope, if you have read this far, that what I have said above will at least get you thinking about some of the threats I outlined.

Hux

Fingerprint: 85B20E7623AAE8D07FF68A79A6B54E14E4193CEB
Topic/Source: http://silkroad5v7dywlc.onion/index.php?topic=13717.0
Profile: http://silkroad5v7dywlc.onion/index.php?action=profile;u=17927
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


Tip: To verify the above signature, quote the contents into a reply and paste that into your PGP program to verify it as it uses BB coding which will not show up if you copy the unquoted form.
« Last Edit: January 03, 2014, 01:39:49 pm by Hux »
No encryption is future-proof. Everything we considered secure 20 years ago is now weak even to home computing. If you want to stay safe, don't trust encryption - trust good data retention policies.

El Presidente

  • Sr. Member
  • ****
  • Posts: 288
  • Karma: +134/-5
  • Buena Mierda
Re: A few words on the life of a PGP Key
« Reply #1 on: January 03, 2014, 02:16:28 pm »
This is indeed a problem, and the issue comes down to us using the same key to prove authenticity that we use to provide encryption, which is not ideal (although it is convenient).

Our view is that it would be preferable to use PGP only to provide authentication of parties and, perhaps during an initial exchange, to agree upon a session key or, more likely, a passphrase that would be used for that one transaction only to encrypt communications between parties - probably using a symmetric algorithm.




=================================================
The All Market Vendor Directory - http://directory4iisquf.onion
=================================================

Hux

  • SR Dev
  • Jr. Member
  • ***
  • Posts: 71
  • Karma: +64/-9
Re: A few words on the life of a PGP Key
« Reply #2 on: January 03, 2014, 02:38:05 pm »
One very interesting development is group OTR. OTR encryption schemes should be used whenever possible, of course, and to my knowledge you can actually pair up TorChat with OTR through Pidgin, which is a very interesting idea, but there are still weaknesses with TorChat unfortunately. I do agree to some extent overall, El Presidente, but the point remains that a "password" shouldn't be used for a single exchange but rather a disposable PGP key.

El Presidente

  • Sr. Member
  • ****
  • Posts: 288
  • Karma: +134/-5
  • Buena Mierda
Re: A few words on the life of a PGP Key
« Reply #3 on: January 03, 2014, 03:41:59 pm »
Yes - per-transaction PGP keys would work well and provide authenticity for the duration of the transaction. It is added complexity but not unreasonable - a high volume vendor would probably not agree, we suspect.

Unfortunately, without additional client side software the options are limited, or we force a series of procedures onto users which, realistically, they will attempt to bypass. Perhaps if a simple PGP wrapper could be put together which would support the following flow, then the level of complexity could be reduced for vendor & buyer end-users.

1) Buyer creates order and generates and sends a unique buyer transaction key
2) Vendor accepts order and responds with a vendor transaction key encrypted to the buyer's transaction key. This message is signed by the vendor's long-term published key
3) Buyer encrypts address details to the vendor transaction key
4) Any additional communications for the duration of the transaction occur using the buyer or vendor transaction keys only
5) Upon finalization both buyer and vendor transaction keys are destroyed

The vendor's long-term key can be cycled as often as needed, as long as it is published and ideally signed by the previous key.

That could work, but there would have to be some changes to the market structure to permit it to happen. Firstly, to postpone address transmission until the transaction keys are established and, secondly, to make life easier for higher volume vendors trying to pair up potentially hundreds of transaction keys with hundreds of buyer accounts, every day.

« Last Edit: January 03, 2014, 03:48:58 pm by El Presidente »

pK

  • Vendor
  • Hero Member
  • *****
  • Posts: 705
  • Karma: +115/-22
  • Australian MDA Vendor.
Re: A few words on the life of a PGP Key
« Reply #4 on: January 03, 2014, 04:47:59 pm »
+1, Great post. You should consider another thread, except regarding PGP versions and encryption techniques.
MultiSig -  Express Post - Seamless Communication.

Escrow available on alternative markets.

Forum Review - http://silkroad5v7dywlc.onion/index.php?topic=13368
Marketplace Profile - http://silkroad6ownowfk.onion/users/pk

snowwhite421

  • Sr. Member
  • ****
  • Posts: 312
  • Karma: +56/-22
Re: A few words on the life of a PGP Key
« Reply #5 on: January 03, 2014, 10:07:17 pm »
+1, very well thought out post exposing potential weak points in people's OPSEC. This is something that isn't thought about enough, let alone talked about enough. Your chain is only as good as its weakest link, and things like storing customers' addresses should not be trusted to a chain that has been around for a while and been battered by the elements. You should replace the chains often (although I'd say that vendors SHOULD NOT be storing customers' addresses, at all! Print the labels off, send their goods promptly, and get rid of anything that could compromise them.)

Hotsince82

  • Jr. Member
  • **
  • Posts: 85
  • Karma: +7/-3
Re: A few words on the life of a PGP Key
« Reply #6 on: January 03, 2014, 10:41:49 pm »
How does the two factor PGP auth work for SR then? I've always wondered that: does constantly signing in and decrypting the PGP string given allow for your private key to eventually be sussed out? I'm really unclear on this issue, as I don't know the full workings of PGP.

Nightcrawler

  • Guest
Re: A few words on the life of a PGP Key
« Reply #7 on: January 04, 2014, 08:31:58 am »
> This is indeed a problem, and the issue comes down to us using the same key to prove authenticity that we use to provide encryption, which is not ideal (although it is convenient).
>
> Our view is that it would be preferable to use PGP only to provide authentication of parties and, perhaps during an initial exchange, to agree upon a session key or, more likely, a passphrase that would be used for that one transaction only to encrypt communications between parties - probably using a symmetric algorithm.

Actually, you're NOT using the same key for both encryption and authentication, unless you're using an old-format key, e.g. one generated by Kleopatra.
Encryption sub-keys are separate from the primary key, which is used for signing/authentication. You can set a separate expiry date on the encryption sub-key, and periodically replace/destroy older sub-keys.

Messages encrypted with destroyed sub-keys cannot be decrypted by anyone, short of breaking the public key.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.  --Friedrich Schiller

El Presidente

  • Sr. Member
  • ****
  • Posts: 288
  • Karma: +134/-5
  • Buena Mierda
Re: A few words on the life of a PGP Key
« Reply #8 on: January 04, 2014, 05:14:06 pm »
> This is indeed a problem, and the issue comes down to us using the same key to prove authenticity that we use to provide encryption, which is not ideal (although it is convenient).
>
> Our view is that it would be preferable to use PGP only to provide authentication of parties and, perhaps during an initial exchange, to agree upon a session key or, more likely, a passphrase that would be used for that one transaction only to encrypt communications between parties - probably using a symmetric algorithm.
>
> Actually, you're NOT using the same key for both encryption and authentication, unless you're using an old-format key, e.g. one generated by Kleopatra.
> Encryption sub-keys are separate from the primary key, which is used for signing/authentication. You can set a separate expiry date on the encryption sub-key, and periodically replace/destroy older sub-keys.
>
> Messages encrypted with destroyed sub-keys cannot be decrypted by anyone, short of breaking the public key.
>
> Nightcrawler

Very true. Technically they are not the same key taking sub-keys into account.

What we were trying to say is that PGP is great for proving identity, but the OP hit the nail on the head by saying that, short of changing keys (or regenerating and then deleting the encryption sub-key), we are creating a potential problem as we aggregate historical data encrypted using the same key, which in the use-case here on the markets is really not necessary.

The vendor example is spot on: once the transaction is complete it is not necessary, in fact it is highly undesirable, for the vendor (or an entity coercing the vendor) to be able to access any of the encrypted data.

One solution is to periodically change the encryption sub-key, perhaps once a month, but that could be asking quite a lot of many vendors - especially given the patchy software support for modifying sub-keys. That said, Seahorse is a very nice, simple piece of GUI software which makes key management relatively straightforward, including key signature management and sub-key management - second only to the command line.

Another solution is as described in an earlier post, and that is to agree a per-transaction PGP key for both buyer and vendor - the important part is probably the vendor key more than the buyer key.

The first solution is preferable from our point of view but places the onus on the vendor to both change their keys and ensure they are published, probably to multiple sources. Using a key-server can make this task much simpler, and users would need to sync their locally held vendor keys against the key-server prior to sending a message or risk sending a message that would not be recoverable. The master key and identity could stay the same permanently in this case.

We are very conscious that making things overly complex for users could have the very negative side-effect of causing people to avoid using PGP. Something is almost certainly better than nothing.

OTR, or a scheme with similar security characteristics, does seem a better fit for market-place messaging and avoids the aggregation issue. However, on the downside, IM perhaps isn't the best fit for placing orders.

All of this however is academic in situations where vendors decrypt and then save data (addresses etc.) off-line, which is probably a bigger problem than our cryptographic machinations.

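Nightcrawler's point above that an encryption sub-key carries its own expiry, and El Presidente's suggestion of rotating it roughly monthly, can be turned into a keyring check. The following is an added example, not code from the thread or from GnuPG: it parses the machine-readable `gpg --list-keys --with-colons` output (here a constructed sample with fake key IDs) and flags encryption sub-keys that never expire or whose lifetime exceeds the policy; the `audit_encryption_subkeys` function and the 31-day default are assumptions of this example, not anything the posters wrote.

```python
"""Audit `gpg --list-keys --with-colons` output for encryption subkeys that outlive
a rotation policy. Added example, not code from the thread. Expiry alone only stops
new messages being encrypted to a subkey; old ciphertext still opens while the secret
subkey is kept, so expired subkeys still present in the listing are reported as well."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterator, List, Optional, Tuple

DAY = 86400
MAX_LIFE_DAYS = 31  # "once a month": the vendor rotation period suggested in the thread

# Constructed sample of `gpg --list-keys --with-colons` output; key IDs and fingerprints
# are fake. Field 0 = record type, 4 = key ID, 5 = creation time, 6 = expiry time
# (empty = never), 11 = capability letters (e = encrypt, s = sign, c = certify).
SAMPLE_LISTING = """\
tru::1:1388700000:0:3:1:5
pub:u:4096:1:0000000000000001:1388534400:1396310400::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1388534400::0123456789ABCDEF0123456789ABCDEF01234567::Constructed Vendor <vendor@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000002:1388534400:1391212800:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000002:
sub:u:4096:1:0000000000000003:1388534400::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000003:
sub:u:4096:1:0000000000000004:1372636800:1388534400:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000004:
"""

@dataclass
class SubkeyFinding:
    key_id: str
    created: int
    expires: Optional[int]
    lifetime_days: Optional[int]
    status: str    # "ok" | "no-expiry" | "exceeds-policy"
    expired: bool  # already past expiry at audit time; the secret part should be gone too

def parse_gpg_time(field: str) -> Optional[int]:
    """GnuPG 2.x prints epoch seconds; some builds print yyyymmddThhmmss (UTC)."""
    if not field:
        return None
    if "T" in field:
        dt = datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return int(field)

def encryption_subkeys(listing: str) -> Iterator[Tuple[str, int, Optional[int]]]:
    """Yield (key_id, created, expires) for each 'sub' record that can encrypt."""
    for line in listing.splitlines():
        rec = line.split(":")
        if len(rec) > 11 and rec[0] == "sub" and "e" in rec[11]:
            yield rec[4], parse_gpg_time(rec[5]), parse_gpg_time(rec[6])

def audit_encryption_subkeys(listing: str, max_life_days: int = MAX_LIFE_DAYS,
                             now: Optional[int] = None) -> List[SubkeyFinding]:
    """Classify every encryption subkey in the listing against the rotation policy."""
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    findings = []
    for key_id, created, expires in encryption_subkeys(listing):
        if expires is None:
            findings.append(SubkeyFinding(key_id, created, None, None, "no-expiry", False))
            continue
        lifetime = (expires - created) // DAY
        status = "ok" if lifetime <= max_life_days else "exceeds-policy"
        findings.append(SubkeyFinding(key_id, created, expires, lifetime, status, expires <= now))
    return findings

def format_report(findings: List[SubkeyFinding]) -> str:
    lines = []
    for f in findings:
        life = "never expires" if f.lifetime_days is None else f"{f.lifetime_days}-day lifetime"
        flag = " (EXPIRED: make sure the secret subkey is destroyed)" if f.expired else ""
        lines.append(f"{f.key_id}: {f.status:<14} {life}{flag}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Audit date fixed at 3 January 2014 (the thread's date) so the output is reproducible.
    print(format_report(audit_encryption_subkeys(SAMPLE_LISTING, now=1388707200)))
```

To audit a real keyring, pipe `gpg --list-keys --with-colons` into `audit_encryption_subkeys` instead of the constructed sample.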

Nightcrawler

  • Guest
Re: A few words on the life of a PGP Key
« Reply #9 on: January 04, 2014, 09:49:41 pm »
> Or you could limit the life of the data you keep. They can't decrypt what doesn't exist. Sensible data retention policies may save your ass some day. The vast majority of messages can be deleted after a few days, maybe a few weeks tops. Delete any data that you don't need.

Superb advice.

> There was absolutely no reason for Ross to keep a record of every single transaction on SR1 since the first day of operation. Now he is going to be sentenced based on every single transaction that he conveniently kept a record for LE. They could have scraped the market anyway, but why do their job for them?

Is there any concrete evidence (affidavits, etc.) that this is what Ross has done? I had assumed that this was the case, but this is just an assumption with no hard evidence to back it up.


Angel Eyes

  • Vendor
  • Sr. Member
  • *****
  • Posts: 333
  • Karma: +89/-24
  • Growers of Cannabis Fantasticus
Re: A few words on the life of a PGP Key
« Reply #10 on: January 04, 2014, 10:55:50 pm »
One thing that can be useful is to have the ability to store all keys in a custom location like an encrypted USB drive or encrypted file. If all the keys a user uses, especially a user's own private keys, can be stored using a strongly encrypted method, then it's much harder for LE to link a user to an online vendor account via their key(s). If they can't link you to a vendor account, it's much harder to prove you are doing anything wrong (other than perhaps having drugs at your location when they bust you, for example).

I know at least one GnuPG software vendor is looking into adding this feature, but I'm not sure if any have actually implemented it.
The Hub Review Thread:  http://thehubaoydxrommh.onion/index.php?topic=432.msg4232#msg4232

AE Offsite Email:  angelojos@safe-mail.net

Angel Eyes

  • Vendor
  • Sr. Member
  • *****
  • Posts: 333
  • Karma: +89/-24
  • Growers of Cannabis Fantasticus
Re: A few words on the life of a PGP Key
« Reply #11 on: January 05, 2014, 01:45:43 am »
> One thing that can be useful is to have the ability to store all keys in a custom location like an encrypted USB drive or encrypted file. If all the keys a user uses, especially a user's own private keys, can be stored using a strongly encrypted method, then it's much harder for LE to link a user to an online vendor account via their key(s). If they can't link you to a vendor account, it's much harder to prove you are doing anything wrong (other than perhaps having drugs at your location when they bust you, for example).
>
> I know at least one GnuPG software vendor is looking into adding this feature, but I'm not sure if any have actually implemented it.

> Any sensible PGP program already symmetrically encrypts your private keys. That's why you need to enter a password to use them. Most programs including GPG use CAST5 as a default (which has 80 to 120 bit keys), but you can change the cipher suite preferences to AES-256 in gpg.conf. I recommend doing that and using a 40 char password which has roughly 256 bits of entropy. Longer passwords are harder to remember and offer no more protection because above 256 bits it's "easier" to brute force the AES key directly rather than the password.

I'm sorry if I wasn't clear. Yes, of course the keys are encrypted. What I mean is that, for example, I use the GPGTools Keychain to store the keys of our customers and our own private key. The Keychain program chooses an open location, I believe in the ~/Library directory or something, to store the keys. Being able to choose another location to store the keys themselves, such as a USB drive or encrypted file, would hide those keys if my computer was confiscated by LE. They wouldn't be able to see what keys I had stored on my system or what private keys belonged to me, thereby making it much harder for them to link me to my online presence. Think about it -- just having a private key stored on your computer is a form of proof that links you to your vendor account. Encrypting the storage of that key makes it hard/impossible for LE to prove that link. That's all I'm saying :).

Nightcrawler

  • Guest
Re: A few words on the life of a PGP Key
« Reply #12 on: January 05, 2014, 01:54:00 pm »
> Is there any concrete evidence (affidavits, etc.) that this is what Ross has done? I had assumed that this was the case, but this is just an assumption with no hard evidence to back it up.

The indictment stated that they had transaction info going back to 6 February 2011. That's more or less the very beginning of the market. There may have been a week or two unaccounted for, but considering he started posting about the market as altoid on 27 January, the 6 February date may have been the first transaction on the market. Ross's shitty data retention policies allowed them to determine that there were 145,000 paying user accounts, 3800 vendor accounts, and 900,000 transactions totaling 9 million BTC in revenue and 600,000 BTC in profit. He is going to be sentenced based on every gram of every drug that moved through the site, and LE knows the exact amounts of everything because he conveniently saved it all for them.

So, he not only cooked his own goose, but everyone else's as well. What a fucking imbecile!  And this is the guy people are holding up as a hero, and putting on a pedestal! Ha!


McRAD

  • Sr. Member
  • ****
  • Posts: 254
  • Karma: +16/-13
Re: A few words on the life of a PGP Key
« Reply #13 on: January 28, 2014, 02:19:53 pm »
Subbed :)

Thanks team!
Much Love_Mcrad!