Silk Road forums
Discussion => Security => Topic started by: LouisCyphre on June 27, 2012, 05:09 pm
-
Over the last few days I've seen a number of keys posted, both here on the forum and on SR vendor pages, of secret keys instead of public keys.
This is very bad. The secret or private key should *never* be posted anywhere. As with the passphrase used to unlock it, it should be guarded and protected. If your secret key is available to anyone and you have set a weak passphrase on it then it is possible for the passphrase to be cracked. At that point you, along with anyone encrypting messages to you, are fucked.
So when you are exporting your key, double-check that the key looks like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: whatever
Comment: if you really need one
(keyblock)
-----END PGP PUBLIC KEY BLOCK-----
Make sure that it absolutely does NOT look like this:
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: whatever
Comment: if you really need one
(keyblock)
-----END PGP PRIVATE KEY BLOCK-----
I realise that the topic can be difficult to get your head around when starting with it, but it really is worth taking a little time out to do so.
I also highly recommend reading this if you're new to OpenPGP, though it was written for PGP (the proprietary/original software):
ftp://ftp.pgpi.org/pub/pgp/6.5/docs/english/IntroToCrypto.pdf
The PGP International (pgpi.org) site is a relic from the Crypto Wars, when PGP's source code was printed, flown to Europe, OCR scanned, compiled and released to the rest of the world because of America's munitions export laws (printed source code was classed as speech and protected by the First Amendment).
-
I have not only noticed this, but I have also observed the following:
* 1024-bit keys - as you may likely be aware 1024-bit keys were deprecated by NIST as of the end of December 2010.
Yes, I've seen that. I was thinking about a separate post to draw attention to it. I have made a 1024-bit key in the past, but it was a *long* time ago (my first key and it didn't get used much).
* 1024 bit primary keys with 512-bit encryption sub-keys. 512-bit keys have been cracked by hobbyists; a signing key used to sign software for some models of TI calculators was
factored, leading to hobbyists now being able to fool the TPM inside the hardwre, which required binaries to have a valid signature before they were allowed to be loaded/executed.
I've also seen that and I find it bizarre that people would create them. It wouldn't take long for one BTC mining rig, repurposed to crack GPG keys to rip through the 512-bit keys.
This is one of the reasons that I also wrote this guide (it's been tweaked a couple of times to make it easier to read):
http://dkn255hz262ypmii.onion/index.php?topic=28474.0
Strong cryptography is important and not just for SR. I am well and truly in the privacy advocate camp that says *all* email should be encrypted, including jokes to mates.
-
recommended key lengths are in section 7 - http://www.ecrypt.eu.org/documents/D.SPA.17.pdf
Thanks. A web search for "NIST key recommendation" will produce numerous results. Including multiple NIST PDFs and this:
http://www.keylength.com/en/4/
It includes an easy to read table with the equivalent sizes between bit strength, symmetric (AES), asymmetric (RSA), discrete logarithm, eliptic curve (ECC) and hash types. It also includes how long they should be considered valid for.