Silk Road forums

Discussion => Security => Topic started by: JackBlack on October 23, 2012, 08:33 am

Title: I got this Key but it doesn't work
Post by: JackBlack on October 23, 2012, 08:33 am
Hi there guys ... one of the vendors has this key

I have no idea what program to use in order to encrypt with this key (BCPG C# v1.6.1.0?)..
It seems there is no e-mail attached to it and I tried pgp4usb as well just to try a different method ...
Does anyone recognize this type of key and would be willing to tell me what programs to use?

Kind Regards
JB
Title: Re: I got this Key but it doesn't work
Post by: Nightcrawler on October 23, 2012, 09:12 am
This key was generated by one of those Java-based 'PGP' programs. The email address on it appears to be: aanbod@live.com, or at least that's the nearest I can make out.

pgpdump filename
Old: Public Key Packet(tag 6)(141 bytes)
        Ver 4 - new
        Public key creation time - Sun Sep  2 14:33:32 EDT 2012
        Pub alg - RSA Encrypt or Sign(pub 1)
        RSA n(1024 bits) - ...
        RSA e(17 bits) - ...
Old: User ID Packet(tag 13)(15 bytes)
        User ID - aanbod-live.com
Old: Signature Packet(tag 2)(156 bytes)
        Ver 4 - new
        Sig type - Generic certification of a User ID and Public Key packet(0x10).
        Pub alg - RSA Encrypt or Sign(pub 1)
        Hash alg - SHA1(hash 2)
        Hashed Sub: signature creation time(sub 2)(4 bytes)
                Time - Sun Sep  2 14:33:32 EDT 2012
        Sub: issuer key ID(sub 16)(8 bytes)
                Key ID - 0xD8B806D7F59D5050
        Hash left 2 bytes - 3b 7c
        RSA m^d mod n(1023 bits) - ...
                -> PKCS-1

The long and the short of it is this:

1) The key is too short -- 1024-bit keys are now obsolete.

2) It uses an obsolete hash algorithm -- SHA-1

3) It uses an obsolete key format -- where one key is used for both signing & encryption.

4) The person who generated this used a valid, clearnet email address, which can likely be traced back to their ISP.

5) The key owner obviously doesn't know how to use PGP or GPG; if they did, they would not be using broken software like this to generate their key.
Any recent version of PGP or GPG would not generate crap keys like this.

Is someone this clueless (not to mention careless) the type of person you want to do business with?

p.s.: This key will actually import into GPG4USB -- just make sure you have the entire key copied.

FWIW, I wouldn't trust my information to a key this small and insecure.
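
Added example (not part of the original thread, and not pgpdump's code): a minimal Python reader for the RFC 4880 packet layout shown in the dump above, flagging the properties from points 1 to 3 and reporting what the user ID discloses. The sample bytes and the names `audit` and `old_packet` are constructed for illustration; the input must be the binary (de-armored) key.

```python
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 10: "SHA512"}
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}

def packets(data):
    """Yield (tag, body) per packet; old-format and one-octet new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new format: tag in the low 6 bits
            tag, first = hdr & 0x3F, data[i + 1]
            if first >= 192:
                raise ValueError("only one-octet new-format lengths handled here")
            length, i = first, i + 2
        else:                               # old format: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def audit(data):
    """Return a list of findings for a binary public key."""
    findings, has_subkey = [], False
    for tag, body in packets(data):
        if tag == 6 and body[0] == 4 and body[5] in (1, 2, 3):   # v4 RSA primary key
            bits = int.from_bytes(body[6:8], "big")              # MPI bit count of n
            if bits < 2048:
                findings.append(f"RSA modulus is {bits} bits")
        elif tag == 13:                                          # user ID packet
            findings.append(f"user ID discloses {body.decode('utf-8', 'replace')!r}")
        elif tag == 2 and body[0] == 4 and HASHES.get(body[3]) in WEAK_HASHES:
            findings.append(f"signature uses {HASHES[body[3]]}")
        elif tag == 14:                                          # public subkey packet
            has_subkey = True
    if not has_subkey:
        findings.append("no subkey: one key both signs and encrypts")
    return findings

def old_packet(tag, body):
    # Constructed-sample helper: old-format header with a one-octet length.
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample, not a usable key: same packet shape as the dump (141-byte key packet).
PUBKEY = old_packet(6, b"\x04" + bytes(4) + b"\x01\x04\x00\x80" + bytes(127) + b"\x00\x11\x01\x00\x01")
SIG = old_packet(2, bytes([4, 0x10, 1, 2]) + bytes(4) + b"\x3b\x7c\x00\x08\xff")
SAMPLE = PUBKEY + old_packet(13, b"user@example.com") + SIG
```

Calling `audit(SAMPLE)` returns one finding per weakness; a key with a 2048-bit or larger primary key, a SHA-256 self-signature and an encryption subkey returns only the user ID line.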
Title: Re: I got this Key but it doesn't work
Post by: microRNA on October 23, 2012, 09:20 am
I have seen that before - so I went and checked, it's an igolder key
Title: Re: I got this Key but it doesn't work
Post by: Nightcrawler on October 23, 2012, 09:55 am
Sweet Jesus Christ! This vendor needs to be shot and pissed-on.

This is nothing short of absolute, complete and total incompetence, even negligence.

What literally takes, eats and shits the cake is that this guy sells Ecstasy by the kilo. I think my head is going to explode now.

If congenital idiots like this are allowed to do business here, I might as well say, "Fuck it!" and throw in the towel -- this place is beyond redemption.



Title: Re: I got this Key but it doesn't work
Post by: JackBlack on October 23, 2012, 12:58 pm
Key is actually from user Dutchaanbod .. he sells very decent Product but the encryption method doesn't satisfy me ... I thought of using privnote and sending it as a pm instead of encrypting email ... what do you guys think .. ?
Title: Re: I got this Key but it doesn't work
Post by: microRNA on October 23, 2012, 02:49 pm
Privnote is definitely not secure or recommended.

What to do I am really not sure, except maybe try to find another vendor. There is no "safe" way to send your address really, unfortunately.

Or actually, since he is just going to unencrypt using igolder, you could just encrypt using igolder too. Just don't put anything but your address... even if igolder logs your address, as long as you don't mention anything else (absolutely NOTHING about drugs) then all they will have in their system is your address, which is basically nothing incriminating compared to your address being in cleartext on SR servers.

I'm sure others will disagree with me... I want to make it clear I am not saying it's safe though, or even recommended - that's not what I am trying to say, it's just an idea; trying to figure out which would be the lesser of two evils if you must use the vendor - which I don't recommend...