Silk Road forums

Discussion => Security => Topic started by: limitlessone on January 12, 2013, 10:17 pm

Title: Problems with a BCPG key
Post by: limitlessone on January 12, 2013, 10:17 pm
Came across a vendor using the BCPG implementation for his public key.  I'm having issues encrypting with it.  From decidedly brief research I understand it's outdated and not secure.

Is it possible to still use?  It's a fairly large vendor so I'm surprised no one else has brought it up.  Are that many people not sending secure messages?
Title: Re: Problems with a BCPG key
Post by: Nightcrawler on January 13, 2013, 10:05 am
> Came across a vendor using the BCPG implementation for his public key.  I'm having issues encrypting with it.  From decidedly brief research I understand it's outdated and not secure.
> 
> Is it possible to still use?  It's a fairly large vendor so I'm surprised no one else has brought it up.  Are that many people not sending secure messages?

If the vendor is using a key with a Version: BCPG 1.x,  then I would advise you to not just walk away, but RUN!  The vendor obviously doesn't have the first fucking clue about security -- the use of keys generated by the Java BouncyCastle libraries has been discussed many times on here, and each time it was reiterated that this software was grossly unsafe.

I don't know who this vendor is, but every one that I've come across, I've written to, to warn them how unsafe this is. Many of these BCPG keys feature encryption sub-keys that are only 512-bits in length -- this is laughably insecure -- 512-bit keys were being broken 20 years ago by individuals using spare hardware they had lying about. 

Do yourself a big favour, and choose a vendor who takes the security of his customers seriously.

Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
Title: Re: Problems with a BCPG key
Post by: limitlessone on January 13, 2013, 06:20 pm
Thanks, a search for "BCPG" hadn't given me many results.  Good to know about that though.

I'm still surprised, this vendor has been on for 2 months, over 300 transactions and a key that doesn't work...how are people sending them their info?  And if they can't are they sending it insecurely?!!
Title: Re: Problems with a BCPG key
Post by: g01d3n on January 13, 2013, 07:00 pm
Hey, I'm a n00by as well, and I spent literally HOURS trying to figure this out. I think I may have gotten it, but take my advice with a grain of salt.

Assuming you use GPA,
--- your vendor should have a public key attached to his profile,
--- copy and paste that into Microsoft Word or Notepad and save it to your desktop
--- In GPA, you should see an IMPORT option at the top.
--- Select the Word document and it should get that key and save it to your list of public keys.
--- Now if that vendor messages you, only you can decrypt his messages.

Now if you want to send him messages, you have to personally send him your public key (much in the same fashion you did his).
Title: Re: Problems with a BCPG key
Post by: g01d3n on January 13, 2013, 07:03 pm
If I got anything wrong, please tell me. I'm learning too.

It's much better to learn as a group and help each other.

Security is much too important, especially sensitive information (address names etc.), for prying eyes to see.
Title: Re: Problems with a BCPG key
Post by: Nightcrawler on January 13, 2013, 10:46 pm
> Hey, I'm a n00by as well, and I spent literally HOURS trying to figure this out. I think I may have gotten it, but take my advice with a grain of salt.
> 
> Assuming you use GPA,
> --- your vendor should have a public key attached to his profile,
> --- copy and paste that into Microsoft Word or Notepad and save it to your desktop
> --- In GPA, you should see an IMPORT option at the top.
> --- Select the Word document and it should get that key and save it to your list of public keys.
> --- Now if that vendor messages you, only you can decrypt his messages.
> 
> Now if you want to send him messages, you have to personally send him your public key (much in the same fashion you did his).

DO NOT use Microsoft Word as an editor -- it tends to fuck things up. Use Notepad instead or just download Notetab Light. http://www.notetab.com/notetab-light.php?js=off

Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
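Two of the points made above can be checked mechanically on a key you have been handed: whether the armor block survived the copy-and-paste intact (the reason Word is a bad editor for it: every character of the Radix-64 body is covered by the CRC-24 trailer, so any reflow or character substitution is detectable), and what size each key and subkey actually is, which is the 512-bit encryption-subkey problem Nightcrawler describes. The Python below is an added example, not code from any poster or from BouncyCastle: it dearmors the block with CRC verification, walks the OpenPGP packets (RFC 4880) and reports every primary key and subkey with its algorithm and bit length. The embedded sample key is constructed on the fly with dummy moduli (a 2048-bit RSA primary plus a 512-bit ElGamal subkey) purely to mirror the pattern described; it is not any vendor's key, and the 2048-bit threshold is this example's own choice.

```python
# Added example (not from any poster): audit an armored OpenPGP public key block offline by
# verifying the armor CRC-24 (a word-processor-mangled paste fails) and listing each key's size.
import base64
ALGO = {1: "RSA", 16: "ElGamal", 17: "DSA"}  # public-key algorithm IDs, RFC 4880 section 9.1

def crc24(data: bytes) -> int:
    """CRC-24 of RFC 4880 section 6.1, the checksum carried in the armor trailer."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Decode the Radix-64 body and verify its CRC-24 trailer; ValueError if altered."""
    lines = text.splitlines()
    begin = next((i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP ")), None)
    end = next((i for i, l in enumerate(lines) if l.startswith("-----END PGP ")), None)
    if begin is None or end is None:
        raise ValueError("armor BEGIN/END lines missing or damaged")
    body = lines[begin + 1:end]
    if "" in body:  # armor headers (Version:, Comment:) end at the first blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("CRC-24 trailer missing")
    trailer = body.pop()
    try:
        data = base64.b64decode("".join(body), validate=True)
        expected = int.from_bytes(base64.b64decode(trailer[1:], validate=True), "big")
    except Exception as exc:
        raise ValueError(f"Radix-64 decode failed: {exc}")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armor body was altered")
    return data

def packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers, RFC 4880 section 4.2."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:  # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: the low two bits select a 1-, 2- or 4-octet length
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i:i + (1 << ltype)], "big"), i + (1 << ltype)
        yield tag, data[i:i + length]
        i += length

def key_sizes(data: bytes) -> list:
    """[(kind, algorithm, bits)] per key packet; bits = first MPI (n for RSA, p for DSA/ElGamal)."""
    out = []
    for tag, body in packets(data):
        if tag in (6, 14):  # public key / public subkey
            if body[0] != 4:  # v4 layout: version, 4-byte creation time, algorithm, MPIs
                raise ValueError(f"unsupported key packet version {body[0]}")
            algo, bits = body[5], int.from_bytes(body[6:8], "big")
            out.append(("primary" if tag == 6 else "subkey", ALGO.get(algo, f"algo {algo}"), bits))
    return out

def audit(armored: str, minimum_bits: int = 2048) -> dict:
    sizes = key_sizes(dearmor(armored))
    return {"keys": sizes, "weak": [k for k in sizes if k[2] < minimum_bits]}

# Constructed sample (assumption: shaped like the keys the post describes, a normal-sized
# primary key with a 512-bit encryption subkey). Dummy moduli, not usable key material.
def mpi(v: int) -> bytes:
    return v.bit_length().to_bytes(2, "big") + v.to_bytes((v.bit_length() + 7) // 8, "big")
def key_packet(tag: int, algo: int, bits: int) -> bytes:
    body = b"\x04" + b"\x00" * 4 + bytes([algo]) + mpi((1 << (bits - 1)) | 1) + mpi(65537)
    n = len(body)  # new-format one- or two-octet body length
    head = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + head + body
def armor(data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: BCPG 1.x (constructed sample)\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n")
SAMPLE_KEY = armor(key_packet(6, 1, 2048) + key_packet(14, 16, 512))  # RSA-2048 + ElGamal-512

def mangled(text: str) -> str:  # constructed failure case: one Radix-64 character changed
    head, sep, rest = text.partition("\n\n")
    return head + sep + rest.replace("A", "B", 1)

if __name__ == "__main__":
    print(audit(SAMPLE_KEY))  # both keys listed; the 512-bit subkey appears under "weak"
```

Running it prints the audit of the constructed sample with the 512-bit subkey under "weak"; `audit(mangled(SAMPLE_KEY))` raises ValueError because the CRC-24 no longer matches the body, which is exactly what a Word-mangled paste looks like to GnuPG. On a real key, paste the armor text into `audit()`; `gpg --list-packets` on the same file shows the same `pkey[0]` bit counts if you want to cross-check against GnuPG's own parser.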
Title: Re: Problems with a BCPG key
Post by: limitlessone on January 13, 2013, 11:05 pm
Thanks g01d3n.  I hope I'm not misunderstanding you.  I certainly could learn more about PGP.  In this instance I'm not having any problems actually importing the key in question.  I'm currently on a Mac using PGPTools and while it imports it, it won't allow me to encrypt messages with the BCPG key.

Now even if I could, from the little of what I understand and what Nightcrawler seems to be suggesting, the BCPG key implementation isn't particularly secure.

I haven't used GPA or heard about it until now but it appears to be a Windows application, right?

Title: Re: Problems with a BCPG key
Post by: Nightcrawler on January 15, 2013, 03:43 pm
> Thanks g01d3n.  I hope I'm not misunderstanding you.  I certainly could learn more about PGP.  In this instance I'm not having any problems actually importing the key in question.  I'm currently on a Mac using PGPTools and while it imports it, it won't allow me to encrypt messages with the BCPG key.
> 
> Now even if I could, from the little of what I understand and what Nightcrawler seems to be suggesting, the BCPG key implementation isn't particularly secure.

It's not. Those keys produced by BouncyCastle Java implementations of PGP (like iGolder.com and PortablePGP) produce thoroughly broken, totally unsafe keys.

> I haven't used GPA or heard about it until now but it appears to be a Windows application, right?

GPA is Gnu Privacy Assistant. It can be installed as an alternative to Kleopatra when installing GPG4WIN. Personally, I'd just install GPG4USB and be done with it. 

Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090