Silk Road forums

Discussion => Security => Topic started by: nobodyenduser on September 30, 2013, 10:39 pm

Title: Unable to import PGP key
Post by: nobodyenduser on September 30, 2013, 10:39 pm
Never had any problems before, but I am trying to import a key from someone using Version: BCPG v1.45, and I am using Kleopatra, Version: GnuPG v2.0.20 (MingW32), but it doesn't recognize the key.

Any hints on what is wrong?
Title: Re: Unable to import PGP key
Post by: Nightcrawler on October 01, 2013, 12:53 am
> Never had any problems before, but I am trying to import a key from someone using Version: BCPG v1.45, and I am using Kleopatra, Version: GnuPG v2.0.20 (MingW32), but it doesn't recognize the key.
>
> Any hints on what is wrong?

Personally, I would be _very_ wary of using a key generated by one of the BouncyCastle Java crypto libraries. Many of these implementations are grossly unsafe, and beyond broken.
The BCPG 1.45 version string indicates to me that the person is using software based on the BouncyCastle Java crypto libraries.

Send me the key in question, so I can laugh, I mean have a look at it. (Many keys of the typical lengths generated by this type of software were abandoned more than 20 years ago due to insecurity.)

See the following post for more details: http://dkn255hz262ypmii.onion/index.php?topic=109880.msg762238#msg762238

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090     (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0

Title: Re: Unable to import PGP key
Post by: nobodyenduser on October 01, 2013, 01:59 am
> > Never had any problems before, but I am trying to import a key from someone using Version: BCPG v1.45, and I am using Kleopatra, Version: GnuPG v2.0.20 (MingW32), but it doesn't recognize the key.
> >
> > Any hints on what is wrong?
>
> Personally, I would be _very_ wary of using a key generated by one of the BouncyCastle Java crypto libraries. Many of these implementations are grossly unsafe, and beyond broken.
> The BCPG 1.45 version string indicates to me that the person is using software based on the BouncyCastle Java crypto libraries.
>
> Send me the key in question, so I can laugh, I mean have a look at it. (Many keys of the typical lengths generated by this type of software were abandoned more than 20 years ago due to insecurity.)


I was able to figure it out. The key was like this, then I had to make changes:

-----BEGIN PGP PUBLIC KEY BLOCK-----Version: BCPG v1.45

mI0EUh1CIAEEAMEIrhRgg1uhnMoqwBVEvhnWXS 7Y2eKzHknxHM8i55GstywLNKZI GJ1LMzGB7ZvqIVEWQNejUqGKgmzMn/xDYHWWe6K4VC+3UfKXSSqtswhQ6//SyGI2 6g+G76B826HLSa9OYlmEs5ft+uOjVvYlT4adeB XO+4eCwz1ThmQ+U2V/ABEBAAG0 P1NhZmV0eW9mZjEzIChTZXJ2ZXIgb2YgdGhlIG JhZGFzc2VzKSA8c2FmZXR5b2Zm MTNAaHVzaG1haWwuY29tPoicBBMBAgAGBQJSHU KXAAoJEHNRZ/fZA1UfbB8EAJRO h+FxHHZas4qnDalRF+R0vH3l2pTp8q4ld5A+Pd 0zTNFIpQPk0nFhf8NU9r2HaIYk KTx7Uri6q3F9z0fQ0jD2+mBffi6VpfgNT347cT TtzGlCZZlD9dxI+lfj5f1BWN7g gTzb5W1Fsobqq+kzCb1Op92DnNEcgt4pyqtz+K kOiLYEEwECACAFAlIdQpcCmw8G iwkIBwMCBJUCCAMElgIDAQWJDww/AAAKCRBzUWf32QNVH89sBACYFmL0ks+iN/+Q vJDZYgcRb3CgktEBBIGBBt6fArhzcVoNOlL5rH KbMp9nIupGaQwP1IOGoG1foxnc VDhNH6Z3oyK4cBSwEBhW6Ds8BalpPST3XHBLig Ho2LzASBMDLrDxXwTBlEJSa3h7 sVX4C0Knd623Gf59xBU1JNW+rEhDHQ== =ivYr -----END PGP PUBLIC KEY BLOCK-----

I had to place the cursor and hit Enter so it looked like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG v1.45

mI0EUh1CIAEEAMEIrhRgg1uhnMoqwBVEvhnWXS 7Y2eKzHknxHM8i55GstywLNKZI GJ1LMzGB7ZvqIVEWQNejUqGKgmzMn/xDYHWWe6K4VC+3UfKXSSqtswhQ6//SyGI2 6g+G76B826HLSa9OYlmEs5ft+uOjVvYlT4adeB XO+4eCwz1ThmQ+U2V/ABEBAAG0 P1NhZmV0eW9mZjEzIChTZXJ2ZXIgb2YgdGhlIG JhZGFzc2VzKSA8c2FmZXR5b2Zm MTNAaHVzaG1haWwuY29tPoicBBMBAgAGBQJSHU KXAAoJEHNRZ/fZA1UfbB8EAJRO h+FxHHZas4qnDalRF+R0vH3l2pTp8q4ld5A+Pd 0zTNFIpQPk0nFhf8NU9r2HaIYk KTx7Uri6q3F9z0fQ0jD2+mBffi6VpfgNT347cT TtzGlCZZlD9dxI+lfj5f1BWN7g gTzb5W1Fsobqq+kzCb1Op92DnNEcgt4pyqtz+K kOiLYEEwECACAFAlIdQpcCmw8G iwkIBwMCBJUCCAMElgIDAQWJDww/AAAKCRBzUWf32QNVH89sBACYFmL0ks+iN/+Q vJDZYgcRb3CgktEBBIGBBt6fArhzcVoNOlL5rH KbMp9nIupGaQwP1IOGoG1foxnc VDhNH6Z3oyK4cBSwEBhW6Ds8BalpPST3XHBLig Ho2LzASBMDLrDxXwTBlEJSa3h7 sVX4C0Knd623Gf59xBU1JNW+rEhDHQ== =ivYr
-----END PGP PUBLIC KEY BLOCK-----

Then I was able to import it, but I will read the link you provided.
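The repair described in this post can be automated, and the armor's CRC-24 trailer is how you tell a paste that merely lost its line breaks from one whose base64 was altered: re-flow the block, decode it, and accept it only if the checksum still matches. Added example in Python, not code from this thread, from GnuPG or from BouncyCastle; the payload is a constructed byte string, not the key posted above, and only the RFC 4880 armor layout is assumed.

```python
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # RFC 4880 section 6.1
ARMOR_RE = re.compile(r"-----BEGIN PGP (?P<type>[A-Z ]+)-----\s*(?P<mid>.*?)\s*-----END PGP (?P=type)-----", re.DOTALL)
# Whitespace-stripped body: base64 data (optional padding), then "=" and the 4-char CRC.
BODY_RE = re.compile(r"^(?P<data>[A-Za-z0-9+/]+={0,2})=(?P<crc>[A-Za-z0-9+/]{4})$")

def crc24(data: bytes) -> int:
    """CRC-24 over the decoded payload, exactly as specified in RFC 4880 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(block_type: str, payload: bytes, headers: list) -> str:
    """Emit canonical armor: marker, headers, blank line, 64-column base64, CRC line, marker."""
    body = base64.b64encode(payload).decode("ascii")
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    lines = [f"-----BEGIN PGP {block_type}-----", *headers, ""]
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(lines + ["=" + crc, f"-----END PGP {block_type}-----"]) + "\n"

def repair_armor(text: str) -> str:
    """Re-flow a flattened armor block; raise ValueError if the CRC-24 no longer matches."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("no matching BEGIN/END PGP markers")
    mid = "\n".join(line.strip() for line in m.group("mid").splitlines())
    head, sep, data = mid.partition("\n\n")  # armor headers end at the first blank line
    if not sep:
        head, data = "", mid                 # block without headers (modern GnuPG output)
    body = BODY_RE.match(re.sub(r"\s+", "", data))
    if not body:
        raise ValueError("body is not base64 followed by a CRC-24 trailer")
    payload = base64.b64decode(body.group("data"), validate=True)
    if crc24(payload) != int.from_bytes(base64.b64decode(body.group("crc")), "big"):
        raise ValueError("CRC-24 mismatch: the block was altered, not merely re-wrapped")
    return armor(m.group("type"), payload, [h for h in head.splitlines() if h])

# Constructed sample: 100 arbitrary bytes stand in for key packets (not a real OpenPGP key).
PAYLOAD = bytes(range(100))
GOOD = armor("PUBLIC KEY BLOCK", PAYLOAD, ["Version: BCPG v1.45"])
# The same block the way the forum paste left it: header fused onto the BEGIN line,
# body lines joined by spaces, CRC and END marker sharing one line.
_l = GOOD.splitlines()
FLATTENED = _l[0] + _l[1] + "\n\n" + " ".join(_l[3:-1]) + " " + _l[-1] + "\n"
```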

Title: Re: Unable to import PGP key
Post by: Nightcrawler on October 01, 2013, 05:16 am
> > > Never had any problems before, but I am trying to import a key from someone using Version: BCPG v1.45, and I am using Kleopatra, Version: GnuPG v2.0.20 (MingW32), but it doesn't recognize the key.
> > >
> > > Any hints on what is wrong?
> >
> > Personally, I would be _very_ wary of using a key generated by one of the BouncyCastle Java crypto libraries. Many of these implementations are grossly unsafe, and beyond broken.
> > The BCPG 1.45 version string indicates to me that the person is using software based on the BouncyCastle Java crypto libraries.
> >
> > Send me the key in question, so I can laugh, I mean have a look at it. (Many keys of the typical lengths generated by this type of software were abandoned more than 20 years ago due to insecurity.)
>
> I was able to figure it out. The key was like this, then I had to make changes:
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----Version: BCPG v1.45
>
> mI0EUh1CIAEEAMEIrhRgg1uhnMoqwBVEvhnWXS 7Y2eKzHknxHM8i55GstywLNKZI GJ1LMzGB7ZvqIVEWQNejUqGKgmzMn/xDYHWWe6K4VC+3UfKXSSqtswhQ6//SyGI2 6g+G76B826HLSa9OYlmEs5ft+uOjVvYlT4adeB XO+4eCwz1ThmQ+U2V/ABEBAAG0 P1NhZmV0eW9mZjEzIChTZXJ2ZXIgb2YgdGhlIG JhZGFzc2VzKSA8c2FmZXR5b2Zm MTNAaHVzaG1haWwuY29tPoicBBMBAgAGBQJSHU KXAAoJEHNRZ/fZA1UfbB8EAJRO h+FxHHZas4qnDalRF+R0vH3l2pTp8q4ld5A+Pd 0zTNFIpQPk0nFhf8NU9r2HaIYk KTx7Uri6q3F9z0fQ0jD2+mBffi6VpfgNT347cT TtzGlCZZlD9dxI+lfj5f1BWN7g gTzb5W1Fsobqq+kzCb1Op92DnNEcgt4pyqtz+K kOiLYEEwECACAFAlIdQpcCmw8G iwkIBwMCBJUCCAMElgIDAQWJDww/AAAKCRBzUWf32QNVH89sBACYFmL0ks+iN/+Q vJDZYgcRb3CgktEBBIGBBt6fArhzcVoNOlL5rH KbMp9nIupGaQwP1IOGoG1foxnc VDhNH6Z3oyK4cBSwEBhW6Ds8BalpPST3XHBLig Ho2LzASBMDLrDxXwTBlEJSa3h7 sVX4C0Knd623Gf59xBU1JNW+rEhDHQ== =ivYr -----END PGP PUBLIC KEY BLOCK-----
>
> I had to place the cursor and hit Enter so it looked like this:
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: BCPG v1.45
>
> mI0EUh1CIAEEAMEIrhRgg1uhnMoqwBVEvhnWXS 7Y2eKzHknxHM8i55GstywLNKZI GJ1LMzGB7ZvqIVEWQNejUqGKgmzMn/xDYHWWe6K4VC+3UfKXSSqtswhQ6//SyGI2 6g+G76B826HLSa9OYlmEs5ft+uOjVvYlT4adeB XO+4eCwz1ThmQ+U2V/ABEBAAG0 P1NhZmV0eW9mZjEzIChTZXJ2ZXIgb2YgdGhlIG JhZGFzc2VzKSA8c2FmZXR5b2Zm MTNAaHVzaG1haWwuY29tPoicBBMBAgAGBQJSHU KXAAoJEHNRZ/fZA1UfbB8EAJRO h+FxHHZas4qnDalRF+R0vH3l2pTp8q4ld5A+Pd 0zTNFIpQPk0nFhf8NU9r2HaIYk KTx7Uri6q3F9z0fQ0jD2+mBffi6VpfgNT347cT TtzGlCZZlD9dxI+lfj5f1BWN7g gTzb5W1Fsobqq+kzCb1Op92DnNEcgt4pyqtz+K kOiLYEEwECACAFAlIdQpcCmw8G iwkIBwMCBJUCCAMElgIDAQWJDww/AAAKCRBzUWf32QNVH89sBACYFmL0ks+iN/+Q vJDZYgcRb3CgktEBBIGBBt6fArhzcVoNOlL5rH KbMp9nIupGaQwP1IOGoG1foxnc VDhNH6Z3oyK4cBSwEBhW6Ds8BalpPST3XHBLig Ho2LzASBMDLrDxXwTBlEJSa3h7 sVX4C0Knd623Gf59xBU1JNW+rEhDHQ== =ivYr
> -----END PGP PUBLIC KEY BLOCK-----
>
> Then I was able to import it, but I will read the link you provided.

Here is the key, properly formatted -- it should now import properly:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG v1.45
[base64 key body omitted here; it is the same key as quoted above]
=ivYr
-----END PGP PUBLIC KEY BLOCK-----


gpg --list-keys safetyoff13
pub   1024R/D903551F 2013-08-28 [expires: 2021-08-28]
uid                  Safetyoff13 (Server of the badasses) <safetyoff13@hushmail.com>

gpg --edit-key 0xD903551F

pub  1024R/D903551F  created: 2013-08-28  expires: 2021-08-28  usage: SCE
[ unknown] (1). Safetyoff13 (Server of the badasses) <safetyoff13@hushmail.com>

Now, that said, I still wouldn't use it. Here's why:

First off, the guy has used a (thankfully expired) Hushmail address on it. Nobody in their right mind would ever use a Hushmail address for anything illegal, at least not since they rolled over for the DEA in August of 2007. In case you missed it, as part of the DEA's "Operation Raw Deal", Hushmail turned over in excess of 100,000 DECRYPTED emails to the DEA.

Second, and perhaps more to the point: the PGP software used to generate this key is badly broken:

* The key is way too small. Even the National Institute of Standards and Technology (NIST) said that 1024-bit keys should not be used after 2010. They further stated that 1024-bit keys could continue to be used, with increased security risks, no later than the end of 2013, after which time they were not to be used at all, period. In case you haven't noticed, the end of 2013 is only about 3 months away.

* Several years back, somewhere between 2007 and 2008, a flaw was found in PGP RSA keys that were used for both signing and encryption. It was discovered that some secret key bits were being leaked, making such keys easier to break. This 1024-bit key has NO encryption sub-key; you can see from the "usage: SCE" that it is used for Signing, Certification and Encryption. In other words, this already too small key is one of those easier-to-break ones.

* Starting in the fall of 2009, both the PGP and GNU Privacy Guard developers changed the default key formats from DSS/Elgamal to dual-RSA, and changed the default key size from 1024 bits to 2048 bits. You can even see this in the keys that Hushmail generated for this user:

pub   2048R/EDFF5F9A 2013-08-13
uid                  "safetyoff13@hushmail.com" <safetyoff13@hushmail.com>
sub   2048R/6DCFD045 2013-08-13

You can see that the Hushmail-generated key has an encryption sub-key, and that the size is 2048 bits. Even Hushmail abandoned the older, insecure key size/format that is represented by this 1024-bit BCPG key.

The software that this guy is using is both old and broken. I'm guessing that he/she finds PGP/GPG too hard to use, and thus they latched on to this piece of shit because it is "easy to use."

It is all too often true that ease of use comes at the price of sacrificing security. If there were a poster child for that principle, this would be it.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090     (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0
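The two structural checks Nightcrawler applies to the listings above (a primary key below 2048 bits, and no subkey at all so the primary key carries encryption as well as signing) expressed as a small audit over legacy-format gpg --list-keys output. Added example, not part of the thread; it parses only the "pub   1024R/D903551F ..." line format shown in the post and uses the two listings quoted above as its sample input.

```python
import re
from dataclasses import dataclass, field

# Legacy "gpg --list-keys" key line, e.g. "pub   1024R/D903551F 2013-08-28 [expires: 2021-08-28]".
KEY_LINE = re.compile(r"^(pub|sub)\s+(\d+)([RDgE])/([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})(.*)$")
ALGO = {"R": "RSA", "D": "DSA", "g": "Elgamal", "E": "ECC"}
MIN_BITS = 2048  # NIST SP 800-131A: 1024-bit RSA/DSA disallowed after 2013

@dataclass
class Key:
    bits: int
    algo: str
    keyid: str
    subkeys: list = field(default_factory=list)  # (bits, algo) for each "sub" line

def parse_listing(text: str) -> list:
    """Group pub/sub lines of a legacy-format listing into Key records; uid lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        kind, bits, algo, keyid = m.group(1), int(m.group(2)), ALGO[m.group(3)], m.group(4)
        if kind == "pub":
            keys.append(Key(bits, algo, keyid.upper()))
        elif keys:
            keys[-1].subkeys.append((bits, algo))
    return keys

def findings(key: Key) -> list:
    """The two structural weaknesses called out in the thread, as audit findings."""
    out = []
    for bits, algo in [(key.bits, key.algo), *key.subkeys]:
        if bits < MIN_BITS:
            out.append(f"{algo} key of {bits} bits is below the {MIN_BITS}-bit floor")
    if not key.subkeys:
        out.append("no subkey at all: the primary key must carry encryption as well as signing")
    return out

# Sample input: the two listings quoted in the thread above.
SAMPLE = """\
pub   1024R/D903551F 2013-08-28 [expires: 2021-08-28]
uid                  Safetyoff13 (Server of the badasses) <safetyoff13@hushmail.com>

pub   2048R/EDFF5F9A 2013-08-13
uid                  "safetyoff13@hushmail.com" <safetyoff13@hushmail.com>
sub   2048R/6DCFD045 2013-08-13
"""
```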