Silk Road forums

Discussion => Security => Topic started by: Catnip on May 10, 2012, 04:37 pm

Title: GPG, do i need it?
Post by: Catnip on May 10, 2012, 04:37 pm
I am new here and i am only a buyer. Do i need GPG? If yes, for what and how do i use it for me?

many thanks for Answers :)
Title: Re: GPG, do i need it?
Post by: deadkndys420 on May 10, 2012, 05:41 pm
Yes PGP is necessary.


This should help.

http://p3lr4cdm3pv4plyj.onion/guides/kleotxt.html
Title: Re: GPG, do i need it?
Post by: vlad1m1r on May 10, 2012, 05:47 pm
I am new here and i am only a buyer. Do i need GPG? If yes, for what and how do i use it for me?

many thanks for Answers :)

Hi Catnip, welcome to SR!

You're not a fan of the Hunger Games by any chance? They have a character in the books nicknamed Catnip? :)

Anyway, yes I am afraid mastering GPG is essential to becoming a buyer. At the very least you are going to need this to encode your mailing address which of course the seller will need when you want to buy anything.

All the best,

V.
Title: Re: GPG, do i need it?
Post by: Ordos on May 10, 2012, 07:37 pm
If you don't like prison then GPG is required.  We have  a lot of guides, just start a thread and ask if you have any problems.  8)
If you google GnuPG and Gnu Privacy Assistant(GPA) they also have a multitude of guides and applications to help.  There is also a lot of buzz about Symantec's PGP (if you trust a corporation)

ps Don't fall for the web based encryption, always install it locally.  (a third party can be coerced to rat you out)
Title: Re: GPG, do i need it?
Post by: polysoph on May 10, 2012, 08:11 pm
But what's with just sending messages on SR, isn't it okay/secure enough? Do you really have to use GPG for every little message you want to send, like if you just want to ask a short question? I've actually seen a few vendors who wrote that you don't always ave to use GPG to communicate with them and messaging them on SR is fine.
Title: Re: GPG, do i need it?
Post by: deadfuture on May 10, 2012, 08:15 pm
But what's with just sending messages on SR, isn't it okay/secure enough? Do you really have to use GPG for every little message you want to send, like if you just want to ask a short question? I've actually seen a few vendors who wrote that you don't always ave to use GPG to communicate with them and messaging them on SR is fine.

GPG should be used for any information that could personally identify you.  Address, names, DCN's all that sensitive information should be sent using GPG.  All other garble feel free to spout anywhere.  This is an extra security measure so that not even SR can decode this information.  In case servers ever got taken, LE could have lists and lists of everyone's info. 
Title: Re: GPG, do i need it?
Post by: 46&2 on May 10, 2012, 11:35 pm
it will keep your paranoia level lower than, if you do not use it.
Title: Re: GPG, do i need it?
Post by: Catnip on May 11, 2012, 07:48 am
is it right, wehen i buy something i must encode my adress an put the encoded in the adress field? For encoding i must use the key from the vendor or my own?
Yesterday I placed an order and i have my address not encoded. Do you think this was very bad and must i have paranoia now?
thanks for help.
Title: Re: GPG, do i need it?
Post by: MiracleCure on May 11, 2012, 08:03 am
is it right, wehen i buy something i must encode my adress an put the encoded in the adress field? For encoding i must use the key from the vendor or my own?
Yesterday I placed an order and i have my address not encoded. Do you think this was very bad and i must habe paranoia now?
thanks for help.

Yes, you encrypt your address using your vendors key, so only their password can open the message. PGP is like putting your message in an envelope so only the person you send it to can read it. Except, PGP is MUCH safer than an envelope. You copy the encrypted text block into the address field and wait until your item arrives. Pretty simple, really.
Title: Re: GPG, do i need it?
Post by: Bridgehead on May 11, 2012, 08:31 am
is it right, wehen i buy something i must encode my adress an put the encoded in the adress field? For encoding i must use the key from the vendor or my own?
Yesterday I placed an order and i have my address not encoded. Do you think this was very bad and must i have paranoia now?
thanks for help.


You don't encode you encrypt it.

Quick-n-Dirty (assuming Windows OS):

1.Copy/Paste the key of the recipient into a text file.  Save the file.
2. Download and install GPG for windows (www.gpg4win.org/) Follow the instructions to create your private/public key pair (you can just skip the part that asks for certificate authority). 
3.  Open GPA
4. Click the "Import Keys" button.
5. Select the file from step 1.
6. Click ok/yes/go ahead/continue whatever
7. Click the "Clipboard" button.
8. type your message
9. Click "Encrypt"
10. Select your RECIPEINTS key, not yours (Use yours when you want to decrypt)
11.  Select all text in the window (Ctrl+A), then copy it.
12.  Paste that text into message to recipient and send.
13.  Enjoy a beer.
Title: Re: GPG, do i need it?
Post by: Bridgehead on May 11, 2012, 08:34 am
As for your other question about sending your address as plain text - don't worry too much about it, it's still encrypted over Tor*, and once your vendor gets it, it's "deleted" from SR's servers (I quote deleted because I don't know if they are over-writing deleted data or not, but I assume they are).

Using PGP is just another layer of protection, and good a good practice to follow.

*Edit:  Actually it may not be encrypted over Tor, depends if SR is using SSL, I don't know if they are.  It will be encrypted from your computer to the Tor exit relay, at a minimum.  It may have been an unencrypted transmission from the Tor exit relay to the SR server.  Someone would have to have been sniffing the data from the exit relay to the SR server to see your address.  I'm not sure if this is 100% accurate information I am giving you, as I'm no expert, but this is my understanding from what I have gleaned from some very knowledgeable people on this forum.

Bottom Line:  Don't be paranoid about your purchase, just use PGP going forward.
Title: Re: GPG, do i need it?
Post by: raveryote on May 11, 2012, 08:43 am
YES!

There are tutorials on this forum, please make use of them.

You may only be a buyer, but the DEA are wet blankets, and will bust whoever they can.

Do not give them that chance. :)
Title: Re: GPG, do i need it?
Post by: Catnip on May 11, 2012, 08:44 am
many thanks for the dummies guide :)
Title: Re: GPG, do i need it?
Post by: raveryote on May 11, 2012, 12:04 pm
As for your other question about sending your address as plain text - don't worry too much about it, it's still encrypted over Tor*, and once your vendor gets it, it's "deleted" from SR's servers (I quote deleted because I don't know if they are over-writing deleted data or not, but I assume they are).

Using PGP is just another layer of protection, and good a good practice to follow.

*Edit:  Actually it may not be encrypted over Tor, depends if SR is using SSL, I don't know if they are.  It will be encrypted from your computer to the Tor exit relay, at a minimum.  It may have been an unencrypted transmission from the Tor exit relay to the SR server.  Someone would have to have been sniffing the data from the exit relay to the SR server to see your address.  I'm not sure if this is 100% accurate information I am giving you, as I'm no expert, but this is my understanding from what I have gleaned from some very knowledgeable people on this forum.

Bottom Line:  Don't be paranoid about your purchase, just use PGP going forward.

SR is a Tor Hidden Service, SR does not need to use SSL, because Tor Hidden Services use end to end encryption using Tor ALONE.

Using a Certificate Authority to verify SSL/TLS would actually be very bad, providing an easy centralized weak point for LEOs to attack/raid.

No, SR servers are hosted WITHIN the Tor Network, not exposed to the outside web.

It is what some people term the Deep Web (as opposed to Surface Web).

The point being, Exit Nodes dont really matter with SR, since it's all strictly inside the Tor Network, only.
Title: Re: GPG, do i need it?
Post by: vlad1m1r on May 11, 2012, 12:16 pm
As for your other question about sending your address as plain text - don't worry too much about it, it's still encrypted over Tor*, and once your vendor gets it, it's "deleted" from SR's servers (I quote deleted because I don't know if they are over-writing deleted data or not, but I assume they are).

Using PGP is just another layer of protection, and good a good practice to follow.

*Edit:  Actually it may not be encrypted over Tor, depends if SR is using SSL, I don't know if they are.  It will be encrypted from your computer to the Tor exit relay, at a minimum.  It may have been an unencrypted transmission from the Tor exit relay to the SR server.  Someone would have to have been sniffing the data from the exit relay to the SR server to see your address.  I'm not sure if this is 100% accurate information I am giving you, as I'm no expert, but this is my understanding from what I have gleaned from some very knowledgeable people on this forum.

Bottom Line:  Don't be paranoid about your purchase, just use PGP going forward.

Thanks Bridgehead,

Just to clarify a couple of points:

- SR doesn't use SSL as the connection is already encrypted through Tor.
- Using SSL is necessary if accessing "clearnet" sites but is not necessary for accessing SR. As a hidden service, there is no exit relay per se as the site is located within the Tor network.

V.
Title: Re: GPG, do i need it?
Post by: 46&2 on May 12, 2012, 02:27 pm
so if the server(s) is/are seized, and "authorities" start digging through the data they will either see your mailing address, or an encrypted message that they may or may not be able to crack (depending on what agency is handling the data). so if your mailing address is not your home address and you have used a fake I.D. to open a P.O. box, or your mailing address is a "safe" address, then feel free to skip the encryption of your info.
Title: Re: GPG, do i need it?
Post by: vlad1m1r on May 12, 2012, 02:43 pm
so if the server(s) is/are seized, and "authorities" start digging through the data they will either see your mailing address, or an encrypted message that they may or may not be able to crack (depending on what agency is handling the data). so if your mailing address is not your home address and you have used a fake I.D. to open a P.O. box, or your mailing address is a "safe" address, then feel free to skip the encryption of your info.

As far as we know there's no way to crack messages encrypted by the more recent versions of GPG.

I think you're absolutely right in saying you shouldn't send to your home address (although opinion is divided on this!) but I would always recommend that you encrypt the address data using GPG. We have an excellent walk through on the forums for users new to this software and it's a very small price to pay for your peace of mind.

V.
Title: Re: GPG, do i need it?
Post by: Ordos on May 12, 2012, 04:52 pm
At the moment GPG is secure, but quantum computing is coming and they will be able to break our current level of cryptography.  It's just like WEPs implementation of the RC4 cipher was secure for a while or the ages(literally ages ago when Rome was an empire) old Cesar cipher was very secure. Start reading into GPG and learn how to beef up your key size and use better hashes that SHA1.

[cryptography like all of computer security is a cat and mouse game, you figure out how to secure something better then they figure out how to attack your new method and vice versa]
Title: Re: GPG, do i need it?
Post by: vlad1m1r on May 12, 2012, 08:53 pm
At the moment GPG is secure, but quantum computing is coming and they will be able to break our current level of cryptography.  It's just like WEPs implementation of the RC4 cipher was secure for a while or the ages(literally ages ago when Rome was an empire) old Cesar cipher was very secure. Start reading into GPG and learn how to beef up your key size and use better hashes that SHA1.

[cryptography like all of computer security is a cat and mouse game, you figure out how to secure something better then they figure out how to attack your new method and vice versa]

Barring some unforeseen breakthrough, realistically, I don't think quantum computing is going to be a real threat for at least a few decades. Even then, its use is primarily going to be restricted to intelligence agencies -- I can't see law enforcement using such technology any time soon. If and when quantum cryptography becomes a reality, then the real danger is going to be to the economic infrastructure, as all classical methods of protecting data will essentially be broken.

I don't see anything on the horizon until much closer to mid-century.

Guru

I was reading Simon Singh's "The Code Book" which incidentally is an excellent and fun read for those interested in Cryptography which he wrote in 1999. In the final chapter "A Quantum Leap into the future", he does mention these types of computers and the fact as you say it would make conventional encryption methods redundant. He even speculates the NSA are doing this already  - if so however we come down to the same issue we were discussing earlier this week the British faced when they cracked the Nazi Enigma code - acting on any information received would be to reveal their hand. The thought that they would do this for any amount of controlled drugs is a little implausible(!) Wouldn't you keep it a jealously guarded secret and only use it to spy on your country's enemies?

V.
Title: Re: GPG, do i need it?
Post by: dmtdoodeelsd on May 13, 2012, 07:49 am
we have never used PGP and have never had a problem , the only way i can see there being any problem is if SR as a whole gets taken down, then the LEO will have lists of probably 10's of SR staff/moderators, 100's of coders/operators or SR,  1000's of vendors and 100000's of recipients, who do you think they will spend their time chasing ?!?!

long term yes PGP is an extra thing you can do to hide your address from view, but no it is not integrally necessary in SR operation.

you should only be paranoid if you think SR themselves will ever be compromised, and even in that case, i THINK, the LEO will be more bothered about finding the MODERATORS of the site rather than knocking on the door of every single person who possibly ordered ANYTHING .

i think you have nothing to worry about Catnip, but if you are worried, then do the PGP thing...

(if anyone can explain an easy way to get it operating smoothly to an idiot with a mac, then please feel free to help me get it installed and running...!) hehe :-[ :-[ :-[ :-[ :-[

Title: Re: GPG, do i need it?
Post by: kmfkewm on May 13, 2012, 01:50 pm
At the moment GPG is secure, but quantum computing is coming and they will be able to break our current level of cryptography.  It's just like WEPs implementation of the RC4 cipher was secure for a while or the ages(literally ages ago when Rome was an empire) old Cesar cipher was very secure. Start reading into GPG and learn how to beef up your key size and use better hashes that SHA1.

[cryptography like all of computer security is a cat and mouse game, you figure out how to secure something better then they figure out how to attack your new method and vice versa]

Barring some unforeseen breakthrough, realistically, I don't think quantum computing is going to be a real threat for at least a few decades. Even then, its use is primarily going to be restricted to intelligence agencies -- I can't see law enforcement using such technology any time soon. If and when quantum cryptography becomes a reality, then the real danger is going to be to the economic infrastructure, as all classical methods of protecting data will essentially be broken.

I don't see anything on the horizon until much closer to mid-century.

Guru

Quantum computing is a reality today, it is just a question of how many qubits can they stabilize. They were at 128 last I checked. Once they get into the thousands they can start pwning GPG. I hear that they will likely be able to make a significant amount of progress in a relatively short amount of time, and that the rate of stabilized qubits will rapidly increase. There is a quantum resistant asymmetric encryption technique that seems to be getting a lot of attention recently called multivariate public key cryptography. Using larger key sizes increases the number os stabilized qubits required, but that wont matter when they start exponentially increasing the number of qubits they can stabilize.
Title: Re: GPG, do i need it?
Post by: kmfkewm on May 13, 2012, 01:53 pm
Quote
Certainly quantum computers are a possibility -- that is one reason what AES was designed with 256-bit keys. The idea was that Schorr's algorithm calls for a quantum computer to essentially halve the key size in bits, so that a 128-bit key becomes effectively as hard to crack as a 64-bit. Applying the same logic to a 256-bit key, yields an effective strength of 128-bits, which is still infeasible to break, at least currently.

You are confusing Shors and Grovers algorithm. Shors algorithms is for cracking vulnerable asymmetric encryption algorithms, it is able to do so extremely quickly with a sufficient amount of qubits. Grovers algorithm is for cutting symmetric algorithm key strength in half, making 128 bit encryption as strong as 64 bit, and 256 as strong as 128. Using 256 bit symmetric algorithms is considered quantum resistant, an RSA key with comparable quantum resistance would be too big to fit on most hard disks according to one paper I read on the subject.
Title: Re: GPG, do i need it?
Post by: Chuck Schumer - Democrat on May 13, 2012, 02:21 pm
Quote
Certainly quantum computers are a possibility -- that is one reason what AES was designed with 256-bit keys. The idea was that Schorr's algorithm calls for a quantum computer to essentially halve the key size in bits, so that a 128-bit key becomes effectively as hard to crack as a 64-bit. Applying the same logic to a 256-bit key, yields an effective strength of 128-bits, which is still infeasible to break, at least currently.

You are confusing Shors and Grovers algorithm. Shors algorithms is for cracking vulnerable asymmetric encryption algorithms, it is able to do so extremely quickly with a sufficient amount of qubits. Grovers algorithm is for cutting symmetric algorithm key strength in half, making 128 bit encryption as strong as 64 bit, and 256 as strong as 128. Using 256 bit symmetric algorithms is considered quantum resistant, an RSA key with comparable quantum resistance would be too big to fit on most hard disks according to one paper I read on the subject.

KM:  I always appreciate your insights, thanks for sharing.
Title: Re: GPG, do i need it?
Post by: shivashanti on May 13, 2012, 02:27 pm
A quick tip that had me baffled till I figured it out. I use Linux and had to use the armor option to get a copy and pasteable encrypted message. Then just paste it in your PM.
Title: Re: GPG, do i need it?
Post by: polysoph on May 14, 2012, 11:13 pm
When placing your order you have to type your name and address nontheless, or will the form and the including informations be deleted for all eternity from the servers right after the vendor accepted your order?
Title: Re: GPG, do i need it?
Post by: dmtdoodeelsd on May 15, 2012, 04:15 am
well SR say they don't keep your details logged whether you use PGP or not (understandably), and you would have to be a shit vendor if you kept a written log of addresses (obviously this could be dont by any vendor whether you use PGP encryption or not) - so the whole thing seems to me to be alot of bother for very little added security.

basically the only benefit to the best of my understanding is if SR are lying to us all, and they DO keep details, and IF their servers are compromised then the authorities could POSSIBLY get addresses of recipients, but as i have explained in previous post, hypothetically, the authorities will potentially contact details of have 10's of SR staff/moderators, 100's of coders/operators or SR,  1000's of vendors and 100000's of recipients, who do you think they will spend their time chasing ?!?!

use it if you have time and want a little extra piece of mind...
Title: Re: GPG, do i need it?
Post by: randomOVDB#2 on May 16, 2012, 12:19 pm
well SR say they don't keep your details logged whether you use PGP or not (understandably), and you would have to be a shit vendor if you kept a written log of addresses (obviously this could be dont by any vendor whether you use PGP encryption or not) - so the whole thing seems to me to be alot of bother for very little added security.

Yeah, we saw how trusting the board takes care of all the problems - http://dkn255hz262ypmii.onion/index.php?topic=19162.msg192761#msg192761

Encrypting a message takes less than 30 seconds. Additionally in regards to your "who will they go after", low-hanging fruit -> targets or goals which are easily achievable and which do not require a lot of effort AKA buyers.
Title: Re: GPG, do i need it?
Post by: vlad1m1r on May 16, 2012, 12:43 pm
It would seem in this case the site allowed payment to be made by Paypal and Western Union which are not anonymous.

They also relied on Hushmail, the defective brainchild of the great Phil Zimmerman, inventor of the original PGP software. In the nature of things Hushmail retained copies of users' private keys and in the face of legal action, they meekly handed them over.

Needless to say Silk Road doesn't store your Private Keys - although I did speak to a Tor Mail user the other day who keeps a copy of his private key in his inbox and uses it to decrypt messages he's been sent using an online decryption tool in the belief this was safer.

No, no, a thousand times no. Your private key never needs to leave your computer - just ask the people at the Farmer's Market if they agree :-)

V.

well SR say they don't keep your details logged whether you use PGP or not (understandably), and you would have to be a shit vendor if you kept a written log of addresses (obviously this could be dont by any vendor whether you use PGP encryption or not) - so the whole thing seems to me to be alot of bother for very little added security.

Yeah, we saw how trusting the board takes care of all the problems - http://dkn255hz262ypmii.onion/index.php?topic=19162.msg192761#msg192761

Encrypting a message takes less than 30 seconds. Additionally in regards to your "who will they go after", low-hanging fruit -> targets or goals which are easily achievable and which do not require a lot of effort AKA buyers.
Title: Re: GPG, do i need it?
Post by: dmtdoodeelsd on May 19, 2012, 05:20 am
exactly right Vlad, i agree safety 1st random, unlike the monkeys who were running the farmers site...

i don't think the remedial system they were using there, with max 3000 transactions is comparable in the slightest to SR, i mean other than both are/were market places for illicit wares - you jus can't compare such a small time operation , obv run by a bunch of friends/known associates etc... which used paypal and WU and Hushmail . i mean these guys had made some fundamental errors before they even got 'out of the blocks' so to speak...

still i'm sure the SR admin will have studied the case carefully and hopefully taken onboard any future changes that might help the security of the site/its users...

i mean if these guys were dumb enough to use paypal and Western, then yeah, they are obviously not afraid of breing caught with some proverbial blood on their hands, they prob DID keep a database of addresses...

you can see from how our site is run and the way DPR conducts themselves - different ball game completely.

also in this case from what i can see, the LE did NOT go after the 'low hanging fruit'
Title: Re: GPG, do i need it?
Post by: kmfkewm on May 19, 2012, 05:49 am
I doubt FM only had 3,000 transactions, and it was actually one of the oldest internet drug markets ever if you consider all of its previous incarnations. SR is probably one of the biggest (in member numbers) named drug networks in the history of the world, if not the biggest. But TFM was the biggest online drug market prior to it. It used to be that a forum with a few thousand members was considered enormous, before that a forum with a few hundred members was. The online drug scene is experiencing a truly exponential growth rate.