Home | Community | Message Board

MagicBag Grow Bags
This site includes paid links. Please support our sponsors.


Welcome to the Shroomery Message Board! You are experiencing a small sample of what the site has to offer. Please login or register to post messages and view our exclusive members-only content. You'll gain access to additional forums, file attachments, board customizations, encrypted private messages, and much more!

Shop: PhytoExtractum Buy Bali Kratom Powder   Kraken Kratom Red Vein Kratom

Jump to first unread post Pages: 1
Invisibletdubz
Male User Gallery


Registered: 02/26/12
Posts: 5,586
Wave of Spoofed Encryption Keys Shows Weakness in PGP Implementation
    #23547676 - 08/16/16 05:59 PM (7 years, 5 months ago)

http://motherboard.vice.com/read/wave-of-spoofed-encryption-keys-shows-weakness-in-pgp
Quote:


Don't always trust an encryption key.

Someone has generated a host of dodgy PGP keys, and by abusing the inherent weakness in the short identifying code attached to each, has made the keys appear to belong to a series of high profile individuals in the security community.

This means that someone trying to communicate with these people, which include developers of the Tor anonymity software, may accidentally use the wrong key, leaving messages potentially open to snooping. Or, at best, recipients will simply not be able to decrypt some of the messages they receive. Many of the keys appear to relate to a 2014 research project, but their reemergence highlights a lingering security concern with PGP, which stands for “pretty good privacy”.
On Monday, a post on the unofficial Linux Kernel Mailing List claimed that encryption keys purportedly belonging to Linus Torvalds, the creator of Linux, and Greg Kroah-Hartman, a Linux kernel developer, were instead fake. The post pointed to keys stored on the MIT server, a popular repository where people upload their keys for others to more easily find.

The issue revolved around each key's “short ID,” a numerical code that is supposed to uniquely identify every key. In Torvald's case, the short ID of his real key was 00411886. But someone had created a key with exactly the same 8 digit code.
“The 32-bit short ID's of pgp are completely useless. They may be ‘convenient’, but they also entirely bypass the whole point of having a nice secure key,” Torvalds told Motherboard in an email. Kroah-Hartman also confirmed to Motherboard that one of the keys apparently belonging to him was fake.

Plenty of people list their short ID on their social media profiles, so anyone wanting to get in touch has a relatively easy way to check that whatever key they find is legitimate: If the short ID on the MIT key server is the same as the one on the person's Twitter profile, then you'd think there was a pretty good chance that they were in fact the same key. But, as this case shows, you would be wrong.
"This is not trivial to pull off, but it's exactly the scenario PGP is supposed to prevent"

Isis Lovecruft, a Tor developer, also reported on Tuesday that someone had created a fake key for her, as well as others from the Tor Project. And although it doesn’t seem to be part of this more recent wave of spoofed keys, journalist Glenn Greenwald tweeted a similar experience back in 2014.

All of this is possible because generating a key with the same 8 digit code as another is pretty simple. Using a tool called Scallion, a user can quickly cycle through different PGP keys until they create one that they're happy with.
This is not a new problem: Back in 2014, German journalist Hanno Boeck covered the issue from DEF CON 22 (Boeck also reported spotting a fake key for himself earlier today).
At least some of the reported fake keys were part of the 2014 Evil 32 project which highlighted the dangers of short IDs, explained Eric Swanson, the co-creator of that project, in a comment on Y Combinator on Tuesday. Swanson added that he has generated revocation certificates for each key, meaning they can be marked as “revoked” on the key server.

The potential issue here is that if an attacker created a fake key, people started using it, and this attacker had the potential to intercept emails or otherwise access the target’s email account, they might be able to read incoming encrypted messages. Of course, that would need to be a highly resourceful attacker.
But, as Boeck pointed out to Motherboard in an email, that is the whole point of PGP and end-to-end encryption: to stop someone who has the ability of interception from reading messages.
“So yes, this is not trivial to pull off, but it's exactly the scenario PGP is supposed to prevent,” he wrote.

However, perhaps the more likely situation is that someone will use the wrong key when trying to send a message, and the recipient won’t be able to read it.
Even if someone is pretty vigilant and closely reads the longer, 40 character key fingerprint, another issue is that some PGP programs rely on short IDs for importing keys.
“The really bad thing is that the short ID is what you end up often using even with the tools, and there have even been bugs where the tools themselves used the short ID internally despite it not being secure,” Torvalds continued.

“No security is ever ‘absolute’. PGP has some very real technical strengths, but I have to say, it has a lot of weaknesses too. The weaknesses tend to be about the UI and usage, not about core algorithms, but with security, that's a big deal,” Torvalds added.




Extras: Filter Print Post Top
Jump to top Pages: 1

Shop: PhytoExtractum Buy Bali Kratom Powder   Kraken Kratom Red Vein Kratom


Similar ThreadsPosterViewsRepliesLast post
* Encrypting IP address, to block tracking of Downloads BowlKiller 1,805 6 10/26/04 01:45 PM
by BowlKiller
* easy-to-use 128bit encryption freeware Xochitl 737 1 02/27/04 11:18 AM
by Anonymous
* Cops showed up today....
( 1 2 3 4 all )
z@z.com 9,213 70 01/20/06 04:32 PM
by nonick
* website to show government tracking? feeflanagan 1,509 7 10/09/04 04:02 PM
by shobimono
* AIM Encryption!! Must have!!
( 1 2 all )
EffedS 3,259 29 09/29/03 05:18 PM
by
* How to Purchase Securely 101
( 1 2 3 4 all )
Lana 44,766 64 05/22/13 01:31 AM
by 1ve5w4hu
* The BASICS of Securing your computer and E-mail. Cyber 2,674 12 06/09/09 03:34 PM
by Alan Rockefeller
* IP Masquerading Tutorial Lana 2,632 9 12/11/02 04:43 AM
by artemus

Extra information
You cannot start new topics / You cannot reply to topics
HTML is disabled / BBCode is enabled
Moderator: Enlil, Alan Rockefeller
228 topic views. 1 members, 1 guests and 0 web crawlers are browsing this forum.
[ Show Images Only | Sort by Score | Print Topic ]
Search this thread:

Copyright 1997-2024 Mind Media. Some rights reserved.

Generated in 0.026 seconds spending 0.007 seconds on 14 queries.