GPG testing...

bscott at ntisys.com bscott at ntisys.com
Sat Dec 28 14:49:02 EST 2002


On Sat, 28 Dec 2002, at 2:08pm, jason at sigio.com wrote:
>>   It validates that the sender had access to your private key.  Presumably,
>> only you have access to your key, but even that is far from a given in
>> anonymous communications.
> 
> They'd also need your pass phrase. They'd need your private key and your
> passphrase to forge a signature.

  Your passphrase is used to protect your key.  You encrypt the key with
your passphrase and store the ciphered key in your keychain.  The ciphertext
itself is not your key.  Once you enter your passphrase, the ciphertext is
decrypted to produce your key.  If someone has access to that key, they can
sign messages with it.

  This isn't just a semantic argument.  Yes, the most obvious way to gain
access to a key is to obtain both the keychain and the passphrase.  
However, it is important not to lose sight of the fact that the ciphertext
itself is not the key, and that the ciphertext must be decrypted before the
key can be used.  That point *has* been attacked before.  For example, not
every system handles data residue properly.  This is generally not a problem
on Linux, which always zeros memory before giving a new page to a process,
and which can be told to never swap pages out to disk.  But what if someone
is using a system that doesn't handle that properly?  An attacker might find
a copy of your key in memory or in the swap file somewhere.  As you say, if
this is your home computer, that indicates a bigger problem.  But what if
you're on a corporate system?  Sure, you can make the argument that you
shouldn't use such a system to sign messages, but that's not always
practical, either.

> Something more like the way server certificates are handed out is better,
> IMHO.  At least some presumably competent authority checks that you are
> who you claim to be, and then issues the certificate.

  Hah.  VeriSign is only interested in verifying that they have your money.  
Witness the certificate issued to the guy claiming to be Microsoft a year or
two ago.

> If someone sticks a key on a keyserver claiming to be you, there isn't
> anything you can do about it.

  A public key that has not been signed by trusted parties should not be
trusted.

  The central CA scenario is just a degenerate case of the general
keysigning technique.  The idea is, you have other trusted parties sign your
public key.  They thus assert your public key is legitimate.  In the central
CA scenario, you have a single authority everyone trusts.  That can be good
(airplane rule) or it can be bad (single point of attack).  In the
web-of-trust scenario, peers sign keys of their peers, who sign keys of
their peers, and so on.  In theory, a large web of trust provides
decentralized authentication that you can still put faith in.

  IMO, right now, for general public use, we really do not have any kind of
trustworthy PKI.  The peer trust web that PGP and/or GPG desire is still far
too immature for everyday use, and the de facto PKI that has formed around
SSL is run by corporations with a dubious record.

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |
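A worked illustration of the passphrase point made in the message above (an
added example, not part of the original post and not GnuPG's own code): a
signing key is wrapped under a passphrase-derived key the way a secret keyring
entry is, and the demo shows that the stored blob cannot sign, that a wrong
passphrase yields nothing, that the right passphrase yields a usable key, and
that any leftover copy of the decrypted key signs without a passphrase at all.
The textbook RSA, the HMAC counter-mode stream cipher and the sample message
are assumptions made for the illustration; it needs only the Python 3.8+
standard library.

```python
"""Passphrase-protected signing key: the keyring blob is ciphertext, not the key.
Added illustration, not from the post.  A toy textbook-RSA exponent is wrapped
under a PBKDF2-derived key (the toy RSA and HMAC stream cipher are for
illustration only, stdlib, Python 3.8+)."""
import hashlib, hmac, os, secrets

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin with a small-prime pre-filter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Toy RSA: returns ((n, e), d).  Deliberately small; never use for real."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:           # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), pow(e, -1, phi)

def sign(d, n, message):
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def verify(pub, message, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a toy stream cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def wrap_key(d, passphrase, iterations=100_000):
    """Encrypt the private exponent under a passphrase-derived key (encrypt-then-MAC)."""
    salt = os.urandom(16)
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=64)
    plain = d.to_bytes((d.bit_length() + 7) // 8, "big")
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(km[:32], salt, len(plain))))
    tag = hmac.new(km[32:], salt + ct, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "ct": ct, "tag": tag}

def unwrap_key(blob, passphrase):
    """Recover the exponent; raises before releasing anything on a wrong passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, blob["salt"], blob["iterations"], dklen=64)
    tag = hmac.new(km[32:], blob["salt"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("bad passphrase or corrupted keyring entry")
    ks = _keystream(km[:32], blob["salt"], len(blob["ct"]))
    return int.from_bytes(bytes(a ^ b for a, b in zip(blob["ct"], ks)), "big")

def demo(passphrase=b"correct horse battery staple"):
    """Four outcomes: blob alone, wrong passphrase, right passphrase, leftover copy."""
    pub, d = generate_keypair()
    n, _ = pub
    msg = b"constructed sample message to the list"       # constructed input
    blob = wrap_key(d, passphrase)
    out = {}
    # (1) the keyring ciphertext, used as if it were the exponent, does not sign
    out["blob_signs"] = verify(pub, msg, sign(int.from_bytes(blob["ct"], "big"), n, msg))
    # (2) wrong passphrase: the MAC check fails and no key material is produced
    try:
        unwrap_key(blob, b"wrong passphrase")
        out["wrong_passphrase_unwraps"] = True
    except ValueError:
        out["wrong_passphrase_unwraps"] = False
    # (3) right passphrase: the decrypted exponent signs
    d_plain = unwrap_key(blob, passphrase)
    out["unwrapped_signs"] = verify(pub, msg, sign(d_plain, n, msg))
    # (4) residue: any leftover copy of the decrypted exponent (swap file, unzeroed
    #     page) signs too; the passphrase is never consulted again
    residue = int(d_plain)                                  # stand-in for that leftover copy
    out["residue_signs"] = verify(pub, msg, sign(residue, n, msg))
    return out
```

Running demo() gives blob_signs False, wrong_passphrase_unwraps False,
unwrapped_signs True and residue_signs True.  Step (4) is the whole argument:
once the exponent exists in the clear anywhere, the passphrase protects
nothing, which is why unzeroed pages and swap files matter even when the
keyring itself is sound.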

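An added example for the keysigning and central-CA paragraphs above (not from
the post and not GnuPG's code): a small key-validity calculation in the style
of GnuPG's classic trust model with its default thresholds (one fully trusted
or three marginally trusted valid introducers, certification depth at most
five).  The two graphs show the CA case as the degenerate, single-introducer
form of the web of trust, including why a CA that signs the wrong key is a
single point of attack, and why an unsigned keyserver upload never becomes
valid.  The key names, ownertrust assignments and signature graphs are
constructed.

```python
"""Key validity under a simplified GnuPG-style web of trust.
Added illustration, not from the post.  Thresholds follow GnuPG's classic
defaults (completes-needed 1, marginals-needed 3, max-cert-depth 5); the key
names and certification graphs below are constructed."""
ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"   # ownertrust levels

def compute_validity(signatures, ownertrust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """signatures: {key: set of keys that certified it}; ownertrust: {key: level}.
    Returns {key: depth} for every key that ends up fully valid."""
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}   # my own key(s)
    for depth in range(1, max_cert_depth + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            # only certifications from keys that are themselves valid count,
            # and a self-signature never makes a key valid
            introducers = {s for s in signers if s != key and s in valid}
            full = sum(ownertrust.get(s) in (ULTIMATE, FULL) for s in introducers)
            marginal = sum(ownertrust.get(s) == MARGINAL for s in introducers)
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

def ca_example():
    """The degenerate case: one authority, fully trusted, certifies everyone."""
    ownertrust = {"me": ULTIMATE, "ca": FULL}
    signatures = {"ca": {"me"},                      # I verified the CA's key myself
                  "alice": {"ca"}, "bob": {"ca"},
                  "impostor": {"ca"}}                # a key the CA should not have signed
    return compute_validity(signatures, ownertrust)

def web_of_trust_example():
    """Peers certify peers; marginal introducers must agree before a key is valid."""
    ownertrust = {"me": ULTIMATE, "alice": MARGINAL, "bob": MARGINAL,
                  "carol": MARGINAL, "dave": FULL}
    signatures = {"alice": {"me"}, "bob": {"me"}, "carol": {"me"},   # keys I checked in person
                  "dave": {"alice", "bob", "carol"},  # three marginal introducers
                  "erin": {"alice"},                  # one marginal introducer: not enough
                  "frank": {"dave"},                  # one full introducer (dave is valid)
                  "impostor": {"impostor"}}           # keyserver upload, self-signed only
    return compute_validity(signatures, ownertrust)
```

In ca_example() every key the CA signed comes out valid, the impostor
included, because the only check in the system is the CA's.  In
web_of_trust_example() dave becomes valid only because three independently
checked marginal introducers agree, erin stays invalid on one marginal
certification, and the self-signed impostor key never enters the valid set,
which is the concrete form of "a public key that has not been signed by
trusted parties should not be trusted".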