logo

blog

My website can't be that messy, right? git clone https://anongit.hacktivis.me/git/blog.git/

Pretty Bad Privacy.xhtml (10487B)

    

  1. <!--
  2. Copyright © 2014 Haelwenn (lanodan) Monnier
  3. SPDX-License-Identifier: LAL-1.3
  4. -->
  5. <article lang="en">
  6. <a href="/articles/Pretty%20Bad%20Privacy"><h1>Pretty Bad Privacy</h1></a>
  7. <span class="warn">This article is in early drafting process, made public so I get comments and more people can be aware</span>
  8. <dl>
  9. 	<dt>OpenPGP</dt>
  10. 	<dd>Pretty Good Privacy standard, derives from the original PGP implementation. "PGP", "Pretty Good", and "Pretty Good Privacy" are trademarks of PGP Corporation. The term "OpenPGP" refers to the protocol described in this and related documents.</dd>
  11. 	<dt>GnuPG / GPG</dt>
  12. 	<dd>Gnu Privacy Guard, main/only implementation of OpenPGP</dd>
  13. </dl>
  14. <h2>OpenPGP standard</h2>
  15. <h3>Compression</h3>
  16. <blockquote><pre>
  17.    Furthermore, compression has the added side effect that some types of
  18.    attacks can be thwarted by the fact that slightly altered, compressed
  19.    data rarely uncompresses without severe errors.  This is hardly
  20.    rigorous, but it is operationally useful.  These attacks can be
  21.    rigorously prevented by implementing and using Modification Detection
  22. </pre></blockquote>
  23. <cite><a href="https://tools.ietf.org/html/rfc4880">RFC4880</a>, November 2007</cite>
  24. <p>Not sure about this one, I’ll go check but this cause few issues in SSH and TLS, so I wouldn’t be surprised that it was also the case for OpenPGP.</p>
  25. <h3>Ciphers</h3>
  26. <p>The OpenPGP standard mandates that some ciphers must be present in the implementation, they are broken and well known to be.</p>
  27. <blockquote><pre>
  28. 9.1.  Public-Key Algorithms
  30. ID           Algorithm
  31. --           ---------
  32. 1          - RSA (Encrypt or Sign) [HAC]
  33. 2          - RSA Encrypt-Only [HAC]
  34. 3          - RSA Sign-Only [HAC]
  35. 16         - Elgamal (Encrypt-Only) [ELGAMAL] [HAC]
  36. 17         - DSA (Digital Signature Algorithm) [FIPS186] [HAC]
  37. 18         - Reserved for Elliptic Curve
  38. 19         - Reserved for ECDSA
  39. 20         - Reserved (formerly Elgamal Encrypt or Sign)
  40. 21         - Reserved for Diffie-Hellman (X9.42,
  41.              as defined for IETF-S/MIME)
  42. 100 to 110 - Private/Experimental algorithm
  44. Implementations MUST implement DSA for signatures, and Elgamal for
  45. encryption. […]
  46. 9.2.  Symmetric-Key Algorithms
  48. ID           Algorithm
  49. --           ---------
  50. 0          - Plaintext or unencrypted data
  51. 1          - IDEA [IDEA]
  52. 2          - TripleDES (DES-EDE, [SCHNEIER] [HAC] -
  53.              168 bit key derived from 192)
  54. 3          - CAST5 (128 bit key, as per [RFC2144])
  55. 4          - Blowfish (128 bit key, 16 rounds) [BLOWFISH]
  56. 5          - Reserved
  57. 6          - Reserved
  58. 7          - AES with 128-bit key [AES]
  59. 8          - AES with 192-bit key
  60. 9          - AES with 256-bit key
  61. 10         - Twofish with 256-bit key [TWOFISH]
  62. 100 to 110 - Private/Experimental algorithm
  64. Implementations MUST implement TripleDES. […]
  65. 9.4.  Hash Algorithms
  67. ID           Algorithm                             Text Name
  68. --           ---------                             ---------
  69. 1          - MD5 [HAC]                             "MD5"
  70. 2          - SHA-1 [FIPS180]                       "SHA1"
  71. 3          - RIPE-MD/160 [HAC]                     "RIPEMD160"
  72. 4          - Reserved
  73. 5          - Reserved
  74. 6          - Reserved
  75. 7          - Reserved
  76. 8          - SHA256 [FIPS180]                      "SHA256"
  77. 9          - SHA384 [FIPS180]                      "SHA384"
  78. 10         - SHA512 [FIPS180]                      "SHA512"
  79. 11         - SHA224 [FIPS180]                      "SHA224"
  80. 100 to 110 - Private/Experimental algorithm
  82. Implementations MUST implement SHA-1.  Implementations MAY implement
  83. other algorithms.  MD5 is deprecated.</pre></blockquote>
  84. <cite><a href="https://tools.ietf.org/html/rfc4880">RFC4880</a>, November 2007</cite>
  85. <p>Some additionnal ciphers got added later on, but this basically mean that you cannot be sure that a OpenPGP message you sent wasn’t done in more-or-less plaintext. DES was broken by the EFF in 199x, 3DES is basically now on about the same size (NIST: 80 bits of security) but computing power got much better, SHA1 was probably still known as okay but could be better (as SHA2 was already a thing), DSA was probably not now enough as good to be hardcoded, no idea for Elgamal.</p><!-- FIXME -->
  86. <p>I tried few years ago to build a GnuPG without support for theses broken ciphers, and I failed doing so. One can note that SSH requires 3DES-CBC, but it can be disabled or non-implemented (<a href="https://tinyssh.org/">tinyssh</a>).</p>
  87. <blockquote><pre>
  88. 13.4.  Plaintext
  90.    Algorithm 0, "plaintext", may only be used to denote secret keys that
  91.    are stored in the clear.  Implementations MUST NOT use plaintext in
  92.    Symmetrically Encrypted Data packets; they must use Literal Data
  93.    packets to encode unencrypted or literal data.
  94. </pre></blockquote>
  95. <cite><a href="https://tools.ietf.org/html/rfc4880">RFC4880</a>, November 2007</cite>
  96. <p>I guess this one is related to SigSpoof</p>
  97. <blockquote><pre>
  98. 14.  Security Considerations
  100.    * As with any technology involving cryptography, you should check the
  101.      current literature to determine if any algorithms used here have
  102.      been found to be vulnerable to attack.
  103. […]
  104.    * There is a somewhat-related potential security problem in
  105.      signatures.  If an attacker can find a message that hashes to the
  106.      same hash with a different algorithm, a bogus signature structure
  107.      can be constructed that evaluates correctly.
  109.      For example, suppose Alice DSA signs message M using hash algorithm
  110.      H.  Suppose that Mallet finds a message M' that has the same hash
  111.      value as M with H'.  Mallet can then construct a signature block
  112.      that verifies as Alice's signature of M' with H'.  However, this
  113.      would also constitute a weakness in either H or H' or both.  Should
  114.      this ever occur, a revision will have to be made to this document
  115. </pre></blockquote>
  116. <cite><a href="https://tools.ietf.org/html/rfc4880">RFC4880</a>, November 2007</cite>
  117. <pre><code>
  118. $ gpg --version
  119. gpg (GnuPG) 2.2.10
  120. libgcrypt 1.8.3
  121. Copyright (C) 2018 Free Software Foundation, Inc.
  122. License GPLv3+: GNU GPL version 3 or later &lt;https://gnu.org/licenses/gpl.html&gt;
  123. This is free software: you are free to change and redistribute it.
  124. There is NO WARRANTY, to the extent permitted by law.
  126. Home: /home/haelwenn/.gnupg
  127. Supported algorithms:
  128. Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
  129. Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
  130.         CAMELLIA128, CAMELLIA192, CAMELLIA256
  131. Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  132. Compression: Uncompressed, ZIP, ZLIB, BZIP2
  133. </code></pre>
  134. <p>“LOL”</p>
  135. <p>It leaks a pile of metadata (time, implementation name+version, …)</p><!-- FIXME: details of data present into my public key and key-change message signature -->
  136. <p>There is no deniability possible, there is quite a difference between no-authentication and deniability, to be elaborated on</p>
  137. <p>Your public key/identity <strong>will</strong> end up on the keyservers at some point, no exception.</p>
  138. <p>There is no forward secrecy</p><!-- FIXME: seems to be for online apps or similar, not email; to be verified -->
  139. <h2>OpenPGP in real life</h2>
  140. <p>Real Name policy and other stuff that should be optionnal in the Public Key Verification process (An ID card? Seriously?).</p>
  141. <p>The keyservers/Web-of-Trust is architecturaly vunerable to a DoS by spam. <a class="ref" href="#ref-keyservers.md">keyservers.md</a></p>
  142. <h2 id="keybase">Bonus: Keybase is a fuck</h2>
  143. <p>Keybase is what you get when you want crypto (just the math), but you do not care about security (they are called secrets for a reason) or privacy (social-media with a cryptographically verified graph that lives forever…).</p>
  144. <ul>
  145. 	<li>It got bought by Zoom, which is known-bad/evil for privacy. (<a href="https://en.wikipedia.org/wiki/Zoom_Video_Communications#Criticism">Zoom Video Communications - Wikipedia</a>)</li>
  146. 	<li>You are encouraged to upload your private keys to them, with <a href="https://keybase.io/triplesec">their own algorithm</a>) and it is hard to revoke (Please revoke your key and create another): <a href="https://github.com/keybase/keybase-issues/issues/160">Uploading private keys puts users at risk, keybase/keybase-issues#160</a>, <a href="https://github.com/keybase/keybase-issues/issues/731">Can't revoke the proof from web, keybase/keybase-issues#731</a> (note: even after revocation it could still be verified, revocation being advisory), <a href="https://github.com/keybase/keybase-issues/issues/1946">GPG smartcard security bypassed by delegated private key, keybase/keybase-issues#1946</a>, <a href="https://github.com/keybase/keybase-issues/issues/1912">How to export private key from keybase with API or kbpgp.js?, keybase/keybase-issues#1912</a></li>
  147. 	<li>It is centralised (and so proprietary) and harms decentralisation. For example: pleroma basically can’t have keybase integration because the instances are too small, lol, mastodon instances are way too big.</li>
  148. </ul>
  149. <p>As an alternative (and if you still want OpenPGP), I think putting your fingerprint everywhere you can and putting you minimal public key on your blog is a much better way, and it can be automatised a bit (OPENPGPKEY DNS record, IndieWeb <code>rel="openpgp"</code>, …).</p>
  150. <h2>See also</h2>
  151. <ul>
  152. 	<li><a href="https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html">Pretty Bad {Protocol,People}</a></li>
  153. 	<li><a href="https://neopg.io/">NeoPG</a>, a fork of GnuPG, found SigSpoof probably more to come</li>
  154. 	<li><a href="http://www.netpgp.com/">NetPGP</a>, an implementation of OpenPGP by NetBSD, seems quite unmaintained to me</li>
  155. 	<li><a href="https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/">What’s the matter with PGP? - A Few Thoughts on Cryptographic Engineering</a></li>
  156. 	<li><a href="https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html">[tor-talk] Why the Web of Trust Sucks</a></li>
  157. 	<li><a href="https://sweet32.info">Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN</a>, which Triple-DES and Blowfish are vulnerable to</li>
  158. </ul>
  159. <h2>References</h2>
  160. <ul>
  161. 	<li><a name="ref-keyservers.md" href="https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f">SKS Keyserver Network Under Attack</a> by <a href="https://gist.github.com/rjhansen">Robert J. Hansen</a></li>
  162. </ul>
  163. <p><a href="https://queer.hacktivis.me/notice/9gVn61L9VGPosmXRQG">Fediverse post for comments</a></p>
  164. </article>