logo

blog

My website can't be that messy, right? git clone https://hacktivis.me/git/blog.git

Pretty Bad Privacy.xhtml (10400B)

    

  1. <article lang="en">
  2. <a href="/articles/Pretty%20Bad%20Privacy"><h1>Pretty Bad Privacy</h1></a>
  3. <span class="warn">This article is in early drafting process, made public so I get comments and more people can be aware</span>
  4. <dl>
  5. 	<dt>OpenPGP</dt>
  6. 	<dd>Pretty Good Privacy standard, derives from the original PGP implementation. "PGP", "Pretty Good", and "Pretty Good Privacy" are trademarks of PGP Corporation. The term "OpenPGP" refers to the protocol described in this and related documents.</dd>
  7. 	<dt>GnuPG / GPG</dt>
  8. 	<dd>Gnu Privacy Guard, main/only implementation of OpenPGP</dd>
  9. </dl>
  10. <h2>OpenPGP standard</h2>
  11. <h3>Compression</h3>
  12. <blockquote><pre>
  13.    Furthermore, compression has the added side effect that some types of
  14.    attacks can be thwarted by the fact that slightly altered, compressed
  15.    data rarely uncompresses without severe errors.  This is hardly
  16.    rigorous, but it is operationally useful.  These attacks can be
  17.    rigorously prevented by implementing and using Modification Detection
  18. </pre></blockquote>
  19. <cite><a href="https://tools.ietf.org/html/rfc4880">RFC4880</a>, November 2007</cite>
  20. <p>Not sure about this one, I’ll go check but this cause few issues in SSH and TLS, so I wouldn’t be surprised that it was also the case for OpenPGP.</p>
  21. <h3>Ciphers</h3>
  22. <p>The OpenPGP standard mandates that some ciphers must be present in the implementation, they are broken and well known to be.</p>
  23. <blockquote><pre>
  24. 9.1.  Public-Key Algorithms
  26. ID           Algorithm
  27. --           ---------
  28. 1          - RSA (Encrypt or Sign) [HAC]
  29. 2          - RSA Encrypt-Only [HAC]
  30. 3          - RSA Sign-Only [HAC]
  31. 16         - Elgamal (Encrypt-Only) [ELGAMAL] [HAC]
  32. 17         - DSA (Digital Signature Algorithm) [FIPS186] [HAC]
  33. 18         - Reserved for Elliptic Curve
  34. 19         - Reserved for ECDSA
  35. 20         - Reserved (formerly Elgamal Encrypt or Sign)
  36. 21         - Reserved for Diffie-Hellman (X9.42,
  37.              as defined for IETF-S/MIME)
  38. 100 to 110 - Private/Experimental algorithm
  40. Implementations MUST implement DSA for signatures, and Elgamal for
  41. encryption. […]
  42. 9.2.  Symmetric-Key Algorithms
  44. ID           Algorithm
  45. --           ---------
  46. 0          - Plaintext or unencrypted data
  47. 1          - IDEA [IDEA]
  48. 2          - TripleDES (DES-EDE, [SCHNEIER] [HAC] -
  49.              168 bit key derived from 192)
  50. 3          - CAST5 (128 bit key, as per [RFC2144])
  51. 4          - Blowfish (128 bit key, 16 rounds) [BLOWFISH]
  52. 5          - Reserved
  53. 6          - Reserved
  54. 7          - AES with 128-bit key [AES]
  55. 8          - AES with 192-bit key
  56. 9          - AES with 256-bit key
  57. 10         - Twofish with 256-bit key [TWOFISH]
  58. 100 to 110 - Private/Experimental algorithm
  60. Implementations MUST implement TripleDES. […]
  61. 9.4.  Hash Algorithms
  63. ID           Algorithm                             Text Name
  64. --           ---------                             ---------
  65. 1          - MD5 [HAC]                             "MD5"
  66. 2          - SHA-1 [FIPS180]                       "SHA1"
  67. 3          - RIPE-MD/160 [HAC]                     "RIPEMD160"
  68. 4          - Reserved
  69. 5          - Reserved
  70. 6          - Reserved
  71. 7          - Reserved
  72. 8          - SHA256 [FIPS180]                      "SHA256"
  73. 9          - SHA384 [FIPS180]                      "SHA384"
  74. 10         - SHA512 [FIPS180]                      "SHA512"
  75. 11         - SHA224 [FIPS180]                      "SHA224"
  76. 100 to 110 - Private/Experimental algorithm
  78. Implementations MUST implement SHA-1.  Implementations MAY implement
  79. other algorithms.  MD5 is deprecated.</pre></blockquote>
  80. <cite><a href="https://tools.ietf.org/html/rfc4880">RFC4880</a>, November 2007</cite>
  81. <p>Some additionnal ciphers got added later on, but this basically mean that you cannot be sure that a OpenPGP message you sent wasn’t done in more-or-less plaintext. DES was broken by the EFF in 199x, 3DES is basically now on about the same size (NIST: 80 bits of security) but computing power got much better, SHA1 was probably still known as okay but could be better (as SHA2 was already a thing), DSA was probably not now enough as good to be hardcoded, no idea for Elgamal.</p><!-- FIXME -->
  82. <p>I tried few years ago to build a GnuPG without support for theses broken ciphers, and I failed doing so. One can note that SSH requires 3DES-CBC, but it can be disabled or non-implemented (<a href="https://tinyssh.org/">tinyssh</a>).</p>
  83. <blockquote><pre>
  84. 13.4.  Plaintext
  86.    Algorithm 0, "plaintext", may only be used to denote secret keys that
  87.    are stored in the clear.  Implementations MUST NOT use plaintext in
  88.    Symmetrically Encrypted Data packets; they must use Literal Data
  89.    packets to encode unencrypted or literal data.
  90. </pre></blockquote>
  91. <cite><a href="https://tools.ietf.org/html/rfc4880">RFC4880</a>, November 2007</cite>
  92. <p>I guess this one is related to SigSpoof</p>
  93. <blockquote><pre>
  94. 14.  Security Considerations
  96.    * As with any technology involving cryptography, you should check the
  97.      current literature to determine if any algorithms used here have
  98.      been found to be vulnerable to attack.
  99. […]
  100.    * There is a somewhat-related potential security problem in
  101.      signatures.  If an attacker can find a message that hashes to the
  102.      same hash with a different algorithm, a bogus signature structure
  103.      can be constructed that evaluates correctly.
  105.      For example, suppose Alice DSA signs message M using hash algorithm
  106.      H.  Suppose that Mallet finds a message M' that has the same hash
  107.      value as M with H'.  Mallet can then construct a signature block
  108.      that verifies as Alice's signature of M' with H'.  However, this
  109.      would also constitute a weakness in either H or H' or both.  Should
  110.      this ever occur, a revision will have to be made to this document
  111. </pre></blockquote>
  112. <cite><a href="https://tools.ietf.org/html/rfc4880">RFC4880</a>, November 2007</cite>
  113. <pre><code>
  114. $ gpg --version
  115. gpg (GnuPG) 2.2.10
  116. libgcrypt 1.8.3
  117. Copyright (C) 2018 Free Software Foundation, Inc.
  118. License GPLv3+: GNU GPL version 3 or later &lt;https://gnu.org/licenses/gpl.html&gt;
  119. This is free software: you are free to change and redistribute it.
  120. There is NO WARRANTY, to the extent permitted by law.
  122. Home: /home/haelwenn/.gnupg
  123. Supported algorithms:
  124. Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
  125. Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
  126.         CAMELLIA128, CAMELLIA192, CAMELLIA256
  127. Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  128. Compression: Uncompressed, ZIP, ZLIB, BZIP2
  129. </code></pre>
  130. <p>“LOL”</p>
  131. <p>It leaks a pile of metadata (time, implementation name+version, …)</p><!-- FIXME: details of data present into my public key and key-change message signature -->
  132. <p>There is no deniability possible, there is quite a difference between no-authentication and deniability, to be elaborated on</p>
  133. <p>Your public key/identity <strong>will</strong> end up on the keyservers at some point, no exception.</p>
  134. <p>There is no forward secrecy</p><!-- FIXME: seems to be for online apps or similar, not email; to be verified -->
  135. <h2>OpenPGP in real life</h2>
  136. <p>Real Name policy and other stuff that should be optionnal in the Public Key Verification process (An ID card? Seriously?).</p>
  137. <p>The keyservers/Web-of-Trust is architecturaly vunerable to a DoS by spam. <a class="ref" href="#ref-keyservers.md">keyservers.md</a></p>
  138. <h2 id="keybase">Bonus: Keybase is a fuck</h2>
  139. <p>Keybase is what you get when you want crypto (just the math), but you do not care about security (they are called secrets for a reason) or privacy (social-media with a cryptographically verified graph that lives forever…).</p>
  140. <ul>
  141. 	<li>It got bought by Zoom, which is known-bad/evil for privacy. (<a href="https://en.wikipedia.org/wiki/Zoom_Video_Communications#Criticism">Zoom Video Communications - Wikipedia</a>)</li>
  142. 	<li>You are encouraged to upload your private keys to them, with <a href="https://keybase.io/triplesec">their own algorithm</a>) and it is hard to revoke (Please revoke your key and create another): <a href="https://github.com/keybase/keybase-issues/issues/160">Uploading private keys puts users at risk, keybase/keybase-issues#160</a>, <a href="https://github.com/keybase/keybase-issues/issues/731">Can't revoke the proof from web, keybase/keybase-issues#731</a> (note: even after revocation it could still be verified, revocation being advisory), <a href="https://github.com/keybase/keybase-issues/issues/1946">GPG smartcard security bypassed by delegated private key, keybase/keybase-issues#1946</a>, <a href="https://github.com/keybase/keybase-issues/issues/1912">How to export private key from keybase with API or kbpgp.js?, keybase/keybase-issues#1912</a></li>
  143. 	<li>It is centralised (and so proprietary) and harms decentralisation. For example: pleroma basically can’t have keybase integration because the instances are too small, lol, mastodon instances are way too big.</li>
  144. </ul>
  145. <p>As an alternative (and if you still want OpenPGP), I think putting your fingerprint everywhere you can and putting you minimal public key on your blog is a much better way, and it can be automatised a bit (OPENPGPKEY DNS record, IndieWeb <code>rel="openpgp"</code>, …).</p>
  146. <h2>See also</h2>
  147. <ul>
  148. 	<li><a href="https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html">Pretty Bad {Protocol,People}</a></li>
  149. 	<li><a href="https://neopg.io/">NeoPG</a>, a fork of GnuPG, found SigSpoof probably more to come</li>
  150. 	<li><a href="http://www.netpgp.com/">NetPGP</a>, an implementation of OpenPGP by NetBSD, seems quite unmaintained to me</li>
  151. 	<li><a href="https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/">What’s the matter with PGP? - A Few Thoughts on Cryptographic Engineering</a></li>
  152. 	<li><a href="https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html">[tor-talk] Why the Web of Trust Sucks</a></li>
  153. 	<li><a href="https://sweet32.info">Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN</a>, which Triple-DES and Blowfish are vulnerable to</li>
  154. </ul>
  155. <h2>References</h2>
  156. <ul>
  157. 	<li><a name="ref-keyservers.md" href="https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f">SKS Keyserver Network Under Attack</a> by <a href="https://gist.github.com/rjhansen">Robert J. Hansen</a></li>
  158. </ul>
  159. <p><a href="https://queer.hacktivis.me/notice/9gVn61L9VGPosmXRQG">Fediverse post for comments</a></p>
  160. </article>