This Blog Is Not For Reading

Looking for green food at the back of the fridge

At the keysigning I was having a discussion with someone about key lengths. In particular, choosing 4096 bits instead of 2048. I was reading that GnuPG has a limit of 4096 bits, but that 4096 should be enough for all time to come.

I’ve read online that GnuPG does actually support larger key sizes but that there is a const in the source code limiting it to 4096. The reasons for doing so are supposedly speed, 4096 would be very slow to generate and use, and comparability with other implementations that may not support larger keys. Personally I think it’s an inevitability that this will be increased in time but we’re not there yet.

In 1996 when I started with PGP a 1024 bit key was considered adequate, by 1999 a 2048 bit key was still considered large.

Consider Moore’s Law: every 18 months computing capacity doubles and costs halve. I’m not sure if that means that over 18 months x flops increases to 2x flops at the same price, or that in 18 months the cost of x flops is half of today’s cost, or if it means that in 18 months the cost of 2x flops will be half the cost of x flops today. If the latter, then today’s x flops/$ is x/4 flops/$ in 18 months. That factor of four is an increase of two bits every 18 months, or four bits every 3 years.

So, the cost in 1996 to brute-force crack a 1024 bit key is the same as the cost in 1999 to crack a 1028 bit key. And in 2014, 18 years later, it’s the same cost as cracking a 1048 bit key (an additional 24 bits).

An increase in key size from 1024 bits to 2048 bits buys an additional 768 years of Moore’s Law. And going from 2048 bits to 4096 bits buys an additional 1536 years of Moore’s Law.

Is Moore’s Law overestimating the cost of cracking keys? Are there fundamental advances in math that have dropped the cost of cracking 1024 bit keys to near-zero? What’s the economic justification for crippling keysizes in GnuPG, anyway?

–Bob, who is not trolling but really wants to know.

Cryptoparty like it’s 31 December 1983!

For those people who already have GnuPG/PGP keys I’m also hosting a Formal Keysigning. Participants will introduce themselves, read their GnuPG key fingerprint, then anyone else is invited to vouch for that person:

Bob: “I’m Bob Jonkman, and my GnuPG fingerprint is 04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA”

Andrew: “I’ve known Bob since the early days, and that’s really him”

This is a great way to expand your Web Of Trust to include people whose keys you might not otherwise sign (because you don’t know them very well, or they only have ID issued by an authority you don’t like). With all these introductions and vouchings the chance of someone misrepresenting their identity is vanishingly small, so you can trust that the key fingerprint they read is really associated with that person.

To make this process go smoothly I’d like to have a printout of all the participants’ keyIDs, UserIDs, and key fingerprints, which I’ll distribute at the keysigning. That way you can just check off each name/keyID/fingerprint as people read them, and then sign their keys later at your leisure. But to get that printout I’ll need the public key of anyone who would like to participate in the keysigning.

If you’re using Thunderbird and Enigmail then open the Key Management window, right-click on your key and select “Send Public Keys by E-mail”, and send it to me ( bjonkman@sobac.com )

If you’re a command-line weenie then use

gpg --export 0xYOURKEYID > 0xYOURKEYID-public-key-for-YOURNAME.pgp

and send that file 0xYOURKEYID-public-key-for-YOURNAME.pgp to me (substitute your actual keyID and actual name as needed).

Of course, I’d prefer signed, encrypted e-mail, but public keys are public (so encryption isn’t necessary), and public keys should already be self-signed anyway.

Unfortunately, if you’re creating your keys for the first time at the meeting you won’t be able to send me anything now. You can still participate in the vouching process, and we’ll have an informal keysigning after the formal keysigning, where all you need to do is read your fingerprint straight from your computer and those people who already know you can sign your key.

I’m still working on the procedures for the formal keysigning; you can see the work in progress (and contribute!) on the Formal Keysigning page on the Wiki.

Thanx, and hope to see you on Monday, 2 December 2013!

–Bob, who is the Keymaster. Who will be the Gatekeeper?

The Cryptoparty keypair logo from the Cryptoparty Artwork repository on GitHub is available in the Public Domain.

Key by Quasimondo

Some ID would also be a good idea, for those who do not already know you.

No no no.

If people don’t know you, then they shouldn’t be signing your key. If you don’t know someone, then you shouldn’t be signing their key.

Using ID of any sort is assigning trust by proxy to an “authority”. You’re no longer vouching for a person based on your own knowledge, but relying on the “authority” to provide that trust. If you’re going to rely on third-party authorities you might as well revert to a hierarchical PKI and pay lots of money to a certificate authority to assign levels of trust for you.

The point of the keysigning is to associate a key value with a real person, with no opportunity for a Man in the Middle attack ^[1]. It is not to verify name, address and permission to drive in Ontario.

When I sign your key it is not because the government says that you’re allowed to drive under your name, but I sign your key because I believe that you’re the same guy who drinks Jagermeister and hacks on Blackberries and hangs out at the Syrup Festival. It is based on my personal knowledge of you, and my trust in your claim that you own the GPG key with fingerprint D2CCE5EA ^[2].

The Web of Trust extends this, so that since I trust your identity and judgment, I’m also likely to grant some level of trust to the people you trust. After a successful keysigning party then I’m going to trust many more people because they’re all trusted by people I trust. And I’ll be trusted by more people, because they trust the people who have signed my key.

So, how do you hold a keysigning party? Here’s an excerpt from the PGP FAQ:

I’ve written complete instructions for holding a Formal Keysigning.

The comp.security.pgp FAQ

Wouter Slegers

Copyright © 1996, 1997, 1998, 1999, 2000,
2001 by Arnoud Engelfriet

Copyright © 2002 by Wouter Slegers

This FAQ is copyright © 2001 by Wouter Slegers.

It may be distributed freely in online electronic form, provided the copyright notice is left intact. Since this FAQ is always available from USENET and the PGP network, there should be no problems getting access to it. However mirrors with outdated versions can confuse the users, so I request you not to mirror this FAQ elsewhere.

[…]

Q: What’s a key signing party?

A: A key signing party is a get-together with various other users of PGP for the purpose of meeting and signing keys. This helps to extend the web of trust to a great degree, making it easier for you to find one or more trusted paths to someone whose public key you didn’t have.

Kevin Herron has an example of a keysigning party announcement page ^[3].

Q: How do I organize a key signing party?

A: Though the idea is simple, actually doing it is a bit complex, because you don’t want to compromise other people’s private keys or spread viruses (which is a risk whenever floppies are swapped willy-nilly). Usually, these parties involve meeting everyone at the party, verifying their identity and getting key fingerprints from them, and signing their key at home.

Derek Atkins has recommended this method:

There are many ways to hold a key-signing session. Many viable suggestions have been given. And, just to add more signal to this newsgroup, I will suggest another one which seems to work very well and also solves the N-squared problem of distributing and signing keys. Here is the process:

1. You announce the keysigning session, and ask everyone who plans to come to send you (or some single person who will be there) their public key. The RSVP also allows for a count of the number of people for step 3.

2. You compile the public keys into a single keyring, run pgp -kvc on that keyring, and save the output to a file.

3. Print out N copies of the pgp -kvc file onto hardcopy, and bring this and the keyring on media to the meeting.

4. At the meeting, distribute the printouts, and provide a site to retrieve the keyring (an ftp site works, or you can make floppy copies, or whatever — it doesn’t matter).

5. When you are all in the room, each person stands up, and people vouch for this person (e.g., “Yes, this really is Derek Atkins — I went to school with him for 6 years, and lived with him for 2”).

6. Each person securely obtains their own fingerprint, and after being vouched for, they then read out their fingerprint out loud so everyone can verify it on the printout they have.

7. After everyone finishes this protocol, they can go home, obtain the keyring, run pgp -kvc on it themselves, and re-verify the bits, and sign the keys at their own leisure.

8. To save load on the keyservers, you can optionally send all signatures to the original person, who can collate them again into a single keyring and propagate that single keyring to the keyservers and to each individual.

I’m going to have to put my key signature where my mouth is. Hopefully there will be another key signing party soon, for which I will be more prepared.

–Bob.

^[1] Yes, it is still possible to have a meatspace MitM attack if you’re signing keys for people you don’t know and relying on ID. If you’ve never met me before then it is possible that someone mugs me in the parking lot, takes my ID and wears my goofy hat. If you don’t know me you would never be able to tell the difference, and you’d be signing a key for the wrong person.

^[2] Although that’s really my PGP key, so as not to divulge the identity of innocent and unsuspecting Key Signing Party Organizers.

^[3] Sadly, Kevin Herron makes the same mistake of requiring "Positive picture ID". Please ignore that part.

Key by Quasimondo is used under a Creative Commons by-nc license.