Now, observe that most of my focus here is on authentication of an identity, and not simply on providing a means of contact. A comparison of the communications security of PGP to that of ICQ, AIM, and MSN Messenger would be laughable. Placing a PGP fingerprint in one's profile is a statement of cryptographically strong identifying information, not merely a bit of contact info. That, indeed, is why I have kludged my PGP key fingerprint into my profile and displayed it in my forum signature, ever since I started actively posting. I am 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C; 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C is me; and if you want to authenticate my identity, I explicitly request that you verify digital signatures rooted in 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C.
Merited by nullius (10)
Kek, only one interesting thing: I can't find any PGP signature or Bitcoin signature from nullius after his return (since 2nd January).
His PGP key is well known -
https://bitcointalk.org/index.php?topic=3107429.0
Are you sure this is real nullius?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
PSA: *Always* verify digital signatures.
If somebody claims to be me, and he refuses produce
a fresh signed statement signed with a key certified by
0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C (whether as a subkey,
or through proper rollover(s) to a new master key), then you must
conclusively presume that he is an imposter and an *identity thief*.
Signed,
nullius (2020-02-14)
In homage to Grand Duchess Anastasia and Satoshi Nakamoto:
https://bitcointalk.org/index.php?topic=5215128.0
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSNOMR84IlYpr/EF5vEJ5MVn575SQUCXkbeaQAKCRDEJ5MVn575
SYTHAQD3Qu3qQSrTgO4PTuHtyUnevNEvy6EELXz6I+iGEV8sxAD/UG+ulc0Jrd7j
LjL18mAodvlGIaPppfCGldxHwseNJwg=
=4VkN
-----END PGP SIGNATURE-----
Control of a forum account is not cryptographic evidence of identity. Control of an e-mail address is also not cryptographic evidence of identity. With my large boldface supplied:
Topic: satoshin@gmx.com is compromised
Today I received an email from satoshin@gmx.com (Satoshi's old email address), the contents of which make me almost certain that the email account is compromised. The email was not spoofed in any way. It seems very likely that either Satoshi's email account in particular or gmx.com in general was compromised, and the email account is now under the control of someone else. Perhaps satoshin@gmx.com expired and then someone else registered it.

Don't trust any email sent from satoshin@gmx.com unless it is signed by Satoshi. (Everyone should have done this even without my warning, of course.)

I wonder when the email was compromised, and whether it could have been used to make the post on p2pfoundation.ning.com. (Edit: I was referring here to the Dorian Nakamoto post. After I posted this, there was another p2pfoundation.ning.com post.)
* nullius asks: But what is Satoshi's PGP key fingerprint? If I download that key from your link, how do I know it is the same key that Satoshi used before?
The email said:
Michael, send me some coins before I hitman you.
Not exactly Satoshi's normal style.

* nullius asks: The key that I just downloaded from your link lacks any Web of Trust signatures. Anyway, suppose that I don't already have verified keys from anyone who knew Satoshi. What then? Does this look right to you?
$ gpg Satoshi_Nakamoto.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub   dsa1024 2008-10-30 [SC]
      DE4EFCA3E1AB9E41CE96CECB18C09E865EC948A1
uid           Satoshi Nakamoto
sub   elg2048 2008-10-30 [E]
https://3g2upl4pq6kufc4m.onion/html?q=DE4EFCA3E1AB9E41CE96CECB18C09E865EC948A1
Whereas in the context of what is really a discussion of forum identity, theymos' deprecation of PGP fingerprints is not seeing the forest for the trees. As its primary means of authenticating identity, the forum relies on plain-old password authentication! (And it has been hacked in the past.) Even a totally obsolete v3 PGP fingerprint using MD5 would be incomparably more secure than the forum's login system for the purpose of securing user identities!
https://www.schneier.com/crypto-gram/archives/2001/0315.html#6
Remember, strong encryption is not our problem; we have secure algorithms. In fact, it's the one security problem we have solved; solving it better just doesn't matter. I often liken this to putting a huge stake in the ground and hoping the enemy runs right into it. You can argue about whether the stake should be a mile tall or two miles tall, but a smart attack is just going to dodge the stake.
- PGP v4 fingerprints, SHA-1 preimage attack resistance: A stake one mile tall.
- Future PGP v5 fingerprints, SHA-256 preimage attack resistance: A stake 1.6 miles tall (256/160).
- Forum login: LOL, 0 bits of cryptographic security. It is a centrally controlled identity which can be trivially impersonated by anybody who can in any way gain administrative-level access to the forum's SMF installation, and by Cloudflare, who can see all login passwords and logged-in cookies in-transit. My very first Newbie post in my post history:
I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, [...]
The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.
Thank you, theymos, for honestly disclosing and discussing the facts about Cloudflare.
(I seem to also remember a Schneier quote about attackers climbing in through the window, after you secure your door with an unbreakable lock. I can't find it now. It may have been in AC2; I lost my copy of AC2 whilst fleeing the CIA due to undisclosed personal difficulties adventures circa 2011. Help?)
My Newbie suggestion
Let's google first to see if things have been suggested before.

Yes, but you missed an earlier suggestion on a thread whereby I myself replied, when I was a Newbie. Well, from your above quote, it looks like Mr Nasty was a fan of my Newbie posts. ;-)
Or what's most secure that we would want to advocate people use?
I might say Keybase, as long as people use their own PGP keys & not the ones Keybase generates.
For chat: Jabber (for OTR), Ricochet, Tox.
Simply for use of the fields:
Straight-up PGP key fingerprints! Please. If possible, with means to time-lock them instead of pasting ad hoc messages into the stake your address thread. That could solve so many problems.
Keybase users could also post their PGP key fingerprints, of course. But that way, the fields would not be Keybase-specific.
[...]
Besides having suggested profile PGP fingerprints when I had been posting for but a fortnight, I believe that I was the first person to ever suggest time-locking a commitment of a PGP fingerprint in a forum profile.
It is actually not the best solution. A much better idea would be to give pseudonymous cypherpunk users the option to irrevocably commit an account to be bound to PGP fingerprints, TOFU as for the first committed key, with a strict key-rollover rule requiring bidirectional cross-certification between the old key and the new key. That idea has some subtleties, obvious failure modes, and nonobvious edge cases that I don't think I should discuss at length here, when the chance of it being implemented Any Time Soon on the forum is effectually nil.
P.S., please never tie anything into Keybase! The stupidly misdesigned verification procedure in their web app makes it impractical to keep a profile updated without installing their software, and entrusting one's keys to their software on a network-connected computer, or else blindly copypasting their shell scripts into a network-connected machine that has both gpg and curl (!). This is unacceptable to me. I have a warning posted on my long-disused Keybase account; and I may perhaps delete the account entirely, due to the impracticality of keeping my key updated there.
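The verification rule from the signed PSA (accept a statement only if it is signed by a key rooted in the committed fingerprint, directly or through proper rollovers) combined with the bidirectional cross-certification rollover rule proposed in the last post, as an added example that is not code from the thread or from any poster. It assumes Ed25519 keys and a SHA-256 stand-in for PGP fingerprints instead of real OpenPGP packets, and the names Cert, Certify, TrustedFingerprints and AcceptStatement are its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
)

// Fingerprint stands in for a PGP fingerprint: SHA-256 of the raw public key (a constructed simplification, not OpenPGP v4).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Cert models a key certification: Signer signs Subject's public key bytes.
type Cert struct {
	Signer, Subject ed25519.PublicKey
	Sig             []byte
}
func Certify(signer ed25519.PrivateKey, subject ed25519.PublicKey) Cert {
	pub := signer.Public().(ed25519.PublicKey)
	return Cert{Signer: pub, Subject: subject, Sig: ed25519.Sign(signer, subject)}
}
func (c Cert) Valid() bool { return ed25519.Verify(c.Signer, c.Subject, c.Sig) }

// TrustedFingerprints follows rollovers from the committed root fingerprint: a key is
// accepted only if a trusted key certifies it AND it certifies that key back, both valid.
func TrustedFingerprints(root string, certs []Cert) map[string]bool {
	trusted := map[string]bool{root: true}
	for changed := true; changed; {
		changed = false
		for _, c := range certs {
			if !trusted[Fingerprint(c.Signer)] || trusted[Fingerprint(c.Subject)] || !c.Valid() {
				continue
			}
			for _, back := range certs { // the reverse certification is mandatory
				if string(back.Signer) == string(c.Subject) && string(back.Subject) == string(c.Signer) && back.Valid() {
					trusted[Fingerprint(c.Subject)] = true
					changed = true
					break
				}
			}
		}
	}
	return trusted
}

// AcceptStatement applies the PSA rule: accept only a statement whose signer is rooted in the committed fingerprint.
func AcceptStatement(root string, certs []Cert, signer ed25519.PublicKey, msg, sig []byte) bool {
	return TrustedFingerprints(root, certs)[Fingerprint(signer)] && ed25519.Verify(signer, msg, sig)
}
```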