Fake PGP Keys For Crypto Developers Found

IamTheRealMike (537420) writes "In recent months fake PGP keys have been found for at least two developers on well known crypto projects: Erinn Clark, a Tor developer and Gavin Andresen, the maintainer of Bitcoin. In both cases, these PGP keys are used to sign the downloads for popular pieces of crypto software. PGP keys are supposed to be verified through the web of trust, but in practice it's very hard to find a trust path between two strangers on the internet: one reply to Erinn's mail stated that despite there being 30 signatures [attached to] her key, [the respondent] couldn't find any trust paths to her. It's also very unclear whether anyone would notice a key substitution attack like this. This leaves three questions: who is doing this, why, and what can be done about it? An obvious candidate would be intelligence agencies, who may be trying to serve certain people with backdoored binaries via their QUANTUMTHEORY man-in-the-middle system. As to what can be done about it, switching from PGP to X.509 code signing would be an obvious candidate. Both Mac and Windows support it, obtaining a forged certificate is much harder than simply uploading a fake PGP key, and whilst X.509 certs can be issued in secret until Google's Certificate Transparency system is fully deployed, finding one would be strong evidence that an issuing CA had been compromised: something that seems plausible but for which we currently lack any evidence. Additionally, bad certificates can be revoked when found whereas beyond making blog posts, not much can be done about the fake PGP keys."

Re:The chain of trust is broken.

[Wonko+the+Sane]

The chain of trust is broken because cryptographers, a class of developers with a long track record of being utterly incapable of building software that's usable for regular humans, has been left in charge of building iit.

When the problem is taken up by other, more UX knowledgable, developers we'll get a solution to the problem.

x.509 WTF?

[maswan]

The CA model for X.509 certificates has been shown to be utterly broken for protection against intellengence agencies, they clearly have both access to some of the private keys of "trusted" CAs as well as the leverage to have "trusted" CAs issue arbitrary certificates in their home jurisdiction. There is no way in which this would get better by switching to X.509 compared to PGP.

We have already have plenty of malware with valid signatures backed by trusted CAs using stolen keys etc, check stuxnet/duqu for instance.

Now, I know it can be hard to bootstrap a PGP web of trust, and there is certainly plenty of work to be done there to make it easier and user friendlier. But chucking out the one piece of actually working low-level technology for real security in favour of one that is utterly broken, and has been shown to be broken for years, is just plain stupid.

Re: x.509 WTF?

[maswan]

Of course attacking SSL on the protocol level is by far more useful, since you can just silently sit there and eat all the "secret" data, instead of having to actively MITM particular connections.

But do you really think there is a single US CA out there that would say no to a national security letter requiring them to issue a torproject.org certificate if they actually needed it? Especially given how Joseph Nacchio was treated for resisting voluntary assistance to the NSA? Or that the Chinese ones wouldn't issue whatever was asked if the Ministry of Public Security turned up and wanted some certificates?

Stuxnet actually proves another part of why the CA system is utterly broken. Because they just had to break in *somewhere* in order to get a key signed by *any* CA in order to sign their stuff. To impersonate Tor developers, they'd have to steal the Tor developers keys, or make up new ones that looks plausable enough. Unlike the X.509 CA system where any attacker might just as well steal the keys of any random project and they'd be just as acceptable since they are signed by a CA.

But you're right, that it isn't a CA-level compromise, unlike DigiNotar who shows that particular line of attack. And were only found out by widespread intercerption of Iranian connections to Gmail.

Transitivity of trust

[tepples]

Just because you trust somebody doesn't mean you trust him or her to trust others.

The dilemma is the very design of a certificate

[assemblerex]

If you have any cert authority in the U.S. they already been compromised and can be muted with a security letter. Unless you run whatever future certt out of a military type environment, you will be infiltrated with keyboard bugs, monitor bugs, cable taps, etc.

Why do you think the Russians went back to typewriters? Anything electronic can be snooped, the level of compromise so great that it is nearly impossible to protect against attacks.

So what can you do? Set up multiple checks across the globe, out of control. If there is discrepancy, then consider yourself compromised or a target.

The fact that the PGP fakes have shown up means that there have been man in the middle attacks.

Your personal router has a back door? Probably if it is commercially sold.

Your internet provider has been backdoored? Most likely, or is easily done with a device brought in the front door with a security letter.

Your local internet backbone has an intercept? Definitely

You can be served faked certs and ip addresses, fake windows updates? Proven

Commercial routers have back door? Proven, the very fabric of the internet is polluted.

You have to containerize your internet now via VPN, and those keys can be secured in the U.S. with a security letter. With quantum computing, it can be broken.