Slashdot Mirror


Fake PGP Keys For Crypto Developers Found

IamTheRealMike (537420) writes "In recent months fake PGP keys have been found for at least two developers on well known crypto projects: Erinn Clark, a Tor developer and Gavin Andresen, the maintainer of Bitcoin. In both cases, these PGP keys are used to sign the downloads for popular pieces of crypto software. PGP keys are supposed to be verified through the web of trust, but in practice it's very hard to find a trust path between two strangers on the internet: one reply to Erinn's mail stated that despite there being 30 signatures [attached to] her key, [the respondent] couldn't find any trust paths to her. It's also very unclear whether anyone would notice a key substitution attack like this. This leaves three questions: who is doing this, why, and what can be done about it? An obvious candidate would be intelligence agencies, who may be trying to serve certain people with backdoored binaries via their QUANTUMTHEORY man-in-the-middle system. As to what can be done about it, switching from PGP to X.509 code signing would be an obvious candidate. Both Mac and Windows support it, obtaining a forged certificate is much harder than simply uploading a fake PGP key, and whilst X.509 certs can be issued in secret until Google's Certificate Transparency system is fully deployed, finding one would be strong evidence that an issuing CA had been compromised: something that seems plausible but for which we currently lack any evidence. Additionally, bad certificates can be revoked when found whereas beyond making blog posts, not much can be done about the fake PGP keys."

15 of 110 comments

  1. Re:The chain of trust is broken. by sanvila · · Score: 4, Informative

    No "chain" here. This is not SSL, this is GPG, and the term used here is "web of trust". To consider the web of trust broken you would need to find that one of those fake GPG keys is signed by someone you trust.

  2. Re:The chain of trust is broken. by Wonko+the+Sane · · Score: 3, Insightful

    The chain of trust is broken because cryptographers, a class of developers with a long track record of being utterly incapable of building software that's usable for regular humans, has been left in charge of building it.

    When the problem is taken up by other, more UX-knowledgeable, developers we'll get a solution to the problem.

  3. x.509 WTF? by maswan · · Score: 4, Insightful

    The CA model for X.509 certificates has been shown to be utterly broken for protection against intelligence agencies; they clearly have both access to some of the private keys of "trusted" CAs as well as the leverage to have "trusted" CAs issue arbitrary certificates in their home jurisdiction. There is no way in which this would get better by switching to X.509 compared to PGP.

    We already have plenty of malware with valid signatures backed by trusted CAs using stolen keys etc.; check Stuxnet/Duqu for instance.

    Now, I know it can be hard to bootstrap a PGP web of trust, and there is certainly plenty of work to be done there to make it easier and user friendlier. But chucking out the one piece of actually working low-level technology for real security in favour of one that is utterly broken, and has been shown to be broken for years, is just plain stupid.

    1. Re: x.509 WTF? by IamTheRealMike · · Score: 5, Interesting

      The thing is, you're wrong and your own post shows that.

      Firstly, we have no evidence of any CA being compromised by intelligence agencies despite the obvious appeal to them of doing so. This is remarkable. Despite the huge number of Snowden documents so far none of them have even hinted at compromise of the CA infrastructure. What we have seen a lot of discussion of is ways of circumventing it by stealing private keys directly from end users, and doing MITM on non-SSLd connections of which there are plenty.

      Nobody can rule out that some CA is in fact minting false certificates for intelligence agencies. But so far nobody has presented any evidence of it.

      Your Stuxnet example proves my point and disproves yours. They didn't use a false certificate there - they hacked the end user (a hardware manufacturer) to obtain their private key. Well guess what, you can steal PGP keys in the same way, nothing magical about that.

    2. Re:x.509 WTF? by retep · · Score: 3, Informative

      Never mind that we don't need to switch to X.509, we can add X.509 certs to OpenPGP.

      When you think about it, in the web-of-trust model centralized certificate authorities are just entities that a lot of people happen to trust; there's absolutely nothing stopping us from taking X.509 certs and adding them to OpenPGP keys as just another type of signature and the X.509 certificate providers have no (technical) means of stopping people from doing that.

      I've argued before to the Bitcoin community that what we really want is a "best of both worlds" solution where we support centralized certificate authorities via X.509 and OpenPGP for applications with low security needs while maintaining the ability to use the WoT for those applications with higher needs. It's totally OK if the average user just uses software that automatically checks the X.509 cert or OpenPGP signature issued by a certificate authority when they download some wallet software or make a payment to someone. Meanwhile advanced users, and particularly developers, can check all the signatures, WoT, certificate authority, whatever, to be sure they have the right software when they're downloading "clean" copies for their Bitcoin exchange, or making high-value payments.

      What really amazes me is how people seem to think this is a binary decision, centralized PKI or WoT. It's not at all! Heck, lots of organizations already apply the central certificate authority model with OpenPGP - just look at all the Linux distributions that have master OpenPGP keys to sign packages. That's a certificate authority, but with OpenPGP technology.

      Mike Hearn has been lately going on a bit of a war-path trying to push Bitcoin into a model of blind reliance on singular centralized PKI authorities and frankly it's just nuts. He's even gone as far as to strongly advocate that we don't even support multiple X.509 certs for applications, which would at least require an attacker to compromise more than one certificate authority. This is particularly crazy when at the same time he has advocated that websites, e.g. bitcointalk, reddit, slashdot, etc. sign cryptographic certificates linking usernames to identities. The idea here is if I want to pay "IamTheRealMike" my wallet software could have, say, slashdot's certificate pre-loaded and trusted, and then I'd tell it to give the funds to that username. But why would I do that? I want to pay Mike Hearn. I happen to know he's "IamTheRealMike" on slashdot.org, and "Mike Hearn" on bitcointalk, so obviously if it's a non-trivial sum of money I'd want to be able to check that both sites have stated that they're the same person, and maybe I'll check WoT too, and, say, his country's passport office. It just makes so much sense to give people options like that, but we're rather mysteriously seeing resistance. If anything, I think it's kinda insulting to the professionals in this space, both developers and finance people, to tell them "We're all too stupid to learn about anything more complex than trusting the magic green checkbox". If I was running a big Bitcoin-related business I sure as hell would want more assurance than that; when I'm writing software used by others I sure as hell want more assurance than that.

      Anyway, in the OpenPGP world I'm really excited to see KeyBase pop up. It's not perfect - the functionality probably should have been just an add-on to OpenPGP rather than a website - but it's a great step in the right direction of giving flexibility and user-friendliness to the WoT. It also works great as a local application, so if you choose to you aren't relying on their website/service for the guarantees it provides.

    3. Re: x.509 WTF? by IamTheRealMike · · Score: 2

      But do you really think there is a single US CA out there that would say no to a national security letter requiring them to issue a torproject.org certificate if they actually needed it?

      NSLs request data. You're probably thinking of a court order. And of course the answer is no, they'd follow the order. But what makes you think a person taking part in the WoT would refuse a court order where a CA would roll over? Jail time sucks the same for both. The idea that CAs are uniquely vulnerable doesn't really make sense, given that the WoT lets you see who trusts whom and serve a court order on anyone in the chain.

      Stuxnet actually proves another part of why the CA system is utterly broken. Because they just had to break in *somewhere* in order to get a key signed by *any* CA in order to sign their stuff.

      I think you are confused. Yes, Windows will load any driver signed by a member of the Windows hardware program. How else do you think it's supposed to work? Once code is loaded into the kernel it can do anything it likes and there's not much technical way to stop it with current-gen kernels, so there's no way to issue a certificate for one kind of driver but not another kind; it would be meaningless. Regardless, even if there was, the decision about how much power a signing key has for Windows is entirely Microsoft's decision; it has nothing to do with CAs.

      I suspect you are thinking of the "any CA can sign for any domain name" issue in SSL. It has both weaknesses and strengths. The weakness is if any CA is compromised, they have full power. The strength is there's lots of competition which helps keep prices down and makes revocation actually a realistic threat, because the customers of a CA that's about to be revoked DigiNotar-style can go to any other CA to get fresh certs. You're never in a situation where the CA you want to revoke is the last man standing for some class of names.

  4. Re:The chain of trust is broken. by Anonymous Coward · · Score: 5, Interesting

    Well; interestingly enough, the summary is proposing moving to X.509 which would rely on the chain of trust and which would be vulnerable. Exactly the problem of simple chains of trust is what meant that the Stuxnet virus had device drivers that only required a single signature from a company authorized by Microsoft in order to be automatically loaded by Windows.

    This is probably a false-flag operation trying to trick software developers into moving over to X.509 where a false certificate attack like this might never be detected.

  5. Transitivity of trust by tepples · · Score: 4, Insightful

    Just because you trust somebody doesn't mean you trust him or her to trust others.

    1. Re:Transitivity of trust by __aajfby9338 · · Score: 2

      Just because you trust somebody doesn't mean you trust him or her to trust others.

      Very true! If I meet a person face-to-face, they hand me their PGP/GPG public key, and they show me plausible-looking picture ID that matches the identity that their key claims to represent, then I can mark their key in my keychain as one that I'm confident is not a forgery. If they are otherwise a stranger to me with no well-known reputation, then I can register in my keychain that their signature on somebody else's key doesn't count for much. Or if they are a well-known person with a reputation of being very careful about whose keys they sign, I may register in my keychain that I tend to trust keys that they have signed. The web of trust system is pretty well configurable.

      I may also sign their key with mine to let other people know that "I, NF6X, consider this key to belong to the individual it claims to belong to". You may or may not consider that to be of value, depending on how well you know me and what you think of me.

      This seems to be a reasonable model to me, and I think it's better than the "one CA to rule them all" model used for things like SSL certificates. It's difficult to scale the model well, though. I don't know of any other PGP/GPG users near me and I began using these systems long after I graduated from college where I might have had many more opportunities to sign others' keys and have mine signed. So, I'm not part of the web of trust, and I'm unlikely to become one unless I go out of my way to travel to a key-signing party to meet some well-known and reputable people. The few people with whom I exchange PGP/GPG-encrypted traffic are strangers to me, and I have no way of being strongly confident that they are who they say they are.
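
The configurability described in this post (marking a key as verified, and separately deciding how far its owner's signatures count) is what GnuPG's classic trust model implements. The following is an added example, not code from the thread or from GnuPG: a small model of that computation over a constructed keyring, with constructed names and trust settings.

```python
"""Added example, not from the thread: a small model of GnuPG's classic
trust model, which keeps 'this key is genuine' (validity) apart from
'I trust this person to certify others' (owner trust). The keyring and
trust settings below are constructed."""

# Owner-trust levels as GnuPG names them; the numbers are only labels.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = range(5)

# Constructed keyring: key id -> ids of the keys that signed (certified) it.
SIGNATURES = {
    "alice": set(),                    # my own key
    "bob": {"alice"},                  # I checked Bob's key and ID in person
    "carol": {"alice"},
    "dave": {"alice"},
    "erin": {"bob", "carol", "dave"},  # three people I know vouch for Erin
    "frank": {"erin"},                 # only Erin vouches for Frank
    "mallory": {"frank"},              # only Frank vouches for this key
}

# Constructed owner trust: how far I trust each person as a certifier.
# Frank has no entry, so his signatures count for nothing even though
# his own key is valid: trust does not pass through him automatically.
OWNER_TRUST = {"alice": ULTIMATE, "bob": MARGINAL, "carol": MARGINAL,
               "dave": MARGINAL, "erin": FULL}


def compute_validity(signatures, owner_trust, marginals_needed=3,
                     completes_needed=1, max_depth=5):
    """Return the set of key ids the model accepts as genuine.

    A key is valid when it is signed by at least `completes_needed`
    valid keys with FULL trust, or by at least `marginals_needed` valid
    keys with MARGINAL trust, within `max_depth` hops of my own key
    (the defaults are GnuPG's). Iterate until no new key becomes valid.
    """
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}
    depth = {k: 0 for k in valid}
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid and depth[s] < max_depth]
            fulls = sum(owner_trust.get(s, UNKNOWN) >= FULL for s in usable)
            margs = sum(owner_trust.get(s, UNKNOWN) == MARGINAL for s in usable)
            if fulls >= completes_needed or margs >= marginals_needed:
                valid.add(key)
                depth[key] = 1 + min(depth[s] for s in usable)
                changed = True
    return valid


if __name__ == "__main__":
    print(sorted(compute_validity(SIGNATURES, OWNER_TRUST)))
```

With the settings above Frank's key is accepted as genuine, yet the key only he vouches for is not, which is exactly the non-transitivity the parent comment points out.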

  6. The dilemma is the very design of a certificate by assemblerex · · Score: 3, Insightful

    If you have any cert authority in the U.S. they have already been compromised and can be muted with a security letter. Unless you run whatever future cert out of a military type environment, you will be infiltrated with keyboard bugs, monitor bugs, cable taps, etc.

    Why do you think the Russians went back to typewriters? Anything electronic can be snooped, the level of compromise so great that it is nearly impossible to protect against attacks.

    So what can you do? Set up multiple checks across the globe, out of control. If there is a discrepancy, then consider yourself compromised or a target.

    The fact that the PGP fakes have shown up means that there have been man in the middle attacks.

    Your personal router has a back door? Probably if it is commercially sold.

    Your internet provider has been backdoored? Most likely, or is easily done with a device brought in the front door with a security letter.

    Your local internet backbone has an intercept? Definitely

    You can be served faked certs and ip addresses, fake windows updates? Proven

    Commercial routers have back doors? Proven, the very fabric of the internet is polluted.

    You have to containerize your internet now via VPN, and those keys can be secured in the U.S. with a security letter. With quantum computing, it can be broken.

  7. Not broken, just fud-ed by formfeed · · Score: 2

    What if the intention isn't on cracking it but just on spreading FUD?

    People are pissed off right now. That Snowden thing just isn't going away and people are looking into encrypted email options. Even people who never thought of using pgp (or regarded it as something for paranoid conspiracy theory nuts) would use it now, if it just came as an easy clickable option.

    If you're some government agency, that doesn't look desirable. To make things worse, it's a web of trust, one of these pesky decentralized models. Unlike with a central certification authority, trusting one signature doesn't translate into trusting others. But on the other hand, there is no single CA that can be compromised. If you are a government agency in the business of undermining privacy, you would have to attack it one user at a time. Quite frustrating.

    What to do about it?
    Create some headlines like:

    Fake PGP Keys For Crypto Developers Found

    Hmm, looks like that isn't safe either. Not worth the effort trying it out I guess.

  8. doh? by Tom · · Score: 2

    obtaining a forged certificate is much harder than simply uploading a fake PGP key,

    Not for an intelligence agency.

    would be strong evidence that an issuing CA had been compromised: something that seems plausible but for which we currently lack any evidence.

    Uh, no? Short memory? We already had CAs compromised. Was it last year or the one before, I'm not sure.

    --
    Assorted stuff I do sometimes: Lemuria.org

  9. Re:"intelligence agencies" = JEWS... by formfeed · · Score: 2

    What's with all the Jew talk today?

    The topic brings out the conspiracy nuts.
    Crypto.
    Crypt
    Freemasons
    Jews

  10. Re:The chain of trust is broken. by Tom · · Score: 2

    The problem is that trust diminishes. If I trust you 80%, and you trust Joe 75%, and Joe trusts Jennifer 90% and Jennifer trusts Josh 80% and Josh signs that key, then my total trust in that signature is only 43% - worse than flipping a coin.

    The web needs to be a lot thicker than it is so that I have multiple paths towards the key in question that add up. If the web is as thin as it still is, despite decades of keysigning parties and such, then it is utterly useless.

    It's a good theoretical concept, but we should admit that it didn't work out in real life and start figuring out something better.

    --
    Assorted stuff I do sometimes: Lemuria.org

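
The arithmetic in Tom's comment above (trust multiplied hop by hop along a chain) carried through on a small signing graph, as an added example that is not code from the thread. Names, trust figures and the graph are constructed; the way several disjoint paths are combined is an assumption stated in the code, not something the comment specifies.

```python
"""Added example, not from the thread: the 'trust diminishes along a
chain' arithmetic from the comment above, applied to a small constructed
signing graph. Names and trust figures are made up."""


def chain_trust(hops):
    """Trust reaching a signature through one chain: the product of the
    trust placed in each hop, as the comment computes it."""
    total = 1.0
    for p in hops:
        total *= p
    return total


# The comment's chain: me->you 80%, you->Joe 75%, Joe->Jennifer 90%,
# Jennifer->Josh 80%, and Josh signed the key. Product 0.432, the 43% quoted.
COMMENT_CHAIN = [0.80, 0.75, 0.90, 0.80]

# Constructed web: certifier -> {person (or key) they signed: trust in that hop}.
# "key" is the key in question; an edge into it is a signature on it and
# carries 1.0, since the trust in the signer was already applied one hop earlier.
WEB = {
    "me": {"you": 0.80, "anna": 0.60},
    "you": {"joe": 0.75},
    "joe": {"jennifer": 0.90},
    "jennifer": {"josh": 0.80},
    "anna": {"key": 1.0},   # Anna, whom I trust 60%, also signed the key
    "josh": {"key": 1.0},   # Josh's signature closes the comment's chain
}


def all_chains(web, src, dst, seen=()):
    """Yield the hop-trust list of every simple path from src to dst."""
    if src == dst:
        yield []
        return
    for nxt, p in web.get(src, {}).items():
        if nxt not in seen:
            for rest in all_chains(web, nxt, dst, seen + (src,)):
                yield [p] + rest


def best_chain(web, src, dst):
    """Strongest single path, or 0.0 when no trust path exists at all."""
    return max((chain_trust(c) for c in all_chains(web, src, dst)), default=0.0)


def combined_trust(chains):
    """Assumption, not from the thread: treat paths that share no person
    as independent chances that the key is genuine and combine them as
    1 - prod(1 - trust). Overlapping paths would overstate the result."""
    miss = 1.0
    for c in chains:
        miss *= 1.0 - chain_trust(c)
    return 1.0 - miss
```

best_chain returning 0.0 is the situation the summary describes for strangers: no path at all, however many signatures the key carries.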
  11. Re:The chain of trust is broken. by retep · · Score: 2

    Agreed!

    Personally I'm actually kind of excited to see the security requirements for Bitcoin usage and Bitcoin-related development push more developers and users to learn about and understand OpenPGP and the web-of-trust. It's been a real backwater for years now, but there's so much that can be done to improve UIs for understanding how the web-of-trust works and using it. That no-one has made even a simple "mass-and-springs" visualization tool for WoT signatures is sad, yet even something as simple as that would go a long way to helping developers use PGP properly.

    Secondly, we have to remember our goal doesn't need to be "get grandma using PGP" - just "get developers using PGP" and "get professionals moving large amounts of money using PGP" is by itself a worthy and very attainable goal. It's totally OK if, for low-security applications like small-value Bitcoin payments, we just outsource trust to centralized certificate authorities. What matters is that the applications with high security requirements, like large Bitcoin payments and Bitcoin-related software development, have the tools to do the job right without blind single-point-of-failure reliance on any one authority.