Anthony G. Atkielski | 1 Sep 2005 12:29

Re: thoughts on sha-1

Stuart Tares writes:

> You are saying that Robert is changing SHA-1 because of an esoteric
> attack but is also willing to PGP 9 which is a million lines of code and
> may contain bugs or backdoors.  PGP allows full source code review (yes
> I know there are constraints but the chance is there).

But nobody has actually reviewed the code.  And you're not allowed to
compile the source code and use that as your copy of PGP; you must use
only the pre-compiled executable.  Hmm.

> Also GnuPG implements the same algorithm as it is part of the OpenPGP
> standard.  GnuPG is open source and fully available for peer review.

And I suspect nobody has reviewed GnuPG, either, although I'd trust it
more than PGP.

> I know that having access to source code does not mean that there are no
> hidden back doors, but access to it can help.

Only if someone actually takes the time to review the code, which
nobody has done.  Just having source doesn't make it safe; you have to
look at the code.

> There is a proven attack against SHA-1 which is likely only to get
> better over time.  It may be esoteric at the moment but if you know of
> an attack vector, you are better in dealing with it.

I have no doubt that it is much easier to compromise both GnuPG and
PGP in other ways.  The algorithm is the last thing you'd attack.

Stuart Tares | 1 Sep 2005 21:48

Re: thoughts on sha-1


Anthony G. Atkielski said the following on 01/09/2005 11:29:

> 
> But nobody has actually reviewed the code.  

How can you say that no-one has reviewed it?  Do you have a direct
contact with PGP Corp that will tell you who has access to the source
code or who has signed a mutual non-disclosure?  I guess not; therefore
you cannot make that statement.

> And you're not allowed to compile the source code and use that as
> your copy of PGP; you must use only the pre-compiled executable.
> Hmm.

As I said, there are constraints.  Also, you are trusting any computer
program manufacturer when you use a pre-compiled binary.  Do you trust
Microsoft, Apple etc. not to put back doors in?

> And I suspect nobody has reviewed GnuPG, either, although I'd trust it
> more than PGP.

I personally know of three people who have gone through the source code
of GnuPG 1.40 and checked it out.  So again, this is an invalid
statement.  If you think that no-one has reviewed it, why do you trust
it more (and do you take a pre-compiled binary or compile your own?)

> Only if someone actually takes the time to review the code, which
> nobody has done.  Just having source doesn't make it safe; you have to
> look at the code.

Anthony G. Atkielski | 2 Sep 2005 13:50

Re: thoughts on sha-1

Stuart Tares writes:

> How can you say that no-one has reviewed it?

I'd be happy to hear of anyone who _has_ reviewed it.

> Do you have a direct contact with PGP Corp that will tell you who
> has access to the source code or who has signed a mutual non
> disclosure?

You're saying that PGP no longer even publishes the source code?  I
guess the situation is worse than I thought.

> As I said, there are constraints.

That's an unacceptable constraint.

> Also, you are trusting any computer program manufacturer
> when you use a pre-compiled binary.  Do you trust
> Microsoft, Apple etc. not to put back doors in?

I have higher standards for software that is designed specifically to
enforce security, because the people publishing it have a stronger
motivation to put backdoors into it.  I don't think my text editor has
any backdoors installed.

> I personally know of three people who have gone through the source
> code of GnuPG 1.40 and checked it out.

Who are they, and where have they published their evaluations?

Stuart Tares | 2 Sep 2005 16:41

Re: thoughts on sha-1


Anthony G. Atkielski said the following on 02/09/2005 12:50:

>>Do you have a direct contact with PGP Corp that will tell you who
>>has access to the source code or who has signed a mutual non
>>disclosure?
> 
> 
> You're saying that PGP no longer even publishes the source code?  I
> guess the situation is worse than I thought.

I am not saying that they do not publish the source code
(http://www.pgp.com/downloads/sourcecode/).  I was saying: how do
*YOU* know who has had access to the source code and who has reviewed it?

> Who are they, and where have they published their evaluations?

I am not at liberty to say who they are because of the job positions
that they are in.  However, even if they came forward and published
their evaluations, would you trust them?  Please refer to Ken
Thompson's article again: even if you have the source and someone has
reviewed it, it does not mean that it is safe.

> The people who wrote it probably have fewer motivations to put
> backdoors into it, and the source is probably more widely circulated
> and examined.

You are arguing against yourself here. First you say "And I suspect
nobody has reviewed GnuPG, either, although I'd trust it
more than PGP." and now you are saying that it is more widely examined.

Edward Langenback | 3 Sep 2005 03:44

Re[2]: thoughts on sha-1


On Friday, September 2, 2005 at 9:41:10 AM
in Message 43186486.7060509 <at> tares.net, Stuart wrote:

> Anthony G. Atkielski said the following on 02/09/2005 12:50:

>>>Do you have a direct contact with PGP Corp that will tell you who
>>>has access to the source code or who has signed a mutual non
>>>disclosure?
>>
>>
>> You're saying that PGP no longer even publishes the source code?  I
>> guess the situation is worse than I thought.

Let me get this straight.  They make the source code available for
review, but require a mutual non-disclosure agreement?  That just
plain smells out loud; I'm not a lawyer, but I don't like the sound of
it one bit.

> I am not saying that they do not publish the source code
> (http://www.pgp.com/downloads/sourcecode/).  I was saying: how do
> *YOU* know who has had access to the source code and who has reviewed it?

>> Who are they, and where have they published their evaluations?

> I am not at liberty to say who they are because of the job positions
> that they are in.  However, even if they came forward and published
> their evaluations, would you trust them?  Please refer to Ken

I doubt that I would.

Anthony G. Atkielski | 2 Sep 2005 18:05

Re: thoughts on sha-1

Stuart Tares writes:

> I am not saying that they do not publish the source code
> (http://www.pgp.com/downloads/sourcecode/). I was saying: how do
> *YOU* know who has had access to the source code and who has
> reviewed it?

I don't, unless they publish the results of their reviews.  If they
don't publish their reviews, then the result is the same as if nobody
reviewed the code.

> I am not at liberty to say who they are because of the job positions
> that they are in.

In other words, the code has not been reviewed.  An unpublished review
is the same as no review.

> However, even if they came forward and published their evaluations,
> would you trust them?

It depends on who they are.

> Please refer to Ken Thompson's article again - even if you have the
> source and someone has reviewed it, it does not mean that it is
> safe.

Obviously.

> You are arguing against yourself here. First you say "And I suspect
> nobody has reviewed GnuPG, either, although I'd trust it more than

Stuart Tares | 2 Sep 2005 18:51

Re: thoughts on sha-1


Anthony G. Atkielski said the following on 02/09/2005 17:05:

> I don't, unless they publish the results of their reviews.  If they
> don't publish their reviews, then the result is the same as if nobody
> reviewed the code.

There are internal reviews that are proprietary and company confidential.
People may have reviewed it and published, but you just don't have access
to it.

> In other words, the code has not been reviewed.  An unpublished review
> is the same as no review.

Just because I am unable to state names, does not mean that the code has
not been reviewed.  There may not be any published reviews that you have
access to but that does not mean that they do not exist.

> It depends on who they are.

Werner Koch, PRZ, Robert H, Michael D, me, a government certified
security expert working in highly restricted environments?  You really
don't know any of them; therefore you would have to trust their word.
If you do not, then *YOU* have to review the source code and make a
judgment.

> Why not?  Someone can examine code without reviewing it.  I've
> examined code in PGP in the past, but I certainly did not review it.

Semantics.  If someone is examining the code for back doors, then may

Edward Langenback | 3 Sep 2005 03:58

Re[2]: thoughts on sha-1


On Friday, September 2, 2005 at 11:51:07 AM
in Message 431882FB.4050406 <at> tares.net, Stuart wrote:

> Anthony G. Atkielski said the following on 02/09/2005 17:05:

>> I don't, unless they publish the results of their reviews.  If they
>> don't publish their reviews, then the result is the same as if nobody
>> reviewed the code.

> There are internal reviews that are proprietary and company confidential.
> People may have reviewed it and published, but you just don't have access
> to it.

If they are beyond access, then they are without value, just as if
they did not exist in the first place.  To have value, they must be
available for people who would place value in reading them.

>> In other words, the code has not been reviewed.  An unpublished review
>> is the same as no review.

> Just because I am unable to state names, does not mean that the code has
> not been reviewed.  There may not be any published reviews that you have
> access to but that does not mean that they do not exist.

There are secret documents stored on NSA, CIA and FBI computers that
I do not have access to.  Their existence affects many, but I do not
trust them because I have no access to them.  For me, they do not
exist.


Anthony G. Atkielski | 2 Sep 2005 21:02

Re: thoughts on sha-1

Stuart Tares writes:

> There are internal reviews that are proprietary and company confidential.

Those reviews are useless to me, and as far as I'm concerned, they
don't exist.

> People may have reviewed it and published but you just don't have access
> to it.

Nobody has reviewed it.

> Just because I am unable to state names, does not mean that the code has
> not been reviewed.

The code has not been reviewed until I see the published reviews.

> There may not be any published reviews that you have
> access to but that does not mean that they do not exist.

They don't exist unless they are published.

> Werner Koch, PRZ, Robert H, Michael D, me, a government certified
> security expert working in highly restricted environments?

The only one I recognize is PRZ.

> You really don't know any of them, therefore you would have to trust
> their word.


Michael Daigle | 2 Sep 2005 05:01

Re: thoughts on sha-1


In reply to Stuart Tares's message sent 2005-09-01 15:48:

> The algorithm may be the last thing that you attack but it is a known
>  attack.  You know that burglars break into houses and cars and you
> defend against this (or I would hope that you do), so why would you
> not defend against this known attack (which will get better).
> Remember that a digital signature is supposed to provide
> non-repudiation.  The SHA-1 attack allows the possibility that this
> is removed.

Isn't a successful "attack" merely finding a random collision? That's a
far cry from generating a message that makes enough sense to impersonate
the original message and compute to the same digest. Even if you can
complete that fantastic task in the victim's lifetime, you're still
unable to affect non-repudiation because you don't have the document
owner's private key to sign the digest. For us PGP folk, we need a
signer to issue a signature. We use the signer's public key to decrypt
the digest. A digest by itself means nothing to us. I wouldn't even know
what to do with such a message, and I don't think my GnuPG or my PGP
would, either.

The "SHA-1 attack" doesn't apply to OpenPGP and many other crypto
systems. (...yet)

Perhaps I completely misunderstand.

--
List Moderator, PGP Encryption Help Team


Robert J. Hansen | 2 Sep 2005 06:31

Re: thoughts on sha-1


Michael Daigle wrote:
> Isn't a successful "attack" merely finding a random collision? That's a
> far cry from generating a message that makes enough sense to impersonate
> the original message and compute to the same digest.

There's a potentially dangerous pair of implicit assumptions here:

1: that you have to be able to create a comprehensible message in order
to have an attack, and

2: that once you have a random message, constructing a real message (and
real collision) from it is infeasible.

Neither one is necessarily correct.

The first assumption is dangerous because it's an appeal to material
outside the OpenPGP specification.

Let's say, for sake of argument, that I'm a researcher working on
IP-over-Avian-Carrier and I discover an effective Denial of Service
attack.  The rest of the world says "oh, but you're only doing IP by
carrier pigeon--the rest of us are using IP over bongo drums, so it
doesn't affect us".  This could be potentially dangerous, because you're
depending on an implementation detail (bongo drums versus carrier
pigeon) to protect you from a flaw in the underlying protocol (IP).
Even if the implementation detail protects you from the attack, what
happens when you switch to IP over smoke signal?  Will that also protect
you from a flaw in the protocol, or will you be at risk?

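Robert's second point above (and Michael's earlier question about whether a "random collision" is harmless when the attacker has no private key) can be made concrete. What follows is an added illustration, not code from the original thread or from any OpenPGP implementation. It builds a toy Merkle-Damgard hash with a 16-bit chaining value, so that a collision can be found by brute force in milliseconds, finds two same-length nonsense blocks that collide, and then shows two things. First, because the construction is iterated block by block, any common suffix appended to both blocks preserves the collision, so a nonsense collision becomes a pair of readable documents whose displayed text differs; the assumed `render` function plays the role that a PostScript conditional or a PDF object reference plays in real demonstrations. Second, a signature depends on the message only through its digest, so a signature the victim produced over one document verifies on the other without any access to the private key; `sign` and `verify` here are an HMAC-over-the-digest stand-in for that property, an assumption of the example and not a real signature scheme. All names (`toy_hash`, `compress`, `find_colliding_blocks`, `render`, `demo`), the secret key and the sample IOU text are constructed for this example.

```python
"""Toy Merkle-Damgard hash used to show why a 'random' collision is not harmless.

Constructed for illustration: the hash has a 16-bit state and says nothing
about SHA-1's actual strength; only the structural property is real.
"""
import hashlib
import hmac
import itertools

BLOCK = 8                 # toy block size in bytes
STATE = 2                 # 16-bit chaining value: collisions found in ~300 tries
IV = b"\x00" * STATE


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function (truncated SHA-256); stands in for SHA-1's."""
    return hashlib.sha256(state + block).digest()[:STATE]


def toy_hash(msg: bytes) -> bytes:
    """Merkle-Damgard iteration with SHA-style padding (0x80, zeros, bit length)."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    padded += (len(msg) * 8).to_bytes(8, "big")
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state


def find_colliding_blocks():
    """Birthday search for two different one-block 'nonsense' prefixes that
    reach the same chaining value. Neither block is meaningful text."""
    seen = {}
    for i in itertools.count():
        blk = hashlib.sha256(b"nonsense-%d" % i).digest()[:BLOCK]
        cv = compress(IV, blk)
        if cv in seen and seen[cv] != blk:
            return seen[cv], blk
        seen[cv] = blk


def sign(key: bytes, msg: bytes) -> bytes:
    """Stand-in for a signature (assumption of this example): like RSA or DSA
    signatures, it depends on the message only through its digest."""
    return hmac.new(key, toy_hash(msg), hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)


def render(doc: bytes) -> str:
    """Toy document format: the first BLOCK bytes are an opaque header; the body
    is a template '<hex>:<text A>|<text B>' that displays text A when the
    header matches <hex> and text B otherwise."""
    header, body = doc[:BLOCK], doc[BLOCK:].decode()
    branch_a, branch_b = body.split("|")
    key_hex, text_a = branch_a.split(":", 1)
    return text_a if header.hex() == key_hex else branch_b


def demo() -> dict:
    a, b = find_colliding_blocks()
    # Common suffix: a template that shows one sentence for header a, another otherwise.
    suffix = (a.hex() + ":I owe you 100 EUR.|I owe you 100000 EUR.").encode()
    doc_a, doc_b = a + suffix, b + suffix
    key = b"signer-secret"          # only the signing party holds this
    sig = sign(key, doc_a)          # the signer approves the harmless-looking document
    return {
        "same_digest": toy_hash(doc_a) == toy_hash(doc_b),
        "sig_verifies_on_b": verify(key, doc_b, sig),   # no key needed for this
        "shows_a": render(doc_a),
        "shows_b": render(doc_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The defender's takeaway is the one Robert draws: the collision lives in the hash construction, not in any one file format, so an application cannot rely on "the colliding inputs are gibberish" as protection; the remedy is to move signatures to a hash without known collision attacks.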

Michael Daigle | 2 Sep 2005 16:32

Re: thoughts on sha-1


In reply to Robert J. Hansen's message sent 2005-09-02 00:31:

> OpenPGP does not provide nonrepudiation.  Never has.  Never will.
> There's a really trivial way to repudiate pretty much any OpenPGP
> signature, something that's sometimes called the 'Bali Attack'.

I'll assume that you mean all PKCS do not provide nonrepudiation, not
just OpenPGP.

If that's the case, then "yes" and "no" - and I think your message
infers agreement to that. Yes, nonrepudiation agreements can be arranged
between parties, but no, they may not stick if you have a good lawyer
and/or have devised an incredible or otherwise well-planned scheme.

--
List Moderator, PGP Encryption Help Team

Mike Daigle                                   http://www.mikedaigle.ca
My PGP Key                                 mailto:pgpkey <at> mikedaigle.ca
Gossamer Spider Web of Trust                      http://www.gswot.org

Robert J. Hansen | 2 Sep 2005 18:22

Re: thoughts on sha-1

Michael Daigle wrote:
> I'll assume that you mean all PKCS do not provide nonrepudiation, not
> just OpenPGP.

Assuming that you meant "no purely cryptographic PKCS provides
nonrepudiation", then yes, I completely agree.

PKCSes which incorporate legal protocols as well as cryptographic
protocols do provide nonrepudiability, but then we're no longer talking
about systems like OpenPGP and we're now talking about PKCSes like DoD
contractors use, where there's a lot of legal baggage that makes it hard
to repudiate.

> infers agreement to that. Yes, nonrepudiation agreements can be arranged
> between parties, but no, they may not stick if you have a good lawyer
> and/or have devised an incredible or otherwise well-planned scheme.

The entire point of nonrepudiability is that you can _make_ it stick.
Claiming a system is nonrepudiable even though a very modest attack can
repudiate it is like claiming a 128-bit keyspace is safe even though
only 40 bits of it are used.

______________________________________________________________
Archives:         http://groups.yahoo.com/group/PGP-Basics/messages
OT List:          http://groups.yahoo.com/group/PGP-Basics-OT
OT Subscribe:     mailto:PGP-Basics-OT-subscribe <at> yahoogroups.com 
Anthony G. Atkielski | 2 Sep 2005 13:53

Re: thoughts on sha-1

Robert J. Hansen writes:

> Let's say, for sake of argument, that I'm a researcher working on
> IP-over-Avian-Carrier and I discover an effective Denial of Service
> attack.  The rest of the world says "oh, but you're only doing IP by
> carrier pigeon--the rest of us are using IP over bongo drums, so it
> doesn't affect us".  This could be potentially dangerous, because you're
> depending on an implementation detail (bongo drums versus carrier
> pigeon) to protect you from a flaw in the underlying protocol (IP).

That's no worse than depending on a strong hash algorithm to protect
you from flaws in the final implementation.

> Starting from a random collision (i.e., a nonsense
> message), he was able to construct a meaningful message (e.g., a Web
> page).

How many Web pages in the world are digitally signed?

Andrew Cranwell | 2 Sep 2005 12:01

Re: thoughts on sha-1


Robert J. Hansen wrote:
> Michael Daigle wrote:
> 
<snip>
>>>complete that fantastic task in the victim's lifetime, you're still
>>>unable to affect non-repudiation because you don't have the document
> 
> 
> OpenPGP does not provide nonrepudiation.  Never has.  Never will.
> There's a really trivial way to repudiate pretty much any OpenPGP
> signature, something that's sometimes called the 'Bali Attack'.
> 

Eh? What's that? Googling it didn't help much...

--
Andrew Cranwell StudIEAust  |   /"\
Encrypted Email Preferred   |   \ /     ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |    X   Against HTML email & vCards
http://tinyurl.com/cc9up    |   / \
Robert J. Hansen | 2 Sep 2005 12:14

Re: thoughts on sha-1

Andrew Cranwell wrote:
> Eh? What's that? Googling it didn't help much...

It's the canonical way to repudiate a digital signature.

Let's say you're a stockbroker, and I want to buy some stock from you on
a short deal.  This means I'm borrowing stock from you, with a promise
to give you the stock back later.  If I sell it and the price goes down,
I can buy the stock back and give it to you, keeping the profits.  If I
sell it and the price goes up, I'm going to lose my shirt.  I want to
make sure that I can get a profitable trade, but I want a way to back
out of an unprofitable trade.

You and I exchange keys and establish enough of a record for you to have
some confidence in me.  Then, I go off to Bali (or insert your own South
Pacific island).  While I'm off in Bali, a confederate--to whom I've
given my key--sends you a signed email saying, "I want to short 5,000
shares of the SCO Group's stock".  You have no reason to think I'm
lying, and after all, it's a signed document, so it's legally
enforceable.  You credit my account with the stock.  My confederate uses
my key to sell the stock and converts it into cash.

When I get back from Bali, I see what's happened to the SCO Group's
stock.  If it's gone down, then great: I get the money from my
confederate, buy back the stock, and give you back your original
investment.  But if it's gone up, I go to court and say "Your Honor, I
_couldn't_ have signed that agreement; I was in Bali!  Somebody must've
cracked my box.  I'm the victim of identity theft!"

... At that point, you're out of luck.  OpenPGP provides you with

Andrew Cranwell | 2 Sep 2005 12:43

Re: thoughts on sha-1


Robert J. Hansen wrote:
> Andrew Cranwell wrote:
> 
>>Eh? What's that? Googling it didn't help much...
> 
> 
> It's the canonical way to repudiate a digital signature.
> 
> Let's say you're a stockbroker, and I want to buy some stock from you on
> a short deal.  This means I'm borrowing stock from you, with a promise
> to give you the stock back later.  If I sell it and the price goes down,
> I can buy the stock back and give it to you, keeping the profits.  If I
> sell it and the price goes up, I'm going to lose my shirt.  I want to
> make sure that I can get a profitable trade, but I want a way to back
> out of an unprofitable trade.
> 
> You and I exchange keys and establish enough of a record for you to have
> some confidence in me.  Then, I go off to Bali (or insert your own South
> Pacific island).  While I'm off in Bali, a confederate--to whom I've
> given my key--sends you a signed email saying, "I want to short 5,000
> shares of the SCO Group's stock".  You have no reason to think I'm
> lying, and after all, it's a signed document, so it's legally
> enforceable.  You credit my account with the stock.  My confederate uses
> my key to sell the stock and converts it into cash.
> 
> When I get back from Bali, I see what's happened to the SCO Group's
> stock.  If it's gone down, then great: I get the money from my
> confederate, buy back the stock, and give you back your original
> investment.  But if it's gone up, I go to court and say "Your Honor, I

Robert J. Hansen | 2 Sep 2005 12:55

Re: thoughts on sha-1

Andrew Cranwell wrote:
> Oh, and Bali isn't in the Pacific, it's almost in the Indian Ocean (that
> or the Timor Sea)... definitely not Pacific, Papua New Guinea is in the
> way to start with  :)

http://www.cia.gov/cia/publications/factbook/geos/zn.html

The Pacific Ocean includes the Bali Sea, so I reckon it's fair to say
Bali is in the Pacific.  :)

--

-- 
"Most people are never thought about after they're gone.  'I wonder
where Rob got the plutonium?' is better than most get." - Phil Munson

Andrew Cranwell | 2 Sep 2005 15:25

Re: thoughts on sha-1


(cross posted to OT - please continue it there)

Robert J. Hansen wrote:
> Andrew Cranwell wrote:
> 
>>Oh, and Bali isn't in the Pacific, it's almost in the Indian Ocean (that
>>or the Timor Sea)... definitely not Pacific, Papua New Guinea is in the
>>way to start with  :)
> 
> 
> http://www.cia.gov/cia/publications/factbook/geos/zn.html
> 
> The Pacific Ocean includes the Bali Sea, so I reckon it's fair to say
> Bali is in the Pacific.  :)
> 
> 

http://www.cia.gov/cia/publications/factbook/geos/id.html

I dispute their claim of the Bali Sea being part of the Pacific. The
main (only?) city on Bali is Denpasar. There's a good deal of other
islands and minor seas between the Pacific and Bali - it's far closer to
the Indian Ocean.

--
Andrew Cranwell StudIEAust  |   /"\
Encrypted Email Preferred   |   \ /     ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |    X   Against HTML email & vCards
http://tinyurl.com/cc9up    |   / \
