 One of the founders of PGP Incorporated, the principal crypto consultant at Network Associates, the director of technology at Deloitte Crypto Research and Development, he's the executive director of the Crypto Rights Foundation, I don't believe, and the chief security officer at Meconomy, and he's here to talk to you today about what PGP and crypto are, how to use them, and how not to use them. Hey everybody, so thanks for being patient, appreciate that. Okay, so this is the newbie track, right, which I think is kind of silly because in fact all the stuff that I'm going to tell you is stuff that so-called experts are completely fucking clueless about. Okay, this is like the really dumb shit that everybody gets wrong regardless of whether they think they're an expert or not. So, totally do not think you're in a newbie thing right now. Think of yourselves as beginning on the road if you are, or like learning how to do things right if you've already been using PGP a little bit. My introducer was very kind in introducing me with all these past things that I've done right now and the chief security officer at Meconomy Incorporated. We're hurrying! See you later. Okay, so really quickly, except for the two guys in the back who were shoulder surfing you while I was doing this about 10 minutes ago, the rest of you don't know what the worst assumption is that you can make when you're using a communication system. So except for those two guys back there, does anybody want to hazard a guess? You were all shoulder surfing, okay. Exactly. Oh, it's on autopilot, no wonder. See, okay. This is perfect, okay. I don't really hate PowerPoint. This is why, okay. All right, so let me go backwards a little bit here. So yeah, assume you're in Chicago. Beautiful, I love this. This is great. Okay, hilariously funny. Please take that seriously because it is absolutely the worst thing you can possibly do. 
I've seen this mistake made literally thousands of times by every kind of expert and non-expert. Stop! Okay, somehow the stupid thing is on autopilot. Okay, I hate this program, I really do. What a fuck. All right, somebody has a clue telling me where the autopilot thing is. Slide show. Slide show. All right. It's still going to be on autopilot. Okay, really fucking good. Yeah, I'll just talk really fast. Yeah, okay, that's a good idea. That's a good solution. Hey, format habits. What's the assumption? Key mismanagement, bad cryptiquette, advanced screw-ups. First thing, you all know this one already. Don't worry about it. It's like, you're going to make this mistake anyway, so, you know, huh. All right, the second thing is... Yeah, no, for real, for real. No, seriously, I'll take that criticism. I am so proud that I don't know how to use Microsoft PowerPoint. In every environment that I've ever been in, in every environment I've ever been in, I've always told people, do not fuck with me with your 125-slide PowerPoint presentations, because I don't want to see it. I like ASCII text, put it out, e-mail it to me, whatever, you know, I don't care. So all the fancy crap, you know, it's like useless. All right, so these are the key mismanagement mistakes that everybody will make. And you'll excuse me, but I'm just going to use this, like, simplified viewer here, because I'm too fucking stupid to use the actual program. So the first thing is... Now, this seems really obvious, doesn't it? Don't forget your passphrase. All right, now, truth time here, ready? How many people in this room use PGP? Okay, everybody who's never forgotten their passphrase, lower your hand. Yeah, right, my ass. You guys are lying. Okay, well, let me just put it to you this way. Passphrase selection is the most important thing you'll ever do, because your entire interface with PGP and probably every other crypto or security system you use will be through your passphrase.
And if it's too complicated, you'll do what 98% of people do, which is forget it in the first two hours. Seriously, I've trained certain, you know, marketing executives who are really cool for the first five minutes, and then, like, 10 minutes later, they come back and they go, I can't remember my passphrase. And this has happened many times. Even at PGP Incorporated, we had a VP of marketing who should remain nameless, who was just... could never ever use the program. I mean, the entire time she was there. The second thing about forgetting your passphrase is it's great to make it complicated. It's, you know, it's really cool if it's 25 characters long. It's great if it's multiple words. It's nice if it has punctuation. Excellent if it's case-sensitive. Numbers, we love it. It's all good. But if you can't remember it, all that stuff is really wasted on the NSA. So, and it certainly doesn't do anybody else any good. So I'll get into why it's bad to forget your passphrase later on, but let's just say that you lose all the functionality of the application if you do that. So it's kind of, you know, don't bother with that. The next most common thing that people do is to lose their keys. Now, I know you're all saying, Dave, this is so obvious. Well, I'm sorry to have to stand here in front of really intelligent people and say really obvious things. But six years ago, when I co-founded, with a bunch of other people, the PGP Help Team, we do freeware help for people. You can find it at cryptorights.org/pgp-help-team/hello.html, because we're really friendly. When we started this six years ago, you know, we thought, well, we're going to be dealing with people who have really hard-core questions. But in fact, it's been about six years of, I lost my key. I forgot my passphrase. All right, to the point where, you know, we put that pretty high up in the FAQ, you know, about how we can't help you in this case.
You know, we're sorry if you stub your toe, but don't walk there. So losing your key pair, there were some really easy things that you can do to prevent this from being a problem. Now, of course, it won't do you any good at all if you can't remember the passphrase to the keys that you've backed up. But there's a really useful thing that you can do. And I will tell you right now, a lot of really expert PGP users, including members of the PGP development team, who I will not name right now, have fallen prey to the second mistake of losing their keys. And here's the easy way to deal with it. Anybody here have a floppy disk? Hello? Use it. Just back up your key pairs on the floppy disk. Now, if you want to be paranoid, you know, like me, you first save your key pairs into a directory, and then you zip or tar or stuff that directory, whatever makes you, you know, happy. And then you take that directory and you encrypt it. Here's the tricky part. You can't encrypt that directory to your public key, right? Anybody want to tell me why? Really? Seriously? Somebody raise your hand and tell me why. Come on. You can tell me. Okay. Well, for those of you who can't guess, it's because if you lose the keys, you then can't decrypt that archive. So you encrypt it to a conventional passphrase. PGP does both types of encryption, right? You can encrypt something just as a blob with a symmetrical passphrase to it. Or you can do the public key thing, which is really intended for sending it to other people. But for yourself, you can encrypt it to a symmetric passphrase. And of course, that should not be the same one that you use for anything else. Because if you can't remember those passphrases, you won't be able to remember this one. So make it a special one, okay? Whatever it takes. Your mom's maiden name, your birthday, your dog's name, I don't care. As long as you can remember it, you know? I don't advocate doing stupid things like that using those particular types of passphrases. 
But, you know, if that's what it takes, then do it. The end result is you'll end up with this blob on a floppy or removable or, you know, an MO or a Zip cartridge or CD or whatever. It doesn't really matter to me, you know? CD-Rs are great. I love them. CD-RWs are even better. And someday when you do lose your keys, which you will do, then you'll be able to recover it. Now, the last thing that I wanted to mention is when you do this whole backup procedure, which I refer to as self-escrow, and don't give me a hassle about the name because this is a good form of escrow. Anybody guess what I'm going to say next? Sorry? Well, yeah. Okay. I'll take that one. That's like 4B, okay. Tell me what number five is? No. Test your backup. It really makes no difference if you've got this super slick backup the NSA can't get into if you can't get into it, right? So, this is all obvious, you know? I'm giving you the obvious stuff here, but believe me, these are like common mistakes everybody makes, and that's why this is called how not to use PGP. The other thing you can do, and this is a really cool thing to learn how to do, is you can generate what we call a KRC or a key revocation certificate, which is the next item down here on key revocations, which means that if you should need to revoke this key pair, which means you sort of terminate use of the secret key. You can still use the secret key for decryption and signing, but your public key is sort of tagged as "don't use this anymore" to anybody else in the public. This is a very good thing to do, okay?
If you suspect the key's been compromised, or if you lose the passphrase, you have a key revocation certificate, which you can then put out into the public domain, which will mean that for the rest of eternity, because I know a lot of people don't put expiry dates on their keys, people won't be able to encrypt things to this key, which will be kind of frustrating, because you'll get all these encrypted messages and you'll have to send back this embarrassed message. Sorry, I've been like a PGP expert for 10 years, but I can't decrypt these messages, so I'm going to lose the key and go right. I don't think I'm going to hire Dave for that job, right? You had a question? No. Well, it does the first time when you make it, but if you store it just as a file, then it doesn't require a passphrase to throw it up on a key server somewhere. Good question. That was actually a good question. Okay. Another thing that people very commonly do, now this is, I've got to say, Phil Zimmermann, a buddy of mine, great guy, has actually not made these mistakes. As far as I know, Phil, myself, Jon Callas, and maybe four other individuals in my entire life have not made any of these mistakes. I've never lost a key. I've never forgotten a passphrase. I'll tell you why I never forget a passphrase, because it's a promise I'd get back to that, right? Something like that. Almost everybody else that I know, and that amounts to literally thousands of people who represent thousands of keys on my keyrings, and yes, my keyring is a very large one, wheel dean is a real problem, and yes, I'm a great beta test case, have made these mistakes. So I've ended up literally doing key management for other people on my keyring for them, and that's really kind of sad, especially when they're like, you know, in charge of working groups in the IETF and stuff. These are lovely trust connections.
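Editor's note, added to this transcript and not part of the talk: the self-escrow procedure from the last few minutes (export the key pair, keep the revocation certificate with it, encrypt the bundle to a symmetric passphrase rather than to the key itself, then test the backup by restoring it into an empty keyring) written as a script against GnuPG. It assumes GnuPG 2.1 or later, which writes a revocation certificate into openpgp-revocs.d at key-generation time and accepts a passphrase on the command line via --pinentry-mode loopback, plus tar, awk and mktemp; the identity, passphrases and paths are made up for the demo.

```shell
#!/bin/sh
# Added example (editor's, not code from the talk): "self-escrow" a PGP key pair
# and then TEST the backup by restoring it into an empty keyring.
# Assumes GnuPG >= 2.1 (gpg, gpgconf), tar, awk, mktemp. Identity and
# passphrases below are constructed for the demo.
set -eu

KEY_PASS='passphrase protecting the key itself'
ESCROW_PASS='a separate, longer passphrase used only for this backup blob'

# gpg wrapper: non-interactive, passphrase supplied per call (demo only; in real
# use let pinentry ask, or use --passphrase-file on a mode-0600 file).
g() { _h="$1"; shift; GNUPGHOME="$_h" gpg --batch --yes --quiet --pinentry-mode loopback "$@"; }
newhome() { _d=$(mktemp -d); chmod 700 "$_d"; printf '%s' "$_d"; }
primary_fpr() { g "$1" --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}'; }

# self_escrow <gnupghome> <output-blob>: bundle public key, secret key and the
# revocation certificate, encrypt conventionally. Prints the primary fingerprint.
self_escrow() {
  fpr=$(primary_fpr "$1")
  stage=$(mktemp -d)
  g "$1" --armor --export "$fpr" >"$stage/public.asc"
  g "$1" --passphrase "$KEY_PASS" --armor --export-secret-keys "$fpr" >"$stage/secret.asc"
  # GnuPG >= 2.1 wrote a revocation certificate when the key was generated. Keep
  # it with the backup: it is what you publish if the key or its passphrase is
  # ever lost. Its BEGIN line is prefixed with ':' so it cannot be imported by
  # accident; remove that colon before importing or sending it to a key server.
  cp "$1/openpgp-revocs.d/$fpr.rev" "$stage/revocation.asc"
  # Never encrypt this to the key being backed up: lose the key, lose the backup.
  # --symmetric means only the escrow passphrase unlocks the blob.
  tar -C "$stage" -cf - . |
    g "$1" --passphrase "$ESCROW_PASS" --symmetric --cipher-algo AES256 \
      --s2k-mode 3 --s2k-count 65011712 --output "$2"
  rm -rf "$stage"
  printf '%s' "$fpr"
}

# test_restore <blob>: decrypt and import into an EMPTY keyring, then prove the
# restored secret key can sign (clearsign + verify). Prints the restored fingerprint.
test_restore() {
  fresh=$(newhome); stage=$(mktemp -d)
  g "$fresh" --passphrase "$ESCROW_PASS" --decrypt "$1" | tar -C "$stage" -xf -
  g "$fresh" --import "$stage/public.asc"
  g "$fresh" --passphrase "$KEY_PASS" --import "$stage/secret.asc"
  fpr=$(primary_fpr "$fresh")
  printf 'backup test\n' |
    g "$fresh" --passphrase "$KEY_PASS" --local-user "$fpr" --clearsign |
    g "$fresh" --verify 2>/dev/null
  GNUPGHOME="$fresh" gpgconf --kill gpg-agent
  rm -rf "$fresh" "$stage"
  printf '%s' "$fpr"
}

# End-to-end: generate a throwaway key pair (with an expiry date), escrow it,
# restore it. Prints "ok <fingerprint>" only if the restored key matches and signs.
selfescrow_demo() {
  live=$(newhome); blob=$(mktemp)
  g "$live" --passphrase "$KEY_PASS" \
    --quick-generate-key 'Alice Example <alice@example.org>' default default 1y
  fpr1=$(self_escrow "$live" "$blob")
  fpr2=$(test_restore "$blob")
  GNUPGHOME="$live" gpgconf --kill gpg-agent
  rm -rf "$live" "$blob"
  [ "$fpr1" = "$fpr2" ] && printf 'ok %s\n' "$fpr2"
}

selfescrow_demo
```

The restore runs in a fresh GNUPGHOME on purpose: a backup that only decrypts on the machine that still has the live key has not been tested. Note that the two passphrases are different, as the talk insists, and that the escrow passphrase is the only thing standing between the blob and anyone who finds the floppy.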
Let me summarize here by saying if you have an old key and for whatever reason you don't want to use it anymore, maybe you changed email addresses and you're too dumb to know that you can add a second user ID, you know, and like not use the first one, which is another thing that people don't figure out, but I didn't even put it on here because that was just like too easy. If that ever happens and you don't want to use that key anymore and you want to generate a new key, which is a perfectly acceptable thing to do, you've accumulated signatures on the first key, presumably. Anybody here familiar with the web of trust? Raise your hands please. Okay, I'm going to go into a little web of trust discussion for a minute for people who are not familiar with it, because that's an important part of why PGP is so cool. But the point that I'm making here is that you can easily lose these web of trust connections, which are really vital to the presence of your key in the worldwide PGP community and meaningful to you, useful to you, and to other people who use your key, because it establishes the validity of your key. If you lose those connections, it's sort of a stupid user trick, you know, it's like really not a good thing to do. So the way to get around that is you take the old key, this is good key hygiene, you take the old key, you sign the new key with the old key. So it says, remember that old key that all of you trusted that has like your signatures on it? That key signed this key and asserts that I am now the new Dave Del Torto or whoever. And then you can accumulate new web of trust on the new key, and people who signed the old one can easily go and say, oh yeah, Dave signed this new one. I don't need to call him up at four in the morning to check his fingerprint. I'll just sign the new one, you know, for a limited amount of time, and then next time I see him at an IETF meeting, I'll say, hey Dave, is that really your key? And I'll say, yeah, and they'll go, cool.
Really easy. If you do that, it really smooths things over. You would be surprised how few people do this. They just generate a new key and then they start from square zero after like five years of PGP use, which is really dumb. It's like ripping a hole in the web of trust. Now, let me explain the web of trust briefly because it's kind of important. There are two concepts that people generally don't understand about PGP, including expert users. You're about to leapfrog right over their heads because I'm going to explain it. Validity, trust. Two different things. Validity is a really simple thing. It's very objective. Do you believe that that cryptographic object, that key, that public key, actually belongs to the individual who claims to own it? If you do, the key is valid and you express that belief by signing it with your key and asserting the validity of that key belonging to that person. Is anybody here not clear on what I've just said? Because if you're not, please raise your hand. You're not dumb for asking a question about this. This is like really arcane for some reason. Okay? Okay. Validity of a key is the belief that the key material, the key material, is bound to the real live person. The reason that this is so important: the whole world of digital signatures, which are about to become like legal, you know, artifacts, is based on whether you believe the cryptographic key material really belongs to the human being who asserts that they signed that digital document. If there's no validity, the signature is worthless. Right? Everybody here heard of Jim Bell? Cypherpunk, got thrown in jail, bomb threats, federal court building, blah, blah, blah, remember? Mumble. Okay? Federal prosecutor calls me up. He says, federal investigator just called me. He said, Dave, you do that training course at the Federal Law Enforcement Training Center, right? Yeah.
So, will you come and testify in court about this guy, Jim Bell, and how he sent these threatening emails and posted them in newsgroups and on mailing lists and stuff? And I said, no. He said, why? He said, is it because you're a cypherpunk and you think all federal agents are assholes or something? I said, no, absolutely not. I teach them. They're just people like us. Well, that's what I said anyway. So, anyway, he goes a little, why won't you testify? And I said, well, because the private key was posted to, like, mailing lists and using it and stuff, you know, months beforehand. So, in fact, I could have made the signatures on those threatening documents. And so, he sucks in when he goes, oh. And then, of course, he goes in and he does it in court. Anyway, he's sorting this thing, right? Which is completely bogus. So, you live, you learn. Anyway, that's validity. You believe that the key material is bound to the human being. Question. Excellent question. How do you know that? Oh, God, you guys are good, okay. You know that because you check it with them. Right? Ideally what you do, if you're, like, really careful like me. And by the way, the reason that you'll see trust and introducer signatures on my keys is because people know that I'm really an anal-retentive asshole, you know, paranoid fucker about making sure that people really are who they say they are before I sign their key. You will not see my signature on a key of somebody else unless I've checked at least two forms of ID, photo ID. I know them for a certain amount of time, depending on the gravity of the signature being requested. And most importantly, I have a reason to sign their key. Like, we're working on a project together or we're working at the same company or something like that. Or it's like a really old close friend of mine or we're writing an IETF draft together or something, you know. There's some reason. I don't just sign a key for the hell of it. It's not a popularity contest.
You're making an assertion in cypherspace which will someday become a very important legal assertion. Okay? You have to tread carefully here. Do not lightly assert validity. It's not a simple thing. It's objective, but that doesn't make it unimportant. I see a question. For what purpose do you sign this key from somebody else's key? Okay, that's an interesting question. Everybody hear that question? The question is why would I sign somebody else's key? What would it profit me or what would it profit them for me to do that? Um... It's so simple. It would literally profit me because I might work for that person or that person might work for me. I simply won't send them anything sensitive unless I trust that the key that I'm encrypting to is bound to the person that I want to be able to read that message or get that file. It's that basic. It really is. If you don't have validity on a key, you have no business encrypting anything to that key. It could just as well be to a Fed or Sally NSA agent or whoever. Not that they're bad. But it's not the person that you think you're encrypting to. Anybody can make a key the user ID of which is Dave Del Torto, DDT at CryptoRights or DDT at LSD.com. Anybody can do that. The thing that they can't do is they can't make a key that has the identical key space or fingerprint space, or the same unique fingerprint on the key, which is part of one of the artifacts of the key properties, the same user ID, key size (that's kind of important), the size of the encryption sub-component or the encryption sub-key.
So they can't duplicate something that has the same key ID, key size and fingerprint, and most importantly they can't get every single one of the people that I work with who signed my key to collude as a huge group and sign that key, asserting that their key which says Dave Del Torto on it is actually my key. It's just, you know, it's out of the realm of probability. It becomes unbelievable. It's not computationally infeasible, it's like human-interaction, socially infeasible. That's your protection, and that's what the web of trust is, by the way. And by the way, let me just say here really quickly, the web of trust is a horrible name for this thing, because it's actually a web of validity. There's sort of validity on keys, it's not trust. Okay, now wait, one thing. The other thing I wanted to define really quickly is trust, because that's a completely different thing from validity. That's subjective, right? And may I say that, you know, aside from the simple key management, or key mismanagement, mistakes that people commonly make, not understanding validity and trust and how they work and how the web of trust is built is like, you know, common mistakes four through ten. It's just like, cumulatively, if you have weaknesses in the web of trust it's because people don't check things like fingerprints and make signatures carefully and don't understand about expiry and stuff like that. But I'm not going to get into a lengthy discussion of key hygiene here, I just wanted to cover the basic topics. Then we can go into a Q&A at the end and you can ask me anything later on in school, or email me, or go to the PGP Help Team thing. Okay, you have a question?
No. Does it make a difference whether you receive someone's public key through email encrypted or not encrypted? The fact that it arrives securely encrypted to your key is completely orthogonal to whether or not that key material is in fact bound to that human being. Okay, I got this. So the question is, what's wrong with man-in-the-middle attacks, okay? The man-in-the-middle attack is not an issue with PGP because of the web of trust. The only reason that a man-in-the-middle attack would be a problem is if you're stupid and you don't check the validity of the key with the person and make sure that the key that you have locally on your keyring is in fact the key that they sent you, by checking the fingerprint over the phone or in person, getting the photo ID. By the way, there's like levels of assurance on checking this stuff. There's only one type of validity: you've either signed the key or not. There are shadings of values in versions 5 and above, different signature types, and you know, there are non-exportable signatures that never leave your keyring, so you're not asserting something to the public but only to yourself. In other words, you're deceiving yourself but not everybody else in the world, right, if you screw up and sign the wrong key; that's only a minor problem. There's a trusted introducer signature, which is not only that I believe that this is in fact the individual who signed, or who produced, this key and sent it to me, but I also in fact trust that person, and that goes to the next thing, which is trust. I suppose the validity of the information type signature... There's a plain old exportable signature, which is just like, yeah, I checked this ID, this is Bill So-and-So or this is Joe Blow or whatever, and I believe it until this date, and then my signature expires. And then there's like this fully arcane type of signature called a meta-introducer signature, which is like, I believe that key is God, and anything that key signs is like a trusted introducer to me, and
that's really only used in large enterprise environments with complicated little PKIs, like cryptorights.org for example. We do security work for human rights groups and human rights workers. We go out in the field and deal with really dangerous situations. In those cases, if they sign a key as a meta-introducer, it has a profound impact on the entire PKI, the public key infrastructure, involved in their work, and theoretically could result in somebody getting killed, you know, if they trust the wrong key. So use that carefully. But basically the only kinds of key signatures that you're gonna make are either non-exportable, which is a very sort of preliminary kind of thing. I use it a lot actually, in that gray area between where you've checked the key with the person but you need to send them a message, you haven't done the checking but you need to send a message. First of all, the content of that message should not be, you know, my bank account number is this and, you know, my blood type is such and here's my DNA data and stuff like that. It should be something real simple, like, meet me, you know, for a face-to-face meeting to check your key next Tuesday at 12 at such and such burrito place. Now granted, that's the perfect man-in-the-middle attack, you know, they like make somebody up, like, you know, Mr.
Phelps, and send him in, and say, you know, hi, I'm Dave Del Torto, and then later he peels his face off and walks away. But, you know, let's face it, we're not assuming we're secure here, right? Right, let's say we're not assuming we're secure. You've got to think for yourselves. Has anybody seen Life of Brian? Okay, so you're all supposed to say "we've got to think for ourselves", you know, like in unison. Okay, let me really quickly, before we go too far into this, let me also say that trust is an entirely subjective thing. Nobody can make you trust somebody else, not even PGP. There's no reason for you to trust somebody just because they have a PGP key. In fact, just because they have a PGP key, and just because they sent it to you, and just because you checked it and it's valid and it's really that person, doesn't mean you trust them. All it means is the key is valid. Then you have to make a subjective, you know, decision in your own mind: am I going to send this guy like really sensitive stuff just because I know it's him who's reading this stuff? It's an entirely separate thing. Finally, and I'll just sort of leap into the last one, really, this seems kind of obvious as well, but: too many keys. Those of you who have PGP have probably in the past gone to the key server and looked up JoeBob at AAAA.com and you've discovered that JoeBob has like 57 keys. Not a damn one of them has been revoked. You can't tell whether they've been used or not. You don't really know whether they belong to him, because you're sure not going to check 57 different keys with Joe, and you have no idea which one to use, and therefore Joe has essentially committed a denial of service on himself. Classic mistake. So the way not to do that is make a few keys, use them carefully. If you have a training key at first, and I'll get to that, that's a good thing to do, but don't flood the world with lots and lots of keys, because then it begins to reach a point of diminishing returns, and now nobody wants to send you any secure stuff because they have no idea which
to use. And believe me, expert PGP users make this mistake all the time. I mean, like, I'm not exaggerating here. I'm a key management fanatic, okay, you can probably tell by now. Every day I exchange email, I'm not exaggerating, every day I exchange email with somebody who should know better, who has like four keys on the server and hasn't bothered to revoke the first three and let everybody know. You have to begin to develop ESP and look at expiration dates and creation dates on keys and say, well, this one was created the most recently, I'll try that one first, and then you have to work your way back. And then of course there's all the problems that they have of not keeping the right user IDs on that key, so you've got to encrypt it manually, you can't use your plugins for email or whatever, and we're really not sure if it's the right one. Of course, your first message is: key ID such and such, is this the right key for you? Can you read this? You know that old ad, c-n-u-r-d-c-h-s, can you read this? That's really annoying, every day, and that happens. So, next. Any questions at this point?
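Editor's note, added to this transcript and not part of the talk: the "ESP" described above, reduced to a rule you can run. It takes the colon-separated listing that gpg --with-colons --list-keys prints for a correspondent with several keys on the server and picks the one to encrypt to: not revoked, not expired, carrying the address as a non-revoked user ID, with a live encryption-capable subkey, newest creation date winning. The listing in the block is constructed for the demo (a real one has more records and fields), the field positions used are GnuPG's documented ones, and JoeBob, the addresses and the fingerprints are invented.

```shell
#!/bin/sh
# Added example (editor's, not code from the talk): choose which of a
# correspondent's many keys to encrypt to, from `gpg --with-colons --list-keys`
# output. Needs only sh and awk. The sample listing is CONSTRUCTED.
set -eu

# pick_key <email> <now-epoch>: reads a colon listing on stdin and prints the
# fingerprint of the key to use, or prints nothing and exits 1 if none qualifies.
pick_key() {
  awk -F: -v want="$1" -v now="$2" '
    BEGIN { best = ""; best_created = 0 }
    function flush() {                # judge the key block just finished
      if (fpr != "" && pubok && uidok && encok && created > best_created) {
        best = fpr; best_created = created
      }
      fpr = ""; pubok = 0; uidok = 0; encok = 0; created = 0; insub = 0
    }
    $1 == "pub" {
      flush()
      # field 2 = validity (r revoked, e expired), 6 = created, 7 = expires,
      # 12 = capabilities (lowercase e: this key itself can encrypt)
      pubok = ($2 != "r" && $2 != "e" && ($7 == "" || $7 > now))
      created = $6
      if (index($12, "e")) encok = 1
    }
    $1 == "fpr" && !insub && fpr == "" { fpr = $10 }   # primary fingerprint
    $1 == "uid" && $2 != "r" && index($10, "<" want ">") { uidok = 1 }
    $1 == "sub" {
      insub = 1
      # a subkey only counts if it is itself live and encryption-capable
      if ($2 != "r" && $2 != "e" && ($7 == "" || $7 > now) && index($12, "e")) encok = 1
    }
    END { flush(); if (best == "") exit 1; print best }
  '
}

# Constructed listing: JoeBob has four keys on the server.
#  1: revoked (validity r)            2: expired in 2017
#  3: live, matching address          4: newer, but a different address
LISTING='pub:r:2048:1:1111111111111111:1262304000:::-:::sc::::::23::0:
fpr:::::::::AAAA1111111111111111111111111111111111AA:
uid:r::::1262304000::X::JoeBob <joebob@aaaa.example>::::::::::0:
sub:r:2048:1:2222222222222222:1262304000::::::e::::::23:
fpr:::::::::BBBB2222222222222222222222222222222222BB:
pub:-:2048:1:3333333333333333:1400000000:1500000000::-:::sc::::::23::0:
fpr:::::::::CCCC3333333333333333333333333333333333CC:
uid:-::::1400000000::X::JoeBob <joebob@aaaa.example>::::::::::0:
sub:-:2048:1:4444444444444444:1400000000:1500000000:::::e::::::23:
fpr:::::::::DDDD4444444444444444444444444444444444DD:
pub:-:3072:1:5555555555555555:1600000000:1800000000::-:::sc::::::23::0:
fpr:::::::::EEEE5555555555555555555555555555555555EE:
uid:-::::1600000000::X::JoeBob <joebob@aaaa.example>::::::::::0:
sub:-:3072:1:6666666666666666:1600000000:1800000000:::::e::::::23:
fpr:::::::::FFFF6666666666666666666666666666666666FF:
pub:-:255:22:7777777777777777:1700000000:1900000000::-:::sc::::::23::0:
fpr:::::::::0000777777777777777777777777777777777700:
uid:-::::1700000000::X::JoeBob <joebob@other.example>::::::::::0:
sub:-:255:18:8888888888888888:1700000000:1900000000:::::e::::::23:
fpr:::::::::9999888888888888888888888888888888888899:'

# Usage: "now" is mid-2022 here; with a real keyring pipe in
#   gpg --with-colons --list-keys "<joebob@aaaa.example>"  and  $(date +%s)
printf '%s\n' "$LISTING" | pick_key joebob@aaaa.example 1650000000
```

This only automates the mechanical part of the guesswork; the chosen key still has to be checked with Joe before you rely on it, and if the script prints nothing, that is Joe's self-inflicted denial of service showing up as a fact rather than a hunch.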
I don't have a question, David. Good, let's move on. Remember that anal-retentive thing? The anal-retentive thing. We can fix this old timing problem in under 10 seconds. Oh, from there, yeah, beautiful. Yeah, slight layout, I don't think so. All right, let's do it, man, don't worry about it. This is PowerPoint, let's not have a cow. All right, so: forgetting your passphrase. Keep an encrypted passphrase file. I went through this, this is important. Keep it unique, keep it simple. I love ASCII. There's all these little passphrase management things out there, utilities and stuff. Okay, I just want to laugh when I think about it, because most people that I know who use those things, and just, you know, I'm generalizing here, but a lot of people, they download the software, they load it with like their 10 most used passphrases, and then they don't manage to use it to maintain their passphrases anymore. They just sort of keep those there and they forget about it, and it just becomes this sort of dead limb that hangs off the back of their elbow, and that's not the intent. Keep it really simple. ASCII text files, they work great. Really, really simple. Yes, is there a question over there? I saw a hand waving. All right, losing your key, the second most common. Oh, this is priceless stuff. My hard drive crashed, so you didn't have a backup of any kind. My favorite mistake, my favorite excuse, was: my laptop fell over the side of the platform. Anybody here want to tell me who that was? How did you know? How did you know? Okay, CTO of HavenCo, anybody who's curious. Where are you, Ryan? Where's your laptop? Okay, so I went through the whole self-escrow thing. Escrow itself is not a bad thing, it can be used properly. The whole point is you don't want a nice federal agent to come in and escrow things for you, and the reason that you're not going to have that happen is because you're smart enough to do it for yourself. Escrow means reserving a backup of something, or preserving it in a place where an intermediary can
store it for you. If you have a properly self-escrowed blob that's been tarred and encrypted, you could store it on the net somewhere in the clear, because the passphrase is like 50 characters long and there's no way in hell that anybody's going to get into that, unless the quantum computing guy was right and we're all dead meat anyway. So, by the way, let me mention here that the user ID syncing problem is a really big problem. If you have a new email address and PGP is your preferred method for receiving envelopes in the mail, in order for other people to be able to easily send you envelopes in the mail, you have to make sure that your address is attached to that key material. Okay, so if you put your key out in the yellow pages, the key server directory of the world, it really does people no good if there's no correlation between the address that they have for you and this key. It might have your name on it, but how many guys are out there named Reverend Jim Jones? There's quite a few, right? So synchronize. It's also important that you keep the keyrings synchronized on your local machine. If your private keyring knows about a private key but your public keyring does not have the corresponding public key complement, you do not own that key pair. You cannot do anything useful with it. You cannot sign anything with it, because PGP likes to know that you have both complements, both those big prime numbers. There's like this prime number and this prime number is that big and you're multiplying them together and then there's a modulus, so all that fancy stuff happens. Okay, you've got to have both pieces. Has everybody here heard the like two-key padlock, you know, fire the missiles, two guys across the room each with a key metaphor? Okay, you need both those keys. So, automation: if you can make this statement honestly, every email address to which I expect people to encrypt corresponds to a user ID on my current unexpired key pair, you all set?
You're halfway there. Okay, key medication. You know, if I'd had more time I would have added a lot to this slide, but the really big problem here is that people leave dead keys all over the place. It's like you just walk along and you just take keys and just toss them behind you and you forget about them, and that's really dumb. This goes to the problem of having way too many keys as well, but it's really a problem for other people more than it's a problem for you. So it's really nice, it's good key etiquette, if you don't do it. Or good cryptiquette: losing web of trust, too many keys. Okay, so bad cryptiquette. Yes, I invented this word. Yes, I was stoned at the time. Offering others a secure channel. This is something that people don't normally think about when they think about public key cryptography. The act of placing a public key in the public domain is an announcement to other people that you respect their right to privacy. Just let that sink in for a minute. This guy in the blue shirt here, you know, if he wants to send me a message, yeah, you, if you want to send me a message, right, and you've got something really important to tell me, something worth shaking to you, and I have not provided you with a valid unexpired key with a proper user ID on it, I am not respecting your right to privacy. I don't even know you and I'm being an asshole to you already, and I'm not an asshole. Another thing: replying to somebody in the clear. You're just an asshole if you do this, I'm sorry. If I send you an encrypted message, it's got all this important stuff, some human rights workers are coming in from China and we're going to meet at such and such a place and would you like to come and hang with us and meet them so we can exchange keys and talk about the fact that their friends are being shot to death in Tibet or something, and you reply to the message and you quote back my entire message and you do so in the clear, what have you just done? Well, you may have killed some people in Tibet, but more importantly,
you've demonstrated your absolute incompetence using the crypto system because you don't understand the most fundamental aspect of it which is when you start putting an envelope around something you keep it in that envelope this is such a simple concept but so many people commit this violation it's not funny it's a serious thing we do work at crypto rights literally where somebody does that we just lock them out of our PKI sorry, you know like once if it's not too serious maybe we'll let you slide twice you're out of there we cannot trust you we don't care if your key is valid you cannot be trusted and really what this is about is trusting people but really it's necessary shouldn't be encrypting to somebody if you don't believe their key is theirs trust however is what this is really about handling other people's keys I could write a book on this one let me make it really simple my public key my property not yours I provide it to everybody and you provide all yours to everybody else it's a courtesy to them it's kind of like your personal information when you go surfing if you want to be like double click and grab people's information and spread it out to places where they don't have any control over it and they don't know what's being done with it and stuff like that and do traffic analysis on who they know and all that kind of neat stuff you can do fine but that's the kind of person you are your karma will come back and bite you in the ass when you handle other people's keys do so in a totally encrypting environment now so you asked a question I believe a little while ago about what is it important to send somebody a key when it's encrypted if it's important to you to provide that key to them such that nobody else can look at it while it's in transit between you and their key rings encrypt it if you put it on a key server it's been made public okay a little shading there what time is it I want to make sure I got more time for a question because there's lots of 
stuff to talk about here so I'll kind of blow a little quicker so if you handle other people's keys like for example let's say that you know I'm working on a project together you and me and I send you a key and it's encrypted and you reply encrypted the way you should and you sign my key you do not turn around and then post my key to a public key server with your signature on it it's not a popularity contest you're establishing validity for purposes of secure communication the important thing is for me to have more signature on my key and for you to have your signature on my key so my key is valid on your key ring it's not important for anybody else to see that and it's definitely not cool for you to then turn around and fire that key after a public key server and say I signed David's key I really don't care when we release PGP 5.0 when we release our first GUI version we really screwed up because it was possible we sent out this default key ring with all of our keys on it like every copy of the freeware PGP that we got off of MIT he downloaded and it had like a whole it was preloaded with a bunch of public keys the nice thing about GUIs is that they're easy to use the downside is that they're really easy to use because people would go select all sign send to server right so like suddenly we started noticing oh shit it's like taking 5 minutes to download my key over a T1 line because it's got like 500 signatures on it and you know what I don't know any of those people they've never called me to check my key they signed it because it was part of a default key ring in a public release of freeware hello alright enough said huh okay so you're offering a secure channel this is a really cool thing, it's a courtesy replying in the clear, lame excuses okay my classic lame excuses I send a message out to a whole bunch of people one of them replies in the clear everybody else is really cool they all encrypt the reply one of them replies in the clear and you know what the 
excuse is I don't have keys for all those other people and you should have replied to me alone and copied everybody else with ciphertext that they couldn't open and everybody with a clue will say oh you know he didn't have my key and they will send you their public key so the next time everybody will be in on a little group communication it's a beautiful thing about PGP you can encrypt to thousands of people and it only increases the size of the message by a few bits you know 120 bits per encrypted session key literally you can encrypt like a 5 megabyte file to thousands of people and it only be like you know 5 megabytes and a couple of K at the most it's a great thing don't abuse it okay handling other people's keys don't post them sign or return them okay so let me talk a little bit about some advanced screw ups because this is like fun stuff that supposedly really expert people do first thing they go away from home and they either don't take their crypto with them you know or they like break it or lose the key while they're on the road and they can't use it hotmail people you know it's cool to have a yahoo or a hotmail for emergencies like you're on the road you got to check your mail through a browser and Google a brush but bring your keys with you download a copy of the freeware install on whatever machine you're on it's getting crypto around it's good NIM keys I mean I could talk a lot about that one but we don't have much time so I'm going to cut it a little short NIM keys if you make a key for your pseudonym do not sign it with your real name key hello it's like duh and likewise you know and by the way don't go out and ask all your friends who signed your real key to sign the NIM key because it's really me that's not the point of a NIM and it's not the point of a NIM having a key and if you're a friend of yours you should be careful with this they make it a little bit easier but you still have to be careful with these kinds of things the reason that you do 
this is probably because it's really stupid why you don't do it but also because you're sensitive to what I call encrypted session key traffic analysis anybody know what an encrypted session key is? it's made in every AGP message simple version I'm standing in the middle between two large boxes there's a big one, this screen over here and this screen over here this screen contains all the literal data packet it's like the encrypted blob it's all encrypted with a session key I'm now holding the session key in my hands this is a visual aid this is the session key ok? I encrypt the session key and I encrypt it to the public keys of all my recipients it's 128 bits of data 128 bit keys, 128 bit crypto you've heard about it, it's very famous 128 bits, really powerful cool everybody gets a copy of that encrypted session key over here oh, there's the key ID for my key on the encrypted session key packet and they decrypt that and they get the session key and then they reconstitute the literal data that's how PGP works, it's really elegant so we're smart it also means that every single PGP message that you send out has encrypted session keys that are tagged for all the recipients even if you encrypt it to a NIM key separate address the person who's smart at the federal law enforcement agency worried about, or whatever a business competitor can simply look at that PGP message if they can do traffic analysis if they can watch your message traffic stream they can do this all they have to do is look at where are the encrypted session keys to whose keys were this message encrypted was this message encrypted it's really basic, right? 
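The encrypted session key traffic analysis described above, as an added example that is not part of the original talk: a small Python parser (names and constructed bytes are mine, not PGP's code) walks an OpenPGP message's packet headers and lists the key IDs on its Public-Key Encrypted Session Key packets, which is what pgpdump shows anyone holding the ciphertext. One copy of the session key uses the all-zero wildcard key ID that RFC 4880 defines for a hidden recipient, to show what a message looks like when the tag is suppressed.

```python
# Added example (not from the talk): list the recipient key IDs that every
# OpenPGP message exposes in its PKESK packets. Layout per RFC 4880; the
# "ciphertext" MPIs are constructed filler, not real encrypted session keys.
PKESK_TAG = 1                   # RFC 4880 sec 5.1
WILDCARD_KEY_ID = b"\x00" * 8   # "hidden recipient" key ID, RFC 4880 sec 5.1
FILLER = bytes(range(1, 129))   # constructed stand-in for an encrypted MPI

def _mpi(data: bytes) -> bytes:
    """OpenPGP multi-precision integer: 2-octet bit count, then the bytes."""
    data = data.lstrip(b"\x00") or b"\x00"
    return ((len(data) - 1) * 8 + data[0].bit_length()).to_bytes(2, "big") + data

def _packet(tag: int, body: bytes) -> bytes:
    """New-format packet header with a 1- or 2-octet body length (body < 8384)."""
    n = len(body)
    length = bytes([n]) if n < 192 else bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body

def build_pkesk(key_id: bytes, pk_algo: int, enc_session_key: list) -> bytes:
    """Version-3 PKESK: 0x03, 8-byte key ID, algorithm octet, then the MPIs."""
    body = b"\x03" + key_id + bytes([pk_algo]) + b"".join(map(_mpi, enc_session_key))
    return _packet(PKESK_TAG, body)

def _read_header(buf: bytes, pos: int):
    """Return (tag, body_start, body_end) for the packet starting at pos."""
    ptag = buf[pos]
    if not ptag & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ptag & 0x40:                                   # new-format header
        tag, first = ptag & 0x3F, buf[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = int.from_bytes(buf[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial body lengths not handled here")
    else:                                             # old-format header (PGP 2.x style)
        tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
        hdr = 1 if ltype == 3 else 1 + (1 << ltype)   # ltype 3: body runs to end of data
        length = len(buf) - pos - 1 if ltype == 3 else int.from_bytes(buf[pos + 1:pos + hdr], "big")
    return tag, pos + hdr, pos + hdr + length

def recipient_key_ids(message: bytes) -> list:
    """Key IDs named by each PKESK packet, in order; wildcard IDs are flagged."""
    ids, pos = [], 0
    while pos < len(message):
        tag, start, end = _read_header(message, pos)
        if tag == PKESK_TAG:
            body = message[start:end]
            if body[0] != 3:
                raise ValueError(f"unsupported PKESK version {body[0]}")
            key_id = body[1:9]
            ids.append("hidden (wildcard)" if key_id == WILDCARD_KEY_ID else key_id.hex().upper())
        pos = end
    return ids

def demo_message() -> bytes:
    """Constructed message: two Elgamal subkeys (two MPIs each), one RSA key, one hidden recipient."""
    return (build_pkesk(bytes.fromhex("A1B2C3D4E5F60718"), 16, [FILLER, FILLER])
            + build_pkesk(bytes.fromhex("0011223344556677"), 16, [FILLER, FILLER])
            + build_pkesk(bytes.fromhex("DEADBEEF0BADF00D"), 1, [FILLER])
            + build_pkesk(WILDCARD_KEY_ID, 16, [FILLER, FILLER])
            + _packet(18, b"\x01" + FILLER[:40]))   # tag 18: the encrypted literal data
```

The key IDs come straight out of the packet headers; no private key is involved, which is exactly why encrypting to a nym key from the same message stream links the two identities.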
And you can't fake it by just sending it to nyms and saying, well, let's actually chose suging it and nobody will know, because it's right there in the PGP packets. All you have to do is run pgpdump on it and, you know, you're good. OK, so, all right, there is a way to stealth PGP, but that's for next year. Actually, there's some really obscure versions of PGP on the Mac that did it. There's also stuff you can still download off of the MIT servers, or you can get it off of what used to be Replay, which is now zedz.net or zedz.nl. It's out there. If anybody wants to know where it is, let me know and I'll send it to you, once, of course, you're a foreign citizen, in which case I'll send it to you and I'll tell the BXA.

Question: nonsense. It's not a proper way to accept a nonsense. The nonsense that PGP 2.6.2i or 2.6.3i or whatever is the only safe version of PGP is not true. PGP 2.6.x uses well reviewed and carefully scrutinized algorithms. PGP 5.x, 6.x and now 7.x all use the same, similar, well-reviewed algorithms; they've been out there for years. The new Diffie-Hellman key form, type 4 keys I should say, the new Diffie-Hellman keys, which are currently the only type 4 keys available, are much more secure than the older RSA keys. For one thing, the fingerprint on the newer keys is calculated over all the key material and all the properties, whereas the fingerprint on the older RSA keys is only calculated over several specific properties. So the fingerprint alone, that alone makes it better. Secondly, there's a really nice advanced feature in versions 5 and above; version 6 and above makes it easily accessible in the GUI, and there's an issue here that I'll get to with GPG. But here's the important information: in the new type 4 keys there are subkeys. There's the signing subkey, which is your master key, which collects all your web of trust, and there are N to N plus N subkeys for encryption. You can have multiple encryption subkeys, all of them will be used, and therein lies the problem of interoperability, interoperability between NAI's PGP and GPG, or GnuPG, or OpenPGP, in that GnuPG currently is not able to recognize the right key to decrypt with or to encrypt with when it sees multiple encryption subkeys.

Therefore, if you are a user of PGP 6 and above, then you have wisely chosen to have multiple encryption subkeys. For example, I have something like 5 or 6 subkeys on my main Diffie-Hellman key. Only one of them should be active at any one time, and in fact the one I created a really long time ago, like 4 or 5 years ago, that I didn't want to use anymore, I revoked it. You can revoke individual encryption subkeys, and I put that out on the net. So if you go download my canonical key, or whatever, say 5 subkeys for encryption, only one of which should be active at this time, and that's the one you should use. However, GPG still has trouble seeing it because of all the other expired or revoked ones. So what I do is I keep a web page. If anybody wants to go there, it's deltor.to, yes, I have a domain in Tonga, deltor.to/keys, with an S, /DDT. If you go there you will see what I think is the way to put your keys in the public: control the manifestation of your keys. The HTML of your page is signed, so nobody can fake that, and it's on your website, so if your website is reasonably secure it's even harder for somebody to break in and then spoof your signature on the HTML and put in the wrong key material. Multiple levels of protection. It also means you can strip off all those nasty revoked or expired subkeys, and therefore GPG users won't have a problem with your key.

So the type 4 keys are very good. The old RSA keys, still OK. However, if it's a 768-bit RSA key you may want to think twice about encrypting to it if the message is sensitive and the person works somewhere for the federal government or something like that, because that may in fact be attackable. We have evidence to suggest, well, certainly Adi Shamir has recently used hardware to break 512-bit RSA encryption, so we now assume that 768 is well within the range of a well funded adversary, and we also assume that 1024 is well within the theoretical grasp of somebody with a really advanced supercomputing, parallel supercomputing environment. So, not a safe thing to do if you really, really are worried about the contents of the message. If it's just casual, "hey Bob, do you want to meet me in front of the NIST headquarters and go to Langley and go to the sub shop and get a sub for lunch," not a big deal. Any other questions? Yes?

[Question:] Silly, I said it's not OK to sign someone's key and then post it. Generally, yes. It's a valid question: is it OK for me to post someone else's signature on my key, if they've put their signature on my key with the intent, and we have an understanding, that they want that to be public? The important thing is, it's up to me, because it's my key. However, I extend that to also show respect to the person who's done the signing. So if they've told me "I signed your key, but please don't circulate it," then I respect that. So what I do is, essentially, I take that key back onto my key ring, I see that they've signed it, I store a copy of it, and I strip the signature off the key on my key ring, because I don't need it there. It's not important for me; it's only important for them locally to have my key be valid for them. And in fact it's good, because it sort of streamlines your key ring. If you have as many keys as I do on your key ring, and I have some 1700 and something keys on my key ring right now, which is way too many, it's a very good idea to go through at least once every quarter and strip off all the extraneous keys, like keys you don't need, and people you have no idea how they got there in the first place. You know, it's like in some key block that you stuck in from somebody else, and you have this extra key for somebody you don't even know. Good question, though. There's another question over here. Yes?

[Question:] What version of PGP should Unix users be using? The question is, what version of PGP should Unix users be using? Version 1.0.1 of GPG is excellent. There's also now a command line version of 6.5 that comes, and you can download it from the Norway site, which I recommend, which is www.pgpi.org, I think it is. There are Unix versions right there, so those are the best. The GPG 1.0.1 is probably the best. It has little finicky problems, but it's getting better all the time, and if anybody is not aware, it's really the main OpenPGP implementation at this point. There are some other really nice ones, like mud and new and some other Japanese versions and stuff like that. They're all good, but GPG is generally considered to be a good benchmark standard for Unix users, and you can recompile your own version and you can add features. I don't necessarily recommend tinkering with the innards of PGP too much, because you can break things, but I don't recommend tinkering.

[Question:] Has GPG been reviewed by people? Yes, absolutely. There's an ongoing discussion about it on PGP-Users, which is a list that we maintain at CryptoRights, which is, I don't know, it's got some thousands of people on it. It's been going for years and years and years, and it moved over from the old site at Rivertown.net, but it's now at CryptoRights. You can go there by going to cryptorights.org/pgp-users and you'll see all the URLs. There's an ongoing review on alt.security.pgp. There are various lists: cryptography at c2.net, cypherpunks at toad.com, cypherpunks at cyberpass.net. Lots of people on there are talking about PGP, and if anybody's going to notice a problem it'll probably come out first on alt.security.pgp or on cypherpunks, one of those places. And there are problems from time to time, and they do get introduced into bug reports, and they do get fixed pretty quickly. So for example, when NAI, I was actually there at the time, NAI released a version of PGP 6.0.2 and it had this horrendous bug in PGPdisk, which is a commercial product. It was so bad that when we released the next version of PGP we made it freeware temporarily, and we included PGPdisk just so everybody would definitely get an upgrade of the copy, because it was generating non-random keys. It was really a bad bug, and it was a really dumb mistake on the part of the engineer who made it, and he apologized and all the way things were done. So everybody should have that fixed version. But I mean, if there's a problem with PGP it's much more likely to be found and made public than with almost any other type of communication security.

So, any other questions? Do you have time for one more question? It's 6:03 now by my clock. I'll answer the rest of this one. Yeah, your next speaker? That's a good question. Are you the next speaker? Yes, I am the next speaker. Come on up. Thanks very much for listening. My email address is not on the first floor. You can reach me at ddt at cryptolife.org. You can also reach me at ddt at economy.com, that's economy with an M in front and an S in front of me, or you can send mail to ddt at lsc.com. I have a fun thing to announce: the RSA patent is expiring on September 20th of this year. Yay! This means that a particular company, which never should have gotten a patent on this particular algorithm in the first place, is now going to have to give it up. One of the fun things that we're doing is we're going to have a big RSA patent exit party, to which we invited Jim Bidzos to come and be roasted, and we think he might even come, and it will be really fun. And we're going to have it from probably 9 o'clock in the evening until 12:01 am on the 20th of September, which I believe is a Tuesday, and it's going to be somewhere in the area. And if you want to find out more info on this, send email to rsa at lsd.com and we will put you on a list, and we'll email thousands of people with the info on where to go well in advance. Since it's September 20th, just sort of remember that day, because it's really significant. Thanks, it's been cool. Good questions, by the way. You definitely don't ask newbie questions. I appreciate it.