Which type of key should I choose and why?

Paul L. Allen pla@softflare.net
Mon, 16 Oct 2000 14:50:33 +0100


[Please Cc me replies as I don't subscribe to the list]

On Mon, Oct 16, 2000 at 12:00:59PM +0100, David Pick wrote:

> > > > They'll still suspect
> > > > that you have an encryption key (possibly signed by your sign-only key)
> > > > hidden elsewhere.
> > >
> > > Sure. Which is why I suggest actually using a pair of keys (well, of
> > > course, in a public-key system a pair of key-pairs) so that if you
> > > *do* (eventually!) reveal the encryption key you don't compromise the
> > > signature key.
> >
> > That makes sense. To a degree. I'm uncertain about the practicability
> > of wiping out the signing key before they manage to kick the door in.
>
> But I don't think you have to. Provided it *is* a signing-only key they
> can't compel you to reveal it.

Provided they take your word for it that it is a signing-only key. Maybe you fiddled with the packet data somehow to make it appear to be a signing-only key. Maybe you're using a hacked version of GPG that can put a wrapper around a cryptographic hash to turn it into an encryption algorithm (it may be crude, and possibly weaker than a "real" encryption algorithm, but it works).

By the time they've taken your encryption key away and found they can't decode all your traffic, you've destroyed the "signing" key. That puts you in a situation where you can't turn over one of your encryption keys. For most people that would put them in deeper trouble from the perpetual imprisonment problem; for the types of people the gov't are really going after that might be preferable. If you're a traitor then destroying your encryption key protects the rest of the network and means it's no good them trying to rubber-hose the password out of you. You end up in prison for life but all the other moles are protected. Ditto for hardened criminals - life imprisonment with your dependents being cared for by your cronies is better than what your cronies would do to you if you grassed them up by revealing your encryption key.

They're going to want the keyring on the spot. No messing about or extracting the key you say is your only encryption key. They'll take your computer then insist on the pass phrase. We know from previous cases not involving encryption that they take the computer away anyway as the first thing they do in case there's any incriminating stuff on it. That won't stop just because they can now insist you hand over your encryption key so they can read your e-mail they've recorded. They'll want everything on your computer and they'll want to ensure you can't delete anything. The only way of doing that is to impound your computer.

In any case, they also have the legal power to sneakily break in and bug your computer. If you're under serious suspicion they'll do that in order to ensure they get your pass-phrase. That or park a van near your house for a while so they can monitor your keyboard emissions. Too expensive in resources for lightweight criminals but those are the sort of people who will give in to the threat of perpetual imprisonment.

> > > Oh, I know. I'm just trying to point out why signature-only keys can
> > > help protect your signatures if nothing else. BTW the notices *can* be
> > > challenged, but the onus is on you to justify the refusal.
> >
> > In theory, there's no difference between theory and practice; in
> > practice there is. Theoretically you can challenge, but actually
> > succeeding with a challenge is unlikely.
>
> The intent is to get a plain-text copy of the encrypted data for the
> investigators. If you are willing to decrypt the data for them and
> *supply* the plain text that should be enough.

If you can decrypt all the messages they want decrypted on the spot that ought to be enough. I doubt it will be. RIP is basically fishing-expedition stuff. They want everything on your computer *plus* the contents of any encrypted e-mail and any encrypted filesystems *plus* (in some cases) opening up your hard disk and trying to pick up deleted stuff from residual magnetic fields. They already do that sort of thing in cases where they have "reasonable grounds" to suspect the computer contains incriminating evidence ("reasonable grounds" appears to mean that they suspect you of something and you have a computer).

> If they don't trust
> you to do so completely and want to do it themselves *then* they can
> force you to give up the key. A counter-proposal from you that keeps
> the key away from them but also gives them the plain text should be
> enough. That's why I suspect the TTPs may become popular...

Don't forget they'll have your computer. They could give that to the TTP, but I doubt it will happen. Anyone you nominate they'll suspect of having a pre-arrangement with you to hide certain text. Anyone they nominate will be suspected by you of having an arrangement with the gov't to hand over secret keys. TTPs in this scenario are every bit as flawed as TTPs for key escrow. They're really Untrusted Third Parties.

If they happen the only ones the gov't will ever use are the ones who are their puppets - you'll not be able to reject their choice unless you pick another of their puppets. The police might not go along with this deliberately, but you can bet they'll be supplied a list of "approved" TTPs. The police may not get your future traffic but the spooks will. So your only sensible option after using a TTP is to revoke your encryption key and generate a new one. Which means that there's no point in using a TTP in the first place.

You can't even rig a thermite charge around your hard disk and set it off at the first signs of trouble. You'll claim you're not refusing to hand over your key but that it no longer exists so you cannot. They'll claim you have another copy hidden away somewhere (which you probably do if you're serious enough to rig up a thermite charge) and you're refusing to hand over that one...

> <snip>
> > While it would be nice for those of us who are not criminals but do
> > wish to keep our privacy, I don't see the gov't allowing it. They don't
> > just want your past traffic, they want anything that might come your way
> > in the future.
>
> So you revoke your encryption key and publish a new one; you don't have
> to revoke your signature key and can use it to sign the revocation and
> new encryption key.

That won't stop messages coming in using the old key until you manage to get the revocation published. Which is hard to do when you're in a police cell while they read through all the plaintext you've just supplied them (and "follow up leads found in the plaintext"). And then they'll want those new messages decrypted and the leads followed up, by which time some more will have come in... The only way to escape that trap if you get a lot of encrypted mail is to hand over the pass-phrase at the start. Eventually, the mail will dry up in most cases, but it could take a long time for some people. Subscribing to a mailing list that encrypts mail sent to recipients would be a bad idea...

[...]

> > Getting your encryption key also gives them traffic analysis.
>
> The phrase "traffic analysis" in these circles normally refers to
> an analysis of the patterns of messages between communicating parties
> without reference to the content. For example, sudden changes in the
> volume of battlefield radio traffic from the enemy usually warns of
> *something* nasty about to happen...
>
> I suspect you mean they get the content of past messages they've
> tapped and recorded.

Nope, I mean that they find out who you've been communicating with if you were using an anonymous remailer. Even if the content to and from one particular person was always innocuous, they'll still be suspicious of that person. Similarly, if that person is also under suspicion or has known past history, that will throw further suspicion upon you no matter what the content of the mail (can you say "known associate"? - if you chat to somebody in the pub every so often and you have no idea he's really a criminal, you can still end up under investigation as a known associate). And if you've been corresponding with that nice young Bulgarian lady (or gent, if you're that way inclined) you met on holiday...

Technically, finding out who you've been corresponding with via an anonymous remailer involves reading the decrypted content, but it is actually also traffic analysis - it tells them who you've been corresponding with and how often. Even if the content looks innocuous you could have been using a code underneath the cipher, so the traffic analysis aspect is important.

> <snip - and *I* didn't take it as a rant ;->
> > Rant over...

Not really appropriate here, though. Except to the extent that the only way we're going to be relatively safe is if more people use GPG so that they don't have the resources to go after everyone. It's ironic. The US finally allows export of strong encryption; France drops its ban on the use of strong encryption; the UK enacts legislation that kills privacy on the net and civil liberties and exceeds anything the US has tried to put into place in the past.

> <snip again>
>
> > Trouble is, one of the reasons I'm looking at GPG is for use with
> > automated verification systems used by various domain registrars.
> > They use PGP but don't say what version.
>
> And I'd bet the registries don't agree between themselves!

Possibly not. But there's slightly more chance of a different version of PGP operating with what they're using, it looks like. What with your mention of version 3 and 4 packets, and GPG's mention of some packet field incompatibilities, it's starting to look like I'll have to go for PGP to be on the safe side. If the registrars had thought of checking or ensuring GPG interoperability they'd tell us to use PGP or GPG. The only way of being sure is to try it, and it's probably not worth the extra time and effort involved if it doesn't work.

> > > There's also a module implementing the AES selection, Rijndael,
> > > already...
> >
> > So I noticed, although I hadn't realized that was the AES selection. To
> > be honest, if they're happy with it, I'm not, given the political
> > constraints they probably operated under...
>
> Given how public NIST were, I'm fairly happy. It'll certainly get more
> intensive cryptanalysis for the next few years.

Yep, but I reckon the NSA must believe it's within their capabilities (even if only just and only for a very small number of messages per week) to crack or it wouldn't have been allowed to be chosen. No matter how public NIST were, you cannot know what out-of-band communications were taking place between them and the NSA (but you can guess). Certainly the NSA would have been consulted about the strengths of the algorithms in case they knew of serious flaws. It would be easy for them to say they knew of a flaw but they couldn't reveal what it was for security reasons (like it would alert the Russians to the fact that their favourite cipher had the same flaw). A few fiddles like that could knock out a couple of good candidates (with NIST inventing plausible excuses for dropping them) and leave one the NSA prefer in its place. I don't say it happened, just that you can't be sure it didn't.

-- 
Paul

-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail with a subject of "unsubscribe" to gnupg-users-request@gnupg.org