New crypto idea implemented in gpg

vedaal@hush.com
Sun Mar 9 19:14:01 2003




>Message: 1
>Date: Fri, 7 Mar 2003 13:05:42 -0500 (EST)
>From: "Brent R. Waters" <bwaters@CS.Princeton.EDU>

>> Subject: Re: New crypto idea implemented in gpg
>> From: vedaal@hush.com

>I put up a page with a couple of keys at
>http://www.cs.princeton.edu/~bwaters/research/incomparable_extra/index.html
>You can also generate your own with the code. If you can find any leakage
>of the key's source I would be interested to hear about it.
>
>If all of the Incomparable Public Keys that were equivalent were signed
>with one private key this could be a problem. For this reason the scheme
>implemented only has an encryption part and no signatures. This goes a
>little against the grain of gpg, which normally expects keys to be signed.
>
>Let me know if you come up with anything.


there seems to be a major problem with the keys as you have designed them:

who can you get to use them?

here are the error messages when trying to import the keys you posted, to gnupg {Nullify 1.2.1 // win 98}

Alice incomparable 1

gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
gpg: armor header: :public key packet:
	version 4, algo 39, created 1047056173, expires 0
	unknown algorithm 39
gpg: can't handle public key algorithm 39
:user ID packet: "Incomparable <inc@nowhere>"
gpg: pub     0?/B22A3560 2003-03-07   gpg: key B22A3560: skipped user ID 'gpg: key B22A3560: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

Time: 3/9/03 12:15:59 PM (5:15:59 PM UTC)

PGPdump Results

Old: Public Key Packet(tag 6)(396 bytes)
       Ver 4 - new
       Public key creation time - Fri Mar  7 16:56:13 UTC 2003
       Pub alg - unknown(pub 39)
       Unknown public key(pub 39)
Old: User ID Packet(tag 13)(26 bytes)
       User ID - Incomparable 


Alice incomparable 2

gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
gpg: armor header: :public key packet:
	version 4, algo 39, created 1047056173, expires 0
	unknown algorithm 39
gpg: can't handle public key algorithm 39
:user ID packet: "Incomparable <inc@nowhere>"
gpg: pub     0?/B22A3560 2003-03-07   gpg: key B22A3560: skipped user ID 'gpg: key B22A3560: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

Time: 3/9/03 12:21:29 PM (5:21:29 PM UTC)


PGPdump Results

Old: Public Key Packet(tag 6)(396 bytes)
       Ver 4 - new
       Public key creation time - Fri Mar  7 16:56:13 UTC 2003
       Pub alg - unknown(pub 39)
       Unknown public key(pub 39)
Old: User ID Packet(tag 13)(26 bytes)
       User ID - Incomparable 

private key:

gpg: armor: BEGIN PGP PRIVATE KEY BLOCK
gpg: armor header: :secret key packet:
	version 4, algo 39, created 1047056173, expires 0
	unknown algorithm 39
gpg: can't handle public key algorithm 39
:user ID packet: "Incomparable <inc@nowhere>"
gpg: sec     0?/B22A3560 2003-03-07   gpg: key B22A3560: secret key imported
gpg: Total number processed: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

- Secret keyring updated. -

Time: 3/9/03 12:47:38 PM (5:47:38 PM UTC)


even if you could get gnupg to ignore the missing self signature, and use the key anyway,
who would trust such a key for encrypted correspondence?

also, the fact that pgpdump does not recognize the key,
and both gnupg and pgpdump report the exact same errors for all the 'incomparable' keys, 
{a rather unusual error message, not encountered when ordinarily importing a public key} 
this *links* the keys to the same source


the concept you propose is interesting, and has usefulness,
but not in its present form

try re-doing it in a way that the keys can be imported and used without any special alerts, {the public keys anyway,}
and then re-posting it

my gut suspicion is that a packet link will be found when analyzing each public key thoroughly, and comparing them,

but, you never know... ;-)

good luck,

vedaal
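
An added example, not part of the original message or of the Incomparable Public Keys code: a minimal Python parser for old-format OpenPGP packet headers that reads the fields gpg and pgpdump print in the listings above (version, creation time, algorithm ID, user ID) and reports which of them are identical across two keys. The two sample keys are constructed from the header values in those listings with filler key material, and all function names are illustrative.

```python
def parse_packets(data):
    """Yield (tag, body) for each old-format OpenPGP packet in data."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if hdr & 0xC0 != 0x80:
            raise ValueError("only old-format packet headers are handled")
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate-length packets are not handled")
        nlen = 1 << ltype                      # 1, 2 or 4 length octets
        start = pos + 1 + nlen
        length = int.from_bytes(data[pos + 1:start], "big")
        if start + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[start:start + length]
        pos = start + length

def cleartext_metadata(key):
    """Fields anyone can read from a public key without understanding its algorithm."""
    meta = {}
    for tag, body in parse_packets(key):
        if tag == 6 and len(body) >= 6 and body[0] == 4:   # v4 public key packet
            meta["version"] = body[0]
            meta["created"] = int.from_bytes(body[1:5], "big")
            meta["algo"] = body[5]
            meta["key_packet_len"] = len(body)
        elif tag == 13:                                     # user ID packet
            meta["user_id"] = body.decode("utf-8", "replace")
    return meta

def shared_fields(key_a, key_b):
    """Names of cleartext fields with identical values in both keys."""
    a, b = cleartext_metadata(key_a), cleartext_metadata(key_b)
    return sorted(k for k in a if k in b and a[k] == b[k])

def make_key(material):
    """Constructed sample: header values from the listings above, filler key material."""
    body = bytes([4]) + (1047056173).to_bytes(4, "big") + bytes([39]) + material
    uid = b"Incomparable <inc@nowhere>"
    return (bytes([0x99]) + len(body).to_bytes(2, "big") + body
            + bytes([0xB4, len(uid)]) + uid)

KEY1 = make_key(b"\x01" * 390)   # constructed, not the posted keys
KEY2 = make_key(b"\x02" * 390)

if __name__ == "__main__":
    print(cleartext_metadata(KEY1))
    print("shared:", shared_fields(KEY1, KEY2))
```

Every field the comparison returns is readable without implementing algorithm 39, so differing key material alone does not make two such keys look unrelated.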


