paperkey // ? feature request

Robert J. Hansen rjh at sixdemonbag.org
Tue Feb 10 22:44:01 CET 2009 

vedaal at hush.com wrote:
> the situation i was describing is something like this:

Right.  This is a use case for symmetric crypto.

> [1] 'very-important-secret' encrypted in ascii armored form to 
> unpublished public key using throw-keyid option 

So only someone with the private key can decrypt it.  Okay.  How do you
communicate the private key with your intended recipients?  And how is
communicating the private key with your intended recipients different
from the key distribution problem when using symmetric crypto?

> [2] above mentioned message posted anonymously to newsgroup like 
> comp.security.pgp.test 
> from internet cafe, 
> (pre-paid in cash, using new usb drive with nothing else on it)

USB tokens have GUIDs, Globally Unique Identifiers.  Computers keep
track of what GUIDs they've seen.  If the secret police get access to
the PC, then they know "ah, someone used GnuPG on a USB token, with a
GUID of...", etc.  That USB token can now be connected to you.

Okay, so the obvious tactic is to dispose of it.  But how?  Losing
and/or destroying things reliably is pretty hard.[1]  If you lose track
of your car keys for thirty seconds you'll spend a week finding them; if
you flush a USB token down the toilet a plumber will be called out five
minutes later to find out what's causing the clog.  Call it the spy's
version of Murphy's Law.

Digital forensics is the field which concerns itself with pulling
information you didn't believe existed out of places you didn't believe
it could be found.  Digital forensicists run the gamut from rank
amateurs to hardcore professionals who can recover a CD-R that's been
put through a crosscut shredder.[2]

DF is interesting stuff.  If you're serious about wanting to come up
with effective spy-versus-spy techniques, then I'd strongly recommend
reading up on DF.  The more you know about the capabilities of the
people who are trying to recover your secrets, the more you'll know
about how to make life difficult on them.






[1] I was recently told of a case where a mobster swallowed a micro-SD
card.  The mobster thought the stomach acids would destroy it.  The
authorities held onto him a few days, extracted the evidence when it
made its appearance, and discovered it worked just fine.

[2] I had sushi with a colleague of the guy who recovered the crosscut
CD-R.  They gave that task to him person specifically because of his
severe OCD.  The guy later said it was the happiest month he'd ever
worked: he was allowed to indulge his OCD for 16 hours a day and
everybody left him alone.

More information about the Gnupg-users mailing list