some beginner questions

Doug Barton dougb at
Mon Apr 3 08:25:16 CEST 2017

On 2017-04-02 16:18, Will Senn wrote:
> On 4/2/17 1:20 PM, Doug Barton wrote:
>> Some answers below, and you've already received some good answers, but
>> I have some more fundamental questions. :)
>> First, and an important question for security-related stuff generally,
>> what is your threat model? In other words, what dangers are you
>> guarding against by using PGP? You mention evangelizing your key, and
>> asking how to get more people to use PGP with you. Those are
>> reasonable questions, but the first is the most important.
> Doug, interesting term "threat model". I've seen it a few times and
> wasn't sure what it meant. Thanks for the simplified explanation. It's a
> piece of technical jargon that is part of the difficulty I saw with
> learning the OpenPGP terrain. While security folks probably dig the
> lingo, for the lay person, it's, well, interesting... I perceive my
> threat model as being 1) a risk that someone other than my intended
> recipient will gain access to information that I am sending to my
> intended recipient

Ok, for that scenario you probably don't want PGP. You probably want an
application like Signal. When PGP was invented there was nothing else
like it available. Nowadays that's not true. If you are interested
strictly in one-to-one communication, or one-to-many, Signal is a better
choice in the sense that it's much easier to use, much harder to get
wrong, and easier to get friends to opt into.

>  2) a risk that someone other than me will gain
> access to information that I want only to be accessible to me.

For that you DO want PGP, and a key can be useful, but is not necessary.
Symmetric encryption will work just as well for this use case, and is

> I envision the solution, based on my understanding of available
> (affordable) technologies as being 1) secure method of transmitting
> information asynchronously over public media and 2) a method of
> encrypting information on local storage media.

Yep, that's about right.

> As you can see above, my threat model is neither comprehensive, nor is
> it fully informed. But, it's pretty much the same story for a lot of
> folks. I have learned over the past several weeks, that key management
> is potentially a vulnerable point... I kind of suspected this, but after
> hanging out in irc for a bit and tor, I'm kinda freaked out that it's a
> more widespread problem than most folks realize - trojans are everywhere
> :).

Yes. Key management takes dedication, and knowledge. It's easy to get
wrong, and not easy to get right. Using a purpose-built app like Signal
avoids that problem.

>> On 04/01/2017 07:10 AM, Will Senn wrote:
>>> 3. I've read
>>> and other such pieces proclaiming the value of having the master key in
>>> a safe place and having subkeys on your actual devices.
>> What do you think a master key is, and why do you think it's important
>> to protect it? What kind of devices do you want to put signing subkeys
>> on? Why do you think that your use of PGP will be more secure if you
>> have a signing subkey on a device, instead of your "main key?"
> Neal pretty much spelled out a reasonable answer to these questions,

He didn't, actually. He parroted some text about them, which is more or
less correct. Also, you didn't answer my questions. :)  But I'll play
along for fun ...

> but
> I'm not having much luck signing with subkeys, so I'm not convinced this
> is worth the headache and increased complexity of key management.

It's not really that hard to do, what kind of problems are you having?
The instructions at are better, as is
the explanation. It would also be helpful to know what version of GnuPG
you're using.

I followed the instructions there and was able to successfully load the
exported key into roundcube (which I'm sending this message from to
verify that it works for others besides me) and K-9 Mail for Android
(through OpenKeychain).  I also tried moving my gnupg directory aside
and importing the exported signing-only subkey with the expected

However, that still doesn't address the "issues" with this approach. It
only works for signing, if you want to be able to decrypt messages sent
to you on your devices then you need to keep a copy of your encryption
subkey on them as well. Personally, I would argue that is a much bigger
risk in terms of compromise, as people being able to send messages
signed by my key would be an annoyance, sure. But people being able to
decrypt things that I wanted to keep secret could be potentially

That said, as long as you have a suitable passphrase your risk of key
compromise is really, really minimal, even if they did get total control
over your device. Barring coercion, the chances of someone guessing your
passphrase are near zero. And currently that's the only way to gain
access to a secret key, even if you have it in your possession.

But let's say that the worst happens, and your device is compromised by
the bad folks, and they gain control of your key as well. Let's even use
a signing-only subkey for this scenario. Now, your attackers have access
to your full list of contacts, and your e-mail (so that they can get a
solid idea of how you write). Then they send the following message to
everyone in your contact list (assume for the sake of argument that the
following is written in something close enough to your personal style to
pass with your friends and family, etc.):

Woah, dude, major bummer! My phone got stolen! Totally bogus! Not only
that, but my PGP key was on it, and now they have that too! Sucks, man! 
So here is my new key fingerprint. Please download it ASAP, revoke your
signatures on my old key, and mark it as bogus! And definitely, if you
get another message from me signed by this key, DON'T TRUST IT! That'll
be the hackers, man!

Of course, the new key that they send the fingerprint for will be one
that they have created, with all the same UID information, etc. Now this
won't fool everyone, of course; there will be some of your correspondents
who will want to verify with you, some who won't act because they don't
know what you're talking about, etc. But the usual stated goal of using
a separate signing-only key is to protect the reputation of your
certification key, and to avoid having to create a whole new key in
response to a compromise. My argument is that in the unlikely event that
the bad folks get control of your secret key (of any flavor) there is
more than enough damage that they can do with it, even if they don't get
your certification key.

Now beyond THAT, you stated that your goal is to be able to ENCRYPT your
communications on your devices, and presumably that means to decrypt as
well. You can ENcrypt using just the recipient's public key of course.
But you can't DEcrypt unless you have your own encryption subkey on the
device. See above for why that's a much more significant risk (IMO). In
light of that requirement, a sign-only subkey doesn't get you much, and
given that with a good passphrase it's essentially impossible for them
to compromise your key, even if they do get it, you're adding complexity
for little, if any, benefit.

I could go on, but I'll let you respond first in case I've already said
enough. :)

hope this helps,
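Added example, not part of Doug's message or of GnuPG itself: a small POSIX sh/awk check over `gpg --list-secret-keys --with-colons` output that reports which secret keys (certification primary, signing subkey, encryption subkey) are actually present on a device, which is the question Doug's decrypt-on-device point turns on. The listing is constructed (placeholder key IDs, dates and user ID); the field meanings follow GnuPG's colon-format documentation, with field 15 holding '#' for a stub whose secret part is kept elsewhere.

```shell
#!/bin/sh
# Parses `gpg --list-secret-keys --with-colons` output. In that format:
#   field 12 = capabilities (s=sign, e=encrypt, c=certify; upper case = usable),
#   field 15 = '#' for a stub (secret material lives elsewhere), a serial
#              number when the key is on a smartcard, '+'/empty when present.

# Constructed sample (not a real keyring): primary certify key stubbed out
# after exporting the subkeys, signing and encryption subkeys present locally.
SAMPLE_LISTING='sec:u:3072:1:0123456789ABCDEF:1491000000:::u:::cSC:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1491000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
ssb:u:3072:1:FEDCBA9876543210:1491000000::::::s::::::23:
fpr:::::::::0000000000000000000000000FEDCBA9876543210:
ssb:u:3072:1:1122334455667788:1491000000::::::e::::::23:
fpr:::::::::00000000000000000000000001122334455667788:'

# Print "keyid capabilities status" for every sec/ssb record read from stdin.
secret_key_status() {
  awk -F: '$1 == "sec" || $1 == "ssb" {
      st = "present"
      if ($15 == "#") st = "offline-stub"
      else if ($15 != "" && $15 != "+") st = "on-card"
      print $5, $12, st
  }'
}

# Exit 0 when a secret *encryption* key is in this keyring: the device can
# decrypt mail, but, as Doug argues, that key is a bigger prize than a
# signing-only subkey, so its presence is what an inventory should flag.
encryption_subkey_present() {
  secret_key_status | awk '$2 ~ /[eE]/ && $3 != "offline-stub" { found = 1 }
                           END { exit found ? 0 : 1 }'
}

printf '%s\n' "$SAMPLE_LISTING" | secret_key_status
if printf '%s\n' "$SAMPLE_LISTING" | encryption_subkey_present; then
  echo "note: a secret encryption subkey is present on this device"
fi
```

On a real machine replace the sample with `gpg --list-secret-keys --with-colons | secret_key_status`.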
