
InfoWar Epilogue 7 (Part III of 'The True Story of the InterNet')



Title: The True Story of the Internet Part II


The True Story of the InterNet
Part III

InfoWar

Final Frontier of the Digital Revolution

Behind the ElectroMagnetic Curtain

by TruthMonger <[email protected]>

Copyright 1997 Pearl Publishing



InfoWar Table of Contents


Epilogue

Discoveries of any great moment in mathematics and other disciplines, once they are discovered, are seen to be extremely simple and obvious, and make everybody, including their discoverer, appear foolish for not having discovered them before. It is all too often forgotten that the ancient symbol for prenascence of the world is a fool, and that foolishness, being a divine state, is not a condition to be either proud or ashamed of.

Unfortunately, we find systems of education today that have departed so far from the plain truth that they now teach us to be proud of what we know and ashamed of ignorance. This is doubly corrupt. It is corrupt not only because pride in knowledge is to put an effective barrier against any advance upon what is already known, since it makes one ashamed to look beyond the bounds imposed by one's ignorance.

To any person prepared to enter with respect into the realm of his great and universal ignorance, the secrets of being will eventually unfold, and they will do so in a measure according to his freedom from natural and indoctrinated shame in his respect of their revelation.

In the face of the strong, and indeed violent, social pressures against it, few people have been prepared to take this simple and satisfying course toward sanity. And in a society where a prominent psychiatrist can advertise that, given the chance, he would have treated Newton to electric shock therapy, who can blame any person for being afraid to do so?

To arrive at the simplest truth, as Newton knew and practiced, requires years of contemplation. Not an activity. Not reasoning. Not calculating. Not busy behavior of any kind. Not reading. Not talking. Not making an effort. Not thinking. Simply bearing in mind what it is one needs to know. And yet those with the courage to tread this path to real discovery are not only offered practically no guidance on how to do so, they are actively discouraged and have to set about it in secret, pretending meanwhile to be diligently engaged in the frantic diversions and to conform with the deadening personal opinions that are being continually thrust upon them.

In these circumstances, the discoveries that any person is able to undertake represent the places where, in the face of induced psychosis, he has, by his own faltering and unaided efforts, returned to sanity. Painfully, and even dangerously, maybe. But nonetheless returned, however furtively. -G. Spencer Brown.*

* The Laws of Form, London: Geo. Allen & Unwin, 1969.


"Whatever you do will be insignificant, but it is very important that you do it."
-Mahatma Gandhi


I Broke PGP!

by RTFM

How to Protect Public Keys from Tampering

In a public key cryptosystem, you don't have to protect public keys from exposure. In fact, it's better if they are widely disseminated. But it is important to protect public keys from tampering, to make sure that a public key really belongs to whom it appears to belong to. This may be the most important vulnerability of a public-key cryptosystem.

This whole business of protecting public keys from tampering is the single most difficult problem in practical public key applications.  It is the Achilles' heel of public key cryptography, and a lot of software complexity is tied up in solving this one problem.

You should use a public key only after you are sure that it is a good public key that has not been tampered with, and actually belongs to the person it claims to. You can be sure of this if you got this public key certificate directly from its owner, or if it bears the signature of someone else that you trust, from whom you already have a good public key. Also, the user ID should have the full name of the key's owner, not just her first name.

No matter how tempted you are-- and you will be tempted-- never, NEVER give in to expediency and trust a public key you downloaded from a bulletin board, unless it is signed by someone you trust.  That uncertified public key could have been tampered with by anyone, maybe even by the system administrator of the bulletin board.


SECONDS: What is the hysteria to protect children from so-called obscene stuff?

GINSBERG: It's a demagogic political issue that can be used to divert attention from deeper corruptions like the S&L scandal or the rape of the planet by the post-industrial nations. Although we conquered literary censorship in books between the years '58 and '62 when, through a series of trials, Henry Miller, Lady Chatterley's Lover by D.H. Lawrence, Naked Lunch and Howl were all cleared and declared to be protected by the Constitution. That same kind of censorship which was used on literature and film now only applies to the main marketplace of ideas, electronic broadcasting.

SECONDS: Why do they want to censor things? Why don't they want people to become sexually excited?

GINSBERG: As Plato pointed out, "When the mode of music changes, the walls of the city shake." So when you have modern free speech in idiomatic language that people can understand and are interested in, immediately it becomes a political issue. Demagogues want to hush it up because people get to know too much. If you can get people by the balls you control their most deep-seated emotions, which are erotic. Once you control that you control all the other emotions. You take emotional control, blank out the Eros, and substitute a lot of violence.


Vulnerabilities
===============

No data security system is impenetrable. PGP can be circumvented in a variety of ways. In any data security system, you have to ask  yourself if the information you are trying to protect is more  valuable to your attacker than the cost of the attack. This should  lead you to protecting yourself from the cheapest attacks, while not worrying about the more expensive attacks.

Some of the discussion that follows may seem unduly paranoid, but such an attitude is appropriate for a reasonable discussion of  vulnerability issues.  

Compromised Pass Phrase and Secret Key

Probably the simplest attack is if you leave your pass phrase for your secret key written down somewhere. If someone gets it and also gets your secret key file, they can read your messages and make  signatures in your name.

Don't use obvious passwords that can be easily guessed, such as the names of your kids or spouse. If you make your pass phrase a single word, it can be easily guessed by having a computer try all the words in the dictionary until it finds your password. That's why a pass phrase is so much better than a password. A more sophisticated  attacker may have his computer scan a book of famous quotations to find your pass phrase. An easy to remember but hard to guess pass phrase can be easily constructed by some creatively nonsensical  sayings or very obscure literary quotes.

For further details, see the section "How to Protect Secret Keys from Disclosure" in the Essential Topics volume of the PGP User's Guide. 

Public Key Tampering

A major vulnerability exists if public keys are tampered with. This may be the most crucially important vulnerability of a public key cryptosystem, in part because most novices don't immediately recognize it. The importance of this vulnerability, and appropriate  hygienic countermeasures, are detailed in the section "How to Protect Public Keys from Tampering" in the Essential Topics volume.

To summarize: When you use someone's public key, make certain it has not been tampered with. A new public key from someone else should be trusted only if you got it directly from its owner, or if it has been signed by someone you trust. Make sure no one else can tamper with your own public key ring. Maintain physical control of both your  public key ring and your secret key ring, preferably on your own  personal computer rather than on a remote timesharing system. Keep a backup copy of both key rings. 
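The two rules above ("How to Protect Public Keys from Tampering" and this summary) reduce to a small recursive check over a key ring. The following Go program is an added illustration, not code from PGP or from the guide's author: it models certifications as Ed25519 signatures over the (public key, user ID) binding, and accepts a key only if it was obtained directly from its owner or is certified by a trusted introducer whose own key passes the same test. All names, keys and the `Ring`/`Certify` API are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
)

// Certification is one key holder's signature over another key's (public key, user ID) binding.
type Certification struct {
	SignerID string
	Sig      []byte
}

// Ring is a public key ring plus what the guide says you must track: keys got directly from their owners, and whose certifications you trust.
type Ring struct {
	Keys        map[string]ed25519.PublicKey // keyed by user ID (the guide wants the full name)
	Certs       map[string][]Certification  // certifications carried by each key
	Direct      map[string]bool             // obtained in person from the owner: a good key
	Introducers map[string]bool             // owners whose signatures on other keys you trust
}

// bindingDigest hashes (public key, user ID) with a separator so the pair cannot be re-split.
func bindingDigest(pub ed25519.PublicKey, userID string) []byte {
	buf := make([]byte, 0, len(pub)+1+len(userID)) // fresh buffer: never append into pub's own storage
	h := sha256.Sum256(append(append(append(buf, pub...), 0), userID...))
	return h[:]
}

// Certify produces signerID's certification of the subject's key/user-ID binding.
func Certify(priv ed25519.PrivateKey, signerID string, pub ed25519.PublicKey, userID string) Certification {
	return Certification{SignerID: signerID, Sig: ed25519.Sign(priv, bindingDigest(pub, userID))}
}

// IsGood applies the guide's rule: a key is good only if it came directly from its owner,
// or carries a verifying certification from a trusted introducer whose own key is good.
func (r Ring) IsGood(userID string) bool { return r.isGood(userID, map[string]bool{}) }

func (r Ring) isGood(userID string, visiting map[string]bool) bool {
	pub, known := r.Keys[userID]
	if r.Direct[userID] || !known || visiting[userID] {
		return r.Direct[userID] // unknown keys and certification loops prove nothing
	}
	visiting[userID] = true
	for _, c := range r.Certs[userID] {
		if signer, ok := r.Keys[c.SignerID]; ok && r.Introducers[c.SignerID] &&
			r.isGood(c.SignerID, visiting) && ed25519.Verify(signer, bindingDigest(pub, userID), c.Sig) {
			return true
		}
	}
	return false
}

// DemoRing builds a constructed ring (every name and key is made up): Alice was met in person
// and is trusted to introduce; Bob is certified by Alice; Dave's public key is swapped for an
// impostor's after Alice certified it (tampering); Carol is certified only by untrusted Mallory.
func DemoRing() Ring {
	keys, privs := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, id := range []string{"Alice Smith", "Bob Jones", "Dave Brown", "Mallory Gray", "Carol White", "impostor"} {
		pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
		if err != nil {
			panic(err)
		}
		keys[id], privs[id] = pub, priv
	}
	certs := map[string][]Certification{
		"Bob Jones":   {Certify(privs["Alice Smith"], "Alice Smith", keys["Bob Jones"], "Bob Jones")},
		"Dave Brown":  {Certify(privs["Alice Smith"], "Alice Smith", keys["Dave Brown"], "Dave Brown")},
		"Carol White": {Certify(privs["Mallory Gray"], "Mallory Gray", keys["Carol White"], "Carol White")},
	}
	keys["Dave Brown"] = keys["impostor"] // the tampering: the certification no longer matches the key
	delete(keys, "impostor")
	return Ring{Keys: keys, Certs: certs, Direct: map[string]bool{"Alice Smith": true},
		Introducers: map[string]bool{"Alice Smith": true}}
}
```

Calling `DemoRing().IsGood` on each name shows only Alice and Bob accepted; the swapped key and the key vouched for by a stranger are rejected, and a pair of keys that only certify each other never becomes good.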

"Not Quite Deleted" Files

Another potential security problem is caused by how most operating  systems delete files. When you encrypt a file and then delete the original plaintext file, the operating system doesn't actually  physically erase the data. It merely marks those disk blocks as deleted, allowing the space to be reused later. It's sort of like discarding sensitive paper documents in the paper recycling bin  instead of the paper shredder. The disk blocks still contain the original sensitive data you wanted to erase, and will probably  eventually be overwritten by new data at some point in the future.  If an attacker reads these deleted disk blocks soon after they have been deallocated, he could recover your plaintext.

In fact this could even happen accidentally, if for some reason  something went wrong with the disk and some files were accidentally  deleted or corrupted. A disk recovery program may be run to recover  the damaged files, but this often means some previously deleted files are resurrected along with everything else. Your confidential files that you thought were gone forever could then reappear and be  inspected by whomever is attempting to recover your damaged disk.  Even while you are creating the original message with a word processor or text editor, the editor may be creating multiple  temporary copies of your text on the disk, just because of its  internal workings. These temporary copies of your text are deleted  by the word processor when it's done, but these sensitive fragments  are still on your disk somewhere.

Let me tell you a true horror story. I had a friend, married with young children, who once had a brief and not very serious affair.  She wrote a letter to her lover on her word processor, and deleted  the letter after she sent it. Later, after the affair was over, the floppy disk got damaged somehow and she had to recover it because it contained other important documents. She asked her husband to  salvage the disk, which seemed perfectly safe because she knew she had deleted the incriminating letter. Her husband ran a commercial  disk recovery software package to salvage the files. It recovered  the files all right, including the deleted letter. He read it, which  set off a tragic chain of events.

The only way to prevent the plaintext from reappearing is to somehow  cause the deleted plaintext files to be overwritten. Unless you know for sure that all the deleted disk blocks will soon be reused, you must take positive steps to overwrite the plaintext file, and also any fragments of it on the disk left by your word processor. You can overwrite the original plaintext file after encryption by using the PGP -w (wipe) option. You can take care of any fragments of the  plaintext left on the disk by using any of the disk utilities  available that can overwrite all of the unused blocks on a disk. For example, the Norton Utilities for MSDOS can do this.

Even if you overwrite the plaintext data on the disk, it may still be possible for a resourceful and determined attacker to recover the data. Faint magnetic traces of the original data remain on the disk after it has been overwritten. Special sophisticated disk recovery  hardware can sometimes be used to recover the data. 

Viruses and Trojan Horses

Another attack could involve a specially-tailored hostile computer  virus or worm that might infect PGP or your operating system. This hypothetical virus could be designed to capture your pass phrase or secret key or deciphered messages, and covertly write the captured  information to a file or send it through a network to the virus's  owner. Or it might alter PGP's behavior so that signatures are not properly checked. This attack is cheaper than cryptanalytic attacks.

Defending against this falls under the category of defending against  viral infection generally. There are some moderately capable  anti-viral products commercially available, and there are hygienic  procedures to follow that can greatly reduce the chances of viral  infection. A complete treatment of anti-viral and anti-worm countermeasures is beyond the scope of this document. PGP has no defenses against viruses, and assumes your own personal computer is a trustworthy execution environment. If such a virus or worm actually  appeared, hopefully word would soon get around warning everyone.

Another similar attack involves someone creating a clever imitation  of PGP that behaves like PGP in most respects, but doesn't work the way it's supposed to. For example, it might be deliberately crippled  to not check signatures properly, allowing bogus key certificates to be accepted. This "Trojan horse" version of PGP is not hard for an attacker to create, because PGP source code is widely available, so anyone could modify the source code and produce a lobotomized zombie imitation PGP that looks real but does the bidding of its diabolical  master. This Trojan horse version of PGP could then be widely  circulated, claiming to be from me. How insidious.

You should make an effort to get your copy of PGP from a reliable  source, whatever that means. Or perhaps from more than one independent source, and compare them with a file comparison utility.

There are other ways to check PGP for tampering, using digital  signatures. If someone you trust signs the executable version of PGP, vouching for the fact that it has not been infected or tampered  with, you can be reasonably sure that you have a good copy. You  could use an earlier trusted version of PGP to check the signature on a later suspect version of PGP. But this will not help at all if your operating system is infected, nor will it detect if your  original copy of PGP.EXE has been maliciously altered in such a way as to compromise its own ability to check signatures. This test also assumes that you have a good trusted copy of the public key that you use to check the signature on the PGP executable.

I recommend you not trust your copy of PGP unless it was originally  distributed by MIT or ViaCrypt, or unless it comes with a digitally  signed endorsement from me. Every new version comes with one or more digital signatures in the distribution package, signed by the  originator of that release package. This is usually someone representing MIT or ViaCrypt, or whoever released that version.  Check the signatures on the version that you get. I have actually  seen several bogus versions of PGP distribution packages, even from apparently reliable freeware distribution channels such as CD-ROM  distributors and CompuServe. Always check the signature when you get a new version. 

Physical Security Breach

A physical security breach may allow someone to physically acquire  your plaintext files or printed messages. A determined opponent  might accomplish this through burglary, trash-picking, unreasonable  search and seizure, or bribery, blackmail or infiltration of your  staff. Some of these attacks may be especially feasible against  grassroots political organizations that depend on a largely volunteer  staff. It has been widely reported in the press that the FBI's  COINTELPRO program used burglary, infiltration, and illegal bugging  against antiwar and civil rights groups. And look what happened at the Watergate Hotel.

Don't be lulled into a false sense of security just because you have a cryptographic tool. Cryptographic techniques protect data only  while it's encrypted-- direct physical security violations can still compromise plaintext data or written or spoken information.

This kind of attack is cheaper than cryptanalytic attacks on PGP.  

Tempest Attacks

Another kind of attack that has been used by well-equipped opponents  involves the remote detection of the electromagnetic signals from  your computer. This expensive and somewhat labor-intensive attack is probably still cheaper than direct cryptanalytic attacks. An  appropriately instrumented van can park near your office and remotely  pick up all of your keystrokes and messages displayed on your  computer video screen. This would compromise all of your passwords,  messages, etc. This attack can be thwarted by properly shielding all of your computer equipment and network cabling so that it does not emit these signals. This shielding technology is known as "Tempest",  and is used by some Government agencies and defense contractors.  There are hardware vendors who supply Tempest shielding commercially,  although it may be subject to some kind of Government licensing. Now why do you suppose the Government would restrict access to Tempest  shielding?

Exposure on Multi-user Systems

PGP was originally designed for a single-user MSDOS machine under your direct physical control. I run PGP at home on my own PC, and unless someone breaks into my house or monitors my electromagnetic emissions, they probably can't see my plaintext files or secret keys.

But now PGP also runs on multi-user systems such as UNIX and VAX/VMS.  On multi-user systems, there are much greater risks of your plaintext  or keys or passwords being exposed. The Unix system administrator or a clever intruder can read your plaintext files, or perhaps even use special software to covertly monitor your keystrokes or read what's  on your screen. On a Unix system, any other user can read your  environment information remotely by simply using the Unix "ps"  command. Similar problems exist for MSDOS machines connected on a local area network. The actual security risk is dependent on your particular situation. Some multi-user systems may be safe because  all the users are trusted, or because they have system security  measures that are safe enough to withstand the attacks available to the intruders, or because there just aren't any sufficiently interested intruders. Some Unix systems are safe because they are only used by one user-- there are even some notebook computers  running Unix. It would be unreasonable to simply exclude PGP from running on all Unix systems.

PGP is not designed to protect your data while it is in plaintext  form on a compromised system. Nor can it prevent an intruder from using sophisticated measures to read your secret key while it is being used. You will just have to recognize these risks on multi-user systems, and adjust your expectations and behavior  accordingly. Perhaps your situation is such that you should consider  running PGP only on an isolated single-user system under your direct physical control. That's what I do, and that's what I recommend.

Traffic Analysis

Even if the attacker cannot read the contents of your encrypted  messages, he may be able to infer at least some useful information by observing where the messages come from and where they are going, the size of the messages, and the time of day the messages are sent.  This is analogous to the attacker looking at your long distance phone bill to see who you called and when and for how long, even though the actual content of your calls is unknown to the attacker. This is called traffic analysis. PGP alone does not protect against traffic  analysis. Solving this problem would require specialized  communication protocols designed to reduce exposure to traffic  analysis in your communication environment, possibly with some  cryptographic assistance.

Protecting Against Bogus Timestamps

A somewhat obscure vulnerability of PGP involves dishonest users creating bogus timestamps on their own public key certificates and signatures. You can skip over this section if you are a casual user and aren't deeply into obscure public key protocols.

There's nothing to stop a dishonest user from altering the date and time setting of his own system's clock, and generating his own public key certificates and signatures that appear to have been created at a different time. He can make it appear that he signed something  earlier or later than he actually did, or that his public/secret key pair was created earlier or later. This may have some legal or  financial benefit to him, for example by creating some kind of  loophole that might allow him to repudiate a signature.

I think this problem of falsified timestamps in digital signatures is no worse than it is already in handwritten signatures. Anyone may write a date next to their handwritten signature on a contract with any date they choose, yet no one seems to be alarmed over this state of affairs. In some cases, an "incorrect" date on a handwritten signature might not be associated with actual fraud. The timestamp  might be when the signator asserts that he signed a document, or maybe when he wants the signature to go into effect.

In situations where it is critical that a signature be trusted to have the actual correct date, people can simply use notaries to  witness and date a handwritten signature. The analog to this in digital signatures is to get a trusted third party to sign a signature certificate, applying a trusted timestamp. No exotic or overly formal protocols are needed for this. Witnessed signatures  have long been recognized as a legitimate way of determining when a document was signed.

A trustworthy Certifying Authority or notary could create notarized  signatures with a trustworthy timestamp. This would not necessarily  require a centralized authority. Perhaps any trusted introducer or disinterested party could serve this function, the same way real  notary publics do now. When a notary signs other people's signatures, it creates a signature certificate of a signature  certificate. This would serve as a witness to the signature the same way real notaries now witness handwritten signatures. The notary  could enter the detached signature certificate (without the actual  whole document that was signed) into a special log controlled by the notary. Anyone can read this log. The notary's signature would have a trusted timestamp, which might have greater credibility or more  legal significance than the timestamp in the original signature.

There is a good treatment of this topic in Denning's 1983 article in IEEE Computer (see references). Future enhancements to PGP might  have features to easily manage notarized signatures of signatures,  with trusted timestamps.

Cryptanalysis

An expensive and formidable cryptanalytic attack could possibly be mounted by someone with vast supercomputer resources, such as a Government intelligence agency. They might crack your RSA key by using some new secret factoring breakthrough. Perhaps so, but it is noteworthy that the US Government trusts the RSA algorithm enough in some cases to use it to protect its own nuclear weapons, according to Ron Rivest. And civilian academia has been intensively attacking it without success since 1978.

Perhaps the Government has some classified methods of cracking the IDEA(TM) conventional encryption algorithm used in PGP. This is every cryptographer's worst nightmare. There can be no absolute  security guarantees in practical cryptographic implementations.

Still, some optimism seems justified. The IDEA algorithm's designers  are among the best cryptographers in Europe. It has had extensive  security analysis and peer review from some of the best cryptanalysts  in the unclassified world. It appears to have some design advantages  over the DES in withstanding differential and linear cryptanalysis,  which have both been used to crack the DES.

Besides, even if this algorithm has some subtle unknown weaknesses,  PGP compresses the plaintext before encryption, which should greatly  reduce those weaknesses. The computational workload to crack it is likely to be much more expensive than the value of the message.

If your situation justifies worrying about very formidable attacks of this caliber, then perhaps you should contact a data security  consultant for some customized data security approaches tailored to your special needs. Boulder Software Engineering, whose address and phone are given at the end of this document, can provide such  services. 

In summary, without good cryptographic protection of your data  communications, it may have been practically effortless and perhaps  even routine for an opponent to intercept your messages, especially  those sent through a modem or E-mail system. If you use PGP and  follow reasonable precautions, the attacker will have to expend far more effort and expense to violate your privacy.

If you protect yourself against the simplest attacks, and you feel confident that your privacy is not going to be violated by a determined and highly resourceful attacker, then you'll probably be safe using PGP. PGP gives you Pretty Good Privacy.

Copyright Anonymous <[email protected]>


Son, if you think it appropriate, you might tell your mom: The Aztecs were extremely clean. The Spanish conquistadors were extremely dirty. The Spaniards won.

LMBoyd Web Site


"The Xenix Chainsaw Massacre"

"WebWorld & the Mythical Circle of Eunuchs"

"InfoWar (Part III of 'The True Story of the InterNet')"

Soviet Union Sickle of Eunuchs Secret WebSite