1993-01-05 - Re: RE: Acceptance of Keys

Header Data

From: Matt Willis <ASTMWILL%STETSON.bitnet@CUNYVM.CUNY.EDU>
To: cypherpunks@toad.com
Message Hash: 9e6b249774cd479463f16224985d762f43ba447ea048d4ef419d1bb6db317f84
Message ID: <01GT5PQFUPTG000224@stetson.bitnet>
Reply To: N/A
UTC Datetime: 1993-01-05 16:44:58 UTC
Raw Date: Tue, 5 Jan 93 08:44:58 PST

Raw message

From: Matt Willis <ASTMWILL%STETSON.bitnet@CUNYVM.CUNY.EDU>
Date: Tue, 5 Jan 93 08:44:58 PST
To: cypherpunks@toad.com
Subject: Re: RE: Acceptance of Keys
Message-ID: <01GT5PQFUPTG000224@stetson.bitnet>
MIME-Version: 1.0
Content-Type: text/plain


From: "Karl L. Barrus" <barrus@tree.egr.uh.edu> writes:
>       You posted some very good questions.  The reason why it is
>"unacceptable" to accept keys electronically is that you may be
>vulnerable to spoofing.  Okay, in reality, you have to realize that
>attacking cryptographic protocols is a paranoid view of things, and
>that you may not be attacked, but... if you send your public key to
>somebody, it could be possible for someone to eavesdrop, grab your
>key, substitute their own, and send that one along.  Then when someone
>responds to "you", the eavesdropper could read the message, re-encrypt
>it with the public key they stole, and send it along to you.  Then,
>you don't even know you are the victim of eavesdropping.

But we both call the same system (at least the people I x-change keys with)
usually mindvox or a private system with a respected name... and in the case of
Mindvox, we do a DCC on IRC... straight person-to-person...  to be
eavesdropping... one, they'd have to tap my line, heavy equipment needed to tap
a 16.8k HST v.42bis connection, seeing as I pretty much max out a phone line
and HST's are really picky... or two, they'd intercept a DCC on the IRC at
berkeley... but that's a 57.6k connection... however, that does seem
possible... does anyone have any suggestions on how to make e-transfers of keys
more secure, because, besides snail-mail (which would please the feds a lot) I
have no other way of getting my key to them...

>       Anyway, it all boils down to validating the keys you receive.
>Which makes it tough unless you can meet people face to face.
>However, the latest version of pgp contains an option which computes
>the md5 hash of your public key - which allows you to call someone,
>and read each other's hashes, thus completing the verification over the
>phone.  Of course, now you have to worry about receiving their correct
>phone number... :-)

geez, I didn't know it was this complicated... if someone screws with the key,
it just doesn't decode, correct?  nowadays, with MNP and ARQ-retries and all of
our little .bis buddies, not to mention the CRC's in transfer protos, wouldn't
that make an error in transfer EXTREMELY remote... so the only other way'd be
tampering and even then it just wouldn't decode, so what... you get the key
again... but I oversimplify the situation, I guess...

Oh, and I know this is going to make me sound like a complete idiot in front of
my peers, but I've always done straight transfers of keys...  how do you put
ascii keys into your keyring?  I can't seem to make MacPGP do it... sniffle...
and if the reason I can't decode the key is due to an error in transmission,
forget this entire message...

+-------Matt-Willis--------------------------------+
|       Matt Willis       ASTMWILL@STETSON.BITNET  |        elsewhere:
|       Matt Willis       Head of the Underground  | mwill@mindvox.phantom.com
|       Matt Willis          Robotech PBM List     |
+-------Matt-Willis--------------------------------+
"Absolutely alone in awareness of the mechanism." -Agrippa by WG
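
Added example (not part of the original message): the phone hash comparison from the quoted text, next to a transfer CRC of the kind the reply mentions. Constructed placeholder byte strings stand in for key material, MD5 over the raw bytes stands in for PGP's own fingerprint computation, and all function names are illustrative.

```python
import hashlib
import hmac
import zlib

# Constructed placeholder key material, not real PGP keys.
SENDER_KEY = b"constructed-public-key-material-A"
OTHER_KEY = b"constructed-public-key-material-B"

def fingerprint(key_bytes):
    """MD5 of the key bytes, grouped in hex pairs for reading aloud."""
    digest = hashlib.md5(key_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def frame(key_bytes):
    """Payload plus CRC-32, as a file-transfer protocol would send it."""
    return key_bytes, zlib.crc32(key_bytes)

def crc_ok(received):
    payload, crc = received
    return zlib.crc32(payload) == crc

def line_noise(received):
    """Flip one bit of the payload in transit; the CRC no longer matches."""
    payload, crc = received
    return bytes([payload[0] ^ 0x01]) + payload[1:], crc

def substituted(received, replacement):
    """A different key re-framed in transit; a CRC is unkeyed, so it still matches."""
    return frame(replacement)

def accept_key(received, fingerprint_from_phone):
    """Transport check first, then the out-of-band fingerprint comparison."""
    if not crc_ok(received):
        return "retransmit"
    if not hmac.compare_digest(fingerprint(received[0]), fingerprint_from_phone):
        return "reject: fingerprint mismatch"
    return "accept"

if __name__ == "__main__":
    spoken = fingerprint(SENDER_KEY)  # read over the phone by the key owner
    sent = frame(SENDER_KEY)
    print("clean transfer:  ", accept_key(sent, spoken))
    print("line noise:      ", accept_key(line_noise(sent), spoken))
    swapped = substituted(sent, OTHER_KEY)
    print("substituted key: ", accept_key(swapped, spoken), "| CRC ok:", crc_ok(swapped))
```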




