From: “Philip R. Zimmermann” <prz@acm.org>
To: cypherpunks@toad.com
Message Hash: 0d0885a4d7930927733e0212e863da533aa4f9f9d04407b8abd5e3f5970157f4
Message ID: <345306C3.3014@acm.org>
Reply To: N/A
UTC Datetime: 1997-10-26 09:18:59 UTC
Raw Date: Sun, 26 Oct 1997 17:18:59 +0800
From: "Philip R. Zimmermann" <prz@acm.org>
Date: Sun, 26 Oct 1997 17:18:59 +0800
To: cypherpunks@toad.com
Subject: InfoWar Epilogue 7 / TEXT
Message-ID: <345306C3.3014@acm.org>
MIME-Version: 1.0
Content-Type: text/plain
----------------------------------------------------------------------------
----------------------------------------------------------------------------
The True Story of the InterNet
Part III
InfoWar
Final Frontier of the Digital Revolution
Behind the ElectroMagnetic Curtain
by TruthMonger <tm@dev.null>
Copyright 1997 Pearl Publishing
----------------------------------------------------------------------------
----------------------------------------------------------------------------
InfoWar Table of Contents
* Epilogue
* I Broke PGP!
----------------------------------------------------------------------------
* When ignorance is bliss, it is folly to be wise.
----------------------------------------------------------------------------
Epilogue
----------------------------------------------------------------------------
Discoveries of any great moment in mathematics and other disciplines, once
they are discovered, are seen to be extremely simple and obvious, and make
everybody, including their discoverer, appear foolish for not having
discovered them before. It is all too often forgotten that the ancient
symbol for prenascence of the world is a fool, and that foolishness, being a
divine state, is not a condition to be either proud or ashamed of.
Unfortunately, we find systems of education today that have departed so far
from the plain truth that they now teach us to be proud of what we know and
ashamed of ignorance. This is doubly corrupt. It is corrupt not only because
pride in knowledge is to put an effective barrier against any advance upon
what is already known, since it makes one ashamed to look beyond the bounds
imposed by one's ignorance.
To any person prepared to enter with respect into the realm of his great and
universal ignorance, the secrets of being will eventually unfold, and they
will do so in a measure according to his freedom from natural and
indoctrinated shame in his respect of their revelation.
In the face of the strong, and indeed violent, social pressures against it,
few people have been prepared to take this simple and satisfying course
toward sanity. And in a society where a prominent psychiatrist can advertise
that, given the chance, he would have treated Newton to electric shock
therapy, who can blame any person for being afraid to do so?
To arrive at the simplest truth, as Newton knew and practiced, requires
years of contemplation. Not an activity. Not reasoning. Not calculating. Not
busy behavior of any kind. Not reading. Not talking. Not making an effort.
Not thinking. Simply bearing in mind what it is one needs to know. And yet
those with the courage to tread this path to real discovery are not only
offered practically no guidance on how to do so, they are actively
discouraged and have to set about it in secret, pretending meanwhile to be
diligently engaged in the frantic diversions and to conform with the
deadening personal opinions that are being continually thrust upon them.
In these circumstances, the discoveries that any person is able to undertake
represent the places where, in the face of induced psychosis, he has, by his
own faltering and unaided efforts, returned to sanity. Painfully, and even
dangerously, maybe. But nonetheless returned, however furtively.
-G. Spencer Brown*
* The Laws of Form, London: Geo. Allen & Unwin, 1969.
----------------------------------------------------------------------------
"Whatever you do will be insignificant, but it is very important that you do
it."
-Mahatma Gandhi
----------------------------------------------------------------------------
----------------------------------------------------------------------------
I Broke PGP!
by RTFM
How to Protect Public Keys from Tampering
In a public key cryptosystem, you don't have to protect public keys from
exposure. In fact, it's better if they are widely disseminated. But it is
important to protect public keys from tampering, to make sure that a public
key really belongs to whom it appears to belong to. This may be the most
important vulnerability of a public-key cryptosystem.
This whole business of protecting public keys from tampering is the single
most difficult problem in practical public key applications. It is the
Achilles' heel of public key cryptography, and a lot of software complexity
is tied up in solving this one problem.
You should use a public key only after you are sure that it is a good public
key that has not been tampered with, and actually belongs to the person it
claims to. You can be sure of this if you got this public key certificate
directly from its owner, or if it bears the signature of someone else that
you trust, from whom you already have a good public key. Also, the user ID
should have the full name of the key's owner, not just her first name.
No matter how tempted you are-- and you will be tempted-- never, NEVER give
in to expediency and trust a public key you downloaded from a bulletin
board, unless it is signed by someone you trust. That uncertified public
key could have been tampered with by anyone, maybe even by the system
administrator of the bulletin board.
----------------------------------------------------------------------------
SECONDS: What is the hysteria to protect children from so-called obscene
stuff?
GINSBERG: It's a demagogic political issue that can be used to divert
attention from deeper corruptions like the S&L scandal or the rape of the
planet by the post-industrial nations. Although we conquered literary
censorship in books between the years '58 and '62 when, through a series of
trials, Henry Miller, Lady Chatterley's Lover by D.H. Lawrence, Naked Lunch
and Howl were all cleared and declared to be protected by the Constitution.
That same kind of censorship which was used on literature and film now only
applies to the main marketplace of ideas, electronic broadcasting.
SECONDS: Why do they want to censor things? Why don't they want people to
become sexually excited?
GINSBERG: As Plato pointed out, "When the mode of music changes, the walls
of the city shake." So when you have modern free speech in idiomatic
language that people can understand and are interested in, immediately it
becomes a political issue. Demagogues want to hush it up because people get
to know too much. If you can get people by the balls you control their most
deep-seated emotions, which are erotic. Once you control that you control
all the other emotions.
You take emotional control, blank out the Eros, and substitute a lot of
violence.
----------------------------------------------------------------------------
Vulnerabilities
===============
No data security system is impenetrable. PGP can be circumvented in a
variety of ways. In any data security system, you have to ask yourself if
the information you are trying to protect is more valuable to your attacker
than the cost of the attack. This should lead you to protecting yourself
from the cheapest attacks, while not worrying about the more expensive
attacks.
Some of the discussion that follows may seem unduly paranoid, but such an
attitude is appropriate for a reasonable discussion of vulnerability
issues.
Compromised Pass Phrase and Secret Key
Probably the simplest attack is if you leave your pass phrase for your
secret key written down somewhere. If someone gets it and also gets your
secret key file, they can read your messages and make signatures in your
name.
Don't use obvious passwords that can be easily guessed, such as the names of
your kids or spouse. If you make your pass phrase a single word, it can be
easily guessed by having a computer try all the words in the dictionary
until it finds your password. That's why a pass phrase is so much better
than a password. A more sophisticated attacker may have his computer scan a
book of famous quotations to find your pass phrase. An easy to remember but
hard to guess pass phrase can be easily constructed by some creatively
nonsensical sayings or very obscure literary quotes.
For further details, see the section "How to Protect Secret Keys
from Disclosure" in the Essential Topics volume of the PGP User's Guide.
Public Key Tampering
A major vulnerability exists if public keys are tampered with. This may be
the most crucially important vulnerability of a public key cryptosystem, in
part because most novices don't immediately recognize it. The importance of
this vulnerability, and appropriate hygienic countermeasures, are detailed
in the section "How to Protect Public Keys from Tampering" in the Essential
Topics volume.
To summarize: When you use someone's public key, make certain it has not
been tampered with. A new public key from someone else should be trusted
only if you got it directly from its owner, or if it has been signed by
someone you trust. Make sure no one else can tamper with your own public key
ring. Maintain physical control of both your public key ring and your
secret key ring, preferably on your own personal computer rather than on a
remote timesharing system. Keep a backup copy of both key rings.
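The acceptance rule above (use a key only if you got it directly from its owner, or it carries a valid signature from an introducer you trust whose key you already hold) can be written down as a small program. The following is an added example, not code from the original post or from PGP: it uses Go's standard-library ed25519 in place of PGP's RSA, a SHA-256 fingerprint in place of PGP's key fingerprint, and the names Alice, Bob and Mallory and their keys are constructed for the demonstration. It shows the case the text warns about: a key downloaded from a bulletin board whose bytes were swapped by the sysadmin is refused even when a real introducer signature is pasted next to it, because the signature covers both the user ID and the key bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Key is a public key certificate as the guide describes it: a user ID
// (the owner's full name and address) bound to a public key.
type Key struct {
	UserID string
	Pub    ed25519.PublicKey
}

// Fingerprint is SHA-256 of the key bytes (an assumption of this example):
// the short value you compare with the owner when you got the key directly.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// certData is what an introducer signs: the user ID and the key bytes
// together, so neither can be swapped without invalidating the signature.
func certData(k Key) []byte {
	return append([]byte(k.UserID+"\x00"), k.Pub...)
}

// Certification is an introducer's signature vouching that Pub belongs to UserID.
type Certification struct {
	IntroducerFP string // fingerprint of the introducer's own key
	Sig          []byte
}

// Certify lets an introducer sign someone else's key.
func Certify(introducer ed25519.PrivateKey, k Key) Certification {
	pub := introducer.Public().(ed25519.PublicKey)
	return Certification{IntroducerFP: Fingerprint(pub), Sig: ed25519.Sign(introducer, certData(k))}
}

// Keyring records the two kinds of keys the guide says you may rely on.
type Keyring struct {
	DirectFP map[string]bool              // fingerprints verified with the owner in person
	Trusted  map[string]ed25519.PublicKey // introducers whose signatures you accept
}

// Accept applies the rule: direct from the owner, or validly signed by a
// trusted introducer whose key you already hold. Anything else is refused.
func (r *Keyring) Accept(k Key, certs []Certification) (bool, string) {
	if r.DirectFP[Fingerprint(k.Pub)] {
		return true, "fingerprint verified directly with owner"
	}
	for _, c := range certs {
		introducer, known := r.Trusted[c.IntroducerFP]
		if known && ed25519.Verify(introducer, certData(k), c.Sig) {
			return true, "certified by trusted introducer " + c.IntroducerFP[:8]
		}
	}
	return false, "uncertified or tampered key: refuse"
}

// Scenario plays out the cases from the guide with constructed keys and
// returns which of them were accepted.
func Scenario() map[string]bool {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)     // trusted introducer
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)               // key found on a BBS
	malloryPub, malloryPriv, _ := ed25519.GenerateKey(rand.Reader) // the BBS sysadmin

	ring := &Keyring{
		DirectFP: map[string]bool{Fingerprint(alicePub): true},
		Trusted:  map[string]ed25519.PublicKey{Fingerprint(alicePub): alicePub},
	}
	bob := Key{UserID: "Bob Example <bob@example.org>", Pub: bobPub}
	aliceOnBob := Certify(alicePriv, bob)

	// Mallory swaps the key bytes under Bob's name, keeping Alice's signature,
	// and also "certifies" the swapped key with her own untrusted key.
	swapped := Key{UserID: bob.UserID, Pub: malloryPub}
	malloryOnSwapped := Certify(malloryPriv, swapped)

	out := map[string]bool{}
	out["alice direct"], _ = ring.Accept(Key{UserID: "Alice Example <alice@example.org>", Pub: alicePub}, nil)
	out["bob certified by alice"], _ = ring.Accept(bob, []Certification{aliceOnBob})
	out["bob uncertified"], _ = ring.Accept(bob, nil)
	out["swapped key, alice sig reused"], _ = ring.Accept(swapped, []Certification{aliceOnBob})
	out["swapped key, mallory self-cert"], _ = ring.Accept(swapped, []Certification{malloryOnSwapped})
	return out
}

func main() {
	for name, ok := range Scenario() {
		fmt.Printf("%-32s accepted=%v\n", name, ok)
	}
}
```

The only thing that makes the swapped key fail is that the introducer's signature binds the user ID to the key bytes; a signature over the user ID alone would be transferable, which is why the certification data includes both.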
"Not Quite Deleted" Files
Another potential security problem is caused by how most operating systems
delete files. When you encrypt a file and then delete the original plaintext
file, the operating system doesn't actually physically erase the data. It
merely marks those disk blocks as deleted, allowing the space to be reused
later. It's sort of like discarding sensitive paper documents in the paper
recycling bin instead of the paper shredder. The disk blocks still contain
the original sensitive data you wanted to erase, and will probably
eventually be overwritten by new data at some point in the future. If an
attacker reads these deleted disk blocks soon after they have been
deallocated, he could recover your plaintext.
In fact this could even happen accidentally, if for some reason something
went wrong with the disk and some files were accidentally deleted or
corrupted. A disk recovery program may be run to recover the damaged files,
but this often means some previously deleted files are resurrected along
with everything else. Your confidential files that you thought were gone
forever could then reappear and be inspected by whoever is attempting to
recover your damaged disk. Even while you are creating the original message
with a word processor or text editor, the editor may be creating multiple
temporary copies of your text on the disk, just because of its internal
workings. These temporary copies of your text are deleted by the word
processor when it's done, but these sensitive fragments are still on your
disk somewhere.
Let me tell you a true horror story. I had a friend, married with young
children, who once had a brief and not very serious affair. She wrote a
letter to her lover on her word processor, and deleted the letter after she
sent it. Later, after the affair was over, the floppy disk got damaged
somehow and she had to recover it because it contained other important
documents. She asked her husband to salvage the disk, which seemed
perfectly safe because she knew she had deleted the incriminating letter.
Her husband ran a commercial disk recovery software package to salvage the
files. It recovered the files all right, including the deleted letter. He
read it, which set off a tragic chain of events.
The only way to prevent the plaintext from reappearing is to somehow cause
the deleted plaintext files to be overwritten. Unless you know for sure that
all the deleted disk blocks will soon be reused, you must take positive
steps to overwrite the plaintext file, and also any fragments of it on the
disk left by your word processor. You can overwrite the original plaintext
file after encryption by using the PGP -w (wipe) option. You can take care
of any fragments of the plaintext left on the disk by using any of the disk
utilities available that can overwrite all of the unused blocks on a disk.
For example, the Norton Utilities for MSDOS can do this.
Even if you overwrite the plaintext data on the disk, it may still
be possible for a resourceful and determined attacker to recover the data.
Faint magnetic traces of the original data remain on the disk after it has
been overwritten. Special sophisticated disk recovery hardware can
sometimes be used to recover the data.
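What the -w (wipe) option has to do, as opposed to a plain delete, is shown by the following added example; it is not PGP's code and not part of the original post. It overwrites the file in place (one pass of random data, one of zeros, each pushed to the device with fsync) before unlinking it, and the demonstration function writes a constructed sample letter, checks whether the words are still readable after overwriting, and then wipes the file. The temp file name and the two-pass pattern are choices of this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"io"
	"os"
)

// overwriteInPlace writes over every byte of the file twice, first with
// random data and then with zeros, syncing after each pass so the writes are
// pushed to the device rather than left sitting in the page cache.
func overwriteInPlace(path string) error {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return err
	}
	buf := make([]byte, 64*1024)
	fills := []func([]byte) error{
		func(b []byte) error { _, err := rand.Read(b); return err },
		func(b []byte) error {
			for i := range b {
				b[i] = 0
			}
			return nil
		},
	}
	for _, fill := range fills {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return err
		}
		for remaining := info.Size(); remaining > 0; {
			n := int64(len(buf))
			if remaining < n {
				n = remaining
			}
			if err := fill(buf[:n]); err != nil {
				return err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return err
			}
			remaining -= n
		}
		if err := f.Sync(); err != nil {
			return err
		}
	}
	return nil
}

// Wipe is the behaviour a plain delete lacks: overwrite first, then unlink.
func Wipe(path string) error {
	if err := overwriteInPlace(path); err != nil {
		return err
	}
	return os.Remove(path)
}

// Demo writes a constructed plaintext, overwrites it, reads the file back to
// see whether the words survived, then wipes it. It returns whether the
// secret was still readable after overwriting and whether the file remains.
func Demo() (secretSurvived bool, fileRemains bool, err error) {
	f, err := os.CreateTemp("", "letter-*.txt")
	if err != nil {
		return false, false, err
	}
	path := f.Name()
	secret := []byte("Dear lover, ... (constructed sample plaintext)")
	if _, err = f.Write(secret); err != nil {
		return false, false, err
	}
	f.Close()

	if err = overwriteInPlace(path); err != nil {
		return false, false, err
	}
	after, err := os.ReadFile(path)
	if err != nil {
		return false, false, err
	}
	secretSurvived = bytes.Contains(after, []byte("lover"))

	if err = Wipe(path); err != nil {
		return secretSurvived, true, err
	}
	_, statErr := os.Stat(path)
	return secretSurvived, statErr == nil, nil
}

func main() {
	survived, remains, err := Demo()
	fmt.Printf("secret survived overwrite=%v, file remains=%v, err=%v\n", survived, remains, err)
}
```

Two caveats beyond what the text states, added here: on journaling or copy-on-write filesystems and on flash storage with wear levelling, an in-place overwrite may be written to different physical blocks, so the old data can remain; and this wipes only the named file, not the temporary copies an editor leaves behind, which the text says need a separate free-space overwrite.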
Viruses and Trojan Horses
Another attack could involve a specially-tailored hostile computer virus or
worm that might infect PGP or your operating system. This hypothetical virus
could be designed to capture your pass phrase or secret key or deciphered
messages, and covertly write the captured information to a file or send it
through a network to the virus's owner. Or it might alter PGP's behavior so
that signatures are not properly checked. This attack is cheaper than
cryptanalytic attacks.
Defending against this falls under the category of defending against viral
infection generally. There are some moderately capable anti-viral products
commercially available, and there are hygienic procedures to follow that
can greatly reduce the chances of viral infection. A complete treatment of
anti-viral and anti-worm countermeasures is beyond the scope of this
document. PGP has no defenses against viruses, and assumes your own personal
computer is a trustworthy execution environment. If such a virus or worm
actually appeared, hopefully word would soon get around warning everyone.
Another similar attack involves someone creating a clever imitation of PGP
that behaves like PGP in most respects, but doesn't work the way it's
supposed to. For example, it might be deliberately crippled to not check
signatures properly, allowing bogus key certificates to be accepted. This
"Trojan horse" version of PGP is not hard for an attacker to create, because
PGP source code is widely available, so anyone could modify the source code
and produce a lobotomized zombie imitation PGP that looks real but does the
bidding of its diabolical master. This Trojan horse version of PGP could
then be widely circulated, claiming to be from me. How insidious.
You should make an effort to get your copy of PGP from a reliable source,
whatever that means. Or perhaps from more than one independent source, and
compare them with a file comparison utility.
There are other ways to check PGP for tampering, using digital signatures.
If someone you trust signs the executable version of PGP, vouching for the
fact that it has not been infected or tampered with, you can be reasonably
sure that you have a good copy. You could use an earlier trusted version of
PGP to check the signature on a later suspect version of PGP. But this will
not help at all if your operating system is infected, nor will it detect if
your original copy of PGP.EXE has been maliciously altered in such a way as
to compromise its own ability to check signatures. This test also assumes
that you have a good trusted copy of the public key that you use to check
the signature on the PGP executable.
I recommend you not trust your copy of PGP unless it was originally
distributed by MIT or ViaCrypt, or unless it comes with a digitally signed
endorsement from me. Every new version comes with one or more digital
signatures in the distribution package, signed by the originator of that
release package. This is usually someone representing MIT or ViaCrypt, or
whoever released that version. Check the signatures on the version that you
get. I have actually seen several bogus versions of PGP distribution
packages, even from apparently reliable freeware distribution channels such
as CD-ROM distributors and CompuServe. Always check the signature when you
get a new version.
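The two checks the text recommends for a fresh copy of PGP, verifying the originator's signature on the distribution package and comparing copies obtained from independent sources, are shown below as an added example that is not PGP's code and not part of the original post. It uses Go's ed25519 and SHA-256 in place of PGP's own signature format, and the "release key", the executable bytes and the altered copy are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is a distribution package: the executable plus the detached
// signature the originator of the release made over its hash.
type Release struct {
	Exe []byte
	Sig []byte
}

// SignRelease is what the release originator does: sign SHA-256 of the executable.
func SignRelease(originator ed25519.PrivateKey, exe []byte) Release {
	sum := sha256.Sum256(exe)
	return Release{Exe: exe, Sig: ed25519.Sign(originator, sum[:])}
}

// VerifyRelease checks the package against a copy of the originator's public
// key that you already trust. The check is only as good as that key and as the
// program doing the checking: an altered checker or operating system can lie
// about the result, which is why the text says to run it from an earlier
// trusted copy rather than from the suspect one.
func VerifyRelease(trustedOriginator ed25519.PublicKey, r Release) bool {
	sum := sha256.Sum256(r.Exe)
	return ed25519.Verify(trustedOriginator, sum[:], r.Sig)
}

// IdenticalCopies is the file-comparison-utility check: copies fetched from
// independent sources must match byte for byte.
func IdenticalCopies(copies ...[]byte) bool {
	for i := 1; i < len(copies); i++ {
		if !bytes.Equal(copies[0], copies[i]) {
			return false
		}
	}
	return true
}

// Scenario runs the genuine, altered and re-signed cases with constructed
// keys and returns the verdict for each.
func Scenario() map[string]bool {
	releasePub, releasePriv, _ := ed25519.GenerateKey(rand.Reader) // the originator's key
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := []byte("PGP.EXE genuine build (constructed sample bytes)")
	official := SignRelease(releasePriv, genuine)

	// A "lobotomized" copy: one word changed, which changes the hash.
	trojan := bytes.Replace(genuine, []byte("genuine"), []byte("lobotomized"), 1)
	trojanOldSig := Release{Exe: trojan, Sig: official.Sig} // altered binary, original signature kept
	trojanResigned := SignRelease(attackerPriv, trojan)      // altered binary signed with the attacker's own key

	return map[string]bool{
		"official release verifies":    VerifyRelease(releasePub, official),
		"altered exe, original sig":    VerifyRelease(releasePub, trojanOldSig),
		"altered exe, attacker sig":    VerifyRelease(releasePub, trojanResigned),
		"two mirrors agree":            IdenticalCopies(genuine, genuine),
		"mirror vs altered copy agree": IdenticalCopies(genuine, trojan),
	}
}

func main() {
	for name, ok := range Scenario() {
		fmt.Printf("%-30s %v\n", name, ok)
	}
}
```

The re-signed case is the important one: the attacker's signature is perfectly valid under the attacker's key, so the check means nothing unless the public key used to verify is the one you already trusted before the suspect package arrived.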
Physical Security Breach
A physical security breach may allow someone to physically acquire your
plaintext files or printed messages. A determined opponent might accomplish
this through burglary, trash-picking, unreasonable search and seizure, or
bribery, blackmail or infiltration of your staff. Some of these attacks may
be especially feasible against grassroots political organizations that
depend on a largely volunteer staff. It has been widely reported in the
press that the FBI's COINTELPRO program used burglary, infiltration, and
illegal bugging against antiwar and civil rights groups. And look what
happened at the Watergate Hotel.
Don't be lulled into a false sense of security just because you have a
cryptographic tool. Cryptographic techniques protect data only while it's
encrypted-- direct physical security violations can still compromise
plaintext data or written or spoken information.
This kind of attack is cheaper than cryptanalytic attacks on PGP.
Tempest Attacks
Another kind of attack that has been used by well-equipped opponents
involves the remote detection of the electromagnetic signals from your
computer. This expensive and somewhat labor-intensive attack is probably
still cheaper than direct cryptanalytic attacks. An appropriately
instrumented van can park near your office and remotely pick up all of your
keystrokes and messages displayed on your computer video screen. This would
compromise all of your passwords, messages, etc. This attack can be
thwarted by properly shielding all of your computer equipment and network
cabling so that it does not emit these signals. This shielding technology is
known as "Tempest", and is used by some Government agencies and defense
contractors. There are hardware vendors who supply Tempest shielding
commercially, although it may be subject to some kind of Government
licensing. Now why do you suppose the Government would restrict access to
Tempest shielding?
Exposure on Multi-user Systems
PGP was originally designed for a single-user MSDOS machine under your
direct physical control. I run PGP at home on my own PC, and unless someone
breaks into my house or monitors my electromagnetic emissions, they
probably can't see my plaintext files or secret keys.
But now PGP also runs on multi-user systems such as UNIX and VAX/VMS. On
multi-user systems, there are much greater risks of your plaintext or keys
or passwords being exposed. The Unix system administrator or a clever
intruder can read your plaintext files, or perhaps even use special software
to covertly monitor your keystrokes or read what's on your screen. On a
Unix system, any other user can read your environment information remotely
by simply using the Unix "ps" command. Similar problems exist for MSDOS
machines connected on a local area network. The actual security risk is
dependent on your particular situation. Some multi-user systems may be safe
because all the users are trusted, or because they have system security
measures that are safe enough to withstand the attacks available to the
intruders, or because there just aren't any sufficiently interested
intruders. Some Unix systems are safe because they are only used by one
user-- there are even some notebook computers running Unix. It would be
unreasonable to simply exclude PGP from running on all Unix systems.
PGP is not designed to protect your data while it is in plaintext form on a
compromised system. Nor can it prevent an intruder from using sophisticated
measures to read your secret key while it is being used. You will just have
to recognize these risks on multi-user systems, and adjust your expectations
and behavior accordingly. Perhaps your situation is such that you should
consider running PGP only on an isolated single-user system under your
direct physical control. That's what I do, and that's what I recommend.
Traffic Analysis
Even if the attacker cannot read the contents of your encrypted messages,
he may be able to infer at least some useful information by observing where
the messages come from and where they are going, the size of the messages,
and the time of day the messages are sent. This is analogous to the
attacker looking at your long distance phone bill to see who you called and
when and for how long, even though the actual content of your calls is
unknown to the attacker. This is called traffic analysis. PGP alone does not
protect against traffic analysis. Solving this problem would require
specialized communication protocols designed to reduce exposure to traffic
analysis in your communication environment, possibly with some
cryptographic assistance.
Protecting Against Bogus Timestamps
A somewhat obscure vulnerability of PGP involves dishonest users creating
bogus timestamps on their own public key certificates and signatures. You
can skip over this section if you are a casual user and aren't deeply into
obscure public key protocols.
There's nothing to stop a dishonest user from altering the date and time
setting of his own system's clock, and generating his own public key
certificates and signatures that appear to have been created at a different
time. He can make it appear that he signed something earlier or later than
he actually did, or that his public/secret key pair was created earlier or
later. This may have some legal or financial benefit to him, for example by
creating some kind of loophole that might allow him to repudiate a
signature.
I think this problem of falsified timestamps in digital signatures is no
worse than it is already in handwritten signatures. Anyone may write a date
next to their handwritten signature on a contract with any date they choose,
yet no one seems to be alarmed over this state of affairs. In some cases, an
"incorrect" date on a handwritten signature might not be associated with
actual fraud. The timestamp might be when the signator asserts that he
signed a document, or maybe when he wants the signature to go into effect.
In situations where it is critical that a signature be trusted to have the
actual correct date, people can simply use notaries to witness and date a
handwritten signature. The analog to this in digital signatures is to get a
trusted third party to sign a signature certificate, applying a trusted
timestamp. No exotic or overly formal protocols are needed for this.
Witnessed signatures have long been recognized as a legitimate way of
determining when a document was signed.
A trustworthy Certifying Authority or notary could create notarized
signatures with a trustworthy timestamp. This would not necessarily
require a centralized authority. Perhaps any trusted introducer
or disinterested party could serve this function, the same way real notaries
public do now. When a notary signs other people's signatures, it creates a
signature certificate of a signature certificate. This would serve as a
witness to the signature the same way real notaries now witness handwritten
signatures. The notary could enter the detached signature certificate
(without the actual whole document that was signed) into a special log
controlled by the notary. Anyone can read this log. The notary's signature
would have a trusted timestamp, which might have greater credibility or more
legal significance than the timestamp in the original signature.
There is a good treatment of this topic in Denning's 1983 article in IEEE
Computer (see references). Future enhancements to PGP might have features
to easily manage notarized signatures of signatures, with trusted
timestamps.
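The "signature certificate of a signature certificate" described above, with the notary's own timestamp and public log, is worked through in the following added example; it is not PGP's code, not part of the original post, and not the scheme from Denning's article. It uses Go's ed25519 in place of PGP's signatures, the record layouts are this example's own, and the dates are constructed: the signer backdates a contract signature by a year, the notary witnesses the detached signature (never seeing the document) at the real time, and a verifier reads the trusted time from the notary's entry rather than from the signer's claim.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Signature is a detached signature certificate. The signer's claimed time is
// inside the signed data, so it is whatever the signer's own clock said.
type Signature struct {
	SignerFP  string
	ClaimedAt time.Time
	DocHash   [32]byte
	Sig       []byte
}

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

func sigData(s Signature) []byte {
	return []byte(fmt.Sprintf("%s|%d|%x", s.SignerFP, s.ClaimedAt.Unix(), s.DocHash))
}

// SignDocument signs with whatever time the signer's clock reports.
func SignDocument(priv ed25519.PrivateKey, doc []byte, clock time.Time) Signature {
	s := Signature{SignerFP: fingerprint(priv.Public().(ed25519.PublicKey)), ClaimedAt: clock, DocHash: sha256.Sum256(doc)}
	s.Sig = ed25519.Sign(priv, sigData(s))
	return s
}

// NotaryEntry is a signature certificate of a signature certificate: the
// notary signs the detached signature together with its own timestamp.
type NotaryEntry struct {
	Witnessed   Signature
	NotarizedAt time.Time
	NotarySig   []byte
}

func entryData(e NotaryEntry) []byte {
	return []byte(fmt.Sprintf("%s|%x|%d", sigData(e.Witnessed), e.Witnessed.Sig, e.NotarizedAt.Unix()))
}

// Notary keeps the public log of everything it has witnessed.
type Notary struct {
	priv ed25519.PrivateKey
	Log  []NotaryEntry
}

// Witness stamps a detached signature with the notary's clock and logs it.
func (n *Notary) Witness(s Signature, now time.Time) NotaryEntry {
	e := NotaryEntry{Witnessed: s, NotarizedAt: now}
	e.NotarySig = ed25519.Sign(n.priv, entryData(e))
	n.Log = append(n.Log, e)
	return e
}

// VerifyNotarized checks the notary's signature and returns the trusted time.
func VerifyNotarized(notaryPub ed25519.PublicKey, e NotaryEntry) (trustedAt time.Time, ok bool) {
	if !ed25519.Verify(notaryPub, entryData(e), e.NotarySig) {
		return time.Time{}, false
	}
	return e.NotarizedAt, true
}

// Outcome reports the signer's claimed time against the notary's, and whether
// an attempt to edit the notary's time survives verification.
type Outcome struct {
	Claimed, Notarized   time.Time
	Valid, TamperedValid bool
}

func Scenario() Outcome {
	notaryPub, notaryPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, signerPriv, _ := ed25519.GenerateKey(rand.Reader)
	notary := &Notary{priv: notaryPriv}

	realNow := time.Date(1997, time.October, 26, 9, 18, 59, 0, time.UTC) // constructed
	backdated := realNow.AddDate(-1, 0, 0)                             // the signer's "adjusted" clock
	doc := []byte("I agree to the terms (constructed sample contract)")

	s := SignDocument(signerPriv, doc, backdated)
	e := notary.Witness(s, realNow)
	trustedAt, ok := VerifyNotarized(notaryPub, e)

	forged := e
	forged.NotarizedAt = backdated // try to move the notary's time to match the claim
	_, forgedOK := VerifyNotarized(notaryPub, forged)
	return Outcome{Claimed: s.ClaimedAt, Notarized: trustedAt, Valid: ok, TamperedValid: forgedOK}
}

func main() {
	o := Scenario()
	fmt.Printf("signer claims %s, notary witnessed %s, valid=%v, edited entry valid=%v\n",
		o.Claimed.Format(time.RFC3339), o.Notarized.Format(time.RFC3339), o.Valid, o.TamperedValid)
}
```

The notary's timestamp is authoritative only to the degree the notary's key and clock are trusted; nothing here proves the signer's claimed date false, it only records that the signature existed by the witnessed time, which is all a handwritten witness attests to as well.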
Cryptanalysis
An expensive and formidable cryptanalytic attack could possibly be mounted
by someone with vast supercomputer resources, such as a Government
intelligence agency. They might crack your RSA key by using some new secret
factoring breakthrough. Perhaps so, but it is noteworthy that the US
Government trusts the RSA algorithm enough in some cases to use it to
protect its own nuclear weapons, according to Ron Rivest. And civilian
academia has been intensively attacking it without success since 1978.
Perhaps the Government has some classified methods of cracking the IDEA(TM)
conventional encryption algorithm used in PGP. This is every cryptographer's
worst nightmare. There can be no absolute security guarantees in practical
cryptographic implementations.
Still, some optimism seems justified. The IDEA algorithm's designers are
among the best cryptographers in Europe. It has had extensive security
analysis and peer review from some of the best cryptanalysts in the
unclassified world. It appears to have some design advantages over the DES
in withstanding differential and linear cryptanalysis, which have both been
used to crack the DES.
Besides, even if this algorithm has some subtle unknown weaknesses, PGP
compresses the plaintext before encryption, which should greatly reduce
those weaknesses. The computational workload to crack it is likely to be
much more expensive than the value of the message.
If your situation justifies worrying about very formidable attacks of this
caliber, then perhaps you should contact a data security consultant for
some customized data security approaches tailored to your special needs.
Boulder Software Engineering, whose address and phone are given at the end
of this document, can provide such services.
In summary, without good cryptographic protection of your data
communications, it may have been practically effortless and perhaps even
routine for an opponent to intercept your messages, especially those sent
through a modem or E-mail system. If you use PGP and follow reasonable
precautions, the attacker will have to expend far more effort and expense to
violate your privacy.
If you protect yourself against the simplest attacks, and you feel confident
that your privacy is not going to be violated by a determined and highly
resourceful attacker, then you'll probably be safe using PGP. PGP gives you
Pretty Good Privacy.
Copyright Anonymous <prz@acm.org>
----------------------------------------------------------------------------
Son, if you think it appropriate, you might tell your mom: The Aztecs were
extremely clean. The Spanish conquistadors were extremely dirty. The
Spaniards won.
LMBoyd Web Site
----------------------------------------------------------------------------
"The Xenix Chainsaw Massacre"
"WebWorld & the Mythical Circle of Eunuchs"
"InfoWar (Part III of 'The True Story of the InterNet')"
Soviet Union Sickle of Eunuchs Secret WebSite
----------------------------------------------------------------------------