1997-10-26 - InfoWar Epilogue 7 (Part III of ‘The True Story of the InterNet’)

Header Data

From: “Philip R. Zimmermann” <prz@acm.org>
To: cypherpunks@toad.com
Message Hash: 77dc49882ffed030797375c5b37c96930d831a3afc93daa6e52d9a8a57c0ca59
Message ID: <34530666.1192@acm.org>
Reply To: N/A
UTC Datetime: 1997-10-26 09:19:24 UTC
Raw Date: Sun, 26 Oct 1997 17:19:24 +0800

Raw message

From: "Philip R. Zimmermann" <prz@acm.org>
Date: Sun, 26 Oct 1997 17:19:24 +0800
To: cypherpunks@toad.com
Subject: InfoWar Epilogue 7 (Part III of 'The True Story of the InterNet')
Message-ID: <34530666.1192@acm.org>
MIME-Version: 1.0
Content-Type: text/html

The True Story of the InterNet

Part III


InfoWar

Final Frontier of the Digital Revolution

Behind the ElectroMagnetic
Curtain


by TruthMonger <tm@dev.null>




Copyright 1997 Pearl Publishing



InfoWar Table of Contents

Epilogue 
I Broke PGP!


When ignorance is bliss, it is folly to be wise.


Epilogue


Discoveries of any great moment in mathematics and other disciplines,
once they are discovered, are seen to be extremely simple and
obvious, and make everybody, including their discoverer, appear
foolish for not having discovered them before. It is all too often
forgotten that the ancient symbol for prenascence of the world
is a fool, and that foolishness, being a divine state, is not
a condition to be either proud or ashamed of.

Unfortunately, we find systems of education today that have departed
so far from the plain truth that they now teach us to be proud
of what we know and ashamed of ignorance. This is doubly corrupt.
It is corrupt not only because pride in knowledge is to put an
effective barrier against any advance upon what is already known,
since it makes one ashamed to look beyond the bounds imposed by
one's ignorance.

To any person prepared to enter with respect into the realm of
his great and universal ignorance, the secrets of being will eventually
unfold, and they will do so in a measure according to his freedom
from natural and indoctrinated shame in his respect of their revelation.

In the face of the strong, and indeed violent, social pressures
against it, few people have been prepared to take this simple
and satisfying course toward sanity. And in a society where a
prominent psychiatrist can advertise that, given the chance, he
would have treated Newton to electric shock therapy, who can blame
any person for being afraid to do so?

To arrive at the simplest truth, as Newton knew and practiced,
requires years of contemplation. Not an activity. Not reasoning.
Not calculating. Not busy behavior of any kind. Not reading. Not
talking. Not making an effort. Not thinking. Simply bearing in
mind what it is one needs to know. And yet those with the courage
to tread this path to real discovery are not only offered practically
no guidance on how to do so, they are actively discouraged and
have to set about it in secret, pretending meanwhile to be diligently
engaged in the frantic diversions and to conform with the deadening
personal opinions that are being continually thrust upon them.

In these circumstances, the discoveries that any person is able
to undertake represent the places where, in the face of induced
psychosis, he has, by his own faltering and unaided efforts, returned
to sanity. Painfully, and even dangerously, maybe. But nonetheless
returned, however furtively.
-G. Spencer Brown*

* The Laws of Form, London: Geo. Allen & Unwin, 1969.



"Whatever you do will be insignificant, but it
is very important that you do it." 
-Mahatma Gandhi



I Broke PGP!

by RTFM

How to Protect Public Keys from Tampering

In a public key cryptosystem, you don't have to protect public
keys from exposure. In fact, it's better if they are widely
disseminated. But it is important to protect public keys
from tampering, to make sure that a public key really belongs
to whom it appears to belong. This may be the most important
vulnerability of a public-key cryptosystem.

This whole business of protecting public keys from tampering is
the single most difficult problem in practical public key
applications. It is the Achilles' heel of public key cryptography,
and a lot of software complexity is tied up in solving this
one problem.

You should use a public key only after you are sure that it is
a good public key that has not been tampered with, and actually
belongs to the person it claims to. You can be sure of this
if you got this public key certificate directly from its
owner, or if it bears the signature of someone else that
you trust, from whom you already have a good public key.
Also, the user ID should have the full name of the key's
owner, not just her first name.

No matter how tempted you are-- and you will be tempted-- never, NEVER
give in to expediency and trust a public key you downloaded from
a bulletin board, unless it is signed by someone you trust. That
uncertified public key could have been tampered with by anyone, maybe
even by the system administrator of the bulletin board.


SECONDS: What is the hysteria to protect children from so-called
obscene stuff?

GINSBERG: It's a demagogic political issue that can be used to
divert attention from deeper corruptions like the S&L scandal
or the rape of the planet by the post-industrial nations. Although
we conquered literary censorship in books between the years '58
and '62 when, through a series of trials, Henry Miller, Lady
Chatterley's Lover by D.H. Lawrence, Naked Lunch and Howl were
all cleared and declared to be protected by the Constitution.
That same kind of censorship which was used on literature and
film now only applies to the main marketplace of ideas, electronic
broadcasting.

SECONDS: Why do they want to censor things? Why don't they want
people to become sexually excited?

GINSBERG: As Plato pointed out, "When the mode of music changes,
the walls of the city shake." So when you have modern free
speech in idiomatic language that people can understand and are
interested in, immediately it becomes a political issue. Demagogues
want to hush it up because people get to know too much. If you
can get people by the balls you control their most deep-seated
emotions, which are erotic. Once you control that you control
all the other emotions.
You take emotional control, blank out the Eros, and substitute
a lot of violence.


Vulnerabilities
===============

No data security system is impenetrable. PGP can be circumvented
in a variety of ways. In any data security system, you have
to ask yourself if the information you are trying to protect
is more valuable to your attacker than the cost of the attack.
This should lead you to protecting yourself from the cheapest
attacks, while not worrying about the more expensive attacks.

Some of the discussion that follows may seem unduly paranoid,
but such an attitude is appropriate for a reasonable discussion
of vulnerability issues.

Compromised Pass Phrase and Secret Key

Probably the simplest attack is if you leave your pass phrase
for your secret key written down somewhere. If someone gets
it and also gets your secret key file, they can read your
messages and make signatures in your name.

Don't use obvious passwords that can be easily guessed, such as
the names of your kids or spouse. If you make your pass phrase
a single word, it can be easily guessed by having a computer
try all the words in the dictionary until it finds your password.
That's why a pass phrase is so much better than a password.
A more sophisticated attacker may have his computer scan
a book of famous quotations to find your pass phrase. An
easy to remember but hard to guess pass phrase can be easily
constructed by some creatively nonsensical sayings or very
obscure literary quotes.

For further details, see the section "How to Protect Secret
Keys from Disclosure" in the Essential Topics volume
of the PGP User's Guide. 
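The pass phrase advice above can be turned into a mechanical check. The following is an added example, not code from the PGP User's Guide or from this post; the dictionary and quotation lists are tiny constructed samples standing in for the full word list and book of quotations the text mentions, and the 200,000-word dictionary size used for the guess estimate is an assumption.

```python
import math
import re

# Constructed samples: a real checker would load a full dictionary and a
# full quotation collection (assumption: these stand in for both).
DICTIONARY = {"password", "secret", "dragon", "sunshine", "letmein", "monkey"}
QUOTATIONS = {
    "to be or not to be",
    "a penny saved is a penny earned",
    "four score and seven years ago",
}

def normalise(phrase):
    """Lower-case and strip punctuation so 'To Be, Or Not To Be!' is matched
    against the same quotation as 'to be or not to be'."""
    return " ".join(re.findall(r"[a-z0-9']+", phrase.lower()))

def estimate_guesses(phrase, dictionary_size=200_000):
    """Rough work factor for the attack the text describes: one dictionary
    word costs at most dictionary_size guesses; a phrase of n dictionary
    words costs about dictionary_size ** n (assumed dictionary size)."""
    words = normalise(phrase).split()
    return dictionary_size ** len(words) if words else 0

def check_pass_phrase(phrase, min_words=4):
    """Return the reasons a pass phrase is weak; an empty list means it passes:
    not a single word, not a dictionary word, not a famous quotation, and
    long enough that a dictionary scan does not finish quickly."""
    reasons = []
    norm = normalise(phrase)
    words = norm.split()
    if len(words) < 2:
        reasons.append("single word: a dictionary scan will find it")
    if norm in DICTIONARY:
        reasons.append("word appears in the dictionary")
    if norm in QUOTATIONS:
        reasons.append("phrase appears in a book of famous quotations")
    if len(words) < min_words:
        reasons.append(f"fewer than {min_words} words")
    return reasons

if __name__ == "__main__":
    for candidate in ("dragon", "To be, or not to be!",
                      "purple tractor recites algebra badly"):
        print(repr(candidate), check_pass_phrase(candidate),
              f"~{math.log2(estimate_guesses(candidate)):.0f} bits")
```

The quotation check is the part people skip: a phrase with plenty of words is still one lookup away if it is a line everybody knows, which is why the text recommends nonsensical sayings over quotable ones.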

Public Key Tampering

A major vulnerability exists if public keys are tampered with.
This may be the most crucially important vulnerability of
a public key cryptosystem, in part because most novices don't
immediately recognize it. The importance of this vulnerability,
and appropriate hygienic countermeasures, are detailed in
the section "How to Protect Public Keys from Tampering"
in the Essential Topics volume.

To summarize: When you use someone's public key, make certain
it has not been tampered with. A new public key from someone
else should be trusted only if you got it directly from its
owner, or if it has been signed by someone you trust. Make
sure no one else can tamper with your own public key ring.
Maintain physical control of both your public key ring and
your secret key ring, preferably on your own personal computer
rather than on a remote timesharing system. Keep a backup
copy of both key rings.

"Not Quite Deleted" Files

Another potential security problem is caused by how most operating
systems delete files. When you encrypt a file and then delete
the original plaintext file, the operating system doesn't
actually physically erase the data. It merely marks those
disk blocks as deleted, allowing the space to be reused later.
It's sort of like discarding sensitive paper documents in
the paper recycling bin instead of the paper shredder. The
disk blocks still contain the original sensitive data you
wanted to erase, and will probably eventually be overwritten
by new data at some point in the future. If an attacker
reads these deleted disk blocks soon after they have been
deallocated, he could recover your plaintext.

In fact this could even happen accidentally, if for some reason
something went wrong with the disk and some files were accidentally
deleted or corrupted. A disk recovery program may be run
to recover the damaged files, but this often means some
previously deleted files are resurrected along with everything
else. Your confidential files that you thought were gone
forever could then reappear and be inspected by whoever
is attempting to recover your damaged disk. Even while you
are creating the original message with a word processor or
text editor, the editor may be creating multiple temporary
copies of your text on the disk, just because of its internal
workings. These temporary copies of your text are deleted by
the word processor when it's done, but these sensitive fragments
are still on your disk somewhere.

Let me tell you a true horror story. I had a friend, married with young
children, who once had a brief and not very serious affair. She
wrote a letter to her lover on her word processor, and deleted
the letter after she sent it. Later, after the affair was
over, the floppy disk got damaged somehow and she had to
recover it because it contained other important documents.
She asked her husband to salvage the disk, which seemed
perfectly safe because she knew she had deleted the incriminating
letter. Her husband ran a commercial disk recovery software
package to salvage the files. It recovered the files all
right, including the deleted letter. He read it, which set
off a tragic chain of events.

The only way to prevent the plaintext from reappearing is to somehow
cause the deleted plaintext files to be overwritten. Unless
you know for sure that all the deleted disk blocks will soon
be reused, you must take positive steps to overwrite the
plaintext file, and also any fragments of it on the disk
left by your word processor. You can overwrite the original
plaintext file after encryption by using the PGP -w (wipe)
option. You can take care of any fragments of the plaintext
left on the disk by using any of the disk utilities available
that can overwrite all of the unused blocks on a disk. For example,
the Norton Utilities for MSDOS can do this.

Even if you overwrite the plaintext data on the disk, it may still
be possible for a resourceful and determined attacker to
recover the data. Faint magnetic traces of the original data
remain on the disk after it has been overwritten. Special
sophisticated disk recovery hardware can sometimes be used
to recover the data.
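What the -w (wipe) option does, overwrite first and only then delete, can be shown against a plain delete. The block below is an added example written for this page; it is not PGP's wipe code and not from the User's Guide. It builds a constructed plaintext letter in a temporary directory, checks that the bytes are readable, overwrites them in place with random data, and then unlinks the file. The caveats in the comments (journaling and copy-on-write filesystems, SSD wear levelling) are additions beyond what the text states and apply to systems newer than the MSDOS setup it describes.

```python
import os
import tempfile

CHUNK = 64 * 1024

def overwrite_in_place(path, passes=3):
    """Overwrite every byte of `path` with random data `passes` times, forcing
    each pass out to the device with fsync. The file keeps its size so the
    same blocks are rewritten. Returns the number of bytes overwritten.
    Caveat (added, not from the text): on journaling or copy-on-write
    filesystems and on SSDs with wear levelling, the old physical blocks can
    survive an in-place rewrite, so this is necessary but not sufficient."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(CHUNK, remaining))
                remaining -= len(chunk)
                while chunk:                      # raw writes may be partial
                    written = f.write(chunk)
                    chunk = chunk[written:]
            os.fsync(f.fileno())
    return size

def wipe_and_delete(path, passes=3):
    """The -w idea: overwrite, then unlink, so the blocks the filesystem frees
    no longer hold plaintext for a disk recovery program to resurrect."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size

def contains(path, needle):
    """Does the file's current on-disk content still hold the plaintext?"""
    with open(path, "rb") as f:
        return needle in f.read()

def demo():
    """Constructed scenario: a plaintext letter is written, overwritten and
    deleted. Returns (visible before, visible after overwrite, gone after
    wipe_and_delete)."""
    letter = b"Dear lover, meet me at the usual place.\n"   # constructed plaintext
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "letter.txt")
        with open(path, "wb") as f:
            f.write(letter * 200)
        before = contains(path, b"Dear lover")
        overwrite_in_place(path, passes=1)
        after = contains(path, b"Dear lover")
        wipe_and_delete(path, passes=1)
        gone = not os.path.exists(path)
    return before, after, gone

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Note what this does not cover: the editor's temporary copies the text warns about are separate files with their own blocks, and free-space wiping (the Norton Utilities step) has to be done over the whole volume, not per file.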

Viruses and Trojan Horses

Another attack could involve a specially-tailored hostile computer
virus or worm that might infect PGP or your operating system.
This hypothetical virus could be designed to capture your
pass phrase or secret key or deciphered messages, and covertly
write the captured information to a file or send it through
a network to the virus's owner. Or it might alter PGP's
behavior so that signatures are not properly checked. This
attack is cheaper than cryptanalytic attacks.

Defending against this falls under the category of defending against
viral infection generally. There are some moderately capable
anti-viral products commercially available, and there are
hygienic procedures to follow that can greatly reduce the
chances of viral infection. A complete treatment of anti-viral
and anti-worm countermeasures is beyond the scope of this
document. PGP has no defenses against viruses, and assumes
your own personal computer is a trustworthy execution environment.
If such a virus or worm actually appeared, hopefully word
would soon get around warning everyone.

Another similar attack involves someone creating a clever imitation
of PGP that behaves like PGP in most respects, but doesn't
work the way it's supposed to. For example, it might be deliberately
crippled to not check signatures properly, allowing bogus
key certificates to be accepted. This "Trojan horse"
version of PGP is not hard for an attacker to create, because
PGP source code is widely available, so anyone could modify
the source code and produce a lobotomized zombie imitation
PGP that looks real but does the bidding of its diabolical master.
This Trojan horse version of PGP could then be widely circulated,
claiming to be from me. How insidious.

You should make an effort to get your copy of PGP from a reliable
source, whatever that means. Or perhaps from more than one independent
source, and compare them with a file comparison utility.

There are other ways to check PGP for tampering, using digital
signatures. If someone you trust signs the executable version
of PGP, vouching for the fact that it has not been infected
or tampered with, you can be reasonably sure that you have
a good copy. You could use an earlier trusted version of
PGP to check the signature on a later suspect version of
PGP. But this will not help at all if your operating system
is infected, nor will it detect if your original copy of
PGP.EXE has been maliciously altered in such a way as to
compromise its own ability to check signatures. This test also assumes
that you have a good trusted copy of the public key that you use
to check the signature on the PGP executable.

I recommend you not trust your copy of PGP unless it was originally
distributed by MIT or ViaCrypt, or unless it comes with
a digitally signed endorsement from me. Every new version
comes with one or more digital signatures in the distribution
package, signed by the originator of that release package.
This is usually someone representing MIT or ViaCrypt, or
whoever released that version. Check the signatures on the
version that you get. I have actually seen several bogus
versions of PGP distribution packages, even from apparently
reliable freeware distribution channels such as CD-ROM distributors
and CompuServe. Always check the signature when you get a
new version.
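The "more than one independent source, compared with a file comparison utility" step generalises from two copies to any number: hash each copy and see whether a strict majority agrees. This is an added example, not a PGP tool or anything from the User's Guide; the source names and the executable bytes are constructed, and the tampered copy differs in one constructed string standing in for a disabled signature check.

```python
import hashlib
from collections import Counter

def digest(data):
    """SHA-256 of one copy; equal digests mean byte-identical files, which is
    all a file comparison utility establishes."""
    return hashlib.sha256(data).hexdigest()

def compare_copies(copies):
    """copies: {source name: file bytes}. Returns (consensus_digest, outliers).
    consensus_digest is the digest shared by a strict majority of sources
    (None if no digest has one); outliers are the sources whose copy differs
    from it, or every source when there is no consensus."""
    digests = {src: digest(data) for src, data in copies.items()}
    leader, n = Counter(digests.values()).most_common(1)[0]
    if n * 2 <= len(digests):            # no strict majority: nothing to trust
        return None, sorted(digests)
    return leader, sorted(src for src, d in digests.items() if d != leader)

# Constructed stand-ins for a distribution package obtained from three places.
GOOD = b"MZ\x90\x00 toy executable bytes \x00check_signatures=1\x00"
TAMPERED = GOOD.replace(b"check_signatures=1", b"check_signatures=0")
COPIES = {"mit-ftp": GOOD, "cdrom": GOOD, "bbs-download": TAMPERED}

if __name__ == "__main__":
    consensus, outliers = compare_copies(COPIES)
    for src, data in COPIES.items():
        print(f"{src:14} {digest(data)[:16]}  {'DIFFERS' if src in outliers else 'ok'}")
```

Agreement only shows the copies share an ancestor; if all your mirrors pull from the same tampered upstream they will agree with each other. That is why the text treats the comparison as a supplement to checking the release signature with a trusted key, not a replacement for it.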

Physical Security Breach

A physical security breach may allow someone to physically acquire
your plaintext files or printed messages. A determined opponent
might accomplish this through burglary, trash-picking, unreasonable
search and seizure, or bribery, blackmail or infiltration
of your staff. Some of these attacks may be especially feasible
against grassroots political organizations that depend on
a largely volunteer staff. It has been widely reported in
the press that the FBI's COINTELPRO program used burglary,
infiltration, and illegal bugging against antiwar and civil
rights groups. And look what happened at the Watergate Hotel.

Don't be lulled into a false sense of security just because you
have a cryptographic tool. Cryptographic techniques protect
data only while it's encrypted-- direct physical security
violations can still compromise plaintext data or written
or spoken information.

This kind of attack is cheaper than cryptanalytic attacks on PGP.

Tempest Attacks

Another kind of attack that has been used by well-equipped opponents
involves the remote detection of the electromagnetic signals
from your computer. This expensive and somewhat labor-intensive
attack is probably still cheaper than direct cryptanalytic
attacks. An appropriately instrumented van can park near
your office and remotely pick up all of your keystrokes
and messages displayed on your computer video screen. This
would compromise all of your passwords, messages, etc. This
attack can be thwarted by properly shielding all of your
computer equipment and network cabling so that it does not emit
these signals. This shielding technology is known as "Tempest",
and is used by some Government agencies and defense contractors.
There are hardware vendors who supply Tempest shielding
commercially, although it may be subject to some kind of
Government licensing. Now why do you suppose the Government
would restrict access to Tempest shielding?

Exposure on Multi-user Systems

PGP was originally designed for a single-user MSDOS machine
under your direct physical control. I run PGP at home on
my own PC, and unless someone breaks into my house or monitors
my electromagnetic emissions, they probably can't see my
plaintext files or secret keys.

But now PGP also runs on multi-user systems such as UNIX and VAX/VMS.
On multi-user systems, there are much greater risks of your
plaintext or keys or passwords being exposed. The Unix system
administrator or a clever intruder can read your plaintext
files, or perhaps even use special software to covertly monitor
your keystrokes or read what's on your screen. On a Unix
system, any other user can read your environment information
remotely by simply using the Unix "ps" command.
Similar problems exist for MSDOS machines connected on a local
area network. The actual security risk is dependent on your particular
situation. Some multi-user systems may be safe because all
the users are trusted, or because they have system security measures
that are safe enough to withstand the attacks available to the
intruders, or because there just aren't any sufficiently interested
intruders. Some Unix systems are safe because they are only
used by one user-- there are even some notebook computers running
Unix. It would be unreasonable to simply exclude PGP from running
on all Unix systems.

PGP is not designed to protect your data while it is in plaintext
form on a compromised system. Nor can it prevent an intruder
from using sophisticated measures to read your secret key
while it is being used. You will just have to recognize these
risks on multi-user systems, and adjust your expectations
and behavior accordingly. Perhaps your situation is such
that you should consider running PGP only on an isolated
single-user system under your direct physical control. That's
what I do, and that's what I recommend.

Traffic Analysis

Even if the attacker cannot read the contents of your encrypted
messages, he may be able to infer at least some useful information
by observing where the messages come from and where they
are going, the size of the messages, and the time of day
the messages are sent. This is analogous to the attacker
looking at your long distance phone bill to see who you called
and when and for how long, even though the actual content
of your calls is unknown to the attacker. This is called
traffic analysis. PGP alone does not protect against traffic analysis.
Solving this problem would require specialized communication
protocols designed to reduce exposure to traffic analysis
in your communication environment, possibly with some cryptographic
assistance.
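To see what the "phone bill" view leaks from encrypted mail, it helps to run the analysis over a relay log and then apply one of the mitigations the text alludes to. The block below is an added example, not from the User's Guide or this post: the log lines are constructed, the three measures (who talks to whom, hour-of-day pattern per sender, and distinct ciphertext sizes) are the ones the text names, and padding to a fixed bucket size is one simple size-hiding measure of the kind a specialised protocol would include (assumed here, not described on the page).

```python
from collections import Counter, defaultdict
import math

# Constructed relay log: timestamp, sender, recipient, ciphertext size in bytes.
LOG = """\
1997-10-20T08:02:11 alice@a.example bob@b.example 1423
1997-10-20T08:40:57 bob@b.example alice@a.example 1380
1997-10-20T09:15:03 alice@a.example carol@c.example 22810
1997-10-21T08:05:44 alice@a.example bob@b.example 1398
1997-10-21T08:44:02 bob@b.example alice@a.example 1402
1997-10-22T08:01:19 alice@a.example bob@b.example 1456
1997-10-22T23:58:40 dave@d.example alice@a.example 610
"""

def parse(log):
    """Split each line into (timestamp, sender, recipient, size)."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, size = line.split()
        rows.append((ts, src, dst, int(size)))
    return rows

def who_talks_to_whom(rows):
    """Message count per (sender, recipient) pair: the long-distance bill."""
    return Counter((s, d) for _, s, d, _ in rows)

def hourly_activity(rows):
    """Hour-of-day histogram per sender; a regular 08:00 exchange is a pattern
    by itself, with or without the contents."""
    hist = defaultdict(Counter)
    for ts, s, _, _ in rows:
        hist[s][int(ts[11:13])] += 1
    return hist

def pad_to_bucket(size, bucket=4096):
    """Mitigation: pad ciphertext up to a multiple of `bucket` bytes so short
    notes become indistinguishable from one another by length."""
    return math.ceil(size / bucket) * bucket

def distinct_sizes(rows, bucket=None):
    """How many length classes an observer sees, with or without padding."""
    sizes = {sz if bucket is None else pad_to_bucket(sz, bucket) for *_, sz in rows}
    return len(sizes)

if __name__ == "__main__":
    rows = parse(LOG)
    for (s, d), n in who_talks_to_whom(rows).most_common():
        print(f"{s} -> {d}: {n}")
    print("alice by hour:", dict(hourly_activity(rows)["alice@a.example"]))
    print("size classes unpadded:", distinct_sizes(rows),
          "padded to 4096:", distinct_sizes(rows, 4096))
```

Padding addresses only the size column; the sender, recipient and timing columns are exactly what remailer-style protocols exist to blur, and PGP by itself changes none of them.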


Protecting Against Bogus Timestamps

A somewhat obscure vulnerability of PGP involves dishonest
users creating bogus timestamps on their own public key
certificates and signatures. You can skip over this section
if you are a casual user and aren't deeply into obscure public
key protocols.

There's nothing to stop a dishonest user from altering the date
and time setting of his own system's clock, and generating
his own public key certificates and signatures that appear
to have been created at a different time. He can make it
appear that he signed something earlier or later than he
actually did, or that his public/secret key pair was created
earlier or later. This may have some legal or financial
benefit to him, for example by creating some kind of loophole
that might allow him to repudiate a signature.

I think this problem of falsified timestamps in digital signatures
is no worse than it is already in handwritten signatures.
Anyone may write a date next to their handwritten signature
on a contract with any date they choose, yet no one seems
to be alarmed over this state of affairs. In some cases,
an "incorrect" date on a handwritten signature
might not be associated with actual fraud. The timestamp might
be when the signator asserts that he signed a document, or maybe
when he wants the signature to go into effect.

In situations where it is critical that a signature be trusted
to have the actual correct date, people can simply use notaries
to witness and date a handwritten signature. The analog
to this in digital signatures is to get a trusted third party
to sign a signature certificate, applying a trusted timestamp.
No exotic or overly formal protocols are needed for this.
Witnessed signatures have long been recognized as a legitimate
way of determining when a document was signed.

A trustworthy Certifying Authority or notary could create notarized
signatures with a trustworthy timestamp. This would not
necessarily require a centralized authority. Perhaps any
trusted introducer or disinterested party could serve this
function, the same way real notary publics do now. When
a notary signs other people's signatures, it creates a signature
certificate of a signature certificate. This would serve
as a witness to the signature the same way real notaries
now witness handwritten signatures. The notary could enter
the detached signature certificate (without the actual whole
document that was signed) into a special log controlled by the notary.
Anyone can read this log. The notary's signature would have a
trusted timestamp, which might have greater credibility or more
legal significance than the timestamp in the original signature.

There is a good treatment of this topic in Denning's 1983 article
in IEEE Computer (see references). Future enhancements to
PGP might have features to easily manage notarized signatures
of signatures, with trusted timestamps.
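Two passages on this page describe rules that are easier to see as code: the key-validity rule from "How to Protect Public Keys from Tampering" and "Public Key Tampering" (trust a key only if you got it directly or it is signed by a trusted introducer whose key you already hold), and the notary's "signature certificate of a signature certificate" from this section. The block below is an added example serving both; it is not PGP's code, not OpenPGP's certificate format, and not from the User's Guide. The RSA in it is textbook RSA with tiny primes and no padding, used only so that the signatures are real public-key signatures rather than stand-ins; the user IDs, the contract text and the dates are constructed.

```python
import hashlib
import math

# Toy textbook RSA (tiny primes, no padding): shows the structure of
# sign/verify only and provides no security. Assumption for this example.
def next_prime(n):
    while True:
        n += 1
        if all(n % d for d in range(2, math.isqrt(n) + 1)):
            return n

def make_key(seed, e=65537):
    p = next_prime(seed)
    q = next_prime(p)
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("choose another seed")
    return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data):
    return pow(digest_int(data) % key["n"], key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest_int(data) % pub["n"]

def fingerprint(pub):
    # What you read back to the owner over the phone or in person.
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()[:16]

# --- Public key certificates and the validity rule from the text.
def new_cert(key, user_id):
    return {"n": key["n"], "e": key["e"], "user_id": user_id, "sigs": []}

def cert_payload(cert):
    # An introducer certifies the binding of key material to the user ID.
    return f"{cert['n']}|{cert['e']}|{cert['user_id']}".encode()

def certify(introducer_key, cert):
    cert["sigs"].append((fingerprint(introducer_key),
                         sign(introducer_key, cert_payload(cert))))

def key_is_valid(cert, keyring, trusted):
    """trusted: fingerprints you checked directly with their owners and trust
    to introduce others; keyring: fingerprint -> cert you already hold.
    Valid if obtained directly, or if a trusted key you hold signed it and
    the signature still checks against the key material as you have it."""
    if fingerprint(cert) in trusted:
        return True
    for signer_fpr, sig in cert["sigs"]:
        signer = keyring.get(signer_fpr)
        if signer and signer_fpr in trusted and verify(signer, cert_payload(cert), sig):
            return True
    return False

# --- Notarised signatures: a signature certificate of a signature certificate.
def signed_document(key, document, claimed_time):
    # The signer's own timestamp is self-asserted: the clock can say anything.
    return {"claimed_time": claimed_time,
            "sig": sign(key, document + b"|" + claimed_time.encode())}

def notary_payload(detached, notary_time):
    return f"{detached['sig']}|{detached['claimed_time']}|{notary_time}".encode()

def notarize(notary_key, detached, observed_time):
    # The notary signs the detached signature plus the time it observed; the
    # entry is what it would place in its publicly readable log.
    return {"detached": detached, "notary_time": observed_time,
            "notary_sig": sign(notary_key, notary_payload(detached, observed_time))}

def effective_time(entry, notary_pub, signer_pub, document):
    """The time a relying party should believe: the notary's, never the
    signer's claim, and only when both signature layers verify (else None)."""
    d = entry["detached"]
    if not verify(signer_pub, document + b"|" + d["claimed_time"].encode(), d["sig"]):
        return None
    if not verify(notary_pub, notary_payload(d, entry["notary_time"]), entry["notary_sig"]):
        return None
    return entry["notary_time"]

def demo():
    alice, bob, notary, mallory = (make_key(s) for s in (1_000_000, 2_000_000, 3_000_000, 4_000_000))
    bob_cert = new_cert(bob, "Bob Example <bob@example.org>")
    certify(alice, bob_cert)               # Alice, verified in person, vouches for Bob
    keyring = {fingerprint(alice): new_cert(alice, "Alice Example <alice@example.org>")}
    trusted = {fingerprint(alice)}
    out = {"bob_via_alice": key_is_valid(bob_cert, keyring, trusted)}
    # Tampered copy: Mallory's key material under Bob's user ID, signatures kept.
    forged = dict(bob_cert, n=mallory["n"], e=mallory["e"])
    out["tampered_bob"] = key_is_valid(forged, keyring, trusted)
    # Bob signs a contract claiming 1990; the notary records what it saw in 1997.
    contract = b"I owe Alice 100 units."
    entry = notarize(notary, signed_document(bob, contract, "1990-01-01"), "1997-10-26")
    out["effective_time"] = effective_time(entry, notary, bob, contract)
    # Altering the notary's recorded time breaks the notary's signature.
    out["backdated"] = effective_time(dict(entry, notary_time="1990-01-01"), notary, bob, contract)
    return out

if __name__ == "__main__":
    print(demo())
```

The tampering case is the one the text calls the Achilles' heel: the forged certificate still carries Alice's certification, but that certification was over Bob's key material, so it fails against Mallory's, and the forged key's own fingerprint is not one you verified. The notary case shows why the self-asserted timestamp carries no weight on its own: the relying party reads the date out of the notary's layer, and editing that date invalidates the notary's signature.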

Cryptanalysis

An expensive and formidable cryptanalytic attack could possibly
be mounted by someone with vast supercomputer resources,
such as a Government intelligence agency. They might crack
your RSA key by using some new secret factoring breakthrough.
Perhaps so, but it is noteworthy that the US Government trusts
the RSA algorithm enough in some cases to use it to protect
its own nuclear weapons, according to Ron Rivest. And civilian
academia has been intensively attacking it without success
since 1978. 

Perhaps the Government has some classified methods of cracking
the IDEA(TM) conventional encryption algorithm used in PGP.
This is every cryptographer's worst nightmare. There can
be no absolute security guarantees in practical cryptographic
implementations.

Still, some optimism seems justified. The IDEA algorithm's designers
are among the best cryptographers in Europe. It has had
extensive security analysis and peer review from some of
the best cryptanalysts in the unclassified world. It appears
to have some design advantages over the DES in withstanding
differential and linear cryptanalysis, which have both been
used to crack the DES.

Besides, even if this algorithm has some subtle unknown weaknesses,
PGP compresses the plaintext before encryption, which should
greatly reduce those weaknesses. The computational workload
to crack it is likely to be much more expensive than the
value of the message.

If your situation justifies worrying about very formidable attacks
of this caliber, then perhaps you should contact a data security
consultant for some customized data security approaches
tailored to your special needs. Boulder Software Engineering,
whose address and phone are given at the end of this document,
can provide such services.

In summary, without good cryptographic protection of your data
communications, it may have been practically effortless
and perhaps even routine for an opponent to intercept your
messages, especially those sent through a modem or E-mail
system. If you use PGP and follow reasonable precautions,
the attacker will have to expend far more effort and expense
to violate your privacy.

If you protect yourself against the simplest attacks, and you
feel confident that your privacy is not going to be violated
by a determined and highly resourceful attacker, then you'll
probably be safe using PGP. PGP gives you Pretty Good Privacy.

Copyright Anonymous <prz@acm.org>


Son, if you think it appropriate, you might tell your mom: The
Aztecs were extremely clean. The Spanish conquistadors were extremely
dirty. The Spaniards won.

LMBoyd Web Site 


"The Xenix Chainsaw Massacre"

"WebWorld & the Mythical Circle of Eunuchs"

"InfoWar (Part III of 'The True Story of the InterNet')

Soviet Union Sickle of Eunuchs Secret WebSite
