a look at the pgp keyserver data
play

A look at the PGP keyserver data Hanno B ock 1 / 23 The PGP - PowerPoint PPT Presentation

Dec 19, 2022 •550 likes •798 views

Introduction Keyserver data Attacking bad random numbers Thanks A look at the PGP keyserver data Hanno B ock 1 / 23 The PGP Ecosystem Introduction Should we care? Keyserver data PGP problems Attacking bad random numbers Is PGP here

  1. Introduction Keyserver data Attacking bad random numbers Thanks A look at the PGP keyserver data Hanno B¨ ock 1 / 23

  2. The PGP Ecosystem Introduction Should we care? Keyserver data PGP problems Attacking bad random numbers Is PGP here to stay? Thanks Conclusion The PGP Ecosystem The OpenPGP standard (RFC 4880) Software packages (Original PGP, GnuPG, endtoend, ...) Key servers (today mostly sks) When I say PGP I mean the ”PGP ecosystem” (software, standards etc.), not the PGP software product itself 2 / 23

  3. The PGP Ecosystem Introduction Should we care? Keyserver data PGP problems Attacking bad random numbers Is PGP here to stay? Thanks Conclusion Should we care? ’Why is GPG ”damn near unusable”?’ (31C3) ”In the 1990s, I was excited about the future, and I dreamed of a world where everyone would install GPG. Now I’m still excited about the future, but I dream of a world where I can uninstall it.” (Moxie Marlinspike) ”Please throw some money to the GPG guy. Even though PGP sucks, it’s the best we’ve got.” (Matthew Green) 3 / 23

  4. The PGP Ecosystem Introduction Should we care? Keyserver data PGP problems Attacking bad random numbers Is PGP here to stay? Thanks Conclusion PGP problems Crypto is outdated, some of that is not fixable within the current model (Forward secrecy) PGP is and has always been ”damn near unusable” Lots of backwards compatibility cruft, complex format, limited software options (no library) No subject encryption Two competing mail formats (PGP/MIME and PGP/Inline) each with its own advantages and disadvantages The trust model (web-of-trust, key signing) is incomprehensible for everyone outside the geek cosmos 4 / 23

  5. The PGP Ecosystem Introduction Should we care? Keyserver data PGP problems Attacking bad random numbers Is PGP here to stay? Thanks Conclusion Is PGP here to stay? Google and Yahoo work on PGP-based solutions (endtoend) Nothing currently seeks to replace it in the E-Mail space Systems like Textsecure and Pond are technically superior, but they’re not built to replace E-Mail 5 / 23

  6. The PGP Ecosystem Introduction Should we care? Keyserver data PGP problems Attacking bad random numbers Is PGP here to stay? Thanks Conclusion Conclusion I hate PGP, but I still try to make it better Fuzzing GnuPG found various vulnerabilities (CVE-2014-9087, CVE-2015-1606, CVE-2015-1607) Made proposal for subject encryption (a variant of it developed by Daniel Kahn Gillmor may land in Enigmail) I looked at the keyserver data to find crypto attacks (this talk) 6 / 23

  7. The Idea Inspiration Introduction Look at keyserver data Keyserver data Parser challenges Attacking bad random numbers Database challenges Thanks How does it work? How does it look like? What data? The Idea PGP key servers store all keys ever sent to them on an add only basis You can’t delete keys from key servers, you can just revoke them This leads to all kinds of potential problems (keyservers can be flooded with bogus data, privacy issues, ...) Crypto researchers perspective: Great, lots of data to investigate. 7 / 23

  8. The Idea Inspiration Introduction Look at keyserver data Keyserver data Parser challenges Attacking bad random numbers Database challenges Thanks How does it work? How does it look like? What data? Inspiration EFF SSL Observatory (2010) Mining Your Ps and Qs (Nadia Heninger et al, 2012) 8 / 23

  9. The Idea Inspiration Introduction Look at keyserver data Keyserver data Parser challenges Attacking bad random numbers Database challenges Thanks How does it work? How does it look like? What data? Look at keyserver data Large scale analysis of Internet wide scans for TLS certificate found crypto vulnerabilities For PGP we don’t have to scan the Internet - we can get the data from the keyservers Let’s put the crypto values in a database and analyze it 9 / 23

  10. The Idea Inspiration Introduction Look at keyserver data Keyserver data Parser challenges Attacking bad random numbers Database challenges Thanks How does it work? How does it look like? What data? Parser challenges Lack of software: There is no low-level library to parse PGP key data pgpdump: Command line tool, doesn’t give us all the data we want I wrote my own parser in python (warning: I’m not a good coder, the code looks horrible, but it works) keyr (abbr for key parser) will take keyserver data and output MySQL statements 10 / 23

  11. The Idea Inspiration Introduction Look at keyserver data Keyserver data Parser challenges Attacking bad random numbers Database challenges Thanks How does it work? How does it look like? What data? Database challenges Large database (84 GB), careful adjustments of parameters (e. g. indexes) Used MyISAM, MySQL 5.6 and tcmalloc (improved memory allocator from Google) Increased values for max allowed packet, key buffer size, wait timeout, interactive timeout (Warning: My MySQL knowledge is limited) 11 / 23

  12. The Idea Inspiration Introduction Look at keyserver data Keyserver data Parser challenges Attacking bad random numbers Database challenges Thanks How does it work? How does it look like? What data? How does it work? Download keyserver dump, unpack if neccessary Create database and tables from keyr-tables.sql Run keyr on keyserver dump files, pipe output to MySQL 12 / 23

  13. The Idea Inspiration Introduction Look at keyserver data Keyserver data Parser challenges Attacking bad random numbers Database challenges Thanks How does it work? How does it look like? What data? How does it look like? 13 / 23

  14. The Idea Inspiration Introduction Look at keyserver data Keyserver data Parser challenges Attacking bad random numbers Database challenges Thanks How does it work? How does it look like? What data? What data? Keys and signatures splittet into their hex encoded crypto values Hashes for signatures Rememer: Crypto keys and signatures are just numbers Ignored: User ID strings etc. - everything that’s not crypto/math 14 / 23

  15. Attack idea: RSA Batch GCD Introduction DSA is common Keyserver data DSA duplicate k Attacking bad random numbers Lots of DSA keys and signatures Thanks Give me duplicate r’s The broken key What could be done next? Attack idea: RSA RSA public key: Modulus N (product of primes p, q) and exponent e If we know p and q we can break the key If due to a bad random number generator two RSA keys share one factor of N (p*q1, p*q2) we can efficiently break the keys by calculating the greatest common divisor (GCD) Same attack as Heninger et al and Lenstra et al (2012) 15 / 23

  16. Attack idea: RSA Batch GCD Introduction DSA is common Keyserver data DSA duplicate k Attacking bad random numbers Lots of DSA keys and signatures Thanks Give me duplicate r’s The broken key What could be done next? Batch GCD We can replicate the attack with the code from Nadia Heninger, but no new insights Leads to two valid looking breakable keys, reason unknown Various obviously broken keys (small factors, no user ids etc.) - the key servers are full of invalid data, likely due to data transmission errors 16 / 23

  17. Attack idea: RSA Batch GCD Introduction DSA is common Keyserver data DSA duplicate k Attacking bad random numbers Lots of DSA keys and signatures Thanks Give me duplicate r’s The broken key What could be done next? DSA is common GnuPG by default created primary DSA keys with 1024 bit for a long time 1024 bit is considered bad, it can be broken by attackers with a large budget I don’t have millions of euros and no degree in advanced number theroy But: DSA has a weakness when it comes to random numbers 17 / 23

  18. Attack idea: RSA Batch GCD Introduction DSA is common Keyserver data DSA duplicate k Attacking bad random numbers Lots of DSA keys and signatures Thanks Give me duplicate r’s The broken key What could be done next? DSA duplicate k When creating a DSA signature one has to create a temporary, random and unique value k If two signatures where created with the same k it leads to the same r, so we can easily find these signatures If due to bad random numbers we have two different signatures with a shared k/r value we can break the private key This is a real problem: Attack on Playstation 3 and Bitcoin stealing 18 / 23

  19. Attack idea: RSA Batch GCD Introduction DSA is common Keyserver data DSA duplicate k Attacking bad random numbers Lots of DSA keys and signatures Thanks Give me duplicate r’s The broken key What could be done next? Lots of DSA keys and signatures We have lots of DSA keys and signatures - if there ever was a PGP DSA implementation with a flawed random number generator we will probably find it A look at the code of original PGP and GnuPG shows that the developers knew of this problem and did a lot of things to prevent it from happening 19 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Data Preparation Data cleaning Data integration and transformation (Data

Data Preparation Data cleaning Data integration and transformation (Data

Data Preprocessing Why preprocess the data? Data Preparation Data cleaning Data integration and transformation (Data preprocessing) Data reduction, Feature selection Discretization and concept hierarchy generation 2

891 views • 21 slides
DATA MINING LECTURE 2 What is data? The data mining pipeline What is Data Mining? Data

DATA MINING LECTURE 2 What is data? The data mining pipeline What is Data Mining? Data

DATA MINING LECTURE 2 What is data? The data mining pipeline What is Data Mining? Data mining is the use of efficient techniques for the analysis of very large collections of data and the extraction of useful and possibly unexpected

2.4k views • 94 slides
Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Inf1-DA 20102011 III: 68 / 91 Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval Statistical Analysis of Data: III.2 Data scales and summary statistics III.3 Hypothesis testing and correlation III.4 2

729 views • 24 slides
Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Inf1-DA 20102011 III: 28 / 89 Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval Statistical Analysis of Data: III.2 Data scales and summary statistics III.3 Hypothesis testing and correlation III.4

455 views • 23 slides
Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Inf1-DA 20102011 III: 51 / 89 Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval Statistical Analysis of Data: III.2 Data scales and summary statistics III.3 Hypothesis testing and correlation III.4

344 views • 17 slides
Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Inf1-DA 20102011 III: 68 / 91 Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval Statistical Analysis of Data: III.2 Data scales and summary statistics III.3 Hypothesis testing and correlation III.4 2

579 views • 8 slides
Data Preparation Data cleaning Discretization (Data preprocessing) Data

Data Preparation Data cleaning Discretization (Data preprocessing) Data

Data Preprocessing Why preprocess the data? Data Preparation Data cleaning Discretization (Data preprocessing) Data integration and transformation Data reduction, Feature selection 2 Why Prepare Data? Why Prepare

462 views • 15 slides
DATA QUALITY AND DATA DATA QUALITY AND DATA PROGRAMMING PROGRAMMING "Data cleaning and

DATA QUALITY AND DATA DATA QUALITY AND DATA PROGRAMMING PROGRAMMING "Data cleaning and

DATA QUALITY AND DATA DATA QUALITY AND DATA PROGRAMMING PROGRAMMING "Data cleaning and repairing account for about 60% of the work of data scientists." Christian Kaestner Required reading: Schelter, S., Lange, D., Schmidt, P.,

1.1k views • 86 slides
Data stories with The Pudding So what is data storytelling? Data academia & data science

Data stories with The Pudding So what is data storytelling? Data academia & data science

Data stories with The Pudding So what is data storytelling? Data academia & data science dense complex static/non-interactive often not accompanied by an easy-to-follow narrative Data art beautiful abstract

647 views • 5 slides
Data Acquisition Chapter 2 Data Acquisition 1 st step: get data Usually data gathered by

Data Acquisition Chapter 2 Data Acquisition 1 st step: get data Usually data gathered by

Data Acquisition Chapter 2 Data Acquisition 1 st step: get data Usually data gathered by some geophysical device Most surveys are comprised of linear traverses or transects Typically constant data spacing Perpendicular to

432 views • 12 slides
Data Collection and Aggregation Data Collection and Aggregation 1 Challenges: data Challenges:

Data Collection and Aggregation Data Collection and Aggregation 1 Challenges: data Challenges:

Data Collection and Aggregation Data Collection and Aggregation 1 Challenges: data Challenges: data Data type: numerical sensor readings. Rich and massive data, spatially distributed and correlated. Data dynamics: data

713 views • 48 slides
Business Statistics CONTENTS The role of data The data matrix Data types Aspects of data

Business Statistics CONTENTS The role of data The data matrix Data types Aspects of data

DATA Business Statistics CONTENTS The role of data The data matrix Data types Aspects of data Obtaining data Further study THE ROLE OF DATA Data refers to observed facts there are 82 persons in this train the weight of

683 views • 22 slides
DataCamp Data Types for Data Science DataCamp Data Types for Data Science Data types Data type

DataCamp Data Types for Data Science DataCamp Data Types for Data Science Data types Data type

DataCamp Data Types for Data Science DataCamp Data Types for Data Science Data types Data type system sets the stage for the capabilities of the language Understanding data types empowers you as a data scientist DataCamp Data Types for Data

526 views • 23 slides
q.Datum Data Exchange The marketplace for big data Data is the new oil of the Internet and the

q.Datum Data Exchange The marketplace for big data Data is the new oil of the Internet and the

q.Datum Data Exchange The marketplace for big data Data is the new oil of the Internet and the new currency of the digital world . World Economic Forum 1 Problem: access to big data Data accessed & analyzed Data in organizations

543 views • 30 slides
Concatenating data Cleaning Data in Python Combining data Data may not always come in 1

Concatenating data Cleaning Data in Python Combining data Data may not always come in 1

CLEANING DATA IN PYTHON Concatenating data Cleaning Data in Python Combining data Data may not always come in 1 huge file 5 million row dataset may be broken into 5 separate datasets Easier to store and share May have

425 views • 26 slides
Prioritizing Data and Purpose of Data Points What data do I have? What data do I trust? What

Prioritizing Data and Purpose of Data Points What data do I have? What data do I trust? What

Prioritizing Data and Purpose of Data Points What data do I have? What data do I trust? What data do I use most? Session Target: After todays session, you will be able to: 1. Insert/include data opportunities into PL models. 2.

710 views • 12 slides
MAKING SOVEREIGN DEBT SAFE WITH A FINANCIAL STABILITY FUND (BY LIU, MARIMON & WICHT)

MAKING SOVEREIGN DEBT SAFE WITH A FINANCIAL STABILITY FUND (BY LIU, MARIMON & WICHT)

A DISCUSSION OF MAKING SOVEREIGN DEBT SAFE WITH A FINANCIAL STABILITY FUND (BY LIU, MARIMON & WICHT) Aitor Erce (UPNA) My nutshell The paper designs a co-insurance contract: Use strict rules (DSA) and state-contingent contracts

362 views • 14 slides
Direct School Admission for Secondary Schools (DSA-Sec) Entering a secondary school PSLE/S1

Direct School Admission for Secondary Schools (DSA-Sec) Entering a secondary school PSLE/S1

Direct School Admission for Secondary Schools (DSA-Sec) Entering a secondary school PSLE/S1 Posting Process DSA-Sec Based on a students PSLE score Based on a diverse range of talents and Most students enter secondary achievements

446 views • 17 slides
Certification of data repositories: CDS experience and RDA outputs F. Genova & G. Landais

Certification of data repositories: CDS experience and RDA outputs F. Genova & G. Landais

Certification of data repositories: CDS experience and RDA outputs F. Genova & G. Landais (thanks to I. Dillo and Herv L Hours) 2 Perhaps the biggest challenge in sharing data is trust: how do you create a system robust enough for

546 views • 26 slides
Dynamic Spectrum Access in 5G Narayan B. Mandayam WINLAB, Rutgers University

Dynamic Spectrum Access in 5G Narayan B. Mandayam WINLAB, Rutgers University

Dynamic Spectrum Access in 5G Narayan B. Mandayam WINLAB, Rutgers University narayan@winlab.rutgers.edu winlab.rutgers.edu/~narayan 1 WINLAB What is 5G ? Wide range of spectrum choices Wide range of application choices 100s of MHz to

944 views • 32 slides
Post-transplant DSA Monitoring Shiang Cheng Kung MBBCh Clinical Professor of Medicine Division

Post-transplant DSA Monitoring Shiang Cheng Kung MBBCh Clinical Professor of Medicine Division

9/20/2016 In 1954 These Identical Twins Made Kidney Transplant History Post-transplant DSA Monitoring Shiang Cheng Kung MBBCh Clinical Professor of Medicine Division of Transplantation University of California, San Francisco Skin allografts

219 views • 6 slides
USAID TAS Workshop Azalai Hotel, Abidjan-Cote d'Ivoire Ernest Mensah | January, 14, 2020

USAID TAS Workshop Azalai Hotel, Abidjan-Cote d'Ivoire Ernest Mensah | January, 14, 2020

USAID TAS Workshop Azalai Hotel, Abidjan-Cote d'Ivoire Ernest Mensah | January, 14, 2020 Advanced country LF programs across the USAID supported countries - 67% stopped MDA - DSA in 82% of remaining districts Background in 2020 Disease

269 views • 7 slides
ANNUAL REPORT to the Board of Directors of North Monterey County Unified School District

ANNUAL REPORT to the Board of Directors of North Monterey County Unified School District

ANNUAL REPORT to the Board of Directors of North Monterey County Unified School District 10/1/2015 First Annual Report: Passage through June 30, 2015 Measure H Citizens Bond Presented by Committee Chair Lorena Miranda Oversight

278 views • 5 slides
A Practical Introduction to Data Structures and Algorithm Analysis - JA VA Edition slides

A Practical Introduction to Data Structures and Algorithm Analysis - JA VA Edition slides

A Practical Introduction to Data Structures and Algorithm Analysis - JA VA Edition slides derived from material by Clifford A. Shaffer 1 The Need for Data Structures [A primary concern of this course is efficiency.] Data structures organize

2.29k views • 196 slides

More recommend