OnPoint by Keith Ng


The Gift that Keeps on Making Me Barf

Last week, we saw the first indication that the NSA & friends have developed "groundbreaking cryptanalytic capabilities". This week, we found out exactly what that means. Basically, the keys that major companies use to encrypt their traffic have been stolen or weakened with flaws; backdoors have been put into products and networks; this is sometimes done with the willing cooperation of companies, sometimes with coerced cooperation, and other times, without their knowledge at all.

To draw an analogy: They haven't yet figured out how to picked the locks on your door, but they've managed to steal keys, to open windows, and to make your locksmith install dodgy locks. Of course, once they've done this, they're not the only ones who can climb through those windows and break those dodgy locks.

This why the news is significant: Not only does their mass survelliance system reach deep into secure systems used by everyone, they've also worked with industry to seed security holes throughout the entire system. It is an utter nightmare - these systems are the basis for "e-commerce", or as we call it these days, "commerce". Not only can we not trust the systems, we can't trust the people who build the systems.

This is a huge deal.

However, despite this being framed as a breach of encryption, the actual process of encryption (the actual "lock") hasn't been broken. What this has really shown is that if you want security, there is no alternative to doing it yourself and verifying it yourself.

Part 3: Verifying Keys

So there's a public key on my page. How do you know that's *my* key? Anyone could have created that key, just like I created the John PGPKey key. For all you know, some Russian hacker could have taken over Public Address and put that key there.

As a first step, you should look up my key. My key is published, so you can go to this keyserver and look up it up using my name.

The second one looks like me. Which is nice, but doesn't mean much - that could be faked too. You can check the fingerprint against the one I have on my twitter profile and the one I have on my Public Address page.

They match up! This means the person who created the key also controls my Twitter and Public Address accounts. But what if both those things were hacked? Last year, Wired writer Mat Honan got hacked - from his Amazon account, they got his credit card number; with his credit card number, they got his Apple account and his Apple email; with his email, they got EVERYTHING, and remotely wiped both his computer and his phone.

Now we move on to the next step: Little further down, we see Idiot/Savant. He has signed my key, which means that he has used his key to vouch for my key. We can check I/S's key fingerprint against the fingerprint on his Twitter bio. That can be hacked as well, of course, but it means that the hacker would have to hack both our accounts, as well as Public Address and No Right Turn.

The thing that makes signed keys special is that those signatures can't be changed. If I make up a new key, those signatures have to be renewed.

If you met I/S and verified his key, then that takes you one step closer: You know that his key is not faked, therefore you can be more confident that my key is not faked.

(I'll be organising a key-signing party at some stage, which is why I haven't talked about key signing. Also, I'm on a bus to Warkworth.)

42 responses to this post

First ←Older Page 1 2 Newer→ Last