214 lines
10 KiB
Plaintext
214 lines
10 KiB
Plaintext
|
* Security and authentication using PGP in FidoNet
|
||
|
|
|
||
|
|
THOUGHTS ON SECURITY AND AUTHENTICATION
|
||
|
|
FOR EMAIL SYSTEMS
|
||
|
|
Tom Jennings (1:125/111)
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
Some ideas on public key security systems. To sum up ahead of time, I
|
||
|
|
assert that the public broadcasting of public keys is more than
|
||
|
|
enough security and authentication for casual, privacy needs in the
|
||
|
|
FidoNet or other email network.
|
||
|
|
|
||
|
|
All of this article assumes the use of PGP version 2.0, the RSA
|
||
|
|
double-key encryption system implemented as freeware.
|
||
|
|
|
||
|
|
|
||
|
|
This is all new to most of us, this security/privacy thing. Both
|
||
|
|
technologically and socially. What privacy we have we take for granted
|
||
|
|
without much thought; letters in envelopes, "who is it?" to knocks on
|
||
|
|
the door, etc. When we try to break down these things into their
|
||
|
|
underlying assumptions, well, it's hard. We shouldn't get upset with
|
||
|
|
ourselves or others if "we don't get it" right away. And we'll find
|
||
|
|
some obvious things aren't, and vice versa.
|
||
|
|
|
||
|
|
I will assume that if you really, really need utter absolute security,
|
||
|
|
you can achieve that with PGP or whatever. If it's that sensitive,
|
||
|
|
sending it over an electronic medium probably isn't recommended. This
|
||
|
|
article isn't about how to achieve bank-vault security.
|
||
|
|
|
||
|
|
Within the FidoNet, the most common use we all seem to talk about is
|
||
|
|
PRIVACY, rather than SECURITY. I can only speak for myself, but, my
|
||
|
|
netmail (not echomail) traffic is probably a reasonable example. I
|
||
|
|
read about 100 messages a week, and send out about 50. There's a dozen
|
||
|
|
or so people I talk with regularly, and about 50 per week that I do
|
||
|
|
not know. Most of it is of the "Oh yeah, so and so said this. How's
|
||
|
|
your mother. Did you get that file OK...". Even if an eavesdropper
|
||
|
|
read this stuff, I would barely care.
|
||
|
|
|
||
|
|
There are some times though when revealed message contents could be...
|
||
|
|
personally compromising. Embarrassing. A real life example: a long
|
||
|
|
time ago, a sysop in a net was having trouble with their net host.
|
||
|
|
Some messages critical of that net host were intercepted by the host,
|
||
|
|
some passed on, and some we each got replies to! Not Good.
|
||
|
|
|
||
|
|
What *I* want is a way to ensure that sometimes, only the addressee
|
||
|
|
can read a given message. I am willing to pay some penalty for this,
|
||
|
|
but I won't live with a system that restrains me like a stone castle
|
||
|
|
and moat. My needs and risks just aren't that great.
|
||
|
|
|
||
|
|
With that as a background assumption, let's look at two separate
|
||
|
|
issues that look at first to be the same -- SECURITY and
|
||
|
|
AUTHENTICATION.
|
||
|
|
|
||
|
|
|
||
|
|
SECURITY -- given an encrypted message, how likely is it that someone
|
||
|
|
can ascertain what's inside it (assuming you're not the addressor or
|
||
|
|
addressee)? As an operating assumption, I will take it for granted
|
||
|
|
that PGP produces files that are secure in themselves (barring bugs,
|
||
|
|
etc). Like the docs say, a frontal cryptological assault is hard, and
|
||
|
|
in our casual privacy case, probably not what we've got to worry
|
||
|
|
about.
|
||
|
|
|
||
|
|
There are other ways to figure out what's going on. Imagine you're
|
||
|
|
that net host. You've had trouble with this particular sysop before.
|
||
|
|
You notice he's just sent a flurry of messages to the local RC, then
|
||
|
|
the ZC. Hmmm!! Do you really need to know what's in those messages?!
|
||
|
|
(This is called traffic analysis. In pre-WWII Germany, the Nazis
|
||
|
|
tracked down "Jew sympathizers" with traffic analysis of telephone
|
||
|
|
billing information; Europeans don't get itemized phone bills any
|
||
|
|
longer... like here in the US. So I was told, the information is no
|
||
|
|
longer kept. (Do I really believe that...:-))
|
||
|
|
|
||
|
|
Anyways, security is more than cryptographic strength. Turns out,
|
||
|
|
there's a way around this: anonymous remailers. In a private Internet
|
||
|
|
mailing list Eric Hughes came up with a trick to anonymously remail
|
||
|
|
messages; you send mail destined for system X to the remailer instead;
|
||
|
|
it strips off the header info and mails it to system X. Anonymity
|
||
|
|
isn't really needed though in the case above, simple remailing will
|
||
|
|
do. Again, our *general* FidoNet needs are modest.
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
AUTHENTICATION is the sticky one for us. Authentication is
|
||
|
|
determining: is this person really the person they say they are? But I
|
||
|
|
think you'll see it isn't the fatal problem it appears to be at first.
|
||
|
|
|
||
|
|
Let's get the obvious case out of the way first again: if you need
|
||
|
|
utter and absolute security, you better damn well know the person
|
||
|
|
ahead of time, you should get a key delivered by hand, and you should
|
||
|
|
think about if you really want to conduct business over an electronic
|
||
|
|
link in the first place. Authentication in this case isn't -- or
|
||
|
|
shouldn't be! -- a problem.
|
||
|
|
|
||
|
|
For our relatively-casual privacy use, authentication is almost moot.
|
||
|
|
Some people I have already exchanged keys with, *I've never met face
|
||
|
|
to face in my life* and may never. In spite of this I feel I know
|
||
|
|
them. I trust or assume that they are who they say they are. This is
|
||
|
|
the environment we need to work in.
|
||
|
|
|
||
|
|
This, plus the fact that we've got (at the moment) some 16,000
|
||
|
|
potential keys, means we simply can't do the full-blast security
|
||
|
|
thing. How much "security" can I expect, or need, with someone I've
|
||
|
|
never met? Consider again the utter-security case again.
|
||
|
|
|
||
|
|
But the bottom line is in fact already taken care of, PGP or not --
|
||
|
|
how do you know that "the real Tom Jennings" wrote this article? Our
|
||
|
|
underlying social system, so frequently overlooked, takes care of it.
|
||
|
|
You can assume I, and many people who have been in the net, are
|
||
|
|
verifiable. You have a number of ways to determine if I really wrote
|
||
|
|
this article. Simply asking via FidoNet will uncover most fakes.
|
||
|
|
Looking at old nodelists to see what info on my name has changed. Ask
|
||
|
|
people who might know me. And so on.
|
||
|
|
|
||
|
|
If our public keys are scattered to the wind like plants scatter
|
||
|
|
pollen, it is certainly possible that I could fake "your" public key,
|
||
|
|
and gain access through all the methods discussed in detail in the
|
||
|
|
literature. However, assuming the real person and the fake person(s)
|
||
|
|
are both generating keys (and using them to sign and send messages),
|
||
|
|
the more keyrings were passed around the chances of detecting the
|
||
|
|
incompatible keys becomes almost certain. At that point, even a casual
|
||
|
|
effort would be able to track it down, to at least determine that
|
||
|
|
there *was* a fake.
|
||
|
|
|
||
|
|
Example: Mary has been using PGP for a few months, and conversing with
|
||
|
|
friends and acquaintances. Her public key is filerequestable, and
|
||
|
|
probably appears on a hundred keyrings.
|
||
|
|
|
||
|
|
Over the next few months, other people get messages from "Mary" making
|
||
|
|
increasingly odd claims, via encrypted mail. The impostors fake key,
|
||
|
|
in order to be useful at all, would also have to be widely
|
||
|
|
distributed.
|
||
|
|
|
||
|
|
Curious, someone sends Mary a message encrypted with what appears to
|
||
|
|
be her public key, and a plaintext one telling her that the
|
||
|
|
cyphertext was encrypted with her public key, and that he suggests if
|
||
|
|
she can't decipher it someone may have faked her key.
|
||
|
|
|
||
|
|
What Mary actually does depends on many things. If she has indeed
|
||
|
|
been creating the crazy messages, well, the problem's elsewhere. If
|
||
|
|
she finds she can't read the message, her recourse depends on what is
|
||
|
|
available to her: if there are public key repositories, she would be
|
||
|
|
advised to contact them and notify them of the alleged faked key(s),
|
||
|
|
and follow whatever process is setup to generate a new key.
|
||
|
|
|
||
|
|
The very knowledge of key collision would be enough to flag to users
|
||
|
|
that there's a potential problem.
|
||
|
|
|
||
|
|
|
||
|
|
There are more practical issues that limit our need for traditional
|
||
|
|
security measures on keys.
|
||
|
|
|
||
|
|
Even if you stored your private key on disk, it would take physical
|
||
|
|
access of your machine to get it. This is not what I'm worried about
|
||
|
|
in private FidoNet mail. If a FidoNet member tries to break into my
|
||
|
|
house or system to get at my key, I've got other troubles!
|
||
|
|
|
||
|
|
Practically speaking, it might even be a good idea to have two keys; a
|
||
|
|
small (256 bit) one for casual, email privacy, and a big one (1024
|
||
|
|
bits) that you give to people by hand on diskette. The small key will
|
||
|
|
mean better performance, more important on bulk casual email, and
|
||
|
|
certainly adequate against eavesdropping. For high-security needs,
|
||
|
|
which most people don't have (I certainly don't), the performance
|
||
|
|
penalty probably won't matter as much.
|
||
|
|
|
||
|
|
The worst part of security systems is that people will *rely* on them
|
||
|
|
as absolutes. This is the only thing that makes a faked, encrypted
|
||
|
|
message worse than a faked, plaintext message.
|
||
|
|
|
||
|
|
Again, it's important to remember the goal (as if we could ever
|
||
|
|
possibly agree to a *single* goal...) -- if it's privacy, the ability
|
||
|
|
to stop eavesdroppers, then a broadcast public key system is more than
|
||
|
|
adequate, and public key repositories even better. If you want a
|
||
|
|
maximum-security vault, you take added precautions. No one system will
|
||
|
|
solve all problems. I'm a firm believer in a broadcast public key
|
||
|
|
system for email.
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
PRACTICAL SUGGESTIONS FOR PGP USE IN FIDONET PRIVACY:
|
||
|
|
|
||
|
|
* Use small (256 bit) keys for routine, low-security use, such as
|
||
|
|
netmail privacy with people you don't know personally (and don't get
|
||
|
|
keys from physically).
|
||
|
|
|
||
|
|
* Public key encryption is most useful for email, ie. FidoNet
|
||
|
|
netmail, especially when it flows through multiple hosts on its way
|
||
|
|
to its destination.
|
||
|
|
|
||
|
|
* The current password scheme for echomail links is proven to be
|
||
|
|
adequate to safeguard what is basically a public forum, anyways.
|
||
|
|
Further security doesn't seem to be needed on these links.
|
||
|
|
|
||
|
|
* When adding keys received via FidoNet to your public keyring,
|
||
|
|
answer "do you want to certify this key yourself" with NO, unless you
|
||
|
|
received the key by hand. It doesn't hurt the usefulness of the key
|
||
|
|
itself; however, if someone later uses your public keyring they won't
|
||
|
|
be lulled into a false security. (Certification of keys can be done
|
||
|
|
at any time.)
|
||
|
|
|
||
|
|
* Passing keyrings around willy-nilly, though counter to "good
|
||
|
|
security practice" in traditional uses is actually a good thing for
|
||
|
|
us. "Key Repositories" scattered throughout the net (each exchanging
|
||
|
|
keyrings as well as posting lists of "trouble keys") is a better idea.
|
||
|
|
|
||
|
|
* Reserve large (1024 bit) keys for people who you know, and can
|
||
|
|
ensure security in traditional ways (some pointed out in the PGP
|
||
|
|
documentation).
|
||
|
|
|
||
|
|
* As seems to be developing, have your public key filerequestable as
|
||
|
|
magicname "PGPKEY" (your own public key only), and your keyring as
|
||
|
|
"KEYRING" (all of your public keys). These should be ASCII-armor
|
||
|
|
files (PGP -kxa)
|