Which type of key should I choose and why?

[Paul L. Allen]

[Please Cc me replies as I don't subscribe to the list]

On Mon, Oct 16, 2000 at 12:00:59PM +0100, David Pick wrote:
> > > >                                                  They'll still suspect
> > > > that you have an encryption key (possibly signed by your sign-only key)
> > > > hidden elsewhere.
> > > 
> > > Sure. Which is why I suggest actually using a pair of keys (well, of
> > > course, in a public-key system a pair of key-pairs) so that if you
> > > *do* (eventually!) reveal the encryption key you don't compromise the
> > > signature key.
> > 
> > That makes sense.  To a degree.  I'm uncertain about the practicability
> > of wiping out the signing key before they manage to kick the door in.
> 
> But I don't think you have to. Provided it *is* a signing-only key they
> can't compell you to reveal it.

Provided they take your word for it that it is a signing-only key.
Maybe you fiddled with the packet data somehow to make it appear to be
a signing-only key.  Maybe you're using a hacked version of GPG that can
put a wrapper around a cryptographic hash to turn it into an encryption
algorithm (it may be crude, and possibly weaker than a "real" encryption
algorithm, but it works).  By the time they've taken your encryption key 
away and found they can't decode all your traffic, you've destroyed the 
"signing" key.

That puts you in a situation where you can't turn over one of your
encryption keys.  For most people that would put them in deeper trouble
from the perpetual imprisonment problem; for the types of people the
gov't are really going after that might be preferable.  If you're a
traitor then destroying your encryption key protects the rest of the
network and means it's no good them trying to rubber-hose the password
out of you.  You end up in prison for life but all the other moles are
protected.  Ditto for hardened criminals - life imprisonment with your
dependents being cared for by your cronies is better than what your
cronies would do to you if you grassed them up by revealing your
encryption key.

They're going to want the keyring on the spot.  No messing about or
extracting the key you say is your only encryption key.  They'll take
your computer then insist on the pass phrase.  We know from previous
cases not involving encryption that they take the computer away anyway
as the first thing they do in case there's any incriminating stuff on
it.  That won't stop just because they can now insist you hand over
your encryption key so they can read your e-mail they've recorded.
They'll want everything on your computer and they'll want to ensure
you can't delete anything.  The only way of doing that is to impound
your computer.

In any case, they also have the legal power to sneakily break in and 
bug your computer.  If you're under serious suspicion they'll do that
in order to ensure they get your pass-phrase.  That or park a van
near your house for a while so they can monitor your keyboard emissions.
Too expensive in resources for lightweight criminals but those are the
sort of people who will give in to the threat of perpetual imprisonment.

> > > Oh, I know. I'm just trying to point out why signature-only keys can
> > > help protect your signatures if nothing else. BTW the notices *can* be
> > > challenged, but the onus is on you to justify the refusal.
> > 
> > In theory, there's no difference between theory and practise; in
> > practise there is.  Theoretically you can challenge, but actually
> > succeeding with a challenge is unlikely.
> 
> The intent is to get a plain-text copy of the encrypted data for the
> investigators. If you are willing to decrypt the data for them and
> *supply* the plain text that should be enough.

If you can decrypt all the messages they want decrypted on the spot that
ought to be enough.  I doubt it will be.  RIP is basically fishing-
expedition stuff.  They want everything on your computer *plus* the
contents of any encrypted e-mail and any encrypted filesytems *plus*
(in some cases) opening up your hard disk and trying to pick up deleted
stuff from residual magnetic fields.  They already do that sort of thing
in cases where they have "reasonable grounds" to suspect the computer
contains incriminating evidence ("reasonable grounds" appears to mean
that they suspect you of something and you have a computer).

> If they don't trust
> you to do so completely and want to do it themselves *then* they can
> force you to give up the key. A counter-proposal from you that keeps
> the key away from them but also gives them the plain text should be
> enough. That's why I suspect the TTPs may become popular...

Don't forget they'll have your computer.  They could give that to the
TTP, but I doubt it will happen.  Anyone you nominate they'll suspect
of having a pre-arrangement with you to hide certain text.  Anyone
they nominate will be suspected by you of having an arrangement with
the gov't to hand over secret keys.  TTPs in this scenario are every
bit as flawed as TTPs for key escrow.  They're really Untrusted Third
Parties.  If they happen the only ones the gov't will ever use are the
ones who are their puppets - you'll not be able to reject their choice
unless you pick another of their puppets.  The police might not go
along with this deliberately, but you can bet they'll be supplied a list
of "approved" TTPs.  The police may not get your future traffic but
the spooks will.

So your only sensible option after using a TTP is to revoke your encryption 
key and generate a new one.  Which means that there's no point in using a
TTP in the first place.

You can't even rig a thermite charge around your hard disk and set it
off at the first signs of trouble.  You'll claim you're not refusing to
hand over your key but that it no longer exists so you cannot.  They'll
claim you have another copy hidden away somewhere (which you probably do
if you're serious enough to rig up a thermite charge) and you're refusing
to hand over that one...

> <snip>
> > While it would be nice for those of us who are not criminals but do
> > wish to keep our privacy, I don't see the gov't allowing it.  They don't
> > just want your past traffic, they want anything that might come your way
> > in the future.
> 
> So you revoke your encryption key and publish a new one; you don't have
> to revoke your signature key and can use it to sign the revocation and
> new encryption key.

That won't stop messages coming in using the old key until you manage to
get the revocation published.  Which is hard to do when you're in a
police cell while they read through all the plaintext you've just
supplied them (and "follow up leads found in the plaintext").  And then 
they'll want those new messages decrypted and the leads followed up, by 
which time some more will have come in...  The only way to escape that
trap if you get a lot of encrypted mail is to hand over the pass-phrase at
the start.  Eventually, the mail will dry up in most cases, but it could
take a long time for some people.  Subscribing to a mailing list that
encrypts mail sent to recipients would be a bad idea...

[...]
> > Getting your encryption key also gives them traffic analysis.
> 
> The phrase "traffic analysis" in these circles normally refers to
> an analysis of the patters of messages between communicating parties
> without reference to the content. For example, sudden changes in the
> volume of battlefield radio traffic from the enemy usually warns of
> *sonething* nasty about to happen...
> 
> I suspect you mean they get the content of past messages they've
> tapped and recorded.

Nope, I mean that they find out who you've been communicating with if
you were using an anonymous remailer.  Even if the content to and from
one particular person was always innocuous, they'll still be suspicious
of that person.  Similarly, if that person is also under suspicion or
has known past history, that will throw further suspicion upon you no
matter what the content of the mail (can you say "known associate"? - if
you chat to somebody in the pub every so often and you have no idea he's
really a criminal, you can still end up under investigation as a known
associate).  And if you've been corresponding with that nice young
Bulgarian lady (or gent, if you're that way inclined) you met on
holiday...

Technically, finding out who you've been corresponding with via an
anonymous remailer involves reading the decrypted content, but it is
actually also traffic analysis - it tells them who you've been
corresponding with and how often.  Even if the content looks innocuous
you could have been using a code underneath the cipher, so the traffic
analysis aspect is important.

> <snip - and *I* didn't take it as a rant ;->
> > Rant over...  

Not really appropriate here, though.  Except to the extent that the only
way we're going to be relatively safe is if more people use GPG so that
they don't have the resources to go after everyone.  It's ironic.  The
US finally allows export of strong encryption; France drops its ban
on the use of strong encryption; the UK enacts legislation that kills
privacy on the net and civil liberties and exceeds anything the US has 
tried to put into place in the past.

> <snip again>
> 
> > Trouble is, one of the reasons I'm looking at GPG is for use with
> > automated verification systems used by various domain registrars.
> > They use PGP but don't say what version.
> 
> And I'd bet the registries don't agree between themselves!

Possibly not.  But there's slightly more chance of a different version
of PGP operating with what they're using, it looks like.  What with
your mention of version 3 and 4 packets, and GPG's mention of some packet
field incompatibilities it's starting to look like I'll have to go for
PGP to be on the safe side.  If the registrars had thought of checking
or ensuring GPG interoperability they'd tell us to use PGP or GPG.  The
only way of being sure it to try it and it's probably not worth the
extra time and effort involved if it doesn't work.

> > > There's also module implementing the AES selection, Rijndael,
> > > already...
> > 
> > So I noticed, although I hadn't realized that was the AES selection.  To
> > be honest, if they're happy with it, I'm not, given the political
> > constraints they probably operated under...
> 
> Given how public NIST were, I'm fairly happy. It'll certainly get more
> intensive cryptanalysis for the next few years.

Yep, but I reckon the NSA must believe it's within their capabilities
(even if only just and only for a very small number of messages per
week) to crack or it wouldn't have been allowed to be chosen.  No
matter how public NIST were, you cannot know what out-of-band
communications were taking place between them and the NSA (but you can
guess).  Certainly the NSA would have been consulted about the strengths
of the algorithms in case they knew of serious flaws.  It would be easy
for them to say they knew of a flaw but they couldn't reveal what it
was for security reasons (like it would alert the Russians to the fact
that their favourite cipher had the same flaw).  A few fiddles like
that could knock out a couple of good candidates (with NIST inventing
plausible excuses for dropping them) and leave one the NSA prefer in 
its place.  I don't say it happened, just that you can't be sure it
didn't.

-- 
Paul

-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of  "unsubscribe"  to gnupg-users-request@gnupg.org