A Death Blow to the Web of Trust
12:51PM Jul 26, 2020
All right, so we should have got a countdown from Jolie and we'll be starting right on time.
That's clean. Good.
I think we're live from Jolie.
Go ahead. We are live.
Good morning, afternoon and evening to all attendees who have joined us from all around the world for HOPE 2020. We have a few more days of HOPE 2020 with some really cool talks, workshops and villages to learn from, so please stay tuned and enjoy our amazing sessions coming up for the rest of the week. Today we are all encouraged to use end-to-end encrypted communication, but how do we validate trust? Our first stop for the day is titled A Death Blow to the Web of Trust, by statics. He will talk about how the PGP protocol works and explain some glaring issues with the web of trust and how PGP is broken. statics also likes to talk about left amenia, but we don't talk about that. statics,
Please start your session.
Hi everyone, I'm Alex, and thanks for watching this talk. Before I start, I just wanted to give a quick shout-out to the HOPE conference and everyone who's involved, be it an organizer, be it volunteers, and especially the attendees, the people who pay for tickets, because really, I think everyone is facing a monumental challenge with this disease, and trying to take all this stuff online has been a huge challenge for all of us. But even more importantly, to the people who have been directly affected by the disease: just know that our thoughts are with you. That said, this talk is called A Death Blow to the Web of Trust. For those who are not familiar with PGP or the web of trust, I'll get into that in a moment. And just for reference, for people who might not be aware, the image is taken from the Nintendo game Mike Tyson's Punch-Out!!, where you have Little Mac hitting, kind of, a cheap effigy of PGP. So the thesis of this talk is that I really like PGP, Pretty Good Privacy, or GnuPG, the open-source GPG implementation. However, I want the public key servers to die. So let's start with a short primer on what PGP and GPG are; I will use those terms interchangeably. We have two kinds of cryptography, symmetric and asymmetric. So let's start with the scenario that Alice wants to send a message to Bob, but Tommy Trickster is an evil guy and he wants to intercept this message. So the question is, how do Alice and Bob communicate securely? Well, before 1991, which is the essence of PGP, the steps to defeat Tommy Trickster were: number one, Alice and Bob would meet somewhere secretly and agree on a key; number two, they would then use this key to both encrypt and decrypt their messages; and number three, if Tommy Trickster learns the key, they're fucked.
Basically, we call this symmetric cryptography because it uses the same key to encrypt and decrypt the message. So next we have, when PGP came out, this concept of public key, asymmetric cryptography, which was actually around for a while before, but PGP is when it became really commercially accessible. So with PGP, we have these steps to defeat Tommy Trickster. Number one, Bob publishes his public key. Number two, Alice finds his public key and uses it to encrypt her message. Number three, Bob receives Alice's message, and he uses his private key, which only he has, to decrypt it. Tommy Trickster must get Bob's private key to read the message. This is called asymmetric cryptography because it uses one key to encrypt and another key to decrypt, and the idea is that it splits into two keys, so you have a public and a private key, and you keep the private key for yourself and you give the public key out to everyone else. So this brings up two new questions: first, where can Bob publish his key so that Alice can find it? And second, how can Alice be sure that this key is actually his? The general answer that was created by PGP is a key server that is full of signed keys. That is, I create a key and then I upload it to the key server so you can get it. But then the question is, how do you know that key belongs to me? Well, we have this concept called key signing, where, let's say Bob wants to post his key, Alice will then use her key to sign Bob's key, and then Bob's key, signed by Alice's key, goes to the key server. And so if I am searching to find Bob's key, I can see that Alice has signed Bob's key, and I already trust Alice's key, so now I can see that, because Alice signed Bob's key, I can trust Bob's key too. In general, this seemed like a really good idea at the time, and many key servers were created, and this was effectively called the web of trust, where these key servers all...
All the key servers were distributed, widely sharing all the different keys and the key relationships. There is a big problem with this. Yeah, there is a big problem with this. The problem is that when you publish a key that has the signings on it, it reveals your trust relationships and, in fact, effectively reveals your social network to the world. And this can be really problematic sometimes.
The other issue I ran into was, if you look at the key servers, they're all run by independent entities. HKP itself, which is the protocol, when you do the gpg send, what is it, --send-keys, when you upload your key to the key server, effectively does an HTTP POST where the host would be the host name of the key server, and the path would be /pks/add, and then the key itself is effectively what you get when you do gpg --export --armor. It basically takes that, formats it into something that's URL-friendly, appends that to the POST, and that goes and gets uploaded. So that's the entire protocol behind the key server, at least for the input side. And one of the issues I ran into is, first off, you can see in this list of the host names: some of them support IPv6, some don't; some support HKPS, which is the SSL, the secure version of it, but most of them don't; some of them are running Apache, some of them are running nginx; and some of them have a timeout of like 30 seconds and some of them don't. And in order to get this working I actually had to go through all these different key servers and keep uploading and getting timeouts until I would find one or two key servers that didn't have a timeout setting and would actually allow me to upload the keys. So that was a lot of work, and I found out a lot about the key servers in the process. But, yeah, so this brought me to a new question, which was: how can we upload large bloated files to a key server while using all standard tools? Because a custom-compiled GPG works for me, but that doesn't work for anyone else. So, if you step back and think about how a computer works, you have this idea of the file allocation table, which is how a file is stored on a disk.
So we have a file, we break it into chunks, or clusters in this case, or blocks, and you put them onto a drive. And what I realized is that, in the same way that a file can be broken into chunks, we could also take a file and break it into keys. And if you have the keys serving as the individual chunks, then we could actually use this and upload it to the key server. So, in general, we will take some large data, like, I don't know, an MP3 or something, break it into component parts, add them into the keys some way, and then upload the keys to the key server. So I did this for my fourth attempt, and we call this... this was for Berlin, so it's 2017. And this was a lot of fun.
And in general, the way that I decided, if you recall earlier where I was playing with the comments, I basically figured out that one of the attributes of a GPG key is the ability to add a comment, and normally that's something like where somebody is or why they're creating the key; for example, if you look through the key server you'll find a number of keys that have a comment like "this was created at such and such key signing party". And what I went through the code and found, I did some back and forth on this, was the maximum character length that you could put in a comment. Then I took that character length, and I took the MP3 or whatever else, and I split it into chunks that were exactly that character length, created keys with comments of that length, and then uploaded them. Okay. Yeah. So, as you can see here, the way that effectively worked was: it creates a key, uploads the key to the key server, and then you have a key signature that you can use to refer to the key on the key servers. So, ultimately, this created an extra version of a file allocation table, which I call a KAT file, for key allocation table. So there's some issues with this, but there's some good things too. First off, the way key servers work, the keys themselves are never deleted, they're only revoked. And in fact, if you take a look at the pgp.mit.edu FAQ, Frequently Asked Questions, page, it says: can you delete my key from the key server? No, we cannot. They recommend that you simply revoke it, although revoking just basically creates a flag in the file of the key; it's similar to signing or doing a sub-signing of a key. So you revoke it, but the key never goes away. So this is actually good for us, because if we want to store a file safely somewhere, and we're worried that, you know, a disk might fail or something, then the keys are never deleted, so we never have to worry about the key going away.
And in this, the key servers have actually effectively become a RAID 1 clone system. And you can see here, RAID 1 is where you have, you know, disks 0, 1, 2 and 3 that are all effectively duplicates of data, so that if disk 1 goes down you still have three disks that contain all the same data. Well, it turns out that the key servers that comprise the web of trust also turn into a RAID 1 system. So I upload the key, and it gets distributed, and every key that I upload will get distributed, and so thus my file is pretty resilient. That's nice. And it's also a fun and hilarious way to abuse the public key servers. So there's some bad things. First, you don't control where your data is. It's sort of like uploading something to the cloud; I mean, unless you're running a key server, but then you still don't control where it is if it's on these other key servers. You can't lose your KAT file, and this can be annoying because the KAT files get really big and they're really bulky, and they themselves become a really large file, and it's a pain in the ass. Next, it's very slow. So let's assume we have a script that's going through and uploading keys one by one. Well, you also have to wait for, assuming the network speed of uploading each key, waiting for the server to verify it and process it, and some of these key servers are really slow. So that's no fun. And ultimately, if you're trying to upload like a couple of megs of keys, that can take a while; if you're trying to upload any more than that, forget it. I mean, at that point you're not trying to store data, you're just messing with the cloud, which, you know, I do approve of messing with the key servers, but still.
Finally, it's really only security through obscurity, because if you're trying to securely store something this way, in theory you could take a look at the keys, and the keys that are generated by GPGFS are all going to have similar metadata on them, like the name of the key, and you could in theory rip them out, download them and recompile, so it's not super secure. And I just want to set the record straight on something here, because I know this came up a couple of years ago in terms of people screaming that the key servers were, how to put it, vulnerable to attack. And, you know, they are, but if you notice, I uploaded this to GPGFS, PGPFS, and the last commit I had was on July 5th of 2017, and that was before it became a discussion.
...thinking, well, what is a large, bloated, useless file that I can upload to the key servers and have lots of fun with and ruin everyone's life? How about the blockchain. So I went ahead and downloaded a torrent of the blockchain, and this file right here, I think that's about 250 gigabytes in size, I'm sure. I think it was like a couple of years old, so there's probably a newer version of it, but yes, what we're doing is we're uploading the blockchain to the key servers. So now you can see here, with Flask, I open a SQLAlchemy database to a SQLite instance that I set up, and I have three fields: the ID, which is just a primary unique field in the database; fingerprint, which would be the GPG fingerprint of the key; and then whether it's uploaded or not. And this database is sort of like the KAT file, except it's in a database now, so it's easier to access. So then we have the command here that creates the table, a GPG key with these fields on it, and then it goes through and creates a key. So, global GPG, it picks up where the GPG home directory would be and so on. The key object, we get some input data, and this is all just basically junk data, and I set it as a key length of 1024, but you can change it to whatever you want; I basically did that because I wanted something fast. And then the create key returns a key with the information and...
Is it the input data? Yeah, okay, so.
Right, so then we have a command that goes through. And the other thing to point out here is, yep, well, that's going through the counter, and I just put an insanely high number on it. The idea was it would just run until the file is over. And for context, I had this running on a little Hetzner system that's like, I don't know, one core, two gigs of RAM, something like that, and I ran it for about a week and I generated around 100,000 keys. So that gives you an idea of the kind of stuff that this is going to generate. So then you have the file seek; 750, that was the number of characters that I could reliably fit into a comment. So it's taking the block file here, and then it's seeking through the block file from wherever the counter starts, the counter starting at zero, and counter times 750 characters, reads in those characters, and then it uses create key to create a key where the comment itself, yeah, okay, see the name comment here, where the comment on the key is the base64 decode, or the base64 encoding, of the input from the zip file. And then it creates a database session, adds the fingerprint of the key into the table, commits it, and then counter equals counter plus one and moves on to the next one.
Excuse me. So that's pretty straightforward.
I'm trying to remember what that was doing.
Excuse me. So, then we.
I'll do that second, so first I want to show you this confirm URL, which takes key equals fingerprint. So what this does is, you go into the, where is it, confirm URL; confirm URL goes to the cryptocats keys slash mark used, which is here. So here, in the mark keys key, I have the argument, it's a GET request with the parameter key, I assign it to the fingerprint, and I do some checks on it, do some regular expressions. So, if it doesn't have hexadecimal characters and it's not 42 or 40 characters long, then you basically return the function out to a blank screen. And if it's done, you check to see if it's in the database, and if it's not, then you return. And the reason for these two things, I know this is very ironic when I'm basically instructing people on how to DDoS the key servers, but this prevents me from getting DDoSed, kind of. And then at the end here is actually, this prevents DDoS and it also comes in handy here because this is a database query. I couldn't figure out how to use SQLAlchemy to do the update of the key table the way that I wanted, so I just have it set to update the GPG key table, uploaded equals true, where the fingerprint is equal to the thing that we sent in. And the first rule of SQL queries is, what is it, you always parse the input and you never allow unsanitized input into the database.
So that's basically what I got. The code is available for free use. First off, it's available at cryptocats.me if you want to test it out and run it yourself and just get some cat photos, and if you want to set up your own cryptocats server, you can go to this GitHub URL and set it up, and it's really not so hard. The way that I set it up was with an nginx reverse proxy, which then went to the Flask URL; I had it wrapped in Gunicorn, which allows multiple workers to be running instead of the base Flask, but in general it's pretty nice. If you have any questions about this, feel free to email me or ask any questions after the talk. And by the way, yes, those GPG key IDs are real, they all work. I very much implore you, if you want to send me an encrypted message, choose the first one; I don't actually know if I have the other private keys anymore. Thank you very much, and I'm now open for questions.
statics, we have some questions from the audience. The first question would be: it's not clear that abusing key servers really breaks the PGP web of trust. Please elaborate.
That's a good question, and what I would say to that is, I don't think that the key servers should exist. I do not think that the web of trust works. I think that the web of trust, when you have people upload, especially, their trust relationships to it, jeopardizes their privacy in ways that a lot of people are not aware of, and therefore I think the existence of the key servers is a problem. So, as for using them, I have tried to rationally, as you saw in the first few examples, I've tried rationally explaining why you shouldn't use it, and people didn't listen. And I said, well, maybe I can just take care of it myself.
And there's another question. Since the key server network is so vulnerable to DoS attacks, does this mean we should really stop promoting this as critical infrastructure? Yes.
The key servers don't work. Here's what I mean, I'm putting up keys. So, this is complicated. Let me try to break it down to something very small. When I upload a key, the whole point of the key servers is just to know that the key belongs to me, and that's what the whole point of the trust relationships is. But first off, you can think that if you actually look, if you do the data mining and you see the different clusters, you can spoof that, and ultimately there's no way to tell. If the question is how do I share my key, there's a simple answer to that: put your key up on your website or somewhere else, or you can say, yeah, the key is on the key server, and then you go to my website or your Twitter account or whatever, here's my signature, and you can get it that way. You can put the keys up anywhere you want; the issue is the trust relationships, and if you think about what happens when... Well, one example I've used before to describe this is, let's say that I'm at a key signing party and I sign somebody's key, and a couple of years later that person is indicted for a crime, and the government is doing discovery to try to find everyone who's related to that person, and I get a phone call, or worse, because I am linked to them by the key signing. I'm not aware of a case where that's happened yet, but that's a possibility. So does that answer that question? Like, there are alternate ways to do this.
Would your confidence be, is another question. Okay. Go on, go on.
Would your confidence be increased if we could remove keys from the servers? Is that even a reasonable solution, to allow key removal?
This is something I thought about a lot, and I don't know that there's a way to do it unless we introduce state into the key servers, and that's really hard and it actually changes the entire nature of how the key servers work. For example, the issue with the web of trust is, I upload a key to a key server, and ideally immediately, but you know there's some delay, it gets propagated to all the other key servers. Well, if I delete the key, due to the nature of the key servers, it's just going to synchronize with another system and the key is going to go right back to it. So the only real way to do that would be to have the key removed from all the key servers at once, and as you saw earlier, the key servers are not all running the same software, so to expect them to be doing key management like that is, like, I think that's too much of an ask.
All right, depending on the time we can take some more questions, but I have one more to check and ask you right now, from the audience. How do you feel about the Keybase approach?
The issue with Keybase is that it's not public, at least the last I checked. They don't do nightly dumps of their keys or anything like that. Further, I think, how to put it, I hate to use this kind of language, but they're kind of polishing a turd. It's basically putting a social network onto something that already doesn't work. It's very pretty, it's very easy to use, and I think people are using it as a social network, and if you want to use a social network, great, but in terms of a web of trust, well, first off, I'm not going to trust anything unless I can, like, see it, and with Keybase, maybe they do this now, but the last time I checked they were not doing nightly dumps of all their keys, whereas SKS, which I've been using, does. And beyond that, again, this may be outdated, but when I tried to use Keybase and I used their tool to create a key, the default option was to have my private key stored on their server, which defeats the entire point of using GPG encryption. So, I'm mixed. I don't want to tell anybody not to do this or that, and maybe Keybase has some magic behind the scenes I don't know about, but based on what I've seen, it's the same crap.
All right, we have one last question. Why haven't doxes or kiddie porn or whatever appeared on the key servers, since it's so easy to upload arbitrary data?
Okay, this is a question that's come up before, and the real answer is that we don't know. Like, the question being, why hasn't it happened? We don't actually know if it's happened or not, because I released GPGFS, or PGPFS, a couple of years ago, and I didn't keep track of who's using it. I guess I could download the SKS dump and take a look, but then I would have to go through and reconstruct anything that's been uploaded to it, and I guess the question would be, what's the benefit of doing that? And in terms of doxing, one of the questions that you have to ask is, if we've already established that we can't really trust anything on the key servers, if we could trust it then we wouldn't need the level of trust, then why would I trust what's being doxed on there? I could just upload something and say that, you know, some hacker's real name is Bill Clinton. And I mean, that's just nonsense. So it's hard to say.
All right, one last question. So, what are your thoughts on Autocrypt as an alternative to Wi Fi?
I don't have any, because I'm not super familiar with Autocrypt. So, I will have to look into that. Thank you for letting me know.
Well, we still have a couple of minutes for a short answer to this last question. What do you recommend we use instead of the key server network? Manual sharing of keys in person, or something else that you would recommend?
Sure. Well, first off, sharing keys in person is always... So I've got another side rant on this: key signing parties that require a government-issued ID are bullshit. If you actually look at the specifications, I think it's RFC four zero, of the OpenPGP format, where it says what the trust levels are, it's very, very vague on that. I've actually talked to a couple of the designers, including Jon Callas, about this, and the whole point of it is that there are different avenues where you can institute trust. So maybe I do trust a government ID; I personally wouldn't. Maybe I do trust somebody who's been introduced by somebody else. The whole point of the trust levels is supposed to be that you have alternate avenues that you can use, and therefore in-person key signings with ID go against that entire philosophy. There was another... oh, so in terms of sharing keys. So, I realize that making a website is hard to do now that Facebook is there, but I don't know if you have a... We have verified Twitter accounts, so why don't you put your key on that? I mean, there you are, and by the way, that has the same problem, but that's beyond the scope of this talk.
All right. Thank you so much, statics, for your valuable time and being part of HOPE 2020. For our audience, stay tuned, we will be back with another cool talk in 10 minutes. Until then, stay safe. Thank you so much again. Right, absolutely. My pleasure.