9 April 2014.From: Werner Koch To: John Young , email@example.comSubject: FYI: quickly looking at keyidsDate: Wed, 09 Apr 2014 09:46:12 +0200Hi folks,instead of looking at pgpdump output (which is useful for a detailedanalyis), you may simply do that: $ xclip -o - | gpg -v --keyid-format=long --list-only gpg: armor header: Version: iPGMail (2.0.7) gpg: public key is A0BAEFAF17D4D0B2 gpg: public key is 31DB00B98A0C5522 gpg: public key is AA4E6903B940F753 gpg: encrypted with RSA key, ID AA4E6903B940F753 gpg: encrypted with RSA key, ID 31DB00B98A0C5522 gpg: encrypted with RSA key, ID A0BAEFAF17D4D0B2 $ xclip -o - | gpg -v --keyid-format=long --list-only gpg: armor header: Version: GnuPG v1.4.14 (GNU/Linux) gpg: armor header: Comment: Using GnuPG with Thunderbird [...] gpg: public key is AA4E6903B940F753 gpg: public key is 31DB00B98A0C5522 gpg: encrypted with RSA key, ID 31DB00B98A0C5522 gpg: encrypted with RSA key, ID AA4E6903B940F753xclip is used by me to paste from a different X session,--keyid-format=long prints all 64 bits of the keyid, and --list-onlyskips the actual decrytion (in case you have the private key)
9 April 2014.
Cryptome views the Jacob Appelbaum's information in a message below an allegation similar to the original message. The message he provided could be tampered with as alleged of the original. PGP vulnerabilities are well known among comsec experts but not the public. Comsec experts often conceal vulnerabilities out of self-interest; instead provide misleading information -- a practice widespread in most security industries.
Twitter excerpts: https://twitter.com/search?q=cryptomeorg&src=typd&f=realtime
8 April 2014. Jacob Appelbaum @ioerror: @Cryptomeorg I emailed a correction to your latest PGP email leak about @ggreenwald and @JesselynRadack. I hope you'll update it.
8 April 2014. Jacob Appelbaum @ioerror: @kristamonster @Cryptomeorg @ggreenwald @JesselynRadack I have the full PGP payload and I sent it to @Cryptomeorg to publish it.
8 April 2014. Jacob Appelbaum @ioerror: @joshuafoust She wasn't hacked, she encrypted the message to a third key. I emailed @Cryptomeorg to update his disinfo post.
8 April 2014. Cryptome @Cryptomeorg: @ioerror @ggreenwald @JesselynRadack Updated.
8 April 2014. Jacob Appelbaum @ioerror: @Cryptomeorg @ggreenwald @JesselynRadack Thanks. Watch out of truncated PGP messages. It was a tell that you were being played.
8 April 2014. Cryptome @Cryptomeorg: @ioerror @ggreenwald @JesselynRadack We published your allegation as requested as with the other allegation. Fine tell tales, both.
9 April 2014. Jacob Appelbaum @ioerror 4h: @Cryptomeorg @ggreenwald @JesselynRadack The PGP message that I gave you is the original. The one you published is the same one, truncated.
9 April 2014. Jacob Appelbaum @ioerror: @Cryptomeorg @ggreenwald @JesselynRadack The one you published is also tampered with to change the PGP header text.
9 April 2014. Jacob Appelbaum @ioerror: @Green_Footballs Specifically because I assert that it isn't evidence that PGP is "broken" as @Cryptomeorg was stating. Big difference!
[Note: Cryptome did not claim PGP was broken, see below.]
8 April 2014.
Key tampering and forgery excerpts added by Cryptome.
The GNU Privacy HandbookChapter 3. Key Management
Key tampering is a major security weakness with public-key cryptography. An eavesdropper may tamper with a user's keyrings or forge a user's public key and post it for others to download and use. For example, suppose Chloe wants to monitor the messages that Alice sends to Blake. She could mount what is called a man in the middle attack. In this attack, Chloe creates a new public/private keypair. She replaces Alice's copy of Blake's public key with the new public key. She then intercepts the messages that Alice sends to Blake. For each intercept, she decrypts it using the new private key, reencrypts it using Blake's true public key, and forwards the reencrypted message to Blake. All messages sent from Alice to Blake can now be read by Chloe.
Good key management is crucial in order to ensure not just the integrity of your keyrings but the integrity of other users' keyrings as well. The core of key management in GnuPG is the notion of signing keys. Key signing has two main purposes: it permits you to detect tampering on your keyring, and it allows you to certify that a key truly belongs to the person named by a user ID on the key. Key signatures are also used in a scheme known as the web of trust to extend certification to keys not directly signed by you but signed by others you trust. Responsible users who practice good key management can defeat key tampering as a practical attack on secure communication with GnuPG.
http://www.pgp.net/pgpnet/pgp-faq/pgp-faq.html [Dated 1996-2002.]
Q: Can a public key be forged?
A: In short: not completely, but parts may be.
There are four components in a public key, each of which has its own weaknesses. The four components are user IDs, key IDs, signatures and the key fingerprint.
It is quite easy to create a fake user ID. If a user ID on a key is changed, and the key is then added to another keyring, the changed user ID will be seen as a new user ID and so it gets added to the ones already present. This implies that an unsigned user ID should never be trusted. Question Should I sign my own key? discusses this in more detail.
It is possible to create a key with a chosen key ID, as Paul Leyland explains:
A PGP key ID is just the bottom 64 bits of the public modulus (but only the bottom 32 bits are displayed with pgp -kv). It is easy to select two primes which when multiplied together have a specific set of low-order bits.
This makes it possible to create a fake key with the same key ID as an existing one. The fingerprint will still be different, though.
By the way, this attack is sometimes referred to as a DEADBEEF attack. This term originates from an example key with key ID 0xDEADBEEF which was created to demonstrate that this was possible.
There are currently no methods to create a fake signature for a user ID on someone's key. To create a signature for a user ID, you need the signatory's secret key. A signature actually signs a hash of the user ID it applies to, so you can't copy a signature from one user ID to another or modify a signed user ID without invalidating the signature.
Yes, it is possible to create a public key with the same fingerprint as an existing one, thanks to a design misfeature in PGP 2.x when signing RSA keys. The fake key will not be of the same length, so it should be easy to detect. Usually such keys have odd key lengths.
Paul Leyland provided the following technical explanation:
Inside a PGP key, the public modulus and encryption exponent are each represented as the size of the quantity in bits, followed by the bits of the quantity itself. The key fingerprint, displayed by pgp -kvc, is the MD5 hash of the bits, but NOT of the lengths. By transferring low-order bits from the modulus to the high-order portion of the exponent and altering the two lengths accordingly, it is possible to create a new key with exactly the same fingerprint.
Q: How do I detect a forged key?
A: As explained in question Can a public key be forged?, each component of the public key can be faked. It is, however, not possible to create a fake key for which all the components match.
For this reason, you should always verify that key ID, fingerprint, and key size correspond when you are about to use someone's key. And when you sign a user ID, make sure it is signed by the key's owner!
7 April 2014. Cryptome: Extracting keys from a message is easy with online key dumps such as http://www.pgpdump.net/cgi-bin/pgpdump . That does not mean keys extracted are bonafide or that a bonafide message has been decrypted. Spoof messages can be encrypted by falsely real keys giving the appearance of being authentic. Authentic keys can be obtained from key servers for confecting false messages. Distributing spoof keys and messages are a common technique for clouding and doubting comsec. That is a reason to publish this example for critique.
Cryptome is not aware of any reports of PGP being broken although allegations about it are commonplace. If there such bonafide reports please send: cryptome[at]earthlink.net.
7 April 2014
Jesselyn Radack Emails Glenn Greenwald
Alleged Jesselyn Radack Email (BG may be Barton Gellman):
Congrats on the McGill award!! I look forward to seeing you at Polks.
On that note, is my client making a surprise appearance? BG said you mentioned this to him at the Polk media event.
I won't tell anyone, including BG, if it's a surprise, but as his attorney, I'd like to know...and also what medium would be used (Google or the BEAMbot).