Previous article in this series: In 2021, use PGP in a more modern way (middle)

Publish and exchange PGP public keys

There are few Chinese-language articles discussing the secure exchange of public keys, even though it is the most important part of the whole encryption system. Most PGP tutorials end with the user uploading the public key to a keyserver, which is outdated and irresponsible, so this article explains how to publish and exchange PGP public keys.

Principle

To be clear, uploading a public key to a public key server is not necessary, and can even be dangerous.

If you are new to PGP, do not publish your public key to a public key server.

Background

From the previous article, you are already familiar with the basic use of GPG and have generated your own PGP key pair.

Imagine that you lived in the 1980s and wanted to communicate with a distant friend using encryption. You first had to exchange public keys, and there was no unified, trusted authentication authority.

In person? Sure, but you would not want to do the following: copy this long public key onto a piece of paper, then drive to your friend so that he can type it into his computer, and repeat the whole process n times whenever a key changes.

So is there another way?

At that time there was no instant messaging software such as Line or WeChat, and email providers were untrustworthy by default (otherwise PGP would not have been born). And since HTTPS had not yet been invented, exchanging PGP public keys by email was not secure either.

The problem is that both parties need to be able to exchange public keys easily and to verify that the public key obtained from the other side is valid and has not been tampered with. This is where the public key server comes in.

Public key servers (KeyServer)

A public key server lets people download each other's public keys simply by exchanging a short key ID or user ID.

History and design intent

The first keyserver was the HKP (OpenPGP HTTP Keyserver Protocol) keyserver, created in the 1990s by Marc Horowitz for his thesis while he was studying at MIT. Before that, most people relied on email to exchange public keys, although that was not very secure.

Although servers were now available, the developers worried that governments would try to force keyserver operators to replace certificates with various government-chosen ones.

So they made a decision: a public key server would never delete information. A keyserver can add information to an existing certificate (such as a revocation, a signature, or a changed expiry time), but will never, ever delete the certificate or the information attached to it.

To achieve this, they began running a distributed international network of keyservers, which is what people now simply call KeyServer. Keyservers around the world regularly communicate with each other, synchronizing and comparing their directories. If a government forces a keyserver operator to delete or modify a certificate, the change is caught in the comparison step, and the tampered keyserver updates itself from the contents of an intact keyserver's directory.

"Nothing gets deleted" sounds nice, a simple and effective answer to government censorship, but it is precisely this principle that has caused endless problems for keyservers.

Web of Trust

Now that we have a place where public keys can easily be uploaded and downloaded, is everything all right?

On a keyserver, anyone can upload a public key and claim to be Linus, Zuckerberg, or anyone else, and the keyserver does not verify that you are who you claim to be (because the keyserver network has no centralized operator).

If you have some background in cryptography, you know that the asymmetric encryption on which the PGP protocol relies is weakest at the point where public keys are exchanged: the exchange is vulnerable to a man-in-the-middle attack. You must make sure that the public key you receive really belongs to the person you want to communicate with. TLS solved this identity authentication problem by introducing the CA system, in which a trusted third party authenticates the owner and issues a certificate. See the HTTPS series for more on HTTP and HTTPS.

"Trusting an authoritative third party" was obviously unacceptable to the original hacker-minded developers.

Of course, you can download the public key and verify its fingerprint over the phone. But imagine that you found someone on a keyserver claiming to be Linus Torvalds, with no other contact information: you would have no way to determine who the owner of the public key was or whether the key was trustworthy. That would be inefficient and would reduce the system to a small network of acquaintances.

After all, according to the theory of six degrees of separation, any two strangers in the world are connected through an average of six people. So can I think of it this way? Suppose I have met A and checked his public key, so I know that A's public key really belongs to him, and I choose to trust A. A has in turn validated B's certificate and signed it, endorsing it: the holder of A's certificate hereby certifies that this certificate is truly owned by B. So I do not need to meet B in person; I can accept B's certificate through A's endorsement.

And so the cycle continues, forming a network: a web of trust.

Mainstream public key servers

1. SKS Keyserver Pool

The largest pool of keyservers in the world today. Public keyservers around the world that meet its standards regularly communicate with each other, synchronize, compare directories, and make their data available for download. This is what people usually mean when they say KeyServer.

Although keyservers have always been an important piece of PGP infrastructure, the SKS Keyserver Pool currently has fewer than 20 servers, and the HKPS pool that GnuPG uses by default has only four.

2. Keyservers running more modern software

Some keyservers do not run the SKS software but more modern and stable software; a notable example is the Ubuntu keyserver, which runs Hockeypuck and still synchronizes with the SKS pool.

3. Independent keyservers

These servers do not synchronize data with the SKS pool, are run by a centralized operator, authenticate the people who upload public keys, and allow you to delete your own public key.

Typical examples are keys.openpgp.org and Keybase.

Usage in GPG

Publish

gpg --send-keys {keyid/uid}

Download

gpg --recv-keys {keyid/uid}

An error like the following may be reported:

gpg: "xxxxxr" not a key ID: skipping

In this case, change the KeyServer:

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys {keyid/uid}
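
The fetch step is where a short or ambiguous identifier gets you the wrong key, and the "not a key ID" error above is gpg rejecting an identifier it cannot parse. The following added shell example, which is not code from the original article, checks what kind of identifier you are about to hand to gpg, fetches only by full fingerprint, and confirms the fingerprint of the key that landed in the keyring. The function names and the sample identifiers are my own; the keyserver default is the Ubuntu HKPS server used above.

```shell
#!/bin/sh
# Added example (not code from the original article): guard the identifier
# passed to `gpg --recv-keys`. Function names and the sample identifiers
# below are my own.

# Print what kind of identifier we were given: fingerprint (40 hex digits),
# long-keyid (16), short-keyid (8), uid (an email address) or invalid.
classify_key_id() {
    id=$(printf '%s' "$1" | sed 's/^0[xX]//; s/[[:space:]]//g')
    if printf '%s' "$id" | grep -Eq '^[0-9A-Fa-f]{40}$'; then
        echo fingerprint
    elif printf '%s' "$id" | grep -Eq '^[0-9A-Fa-f]{16}$'; then
        echo long-keyid
    elif printf '%s' "$id" | grep -Eq '^[0-9A-Fa-f]{8}$'; then
        echo short-keyid
    elif printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+$'; then
        echo uid
    else
        echo invalid
    fi
}

# Fetch a key from a keyserver only when given a full fingerprint (short and
# long key IDs can be collided, and a uid can be claimed by anyone), then
# confirm the key that landed in the keyring really has that fingerprint.
# Needs gpg and network access; it only runs when you call it explicitly.
fetch_by_fingerprint() {
    fpr=$(printf '%s' "$1" | sed 's/^0[xX]//; s/[[:space:]]//g' | tr 'a-f' 'A-F')
    server=${2:-hkps://keyserver.ubuntu.com}
    if [ "$(classify_key_id "$fpr")" != fingerprint ]; then
        echo "refusing to fetch '$1': not a full fingerprint" >&2
        return 1
    fi
    gpg --keyserver "$server" --recv-keys "$fpr" || return 1
    # In --with-colons output the 'fpr' record carries the fingerprint in field 10.
    gpg --with-colons --fingerprint "$fpr" | awk -F: '$1 == "fpr" { print $10 }' | grep -qx "$fpr"
}

# Demo on constructed identifiers (no network needed)
for sample in '0x1234567890ABCDEF1234567890ABCDEF12345678' \
              'DEADBEEFCAFEF00D' 'DEADBEEF' 'alice@example.org' 'xxxxxr'; do
    printf '%-44s %s\n' "$sample" "$(classify_key_id "$sample")"
done
```

Call `fetch_by_fingerprint 'FINGERPRINT' [keyserver]` after obtaining the fingerprint through a channel other than the keyserver itself; the final `grep -qx` makes the function fail if the server returned a different key than the one you asked for.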

Sign and verify other people’s public keys

Verifying the authenticity of a public key depends on checking its fingerprint through more than one channel.

Generally, after signing someone else's public key, you send it back to the owner or upload it to the keyserver (preferably with the owner's consent).

gpg --sign-key {keyid/uid}

Signing a key means endorsing its authenticity, so be careful.
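
As an added example, not the article's own code, here is the check this section describes carried out in shell: compare the fingerprint of the imported key with one obtained through a second channel (a phone call, a business card, the owner's website), and only when they agree sign the key and export it to send back. The function names and the sample fingerprint values are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the original article): sign someone else's key
# only after the fingerprint of the imported copy matches a fingerprint you
# obtained through a second channel, then export the signed key to send back
# to its owner. Function names and sample values are my own.

# Normalize a fingerprint for comparison: drop a 0x prefix, whitespace and case.
norm_fpr() {
    printf '%s' "$1" | sed 's/^0[xX]//; s/[[:space:]]//g' | tr 'a-f' 'A-F'
}

# Succeed (exit 0) only when both values are full 40-digit fingerprints and
# identical. Comparing a short key ID instead would defeat the check, so
# anything shorter is rejected outright.
fingerprint_matches() {
    a=$(norm_fpr "$1"); b=$(norm_fpr "$2")
    printf '%s' "$a" | grep -Eq '^[0-9A-F]{40}$' || return 1
    [ "$a" = "$b" ]
}

# Fingerprint of a key already in the local keyring (field 10 of the fpr record).
local_fingerprint() {
    gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Verify, sign and export. Arguments: key id or uid already imported,
# fingerprint obtained out of band, output file. gpg will still ask you to
# confirm the signature interactively. Needs gpg; not run automatically.
verify_and_sign() {
    keyid=$1; oob_fpr=$2; out=${3:-signed-key.asc}
    have=$(local_fingerprint "$keyid")
    if ! fingerprint_matches "$have" "$oob_fpr"; then
        echo "fingerprint mismatch or incomplete fingerprint: not signing $keyid" >&2
        return 1
    fi
    gpg --sign-key "$have" || return 1
    gpg --armor --export "$have" > "$out"
    echo "signed key written to $out; send it to the owner rather than to a keyserver"
}

# Demo on constructed values (no keyring needed). The value "on the card" is
# the same fingerprint written in gpg's spaced display format.
card_fpr='1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678'
fingerprint_matches "$card_fpr" '123456789abcdef0123456789abcdef012345678' && echo "match: safe to sign"
fingerprint_matches "$card_fpr" '123456789ABCDEF0123456789ABCDEF012345679' || echo "last digit differs: do not sign"
fingerprint_matches '9ABC DEF0 1234 5678' '9ABCDEF012345678' || echo "64-bit key ID rejected: not a fingerprint"
```

The exported file is the signed key itself; handing it back to the owner lets them decide whether to publish your signature, which is the "with the owner's consent" step above.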

Advanced settings

Since keyservers are not recommended, only the basics are listed here.

If you decide to use a keyserver anyway, refer to OpenPGP Best Practices – Public Key Server to configure your client to communicate with the server over HKPS (HKP over SSL) and to refresh the public keys downloaded from the server periodically.

Security risks and controversies: the abused KeyServer

In the early 1990s, when developers had faith in technology and hoped to create a friendly, pure, uncensored land, a keyserver that could never delete anything once uploaded sounded good, and the design seemed reasonable.

But the truth is that the anonymous web is full of unfriendly and even malicious users, and KeyServer is not a robust system in today's world. It is riddled with problems, many of which have been known for more than a decade with no hope of being fixed.

Abuse

According to the official recommendation, a User ID (UID) stores user information and should contain your name and email address. A GPG key can have several UIDs.

In fact, there is no mandatory restriction on the UID, which means you can put anything in it: a clip from a novel, a magnet link, or even encoded images, audio or video...

When uploading to KeyServer, a UID is limited to 2k characters. Even so, someone wrote a project, keyServer-fs, to store files on KeyServer.

Again, imagine how bad it would be if you uploaded a file to a cloud drive, shared it with someone, and then the whole world could add files to it that could never be deleted.

The fragile KeyID

I have seen tools that generate PGP "vanity" key IDs: you specify the ID pattern you like, and the tool brute-forces PGP keys until it returns one with the ID you want.

From this it is easy to imagine that if an attacker knows the target's KeyID, he could simply use such a tool to generate a key with exactly the same KeyID (a collision) and upload it to the keyserver to impersonate the target.

And forging a KeyID is easy: researchers using the Scallion program on an ordinary GPU (an Nvidia GeForce GTX) took 4 seconds to generate a key with a specified 32-bit KeyID.

The official recommendation is to publish at least a 64-bit KeyID, but research shows that 64-bit KeyIDs can also be collided.

Poisoning

On a public keyserver anyone can upload a public key, and you can even upload someone else's public key, for example a copy of their public key carrying your signature.

Signature Dos

In the design of the WoT authentication system, when a client receives an unknown certificate, it should pull the certificates of everyone who signed it from the keyserver and check whether any of them is already trusted by the user. If so, the certificate is considered trusted.

In June 2019, an attacker maliciously submitted signature endorsements for two well-known Internet users to a public keyserver. The certificate of the victim Robert J. Hansen was signed 15,000 times, so the GPG of anyone trying to verify his certificate pulls 15,000 signatures and can get stuck verifying them for a long time.

Because of their high standing in the GPG community, the two individuals who were attacked were fairly central to the GPG web of trust. This means that when you verify either certificate, there is a good chance that you will end up pulling both certificates and your GPG will hang. Not only were their own certificates unusable, but the certificates they had signed were in danger, and even the certificates signed by those...

And everything uploaded to KeyServer is undeletable... To mitigate this, GnuPG 2.2.17 (see the LWN.net article) changed how public keys are downloaded from keyservers and no longer imports third-party signatures from them by default. If you want to experience a certificate DoS attack for yourself, you can enable them again in the settings:

# ~/.gnupg/gpg.conf
keyserver-options no-self-sigs-only,no-import-clean

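
An added example, not from the original article, of how a client can defend itself against a signature-flooded certificate before it reaches the keyring: count the third-party signatures in `gpg --list-packets` output and refuse to import above a threshold. The function names, the threshold and the sample packet listing are my own; the listing mimics the format gpg prints.

```shell
#!/bin/sh
# Added example (not from the original article): inspect a certificate file
# before importing it and refuse one that carries a flood of third-party
# signatures, the pattern of the 2019 attack. Function names and the sample
# packet listing are constructed; the format follows gpg --list-packets.

# Count signature packets made by a key other than the primary key, reading
# `gpg --list-packets` output on stdin. Self-signatures, subkey bindings and
# revocations are made by the primary key and are therefore not counted.
count_foreign_sigs() {
    awk '
        /^:public key packet:/ { inpub = 1 }
        inpub && /keyid:/      { primary = $2; inpub = 0 }
        /^:signature packet:/  { sub(/.*keyid /, ""); if ($0 != primary) n++ }
        END                    { print n + 0 }'
}

# Dry-run check of an armored key file, then import with import-clean so that
# signatures from keys we do not have are dropped anyway. Needs gpg.
# Arguments: key file, maximum accepted third-party signatures (default 100).
safe_import() {
    file=$1; limit=${2:-100}
    n=$(gpg --list-packets "$file" | count_foreign_sigs) || return 1
    if [ "$n" -gt "$limit" ]; then
        echo "$file carries $n third-party signatures (limit $limit): refusing" >&2
        return 1
    fi
    gpg --import-options import-clean --import "$file"
}

# Constructed listing: one primary key, one uid, one self-signature (class
# 0x13) and two certifications (class 0x10) from unrelated keys.
sample_listing=':public key packet:
    version 4, algo 1, created 1609459200, expires 0
    keyid: 1234567890ABCDEF
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 1234567890ABCDEF
    version 4, created 1609459200, md5len 0, sigclass 0x13
:signature packet: algo 1, keyid FEDCBA0987654321
    version 4, created 1609459300, md5len 0, sigclass 0x10
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1609459400, md5len 0, sigclass 0x10'

# Wrapper so the result of the sample can be checked as a return value.
sample_foreign_sigs() {
    printf '%s\n' "$sample_listing" | count_foreign_sigs
}

sample_foreign_sigs   # prints 2
```

The `keyserver-options` defaults that GnuPG 2.2.17 introduced (`self-sigs-only,import-clean`) apply to keys fetched with `--recv-keys`; a key file received by email or downloaded from a website goes through `--import` instead, which is why the check above runs on the file itself.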
Exploits

A brilliant programmer named Yegor Timoshenko (who also worked on the SKS file storage project mentioned above) wrote a tool called sks-exploit that can corrupt anyone's PGP public key so that it can no longer be imported.

The tool can also append a forged UID (not a KeyID) to anyone's public key and fool the keyserver.

In addition, it can bring down a keyserver directly.

Privacy issues

Ironically, PGP, originally created to protect people's privacy, has made public SKS keyservers illegal in Europe, because they cannot comply with the GDPR, which requires service providers to offer the option of deleting personal information.

Many newcomers follow tutorials, create PGP keys with their real names and upload the public keys to a keyserver, which is a disaster in today's world of doxxing and social engineering.

I tried searching KeyServer for PGP keys left by bloggers. Some were more careful, but most had uploaded their real names (in Chinese characters or pinyin) together with their email addresses to the server, where the data is public and can never be deleted. Others realized the problem and revoked the public key bearing their real name, but it is still visible, and in fact more visible (a revoked key is shown in red).

Other ways of publishing a public key

1. WKD (Web Key Directory)

WKD works by having the email client check a "well-known" URL on the web server of the email address's domain. If a public key matching the address is found there, it is downloaded over HTTPS, and nothing else is required. The user does not need the GPG command line or other complex operations; PGP encryption goes back to being pure mail encryption, a bit like S/MIME, though not the same.

For example, a URL like https://intevation.de/.well-known/openPGPkey/hu/g8td9rsyatrazsoiho37j9n3g5ypp34h corresponds to the email address "[email protected]".

(The original article illustrates this with a Gpg4win screenshot.)

This method does not expose your email address and does not require fingerprint verification, but it does require support from your email service.

ProtonMail supports WKD natively, but it uses its own key and does not seem to let you use your own locally generated key; some other providers also support it.

If you run your own email server and want to experiment, refer to WKD Hosting.
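
An added example (not code from the article) that computes the lookup URL for an address the way a WKD client does: lowercase the local part, hash it with SHA-1, encode the digest in z-base-32 and place it under /.well-known/openpgpkey/. It prints both the advanced-method and the direct-method URL, which goes slightly beyond the single direct-method URL shown above. The function names are my own; the demo address Joe.Doe@Example.ORG is the one used in the WKD draft, and the hash tool is whichever of sha1sum, shasum or openssl is installed.

```shell
#!/bin/sh
# Added example (not from the original article): derive the WKD URL for an
# email address. Steps follow the Web Key Directory draft: lowercase the
# local part, SHA-1 it, z-base-32 encode the digest. Function names are mine.

# SHA-1 of a string as lowercase hex, using whichever tool is installed.
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 1 | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha1 | sed 's/.*= //'
    fi
}

# z-base-32 encode a hex string. A 160-bit SHA-1 digest gives exactly
# 32 characters; trailing bits that do not fill a 5-bit group are dropped.
zbase32_of_hex() {
    printf '%s' "$1" | awk '
        BEGIN { alpha = "ybndrfg8ejkmcpqxot1uwisza345h769"; hexd = "0123456789abcdef" }
        {
            s = tolower($0); bits = ""
            for (i = 1; i <= length(s); i++) {
                v = index(hexd, substr(s, i, 1)) - 1
                bits = bits sprintf("%d%d%d%d", int(v/8)%2, int(v/4)%2, int(v/2)%2, v%2)
            }
            out = ""
            for (i = 1; i + 4 <= length(bits); i += 5) {
                v = 0
                for (j = 0; j < 5; j++) v = v * 2 + substr(bits, i + j, 1)
                out = out substr(alpha, v + 1, 1)
            }
            print out
        }'
}

# The hashed local part of an address (what appears after /hu/ in the URL).
wkd_hash() {
    local_part=${1%@*}
    zbase32_of_hex "$(sha1_hex "$(printf '%s' "$local_part" | tr 'A-Z' 'a-z')")"
}

# Print the advanced-method URL first, then the direct-method URL; a client
# tries them in that order. The query parameter keeps the local part as written.
wkd_urls() {
    local_part=${1%@*}
    domain=$(printf '%s' "${1#*@}" | tr 'A-Z' 'a-z')
    hash=$(wkd_hash "$1")
    echo "https://openpgpkey.$domain/.well-known/openpgpkey/$domain/hu/$hash?l=$local_part"
    echo "https://$domain/.well-known/openpgpkey/hu/$hash?l=$local_part"
}

# Demo with the example address from the WKD draft
wkd_urls 'Joe.Doe@Example.ORG'
```

Fetching the resulting URL with curl and importing the body is all a WKD-aware client does, which is why the hash in the intevation.de URL above looks random: it is the z-base-32 SHA-1 of the local part, not the key's fingerprint.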

2. Face to face

With a close friend, you can arrange to exchange keys in whatever way you like, such as on paper, a TF card or a USB stick, sign each other's keys for authentication, and so obtain the public key.

If you want to meet as many people as possible and have your public key authenticated by as many people as possible, you can attend a key signing party. Participants exchange public key fingerprints (the keys themselves are usually stored on a server or somewhere others can download them; only the fingerprints are exchanged in person) and even show each other ID cards, passports, driving licences and proof of origin to verify their identity.

3. DNS

There are many ways to publish your public key through DNS, but some only work with older versions of GnuPG and others only with newer versions; they are mutually incompatible and cumbersome, so look them up yourself if you are interested. They are not recommended here.

4. On your website or social media app

Now, in the Chinese-speaking world, many PGP users are independent bloggers. If you have your own blog or personal website, you can of course publish your public key on it, preferably over HTTPS.

You can post your PGP public key there, or just your fingerprint, so that people who obtain the public key through other channels can confirm that it is yours.

5. Code repository or Gist

Whether or not you are a developer, you can have a GitHub account and open a repository for publishing your public key, or publish it in a Gist.

6. Shared notes

For example Notion: display your public key in a note that you share publicly.

Finally

Use a decentralized, multi-channel, preferably offline way to exchange and verify public keys, and do not trust public keys and fingerprints lying around.

Verifying a fingerprint that sits right next to the public key is as useless as asking a fraudster whether he is a fraudster.

If you cannot meet face to face, verify through at least two channels. For example, suppose you have obtained my public key from one channel (say, this site). If you want to communicate with me securely, you must obtain my fingerprint from somewhere else (for example, the profile of another account I have published) before importing the key.

Repeat the above steps each time to make sure the public key is up to date.

References

[1]. Protect code integrity with PGP

[2]. The GNU Privacy Handbook

[3]. GnuPG: using multiple subkeys to protect the primary key | missing idea (wordpress.com)

[4]. PGP self-literacy

[5]. Correct use posture of GPG

[6]. Guide to email encryption

[7]. Short key IDs are bad news (with OpenPGP and GNU Privacy Guard)

[8]. GnuPG key signing principle and process // Shell's Home (shell909090.org)

[9]. PGP Key Server | Roll Your Own Network

[10]. Are SKS keyservers safe? Do we need them?

[11]. SKS Keyserver Network Under Attack

[12]. OpenPGP Best Practices – Public Key Server

[13]. GPG SKS synchronization network poisoning event and its impact

[14]. where-to-upload-PGP-public-key-are-keyservers-still-surviving

[15]. GPG introduction