Muddled thoughts re keysigning parties

Originally, this post tried to propose a keysigning party where some people would only learn to generate their key-pair at the party. Bottom line, it was a bad idea. I propose an alternative idea (although it’s probably not worth the hassle).

First, here’s why my previous idea was bad: My assumption was that people could (or even should) come to the party as pseudonyms. Perhaps I know some of them, but for the sake of the party I call them by pseudonym.

The question is: who do you identify me as? If it’s not something publicly known, it’s meaningless. Identifying me as The Dod only means “I’ve met a guy who called himself The Dod”. Perhaps it’s another person who really calls himself that.  It should be something publicly known (for example a blog or a socnet account). A statement that you have met me (whether “me” is a blog, a twitter account, or a driver’s license) is something meaningful and binding, and it’s not an easy concept for beginners to grasp.

To have such a party where some of the people have just generated their keys and some are skilled pranksters trying to devise new ways to attack them would be reckless. If we assume all people can understand what a keysigning party protocol  is, we can fairly assume they know how to generate a key in advance.

A CryptoParty is not only for people who want to learn pgp/gpg. Some already know that, have their keys, etc. and come there to learn/teach other things. These people can have a keysigning party,  but people who have just generated their keys shouldn’t attend.

Alternative idea: Sandboxed keysigning party

The idea is that all keys generated during the workshop have “for practice only” in the comment, and shouldn’t be used for anything practical.

  • The party sets up a sandboxed mail server (internal mail only), and each participant gets a mailbox.
  • The party also sets up an internal socnet system (identica, elgg, etc.) that only allows subscription from the party’s mail server. People should create at least one account there.
  • When you generate a key, the “real name” should be the “real name” of an account you control at the socnet, the email address should be at the sandboxed server, and – of course – the comment should say “do not use – practice only”.
  • Once we have all keys, we can do a camera-assisted ad-hoc party (instead of drawing N-1 cards, I draw one and everyone takes a photo of it). Your card should also contain a “promise”: a sentence you claim you’ll publish via your socnet account in the future.
  • When you request someone else to sign your key, you send a link to your post/status/etc. that contains the promised text. Before I sign your key, I should verify that the promised text is there, and that it comes from the account name that appears as the key’s “real name”.
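The checks a signer runs before signing a sandbox key, written out as an added example (not part of the original post). The domain `mail.party.example`, the account name and the function name are hypothetical, and the user ID is assumed to follow the usual `Name (comment) <email>` layout.

```python
import re

SANDBOX_DOMAIN = "mail.party.example"  # hypothetical sandboxed mail server

# OpenPGP user IDs are conventionally "Name (comment) <email>".
UID_RE = re.compile(
    r"^(?P<name>[^()<>]+?)\s*(?:\((?P<comment>[^()]*)\))?\s*"
    r"<(?P<email>[^<>@\s]+@[^<>@\s]+)>$"
)


def squash(text):
    """Collapse whitespace and case so line wrapping does not matter."""
    return " ".join(text.split()).casefold()


def presign_problems(uid, post_author, post_text, promise):
    """Return reasons not to sign; an empty list means every check passed."""
    m = UID_RE.match(uid.strip())
    if not m:
        return ["user ID is not in 'Name (comment) <email>' form"]
    problems = []
    if "practice only" not in squash(m.group("comment") or ""):
        problems.append("comment lacks 'practice only'")
    # Compare the whole domain: a suffix or substring test would accept
    # look-alikes such as mail.party.example.other.test.
    if m.group("email").rsplit("@", 1)[1].casefold() != SANDBOX_DOMAIN:
        problems.append("email is not at the sandboxed server")
    if squash(m.group("name")) != squash(post_author):
        problems.append("post was not made by the account named on the key")
    if not promise.strip() or squash(promise) not in squash(post_text):
        problems.append("promised text is missing from the post")
    return problems


if __name__ == "__main__":
    # Constructed sample data.
    uid = "rosebud (do not use - practice only) <rosebud@mail.party.example>"
    print(presign_problems(uid, "rosebud",
                           "As promised: the napkin was pink.",
                           "the napkin was pink"))
```
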

I think (or at least hope) that since the keys have “practice only” written on them, an attacker can’t gain anything from manipulating me into signing something (or even pwning my private key).

Having said that…

I still have doubts whether it’s productive to overwhelm people who are just learning what public key cryptography is with the details of a keysigning protocol, and add administrative technicalities on top of that. It’s probably best if they go home, let it all sink in, and attend a proper keysigning party some other time.

Nevertheless, maybe the idea of a “promise” of a future post/status/etc. in order to validate an Internet identity could be useful. Especially for people who are only publicly known as pseudonyms 🙂

————>8—————–

As you probably know, there’s a revival of CryptoParties lately, and it would be a waste not to throw a key signing party at such an occasion. There are two problems at such events with “traditional” protocols, though:

  1. Some people would only learn how to use pgp/gpg (and generate their key-pairs) during the party, while even the ad hoc protocol requires having a key beforehand.
  2. The “traditional rules” say you should identify yourself with a Photo ID (a driver’s licence, a passport, etc.), and in a CryptoParty, people should have the right to avoid that. Since we don’t want such people to “stick out”, no one should do so (feel free to show each other your passports and whatnot, as long as you don’t do it in public ;)).

The second problem – IMHO – is a matter of interpretation:  we can decide that by signing a key, we verify that the person we’ve met has access to the private key and can receive messages sent according to the key’s contact details. After all, many SSL certificates out there verify exactly that.

The first problem, OTOH, is a real production pain: if we used the traditional protocols, people would need to produce N-1 copies of their fingerprints (without using an untrusted printer), and this would be time consuming, error prone, and no fun at all.

Proposed solution: unique-card signing party

[Image: example card. Caption: “No one is too lame for this :)”]

  1. You only prepare a single card with your key’s fingerprint on it, and you try to draw on it, use a pre-printed paper, etc. so that you can verbally describe it in a unique way. For example, I could describe the card on the right as “Written on a maze. Contains an attempt to draw the ear-less robot cat Doraemon”. It may not be pretty or creative, but I’m sure no other card at the party matches this description.
  2. Each participant takes photos of all cards (using a phone or a personally-owned camera).
  3. When you get home, you look at the photo of my card, fetch my key (0xC2C1AEFB), and verify the fingerprints. You shouldn’t sign my key yet (you’ll need to encrypt to me with “--trust-model always” for the time being). This is because there’s still the possibility that you’ve met someone who impersonated me (anyone could pull my public key from the keyserver). I’m not sure what anyone could gain from that, but since such an attack can be easily avoided, let’s avoid it.
  4. You encrypt and sign to me a signature-request text message. It should include a description of your own card. For example: “My card at the party was a pink napkin with a rose on it, please sign my key”.
  5. You send it according to the key’s contact details (usually it’s an email address, but – as you can see – not always).
  6. I find the photo of your card, fetch the key, verify its fingerprint, and then I can sign it and send the signed key to you in an encrypted and signed message. That message can also contain my signature-request to you.
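The fingerprint check in steps 3 and 6, as an added example (not part of the original post): it compares what was read off the card photo against the primary-key fingerprints in `gpg --with-colons --fingerprint` output. The listing is constructed, the function names are hypothetical, and v4 (40-hex-digit) fingerprints are assumed. It insists on the full fingerprint because a key fetched by short ID alone can be ambiguous.

```python
import re

# Constructed `gpg --with-colons --fingerprint` output (not real keys).
# Both primary keys end in the same 8 hex digits, i.e. share a short key ID.
LISTING = """\
pub:-:4096:1:89ABCDEF0BADC0DE:1350000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF0BADC0DE:
uid:-::::1350000000::X::Card Owner <owner@party.example>:
sub:-:4096:1:1111222233334444:1350000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
pub:-:2048:1:765432100BADC0DE:1350000001:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA98765432100BADC0DE:
uid:-::::1350000001::Y::Card Owner <owner@party.example>:
"""


def primary_fingerprints(listing):
    """Fingerprint that directly follows each pub record (subkeys skipped)."""
    found, previous = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and previous == "pub" and len(fields) > 9:
            found.append(fields[9].upper())
        previous = fields[0]
    return found


def normalise(card_text):
    """Drop spaces, colons and a leading 0x from the transcribed text."""
    text = re.sub(r"[\s:]", "", card_text).upper()
    return text[2:] if text.startswith("0X") else text


def short_id_candidates(short_id, listing):
    """Every fetched primary key whose fingerprint ends in the short ID."""
    tail = normalise(short_id)
    return [f for f in primary_fingerprints(listing) if f.endswith(tail)]


def match_card(card_text, listing):
    """Return the matching full fingerprint, or raise ValueError."""
    wanted = normalise(card_text)
    if not re.fullmatch(r"[0-9A-F]{40}", wanted):
        raise ValueError("card must carry a full 40-hex-digit fingerprint")
    if wanted not in primary_fingerprints(listing):
        raise ValueError("no fetched key has the fingerprint on the card")
    return wanted
```
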

The only possible “attack vector” I see here is if I send someone to pretend to be me (perhaps because he looks better). In that case, if you decide to “meet again”, I’ll need to send the same guy again. If you like him – no harm in that. Eh? 😉

 


8 Responses to Muddled thoughts re keysigning parties

  1. Ira says:

    I’m trying to think what that extra visual verification could achieve. you would be able to tell that the person you are emailing with is a tiny bit more likely to have been the one at the party, but you are already trusting only a photo ID and a bloody email address. if anyone wants to fake it, especially if he has government or criminal org resources, he can do it easily. also, to make sure you have no man-in-the-middle attack, you have to be sure that none of the people in the room was some operative that was passing on the “exclusive knowledge” of your card or napkin to others, thus the “what you know” is also out the window.

    At the bottom line, I don’t see why this is useful. I am happier with electronic lists of fingerprints that make it easier than reading people’s handwriting from photos, and it also lets me automate the signing once I’ve verified all the fingerprints.

    • Ira says:

      and btw, Captcha? seriously?

    • The Dod says:

      > if anyone wants to fake it, especially if he has government or criminal org resources, he can do it easily
      The easiest way would be to copy your camera’s chip at the airport, but they’d also need your private key (doable. e.g. via rubber-hose).
      Nevertheless – wrong attack vector 🙂

      I was thinking more about the possibility of someone pretending to be me. Like I said – I have no idea what someone could gain from manipulating you into signing my key (possible prank: someone impersonates me and says he’s a drug dealer / she loves you / etc. :)).

      You’re right that it’s probably enough to say the protocol starts with you saying “We’ve met at the such-and-such party, please sign my key”, and if I wasn’t there (or can’t find your fingerprints on my camera), I’ll go “huh?” and won’t sign (possible attack – identify noobs who don’t verify and pretend to be them :)).

      Still, I think that:
      * It’s important to make noobs go through the motions of a verification stage. If they don’t do it in the first round, chances are they never will.
      * Unique cards are at least good as a mnemonic aid (reminds me that the pink napkin belonged to the person who looked like …, helps me locate the card in a folder of photos, etc.).

      > I am happier with electronic lists of fingerprints that make it easier than reading people’s handwriting from photos
      True, but this you can only do at a pro party where people already had a public key before they came to the event. I agree that Sassaman rules, but I think that if many people are generating their key at the event, only a variation of ad-hoc can work, and using cameras is the only sane way. It won’t scale in a large party, but who says it has to be N*N?

    • The Dod says:

      > and btw, Captcha? seriously?
      Is it considered uncool now? What do the youngsters use instead?

  2. Jean Jordaan says:

    Your solution looks sane, but the topic will never be simple and will always be opaque to many people. xkcd would probably be able to make a useful working analogy. Given the complexity, I think it would be very valuable to prepare people who want to come to this cryptoparty, so that they can make sure that they have a valid key to sign, and what bits and pieces they should bring. Trying to explain everything in one go may completely mystify some people.

    If I’m free when it happens, I’ll surely come.

    • The Dod says:

      > I think it would be very valuable to prepare people … so that they can make sure that they have a valid key to sign
      It’s an interesting concept, but my experience with remote customers who had to install gpg is that the only way to get it done is by hiring/asking a trusted firm/friend to go over and train them. Unattended, noobs do the weirdest shit (like mail me their private key), and I don’t trust them to verify checksums either 🙂

  3. The Doctor says:

    Mumbling about it at work, this protocol breaks in a way that seems to advertise someone screwing around under certain circumstances – let’s say that I impersonate you at a key signing party and develop a card that has your key ID and matching fingerprint. Me-impersonating-you and other people do the dance, but then you suddenly start getting e-mails from people at the keysigning party asking to sign their key. Uh-oh, you don’t know about any of this and tell them so, so the jig’s up. This might be what you’re aiming for, though – attending a keysigning party by proxy because you want signatures on your key.

    However, for bootstrapping a net.identity that pretends to be you with a PGP keypair, this might work if due diligence is not performed. I could pretend to be you setting up a keypair for a new e-mail address that only references a Twitter feed that I post some LOLcats to or something (“My blog’s deprecated, I’m moving completely over to Twitter and want to start over.”) and it might work on a few people. Probably not well, the more paranoid folks are going to do some digging, find out that me-pretending-to-be-you is trying to pull a fast one, and hit the panic button. Assuming that anyone bothers to google the story I-pretending-to-be-you gave them at the party.

    The way around that case is to post publicly that you will be at a keysigning party and participating in macaroni card identity verification. You could even post a picture of your macaroni card, to say “I’ll be at this-and-such key signing party using this protocol, this is what my card looks like, if it doesn’t then you can’t trust it’s me there.” Alternatively, you could post your macaroni card afterward to a well known forum (like a multi-year blog or Twitter feed) so there will be an additional bit of data corroborating the claim that the macaroni card is yours.

    That is, if you don’t mind all and sundry knowing that you went to a cryptoparty, that in itself might be suspicious to some parties.

  4. The Dod says:

    > However, for bootstrapping a net.identity that pretends to be you with a PGP keypair, this might work if due diligence is not performed
    True, especially if the key has my real name on it (and the example card does). It’s even more complex for people who have publicly known nicknames:
    * I’m called “The Dod”, but it doesn’t say this on my key. If you generate a key where the name is “The Dod” – you look more convincing than me.
    * You’re called “The Doctor”, but there are a dozen others, and they’ve even been on TV 😉

    > You could … say “I’ll be at this-and-such key signing party using this protocol, this is what my card looks like”
    Brilliant! Although we don’t want to ask noobs to generate keys in advance, we could ask them to prepare a nice empty card in advance.

    > That is, if you don’t mind all and sundry knowing that you went to a cryptoparty
    True, but this doesn’t have to be public. Our party has a members-only community site, so people can publish to a much smaller audience (it may include feds, but not your boss or mother in law).

    It still won’t prevent me from joining the party and calling myself “The Doctor”, but perhaps if I claim that I own a blog/twitter/etc., I should post a benign picture there (e.g. of my cat), where my empty “macaroni card” also appears in the frame. I then publish a link to the image on the party’s private forum, and get my identity pretty much established (unless the cat eats my card before the party).

    I’ll sleep on it (5:30AM here). Hopefully, you’ll have comments by the time I wake up.
