—WHY I HATE PGP— aestetix

Berlinsides 2015



https://help.ubuntu.com/community/GnuPrivacyGuardHowto

WHAT THE FUCK DO TRUST LEVELS MEAN?!?!

A few types of "trust":

• Direct Trust
• Hierarchical Trust
• Cumulative Trust

From RFC 4880 "OpenPGP Message Format" (5.2.1. Signature Types):

• 0x10: Generic certification of a User ID and Public-Key packet. The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is in fact the person described by the User ID.
• 0x11: Persona certification of a User ID and Public-Key packet. The issuer of this certification has not done any verification of the claim that the owner of this key is the User ID specified.
• 0x12: Casual certification of a User ID and Public-Key packet. The issuer of this certification has done some casual verification of the claim of identity.
• 0x13: Positive certification of a User ID and Public-Key packet. The issuer of this certification has done substantial verification of the claim of identity.

Most OpenPGP implementations make their "key signatures" as 0x10 certifications. Some implementations can issue 0x11-0x13 certifications, but few differentiate between the types.

How my trust tool works:

Example `pgpring -S -k keystore` output:

```
pub:q:4096:1:681D3A753B6C249E:2013-12-22:2017-12-22:::Laura Schmitz <[email protected]>:
sig::::681D3A753B6C249E:2013-12-22:::::13:
sub:q:4096:1:E8A53B713BA1A13E:2013-12-22:2017-12-22:::Laura Schmitz <[email protected]>:
pub:q:1024:17:DD6909ABB128136B:1998-09-17::::J\xfffffffcrgen Marschall <[email protected]>:
sig::::31B221441DDAA684:1998-09-17:::::10:
sig::::DD6909ABB128136B:1998-09-17:::::10:
sub:q:2048:16:0BE4CB3712565F36:1998-09-17::::J\xfffffffcrgen Marschall <[email protected]>:
pub:q:1024:17:7C951D88B8CCB59D:2009-01-02::::Carol <[email protected]>:
sig::::7C951D88B8CCB59D:2009-01-02:::::13:
sub:q:1024:16:CFFB706540C239DA:2009-01-02::::Carol <[email protected]>:
pub:q:1024:1:CE040C74F9A3F1DD:1997-05-03::::RGB <[email protected]>:
sig::::CE040C74F9A3F1DD:1998-02-18:::::10:
pub:q:2048:1:C56C3CAA9995BDE7:2011-05-27:2016-05-25:::[email protected] <[email protected]>:
sig::::C56C3CAA9995BDE7:2011-05-27:::::13:
sub:q:2048:1:8F38A91BB2F768B8:2011-05-27:2016-05-25:::[email protected] <[email protected]>:
pub:rq:1024:1:BDAB86311EA5DE89:1999-06-29::::Rudolph Pereira <[email protected]>:
rev::::BDAB86311EA5DE89::::::20:
sig::::BDAB86311EA5DE89:1999-06-29:::::10:
pub:q:2048:1:5964884DB64C74F1:2012-09-30::::Cheng Ye <[email protected]>:
sig::::5964884DB64C74F1:2012-09-30:::::13:
sub:q:2048:1:DB6BF5D7096C9858:2012-09-30::::Cheng Ye <[email protected]>:
```

From RFC 4880 "OpenPGP Message Format"

`pub:q:4096:1:681D3A753B6C249E:2013-12-22:2017-12-22:::Laura Schmitz <[email protected]>:`

Where the field separator is ":":

0 - record type
1 - validity
2 - key length
3 - algorithm
4 - key id
5 - date created
6 - expiration date
7 - certificate serial number
8 - owner trust
9 - name/email (user id)
10 - signature class

Convert keystore to SQL database

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Connection details and input file name are placeholders; the slide only shows $dbh and <FILE> in use.
my $dbh = DBI->connect('DBI:mysql:database=pgp', 'user', 'password', { RaiseError => 1 })
    or die $DBI::errstr;
open(my $FILE, '<', 'keystore.txt') or die "cannot open keystore: $!";

# Guide to key format
# 0 - record type
# 1 - validity
# 2 - key length
# 3 - algorithm
# 4 - key id
# 5 - date created
# 6 - expiration date
# 7 - certificate serial number
# 8 - owner trust
# 9 - name/email (user id)
# 10 - signature class
# 11 - parent (if subkey)

# Prepare once with placeholders: user IDs come straight from keyservers, so
# they must never be interpolated into the SQL string.
my $sth = $dbh->prepare(
    "INSERT INTO key_store (record_type, validity, key_length, algorithm, key_id,
     date_creation, date_expire, serial_number, owner_trust, user_id, signature_class, parent)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
);

my $pubkey = '';
while (<$FILE>) {
    chomp;
    my @key = split(':', $_);

    # Get rid of annoying characters
    for (@key) { s/'//g; s/\///g; s/\\//g; }

    # A "pub" record starts a new key; every sig/sub/rev record that follows
    # is attached to it through the parent column.
    my $parent;
    if ($key[0] eq 'pub') {
        $pubkey = $key[4];
        $parent = '';
    } else {
        $parent = $pubkey;
    }
    # sig/rev/sub lines are shorter than pub lines; missing fields become ''
    $sth->execute((map { $_ // '' } @key[0 .. 10]), $parent);
}
close($FILE);
$dbh->disconnect;
```
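Parsing that colon format and mapping field 10 back to the RFC 4880 certification types, as an added Python example (this is not aestetix's tool, which is the Perl above). It tracks the enclosing `pub` record the same way the loader does, counts third-party certifications per key, flags keys carrying a `rev` record (class 0x20, key revocation in RFC 4880), and builds a histogram of certification classes. The sample records below are constructed from the slide's example output with placeholder addresses; the treatment of `\xffffff..` sequences as sign-extended Latin-1 bytes is an assumption about how pgpring printed the name.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Field layout of `pgpring -S -k keystore` output as listed on the slide (fields 0-10)
FIELDS = ["record_type", "validity", "key_length", "algorithm", "key_id",
          "date_created", "date_expire", "serial_number", "owner_trust",
          "user_id", "signature_class"]

# RFC 4880 section 5.2.1 signature types, keyed by the hex value found in field 10
SIG_TYPES = {
    "10": "generic certification (no assertion about verification)",
    "11": "persona certification (no verification done)",
    "12": "casual certification (some casual verification)",
    "13": "positive certification (substantial verification)",
    "20": "key revocation",
}


@dataclass
class Record:
    fields: dict
    parent: str  # key id of the pub record this line belongs to ('' for pub itself)


def normalise_user_id(user_id):
    # Assumption: '\xfffffffc' in the slide's output is the Latin-1 byte 0xFC ('ü')
    # printed through a sign-extended char; turn such sequences back into characters.
    return re.sub(r"\\xffffff([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), user_id)


def parse_pgpring(text):
    records, pubkey = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        parts += [""] * (len(FIELDS) - len(parts))  # sig/rev/sub lines can be short
        rec = dict(zip(FIELDS, parts))              # zip drops the trailing empty field
        rec["user_id"] = normalise_user_id(rec["user_id"])
        if rec["record_type"] == "pub":
            pubkey = rec["key_id"]
            records.append(Record(rec, ""))
        else:
            records.append(Record(rec, pubkey))
    return records


def describe_keys(records):
    """Per pub key: user id, revocation flag, and the certifications it carries."""
    keys = {}
    for r in records:
        f = r.fields
        if f["record_type"] == "pub":
            keys[f["key_id"]] = {"user_id": f["user_id"], "revoked": False,
                                 "certifications": [], "third_party_certs": 0}
        elif r.parent not in keys:
            continue  # stray line before any pub record
        elif f["record_type"] == "rev":
            keys[r.parent]["revoked"] = True
        elif f["record_type"] == "sig":
            cls = f["signature_class"]
            label = SIG_TYPES.get(cls, f"unknown class 0x{cls}")
            self_sig = f["key_id"] == r.parent
            keys[r.parent]["certifications"].append((f["key_id"], cls, label, self_sig))
            if not self_sig:
                keys[r.parent]["third_party_certs"] += 1
    return keys


def certification_class_histogram(records):
    """How often each certification class appears on sig records."""
    return Counter(r.fields["signature_class"] for r in records
                   if r.fields["record_type"] == "sig")


# Constructed sample: key ids from the slide's example output, placeholder addresses
SAMPLE = r"""
pub:q:4096:1:681D3A753B6C249E:2013-12-22:2017-12-22:::Laura Schmitz <laura@example.org>:
sig::::681D3A753B6C249E:2013-12-22:::::13:
sub:q:4096:1:E8A53B713BA1A13E:2013-12-22:2017-12-22:::Laura Schmitz <laura@example.org>:
pub:q:1024:17:DD6909ABB128136B:1998-09-17::::J\xfffffffcrgen Marschall <juergen@example.org>:
sig::::31B221441DDAA684:1998-09-17:::::10:
sig::::DD6909ABB128136B:1998-09-17:::::10:
pub:rq:1024:1:BDAB86311EA5DE89:1999-06-29::::Rudolph Pereira <rudolph@example.org>:
rev::::BDAB86311EA5DE89::::::20:
sig::::BDAB86311EA5DE89:1999-06-29:::::10:
"""

if __name__ == "__main__":
    recs = parse_pgpring(SAMPLE)
    for key_id, info in describe_keys(recs).items():
        print(key_id, info["user_id"], "REVOKED" if info["revoked"] else "",
              "third-party certs:", info["third_party_certs"])
    print(certification_class_histogram(recs))
```

On the sample, only Jürgen's key has a certification from a key other than its own; Laura's key is self-signed only, and Rudolph's carries a revocation. The histogram is the quick way to check the slide's claim that nearly everything in a keystore is a 0x10 certification.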

What email providers have “secure” users?

Example query: `select count(user_id) from key_store where user_id like '%gmail.com%' and record_type = 'pub';`

gmail 334,333

hotmail 107,813

yahoo 60,446

hushmail 5,016

What news organizations have “secure” users?

Example query: `select count(user_id) from key_store where user_id like '%wsj.com%' and record_type = 'pub';`

wall street journal 18

new york times 159

fox news (wtf?) 3

What “intelligence” agencies have “secure” users?

Example query: `select count(user_id) from key_store where user_id like '%nsa.gov%' and record_type = 'pub';`

nsa.gov 54

cia.gov 39

.mil 7,908

dhs.gov 28

goatse.cx 0

How do universities use PGP?

query: `select user_id, count(*) as freq from key_store where user_id like '%.edu%' and record_type = 'pub' group by user_id order by freq desc limit 10;`

```
+----------------------------------------------+------+
| user_id                                      | freq |
+----------------------------------------------+------+
| Re-An M. Pasia <[email protected]>            | 181  |
| nylee <[email protected]>                     | 26   |
| Charles <[email protected]>                   | 18   |
| Bobby <[email protected]>                     | 16   |
| Cheung Chi Wai <[email protected]>            | 14   |
| Robert S. Newnam <[email protected]>          | 13   |
| Shawn Nock <[email protected]>                | 12   |
| Gaby Abed <[email protected]>                 | 12   |
| Steven I. Altchuler <[email protected]>       | 12   |
| Rafael Villavicencio <[email protected]>      | 12   |
+----------------------------------------------+------+
```

Who has signed the most keys?

query: `select parent, count(*) as freq from key_store use index (record_type_parent) where record_type = 'sig' group by parent order by freq desc limit 10;`

```
+------------------+-------+
| parent           | freq  |
+------------------+-------+
| F7F0E70F307D56ED | 12627 | Noèl Köthe <[email protected]>
| 9710B89BCA57AD7C | 10629 | PGP Global Directory Verification Key
| 2F951508AAE6022E | 8825  | Karlheinz Geyer (RBOS) <[email protected]>
| 57930DAB0B86B067 | 7479  | Joost van Baal <[email protected]>
| 30028D244813B5FE | 6223  | Andreas Scherbaum <[email protected]>
| 18A0CC8D5706A4B4 | 6221  | Simon Richter <[email protected]>
| D2BB0D0165D0FD58 | 5832  | CA Cert Signing Authority (Root CA) <[email protected]>
| 948FD6A0E10F502E | 5231  | Marcus Frings <[email protected]>
| DE7AAF6E94C09C7F | 5106  | Peter Palfrader
| E544DE079B7C328D | 4254  | Luk Claes <[email protected]>
+------------------+-------+
```
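The domain counts and the signature ranking above, run against a constructed `key_store` table in SQLite, as an added example (the slides used MySQL; the rows, addresses and the gmail/hushmail/nsa.gov values below are constructed, and the key ids are reused from the slide's sample output). Two checks a practitioner would want are built in. First, `like '%gmail.com%'` matches the string anywhere in the user ID, so a pattern anchored on `@domain>` (or `@domain` at the end of the ID) is shown beside it. Second, with the `parent` column filled the way the Perl loader fills it (parent = the `pub` record a `sig` hangs under, `key_id` = the signer), grouping `sig` rows by `parent` counts certifications a key has received, while grouping by `key_id` and dropping self-signatures counts those a signer has issued; both groupings are provided.

```python
import sqlite3

# Same columns, in the same order, as the slide's Perl loader
SCHEMA = """
CREATE TABLE key_store (
    record_type TEXT, validity TEXT, key_length TEXT, algorithm TEXT, key_id TEXT,
    date_creation TEXT, date_expire TEXT, serial_number TEXT, owner_trust TEXT,
    user_id TEXT, signature_class TEXT, parent TEXT
);
CREATE INDEX record_type_parent ON key_store (record_type, parent);
"""


def row(record_type, key_id, user_id="", signature_class="", parent=""):
    # Constructed rows; only the columns the queries below look at are filled in
    return (record_type, "", "", "", key_id, "", "", "", "", user_id, signature_class, parent)


ROWS = [
    row("pub", "681D3A753B6C249E", "Laura Schmitz <laura@gmail.com>"),
    row("sig", "681D3A753B6C249E", signature_class="13", parent="681D3A753B6C249E"),  # self-sig
    row("sig", "F7F0E70F307D56ED", signature_class="10", parent="681D3A753B6C249E"),
    row("sub", "E8A53B713BA1A13E", "Laura Schmitz <laura@gmail.com>", parent="681D3A753B6C249E"),
    row("pub", "DD6909ABB128136B", "Juergen Marschall <juergen@example.org>"),
    row("sig", "31B221441DDAA684", signature_class="10", parent="DD6909ABB128136B"),
    row("sig", "DD6909ABB128136B", signature_class="10", parent="DD6909ABB128136B"),  # self-sig
    row("sig", "F7F0E70F307D56ED", signature_class="10", parent="DD6909ABB128136B"),
    # two user IDs that contain "gmail.com" without being Gmail addresses
    row("pub", "5964884DB64C74F1", "Cheng Ye <cheng@gmail.com.example.net>"),
    row("pub", "C56C3CAA9995BDE7", "gmail.com helpdesk <ops@hushmail.com>"),
    row("pub", "7C951D88B8CCB59D", "Carol <carol@nsa.gov>"),
    row("sig", "F7F0E70F307D56ED", signature_class="10", parent="7C951D88B8CCB59D"),
    row("sig", "7C951D88B8CCB59D", signature_class="13", parent="7C951D88B8CCB59D"),  # self-sig
]


def load(rows=ROWS):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO key_store VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", rows)
    return conn


def count_users_loose(conn, domain):
    """The slide's query: substring match anywhere in the user ID."""
    (n,) = conn.execute(
        "SELECT COUNT(user_id) FROM key_store WHERE user_id LIKE ? AND record_type = 'pub'",
        (f"%{domain}%",)).fetchone()
    return n


def count_users_strict(conn, domain):
    """Anchor on '@domain' followed by '>' or by the end of the user ID.
    domain is treated as trusted input here (no escaping of '%' or '_')."""
    (n,) = conn.execute(
        "SELECT COUNT(user_id) FROM key_store WHERE record_type = 'pub' "
        "AND (user_id LIKE ? OR user_id LIKE ?)",
        (f"%@{domain}>", f"%@{domain}")).fetchone()
    return n


def signatures_received(conn, limit=10):
    """The slide's ranking: sig rows grouped by parent, i.e. per key that carries them."""
    return conn.execute(
        "SELECT parent, COUNT(*) AS freq FROM key_store WHERE record_type = 'sig' "
        "GROUP BY parent ORDER BY freq DESC LIMIT ?", (limit,)).fetchall()


def third_party_signatures_issued(conn, limit=10):
    """Sig rows grouped by the signer's key id, leaving out self-signatures."""
    return conn.execute(
        "SELECT key_id, COUNT(*) AS freq FROM key_store WHERE record_type = 'sig' "
        "AND key_id != parent GROUP BY key_id ORDER BY freq DESC LIMIT ?", (limit,)).fetchall()


if __name__ == "__main__":
    conn = load()
    for d in ("gmail.com", "hushmail.com", "nsa.gov"):
        print(d, "loose:", count_users_loose(conn, d), "strict:", count_users_strict(conn, d))
    print("received:", signatures_received(conn))
    print("issued:", third_party_signatures_issued(conn))
```

On the constructed rows the loose pattern reports three "gmail" keys where only one address is actually at gmail.com, which is the kind of overcount to keep in mind when reading the provider and agency numbers above. Both queries also count keys, not people: one person with several `pub` records is counted once per record.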

http://trust.aestetix.com

http://trust.aestetix.com/index.pl?pgpid=d255d3f5c868227f&Submit=Submit