Silk Road forums

Discussion => Security => Topic started by: mseller on December 30, 2011, 08:02 pm

Title: What do you think about changing every 3months PGP key?
Post by: mseller on December 30, 2011, 08:02 pm
I know that this may carry complications but hear me out.
In the event where seller is compromised all encrypted/signed messages can be strong prove against an seller. Even old message are deleted who know where copy can be found.
And its pretty simple to sign with old pgp key clear text where is new pgp key. It is not so hard but def better protection.
Title: Re: What do you think about changing every 3months PGP key?
Post by: SierraRS on December 30, 2011, 10:50 pm
If seller is compromised, this will not help at all. The encrypted messages are only on Silk Road messaging system. If using WinPT, the received message can be copied to clipboard, decrypted and pasted into new notepad window and read. No need to save it, so there is no saved unencrypted messages floating around. And You must use full disc encryption with Truecrypt anyway, this is the best way to stop anyone taking a look into your computer and mind.

If key is compromised it is compromised instantly. The expiry date on GPG keys are for a situation when you have lost your private key and have no revocation certificate, the key eventually will expire.
Title: Re: What do you think about changing every 3months PGP key?
Post by: mseller on December 30, 2011, 11:02 pm
Thanks for your answer. But many of sellers use and other route of communication (email, privacybox etc) and not only SR messaging system.
Its maybe difficult to explain for me but signing cleartext can be incrimanating and use as prove of authorship.
I have a pgp key what expire, if I change that fingerprint would also be changed?
Anyhow, would anybody change pgp or not its solely up to them. I prefer not to risk it no matter if that need to change pgp keys. I use Bestcrypt as a mandatory tool for safety.
Title: Re: What do you think about changing every 3months PGP key?
Post by: SierraRS on December 30, 2011, 11:12 pm
Well, when communicating with buyers you must use only SR messaging system. Even when encrypted by PGP, the e-mail will show who is communicating with you and so on. If buyer asks for other means of communication, best avoid them.

The signed and encrypted cleartext are proof of authorship in cryptographic terms. In legal terms, even unsigned plaintext is proof. This might depend from jurisdiction to jurisdiction. Expired keys still are valid for decryption and verification of authorship, they only cannot be used for making new encrypted items.

Bestcrypt is closed source, so there is no proof that backdoor does not exist. And even if there is no intentional backdoor, who knows what shortcuts the developers have taken that unintentionally compromise it's security or stability? I remember using Bestcrypt on external drives on corporate environment, but long time ago it all was replaced by Truecrypt or russian built alternative called Diskcryptor.
Title: Re: What do you think about changing every 3months PGP key?
Post by: mseller on December 30, 2011, 11:28 pm
When saying emails I meant for hushmail and other where no headers exist. I use external privacybox what is automaticly encrypted with my PGP and can be sent to email (encrypted without heathers from privacymail) ssl email or tormail.

Bestcrypt has ability to import cyphers (has a forum where people code it and provide source) and it served me very well. Is there backdoor or not I really dont know ( I doubt it as it contradict use of security of software and they have publish source of encryption and hash modules) - it cost money but that does not mean that anything suspicious reside in the software.
edit
I have checked and Jetico(bestcrypt) offer source code of encryption and hashing module. With hdd encryption with 12 ciphers software has feature like USDoD 7 pass wipe utility, wipe and encrypt windows swap temp files (those hidden files what windows always write on disk and serve as virtual memory, schedule of wipe selected files, docs,history temp.cookie etc etc. Arhives whit 12 ciphers, PGP decryption with Key Manager and many other features.
Look at www.jetico.com

Receiving mail - its beyond my control who and what somebody send me. Same thing with encrypted message as I can not control as recipient.
Signing cleartext - prove of authorship if key compromised. That is what I think, even slim chances and many things what I can not think of, factor x, whatever, changing pgp can be good.
Title: Re: What do you think about changing every 3months PGP key?
Post by: TravellingWithoutMoving on January 07, 2012, 03:54 am
I know that this may carry complications but hear me out.
In the event where seller is compromised all encrypted/signed messages can be strong prove against an seller. Even old message are deleted who know where copy can be found.
And its pretty simple to sign with old pgp key clear text where is new pgp key. It is not so hard but def better protection.

- it could help by being evasive -changing your "id" , although if they could prove the message came from you / your account evidence might still count against you.
  {i'm no lawyer..}
- you would have to keep posting your updated key somewhere and / or updating clients ...or not...
- may look suspicious from a buyer perspective -ie may notice you have changed your key 3x times already.
- how do you maintain a good seller / seller relationship if they send you messages only to realise there are key issues..
- have to come up with some sort of explanation for above 2 posts.