Frell: New keys

37 views
Skip to first unread message

Frell Remailer Admins

unread,
May 13, 2008, 9:49:38 PM5/13/08
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Recently generated keys could have used a weak random number generator,
introduced by Debian's OpenSSL package:

http://lists.debian.org/debian-security-announce/2008/msg00152.html


Mixmaster: New mixmaster and PGP keys generated. The old PGP keys were
generated before the bug was packaged into a debian archive but they're
overdue anyway. I will do a few tests and announce them here. The new
mixmaster key is at the end of this message.

Old secret keys are kept for at least a month to process any messages
encrypted to them.


Tor: Identity keys regenerated

Fingerprints:
frell 6A87 EA8A E8E8 14AA 90EA 7FD5 EC6A DDD3 EA3A 072A
frell2 F095 5A24 3CD8 7DA1 5588 DC4D 199A 3738 E214 4301

Hidden service keys have been regenerated without changing the .onion
hostname.


Mixminion node: Identity key regenerated on 'frell2', renamed to 'frell2a':
Identity: MIIBCgKCAQEAwpmpuWIg8odMsRQV0yXB6+dXTwqkmGg1Q9TIp49xfqbSIef5vZayIlCDB6SNzPC0VYSPvC7ByJdjZVojPQugAH6iR+oYJewSAR48Zz1aLKbJ6DvILFa/t2w7t3svHEzz5utQSawdMicVp3Wt2Xz+4kl0iRRv7EJ2K3oqX0VGpPgjvJDmWW+xbGAn5ucwji5l8a9zrPcaRXC0wu3VKmC+bPzJXGd4izJEGwTidbaVumJ+W9l1+s0QxomVNPeFHhRsGJrcSho7kaPEWAz40ech+PHUcBmBVgLxqWVzofVVNAhLG5vA0vs/AaPYUdWKu2wixXDhk2E4DFA/P+1ZGeln5QIDAQAB

Mixminion nodes must be approved manually before they are included in the
directory, so it's going to take a few days until it reappears.

The mixminion key on 'frell' was generated before the bug was introduced
and remains unchanged.


Here is the remailer key:

frell go...@remailer.frell.eu.org acbe618c652720c929ef40ed148f45d9 2:3.0rc1 CNm 2008-05-14 2009-06-08

- -----Begin Mix Key-----
acbe618c652720c929ef40ed148f45d9
258
AASwsq8VvmksAUJ7slZ32L+7XC8La0QeQUGNQX5E
1w0nnRK9k/69feT58gBU6ulpKr6rc/cFNlb4+InN
n8J3jwpS7dBl0ALz4Hvqnu+VZ9gIsRg0/+N0fqDk
E2YeqvTyQFfKakfIQiebY4EEfjXvcr1N4JnWRVD5
7IeGG/kyBXkhkwAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAQAB
- -----End Mix Key-----

Frell Remailer Admins

-----BEGIN PGP SIGNATURE-----
Version: N/A

iQEVAwUBSCpEsmaR/ww89Cq9AQImlwgAuTr5BMaeYXN85j9KTZstdD19Wddqts5d
a468GKVVqSfbY5Am8JO3lMvRgkgw4xEDG4n4ki9PzvmKs15to3i1XhL3wWSRX3ur
MJk/H6mcZ5sSuuyBCBfMlITCjKDxvasY0w4jgYD+3mH2E+0e1yhZSJ/mw4HT1Yrv
mUfC3KvuQ97u4CHvjXbAQYBK3rB2MDHEbh83s4IkJCWTw7IqerxCY1aS9RzRLbeW
Fvj/pfAf0l6J2RhJf24Ene5X1a2Y9BY2d4GzaL28v2/R1gbbW1QD93nlz3KnMQx3
Cf+WtVk3RmN33VLFmMLoJ8I2EBAUKSuX8X0G9GRQVBKhgoUy8H3CQA==
=F2FF
-----END PGP SIGNATURE-----

Frell Remailer Admins

unread,
May 14, 2008, 7:11:41 AM5/14/08
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I gave up trying to import keys generated and signed by GnuPG into
mixmaster. I had planned to make them 4096 bit and signed by the old keys.
I just don't know how to export them into a format recognized by mixmaster.
Yes, I already have them IDEA protected but still the key packet format
differs and GnuPGP doesn't seem to be able to set the parameters needed by
mixmaster's OpenPGP implementation.

If anyone has some advice on this, I would be glad to hear it.


So here are the new 1024 bit keys:


Type Bits/KeyID Date User ID
pub 1024R/09754B59 2008-05-14 Frell Remailer <go...@remailer.frell.eu.org>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mixmaster 3.0rc1 (OpenPGP module)

mQCNA0gqxM8AAAEEAL8clMHnyOB84A0XKL7sPHAq2RWKsFWPFWVTRdH7OrYu572b
+/xbDSDkSiGAwUWCCdfu5ShZHq7VM2XGVTCXI/gt9N6d3D0ooptQ2HMYoXQ2qsEC
sC7x689jPCVHqLA4y7U+wOVdnMnUKOPgtV85dt4xkOwmPXcBFCp4VnUJdUtZAAUR
tCxGcmVsbCBSZW1haWxlciA8Z29kb3RAcmVtYWlsZXIuZnJlbGwuZXUub3JnPokA
lQMFEEgqxM8qeFZ1CXVLWQEBgFsD/R9bf8QDgeK0zNOpgKE2KczffuYBiG+v/t9F
dtgkZl4ikec2rNCWsvOyyxkrVvOct1mEin+6nSRBMJ+9nq8/PbZLq1xjXyPn3OxM
+hA2oMCGmTPkEh0JO3F2Qp+hFmmX4y5hyf87p+r88qFIAgldlWW/rSQ+1QACPBFs
mvsgb4XY
=MOjU
- -----END PGP PUBLIC KEY BLOCK-----

Type Bits/KeyID Date User ID
pub 1024D/FBEEF86D 2008-05-14 Frell Remailer <go...@remailer.frell.eu.org>
sub 1024g/07129114 2008-05-14

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mixmaster 3.0rc1 (OpenPGP module)

mQGiBEgqxM8RBACFpGxe3jEId9+BxkDWr3JTQMtZkzfhN8gXxfSS0RJ6xkNVuTZT
LevHXSJpd4/wW9rvI1nGGAWjiFXFQf4z+ywdqtvLEgNX5raoE4YOS3vFXymLqImY
pmUCtsQWV/VCg/dqAcB6aoLjaxZwEyEymAA2aapdtGI99wOrW+8uD5HfswCg0u64
0iNKkt08KfFa/HAXT6DN+iED/10fL154ikD6Alslh4qQ8sHa829Sukc26cPTKvTU
k/qI0gJ+yHkwzMUM8tT7C87+Wdl4suG5FxjC+oHSlOepkzAxTfktAK7WzFKMT+cD
3VFhpe4t80JjQ0OvODA7Gq5qDfWCvRMYIk1nWvQpW+lp8f9rgC1+nKMU9DXhusbB
WRZNA/9MIK+9BCxe0ei8w+v3GBHj7ODcA4oqASMJdU7b3TIdxvpc+VBKRucBiexP
hVT4tT5ZCTKjZN+qJPd3vF+gD8MZLH2lsjzjcELtHtit/tdiDdWzHApeIxPQyzdR
MMOHPh9bjIBlNC1iXOKO76B8G0dNfsHRnkxryYAcB7UvCFteWbQsRnJlbGwgUmVt
YWlsZXIgPGdvZG90QHJlbWFpbGVyLmZyZWxsLmV1Lm9yZz6JAE0EEBECAA0FAkgq
xM8DCwMCAh4BAAoJEKzOfev77vhtMI8An3/wU/d2V+E4uSdzIxo2qqmlDQCKAJ9y
Avt4nyob1BxX5zcJvNq5nkn0wrkBDQRIKsTPEAQA7ZehQpCZHzRDEBEemaJlWgod
Kih9mehyLJPXORd1TgotafJe4HbWLUqo45fjU9yWMbgHKHJ2mK5WYSg2C+buc2Vp
Z5Y/sxigL2XiYW+9CIirLyQwMOxSaAl2QIiqu5uIVXX/o6QqpRQIJ88qWWHhY6vk
zMlMaK7pdV7NHpVALq8AAwUD/10zn3evym8jRQSSrvp03qrdvFpc8+T6+TVPu9Ln
UqH4euHM1p8QYeD/dSmebCKILP4/wRD+DQz9KkvV6FB+vVP2s5CRaLSTLx4iN0nS
FHjfTlSS5QS72D9UzVVWJDvQBMmvIgHgKY8UgW0L1pB7uK6l04D4c0H7Sltg7k80
vSF0iQBGBBgRAgAGBQJIKsTPAAoJEKzOfev77vhtA3wAn3rJ9ghA7qJAQla4A7cP
50s3lPTaAKCNggQLGdTohqv4B4hxqpF2Kxt9iQ==
=6Y5N
- -----END PGP PUBLIC KEY BLOCK-----

Frell Remailer Admins

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6(ish)

iQEVAwUBSCrIHWaR/ww89Cq9AQInNwgA08uDIC+2eeEzOWzL8sZsp8tsYbWeo+34
Xm7h5jqSfHNOrjfuDoDyKnUW7sUfvKqUrNbZRC2Znma2Q6+3gbPauXCDdlujJB22
7Z6zTVhjXwp19hYtTW77GXqBSpq0FDeC5Lo76OPQwx4sPYP/wY64tRRtXqbDad66
nSjI4bvF2eFRCnA5C22I1ow4GTVhYU6qdYcPFWXajSRhAHF1PGRZkYS8tfO6ZV0t
Oyo1n8n0yRO2SA9UpDko0QAbxCNFSw6Q+Xm5/mw2u4tuTXbevS0CvPCassAPmYNP
A1gnLePt2sK3AEgvXpGj16FIjBvf9AJs5hzYD7O1ULyCHNsaXrvSFg==
=WRCX
-----END PGP SIGNATURE-----

George Orwell

unread,
May 14, 2008, 6:02:01 PM5/14/08
to
> Mixmaster: New mixmaster and PGP keys generated. The old PGP keys were
> generated before the bug was packaged into a debian archive but
> they're overdue anyway. I will do a few tests and announce them
> here.

Remops please use pubkeys 2048 bits and larger. 1024 bit keys will be
vulnerable in the near term.

Il mittente di questo messaggio|The sender address of this
non corrisponde ad un utente |message is not related to a real
reale ma all'indirizzo fittizio|person but to a fake address of an
di un sistema anonimizzatore |anonymous system
Per maggiori informazioni |For more info
https://www.mixmaster.it

Frell Remailer Admins

unread,
May 14, 2008, 10:44:35 PM5/14/08
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

George Orwell <nob...@mixmaster.it> wrote:

> Remops please use pubkeys 2048 bits and larger. 1024 bit keys will be
> vulnerable in the near term.

In this respect, mixmaster is at a dead end, I'm afraid. Mixmaster has a
hard-coded key size of 1024 bits and the mixmaster message format itself
allows a maximum key size of ~1500 bits.

See also <E1IWI7q-...@frell.theremailer.net>:

>>A note about key sizes: I tinkered with the mixmaster source a while ago
>>and tested if it could work with keys >1024 bit. The maximum possible key
>>size for mixmaster messages is ~1500 bit. The fixed size message format
>>cannot handle larger keys. Also, though the key size appears to be
>>transported in the protocol (see the "258" above, that's 258 bytes of key
>>data = 16 bit key id, 1024 bit public key, 1024 (nulled) secret key,
>>IIRC), clients won't be able to use remailer keys other than 1024 bit
>>without changing the source code. So, mixmaster is bound to 1024 bit key
>>size. It might be possible to use larger keys by changing the protocol
>>and restricting chains to less than 20 hops. But why change a Type 2
>>protocol when there's already Type 3 in the works?

I have no information about key sizes and limits in mixminion but I would
assume that it allows for a broader range of keys and ciphers. Mixminion
creates its keys all by itself in the distant depths of its work directory.
I usually don't go there.


Regarding Type 1 keys, I really tried to create 4096 bit keys, signed by
the old remailer key and the admin key. I just found it impossible to save
and export the secret key from GnuPG in a way that mixmaster would
recognize it. I spent some time trying to make sense of the differing
outputs from --list-packets, tried various switches, --openpgp
- --simple-sk-checksum --s2k-cipher et.al., but no combination would make
mixmaster accept the secret key. Unfortunately, the knowledgeable people on
IRC were all busy with updating their SSH keys. I finally gave up and let
mixmaster create its Type 1 keys, which are also hardcoded to 1024 bit.
See also <E1JwEtZ-...@mail.frell.eu.org>.

OTOH, reply chains in general and Type 1 especially should be considered
somewhat broken anyway and the only Type 1 remailers that should still be
used are the local remailers on nym servers, dumping encrypted nym messages
into aam through a random remix chain. Let's hope Type 4 nym servers are
available before time runs out.


BTW, in the light of a major blunder like Debian-OpenSSL's unseeded random
generator, "1024 bit keys will be vulnerable in the near term" is merely an
academic notion. Here's how I understood the implications of the change[1]
so far: The PRNG was seeded with the current process ID alone, which offers
rather little variation compared to the total keyspace, reducing the
effective key size on a typical Linux/i386 system to 15 bits[2] with an
uneven distribution (low process IDs taken by system processes) allowing
even further prediction. The problem affected all keys generated by
OpenSSL, including ephemeral TLS session keys, between somewhen last
year[3] when the package entered the "stable" branch and the past days[4].
DSA keys that were created before or elsewhere can be reconstructed from
signatures made with the key on a vulnerable system[5]. But it made
valgrind happy[6].

I would like to be wrong on this, so please correct me.

[1] http://tinyurl.com/6olv3j (aka http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&#038;view=diff&#038;r1=141&#038;r2=140&#038;p1=openssl/trunk/rand/md_rand.c&#038;p2=/openssl/trunk/rand/md_rand.c )

[2] http://metasploit.com/users/hdm/tools/debian-openssl/

[3] http://www.links.org/?p=327#comment-176542

[4] http://lists.debian.org/debian-security-announce/2008/msg00152.html

[5] http://blog.sesse.net/blog/tech/2008-05-14-17-21_some_maths.html

[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516

Frell Remailer Admins

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FNORD/Thingy)

iQEVAwUBSCuivmaR/ww89Cq9AQIdmwf/SKYov65BpKxj+LGmsDF7Oc+iJkWYhhT+
Vq8r2JiCAV4CVDSr1QlXSimuVjIgSVJ0HqXLNp/HKRkxcOJPTQ2I5eaWwIlX8L3l
rC6xbGY4rKC7xBm4ApxPwVzd8Bhezfd7qsIPJSSU6gpIu6WxUTeqRmb3rSZ85Mf6
GUXoZq/6mk3YamONbaWhsWd6ek3j+Mu5g8Fxtm6EFT6Kpub8Iud/xyK8Ghu+yDKR
UmqDeGgrrpqmqvaRPowY/vWh8wV/25z1X5zM4veMsZcVPzUfdDvCynE+yzft0rPj
qON2ldkzo9GxkqcwIWY+/mDucitj1VclbuVMeSH4b3VyZKD+xElXWA==
=d+g7
-----END PGP SIGNATURE-----

Borked Pseudo Mailed

unread,
May 15, 2008, 8:17:08 AM5/15/08
to
> In this respect, mixmaster is at a dead end, I'm afraid. Mixmaster has
> a hard-coded key size of 1024 bits and the mixmaster message format
> itself allows a maximum key size of ~1500 bits.

Thanks for this piece of info which I've not heard before. I did see
some 2048 bit keys used by Type I remailers. I now suspect they are
running JBN, Reliable, etc. rather than Mixmaster.

> Regarding Type 1 keys, I really tried to create 4096 bit keys, signed
> by the old remailer key and the admin key. I just found it impossible
> to save and export the secret key from GnuPG in a way that mixmaster
> would recognize it.

I suppose it would be worth a try to do the same thing with PGP 6.5.8
instead of GnuPG as GPG exported keys may well not be recognized by the
Mixmaster PGP module for various reasons. It shouldn't take much time to
try this if the OP still wants to create 4096 bit keys. 4K keys would
really be grand for Type I remailer use and should see us safely into
the future for many years.

> OTOH, reply chains in general and Type 1 especially should be
> considered somewhat broken anyway and the only Type 1 remailers that
> should still be used are the local remailers on nym servers, dumping
> encrypted nym messages into aam through a random remix chain. Let's
> hope Type 4 nym servers are available before time runs out.

Quite so but as they're the only game around we've not got much choice.

> BTW, in the light of a major blunder like Debian-OpenSSL's unseeded
> random generator, "1024 bit keys will be vulnerable in the near term"
> is merely an academic notion.

Well I haven't read the OpenSSL news but my comment about 1024 bit keys
being vulnerable was my opinion based on what I've seen in publicly
available results on progress in factoring in the past several
years. Extrapolating the results I believe it may be soon or already
possible to factor 1K pubkeys within 3-6 months for certain global
adversaries and it should be apparent to everyone that the remailer
network's pubkeys are high on the list of ones worth having a go
at. There is the nasty bit of breaking reply blocks every time a pubkey
changes but perhaps its well advised to generate new pubkeys at least
twice yearly or even quarterly. After all, the remailer community is
nothing if not respectably paranoid.

I personally ignore the naysayers who attack anyone who says 1K pubkeys
are more than enough as either blind, stupid or working for various
nefarious agencies who'd be quite pleased to have everyone thinking
their keys are unfactorable. It's quite worth the effort for a bit of
security or then why bother with remailing and encryption at all.

Zax

unread,
May 15, 2008, 10:06:41 AM5/15/08
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, 15 May 2008 00:02:01 +0200 (CEST), George Orwell wrote in
Message-Id: <7af89e471df8ec50...@mixmaster.it>:

> Remops please use pubkeys 2048 bits and larger. 1024 bit keys will be
> vulnerable in the near term.

Check out the RC5-72 challange at:
http://stats.distributed.net/projects.php?project_id=8

With very large, distributed computing power they have been working to
crack a 72bit key for 1990 days. At the moment they have tested 0.494%
of the potential keyspace. A 1024bit key is very big indeed.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFILENxlKZ6CY7Vd0MRCrnsAJ4n6gvxzJ52C2FKswz3KF2ybdrJYgCfalnM
7Qpik/eRDfrhiWm/xigqXUY=
=/OCm
-----END PGP SIGNATURE-----

--
pub 1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE EBB4 94A6 7A09 8ED5 7743
uid Admin <admin.bananasplit.info>

Anonymous

unread,
May 15, 2008, 2:05:13 PM5/15/08
to
>> Remops please use pubkeys 2048 bits and larger. 1024 bit keys will be
>> vulnerable in the near term.

>Check out the RC5-72 challange at:
>http://stats.distributed.net/projects.php?project_id=8
>
>With very large, distributed computing power they have been working to
>crack a 72bit key for 1990 days. At the moment they have tested 0.494%
>of the potential keyspace. A 1024bit key is very big indeed.

Uhhh, Zax, no coffee this morning?

That's a 72 BYTE key. I could factor a 72 BIT key on my calculator.

Anyway, that is not the latest or most advanced factoring
information. Anyone who wants to check further can find out. More
progress has been made using a modest network of cheap machines and well
funded groups can amass a thousand times more power without breaking the
bank.

George Orwell

unread,
May 15, 2008, 2:59:43 PM5/15/08
to
Anonymous <cri...@ecn.org> wrote:

> >With very large, distributed computing power they have been working to
> >crack a 72bit key for 1990 days. At the moment they have tested 0.494%
> >of the potential keyspace. A 1024bit key is very big indeed.
>
> Uhhh, Zax, no coffee this morning?
>
> That's a 72 BYTE key.

Are you on decaf?

"As of 03 December 2002, we're now working on the 72-bit RSA Labs
secret-key challenge (RC5-32/12/9)."

http://distributed.net/rc5/

> I could factor a 72 BIT key on my calculator.

Is that a bet?

Solo

unread,
May 15, 2008, 5:10:22 PM5/15/08
to
In article <20080515180513.987181A79A5@isole>

Anonymous <cri...@ecn.org> wrote:
>
> That's a 72 BYTE key. I could factor a 72 BIT key on my calculator.

WAB!

George Orwell

unread,
May 16, 2008, 9:13:21 AM5/16/08
to
> Are you on decaf?
>
> "As of 03 December 2002, we're now working on the 72-bit RSA Labs
> secret-key challenge (RC5-32/12/9)."

> http://distributed.net/rc5/

The OP is quite correct lads. This is old news and actually falls quite
short of other work done even earlier. Can't you chaps do a simple web
search? Even RSA's corp web page announced a 663 bit number was factored
in 2004. You can well imagine that big operations have surpassed these
marks set by teams with PC's with the supercomputers they've got.

Have a look here

www.rsa.com/rsalabs/node.asp?id=2964
www.rsa.com/rsalabs/node.asp?id=2879

Results summarised on

en.wikipedia.org/wiki/RSA_Factoring_Challenge

RSA's official challenges don't represent the state of the art in
factoring as they stopped awarding competitors in 2007 (for obvious
reasons???) Each year brings steady advances in progress and we must
conclude computing power for factoring 1024 bits is certainly within
reach of major players in a few months time.

Here are some other links since your web searches haven't been working
including info on successes on 512 bit and larger numbers early as 1999

mathworld.wolfram.com/news/2005-11-08/rsa-640
www.cs.uwaterlook.ca/~mwg/teaching/01-02/887/readings/RSA155.pdf

Now here's quite an interesting bit of news from 2007 which appears to
show a team have factored a 1039 bit number

www.loria.fr/~zimmerma/records/21039-

This seems to be using the multiprime method so they haven't quite
factored a normal RSA key in the manner needed to attack a 1039 bit RSA
key used created with PGP which is the product of two primes. It's quite
interesting nevertheless.

There are numerous other results from small teams who've published their
works anyone can find them if they will only have a look.

Reply all
Reply to author
Forward
0 new messages