Running a secure keysigning party

[Tony Arcieri]

There's a few problems with trying to do a keysigning party at DEFCON:

1) Most people won't be able to get on the Internet and use keyservers. We can try to provide a secure network (i.e. our own network served off the DEFCON upstream one, firewalled)

2) USB thumb drives are probably a pretty bad idea, because of malware

What should we do? Try to provide Internet access for keyserver use, or find some way to do secure peer-to-peer exchanges of keys (QR codes? o_O) without the use of external media?

--
Tony Arcieri

[Adi Kamdar]

Roping in Alan, who's in charge of the keysigning on Friday.

--
You received this message because you are subscribed to the Google Groups "Crypto and Privacy Village" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cryptovillag...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 
Adi Kamdar
Activist, Electronic Frontier Foundation
https://eff.org
a...@eff.org | 415.436.9333 x144

[Tony Arcieri]

On Tue, Jul 29, 2014 at 8:33 PM, Alan Eliasen <eli...@mindspring.com> wrote:

   These are valid issues, but, luckily, we don't need to rely on

internet access, or anyone having their computers with them.  All that's
*really* required is that the people attending have the fingerprint of
their public key with them.  (It can be on a piece of paper.)

That's not really a keysigning party so much as a "collect fingerprints" party. Participants won't leave with signed keys in that case.

People can retroactively sign keys, but having an actual mechanism for exchanging public keys and signatures would be a lot more useful, IMO. How many people do you think will retroactively download and sign keys based on the fingerprints they collected, versus doing it in person? 

--
Tony Arcieri

[Adi Kamdar]

On 7/29/14, 8:42 PM, Tony Arcieri wrote:
>
> That's not really a keysigning party so much as a "collect
> fingerprints" party. Participants won't leave with signed keys in that
> case.
>
> People can retroactively sign keys, but having an actual mechanism for
> exchanging public keys and signatures would be a lot more useful, IMO.
> How many people do you think will retroactively download and sign keys
> based on the fingerprints they collected, versus doing it in person?
>

A fair few, I think. Most of the key signing parties I've been to have
operated this way—exchanging fingerprints, verify identities, sign after
at your leisure.

[Tony Arcieri]

On Tue, Jul 29, 2014 at 11:46 PM, Alan Eliasen <eli...@mindspring.com> wrote:

   Many common keysigning party rules actually go to lengths to tell
people *not* to bring their computer.  For example,
http://rhonda.deb.at/projects/gpg-party/gpg-party.en.html#toc3

Encouraging people not to bring a computer to the keysigning party is probably for the best.

--
Tony Arcieri

[Karl Koscher]

My understanding is that computers are discouraged at *any* key signing party.

Here's one way of running a large key signing party: http://keysigning.org/methods/sassaman-efficient

--

[Tony Arcieri]

On Wed, Jul 30, 2014 at 12:07 AM, Karl Koscher <supe...@gmail.com> wrote:

My understanding is that computers are discouraged at *any* key signing party.

Something of a plan for what's going to happen would be nice 

Here's one way of running a large key signing party: http://keysigning.org/methods/sassaman-efficient

In DKIM we trust, then? ;)

--
Tony Arcieri

[Tony Arcieri]

On Wed, Jul 30, 2014 at 12:22 AM, Tony Arcieri <bas...@gmail.com> wrote: 

Here's one way of running a large key signing party: http://keysigning.org/methods/sassaman-efficient

This process seems to predate smartphones... or hash functions more sophisticated than SHA1...

Can we do better? 

[Adi Kamdar]

I don't think Alan's full email went to the cryptovillage group. (Tony, can you add him? Or Alan, can you send an email with "subscribe" in the subject line to "cryptovilla...@googlegroups.com"?)

Alan, do you mind sending a breakdown of what you plan to do on Friday? I have full faith in your methods (and have been poring over your site), but a summary for the rest of us might be helpful.

Adi

-------- Original Message --------

Subject:	Re: Running a secure keysigning party
Date:	Wed, 30 Jul 2014 00:46:11 -0600
From:	Alan Eliasen <eli...@mindspring.com>
To:	Adi Kamdar <a...@eff.org>, Tony Arcieri <bas...@gmail.com>
CC:	crypto...@googlegroups.com <crypto...@googlegroups.com>

On 07/29/2014 09:56 PM, Adi Kamdar wrote:
> On 7/29/14, 8:42 PM, Tony Arcieri wrote:
>>
>> That's not really a keysigning party so much as a "collect
>> fingerprints" party. Participants won't leave with signed keys in that
>> case.
>>
>> People can retroactively sign keys, but having an actual mechanism for
>> exchanging public keys and signatures would be a lot more useful, IMO.
>> How many people do you think will retroactively download and sign keys
>> based on the fingerprints they collected, versus doing it in person? 
>>
> A fair few, I think. Most of the key signing parties I've been to have
> operated this way—exchanging fingerprints, verify identities, sign after
> at your leisure.

   Many common keysigning party rules actually go to lengths to tell
people *not* to bring their computer.  For example,
http://rhonda.deb.at/projects/gpg-party/gpg-party.en.html#toc3

   "Keysigning party" is a bit of a misnomer; it's the validating of
identities and checking of fingerprints that is the reason for meeting
face-to-face.  The actual keysigning can be done at leisure, and is
usually not done at the event in my experience.  I, personally, will
probably not be signing any keys during the event.  (In fact, I try to
avoid carrying my strong crypto keys when traveling, especially to the
Most Hostile Network On Earth.  I replace my hard drive with one that
has never touched my secure systems before I go to DEFCON.)

   As part of my crypto evangelism, I also find myself being a bit of a
pedant and checking others' keys for good practices.  For example, I
usually make sure that the symmetric encryption algorithms specified in
their public key preferences require strong algorithms first (the
default in GPG is to be weak).  I usually verify that they're using
stronger algorithms before publicly signing their key.  This is
discussed in this section of my document:

https://futureboy.us/pgp.html#StrongerAlgorithms

   I usually like to check their other indicators at leisure, including
looking for any unrevoked or duplicate keys, and looking for any other
red flags.

   In any case, if someone wants to sign others' keys at the event, and
they have network connectivity, they are absolutely free to do so (if
the keys are available on a keyserver.)  They just can't expect that
everyone else signs theirs on the spot (if at all; participants should
be free and under no pressure to vouch for anyone they don't want to.
We need to make sure that it's "okay" for people to not feel forced to
exchange information with anyone they don't want to, and do so in a way
that makes people feel safe.)

   Participants should also not expect that others will be able to
import a raw public key during the event if the public key is not on a
keyserver.  They'll have to just verify the fingerprint and identity and
arrange another way to exchange the private key.

   I'd like for us to have a roll of blue painter's tape available so
people can feel free to cover up sensitive information that might appear
on their photo ID.  We don't want this to be an Identity Theft Party nor
a Stalker Party.  Let's face it; there are some creepy people there and
we don't want to *hurt* peoples' privacy; we want to enhance it.

   We need to think about good ways to help people safely say "no" to
requests to exchange information with others.  Maybe something like what
I've seen at other conferences:  each person had a color of the
stoplight on their badge:  green means it's okay to hug when we meet,
even if I don't know you;  yellow means it's okay to hug iff I know you;
 red means don't hug me ever.  We could do the same.  Yellow could mean
I'm only here to exchange keys face-to-face with people I know or
initiate contact with.  Red could mean "don't ask me for anything."
That actually might go a long way toward making people feel safe about
saying "no".  Whaddya think?

   By the way, my messages to crypto...@googlegroups.com don't go
through because I'm not part of the group.  Dunno if you want to forward
them or if I should join.

--
  Alan Eliasen
  eli...@mindspring.com
  http://futureboy.us/

[Alan Eliasen]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/30/2014 01:07 AM, Karl Koscher wrote:
> My understanding is that computers are discouraged at *any* key
> signing party.
>
> Here's one way of running a large key signing party:
> http://keysigning.org/methods/sassaman-efficient

Thanks! I considered that method, but I'm not sure it would be
appropriate for a free-form cat-herding conference like DEFCON. It
has the disadvantages of 1.) people having to know that they're going
to attend the keysigning party well in advance and 2.) making us keep
an "attendance list" of people who are there. For the same reasons
that DEFCON only takes anonymous cash at the door, I'd rather not hold
nor hand out an official attendance list.

So it'll probably be much more ad-hoc, and fitting the schedules of
people who may wander in and out, or hear about it at the last minute.

I'll post more of my ideas on the organization and direction that
we can give to the participants in the next day or so.

- --

Alan Eliasen
eli...@mindspring.com
http://futureboy.us/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: See Alan's GPG guide at https://futureboy.us/pgp.html
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlPZXcYACgkQ5IGEtbBWdrEbbwCgrtq9KUSVNMybKcPdRU/CgCm7
xzEAn2RDAUFvSzLzoGg3eWj6di1UsBId
=/Fs5
-----END PGP SIGNATURE-----

[Tony Arcieri]

On Wed, Jul 30, 2014 at 2:04 PM, Alan Eliasen <eli...@mindspring.com> wrote:

   Thanks!  I considered that method, but I'm not sure it would be
appropriate for a free-form cat-herding conference like DEFCON.  It
has the disadvantages of 1.) people having to know that they're going
to attend the keysigning party well in advance and 2.) making us keep
an "attendance list" of people who are there.  For the same reasons
that DEFCON only takes anonymous cash at the door, I'd rather not hold
nor hand out an official attendance list.

Yeah, I think it'd be kind of silly to exclude people because they didn't register in advance.

I think it'd be great if we could find a mobile app that exchanges public keys with something like QR codes, but I can't find one with a cursory googling :(

Another approach that might work: nametags that people can write their name and key fingerprint on

--
Tony Arcieri

[Alan Eliasen]

On 07/30/2014 03:04 PM, Alan Eliasen wrote:
> I'll post more of my ideas on the organization and direction that

> we can give to the keysigning participants in the next day or so.

I added a part to my GPG tutorial that explains how to attend a
keysigning party. Please take a look and give me suggestions:

https://futureboy.us/pgp.html#KeysigningParty

I think we should be pushing people toward this link as a good way to
get prepared. I've been pushing it on Twitter and Darknet stuff. It
should probably go in the Defcon forums, too. I'm going to print it on
my fingerprint sheets, too.

It doesn't really say how a keysigning party is going to be *run*
directly, but I'm going to have references to it in the fingerprints of
my GPG key that I hand out, showing the steps and responsibilities that
people should take after a keysigning party.

(I also added a table of contents and a section on how to upgrade to
a new keypair when you or others generate a newer or stronger one.)

I'll also have some DarkNet operatives ( https://dcdark.net/ )
attending the keysigning party on Friday at least, and hopefully some
will also attend on Saturday and can help out. People will get DarkNet
points for exchanging fingerprints with DarkNet operatives (we're
printing secret codes for the DarkNet on our fingerprint sheets.)
Hopefully, this will help Darknet drive traffic to one or both
keysigning parties, and help us link all the participants to a strong
web of trust.

On another fun note, my order of 72 invisible ink pens with
ultraviolet reader lights arrived from China. I didn't think they would
arrive in time. I'm going to be giving these out to people who exchange
fingerprints with me correctly, just for fun and incentive. If I run
out, I might start handing out Defcoin.

I'm still planning on getting nametag/handle stickers for people who
want to wear them during the exchange. I'm also still thinking about
the idea of having red/yellow/green light stickers for the nametags that
help indicate if you're there and willing to exchange keys and show your
ID around, or to mark if you don't want to be asked.

Otherwise, I'll bring some blue painter's tape to let people obscure
sensitive parts of their photo IDs, and I'll possibly use the blue tape
to make a line on the ground for people to circulate around so they can
exchange keys in order and efficiently. There may even be a VIP box or
special sticker for notable people or people already well-connected to
the GPG "Strong Set" to get people connected to it rapidly.

Also, for the record, I've moved to a stronger 4096-bit RSA key from
my old 1024-bit DSA key. Migration statement is here, including
instructions on how to upgrade to my new key if you have my old one:

https://futureboy.us/gpgmigration.txt

The tl;dr of it all is that if you have my old key and will be
validating with me at con, just do this:

gpg --delete-keys B05676B1
gpg --recv-keys EC2392F2EDE74488680DA3CF5F2B4756ED873D23

[Gareth Llewellyn]

I think it'd be great if we could find a mobile app that exchanges public keys with something like QR codes, but I can't find one with a cursory googling :(

https://play.google.com/store/apps/details?id=org.thialfihar.android.apg allows sharing of keys via QR and NFC for Android

[Alan Eliasen]

A major problem with sharing public keys via QR codes is that many public keys easily get so big that no QR code reader I've seen on android can even scan them. If you have an embedded photo, or tons of signatures, or a lot of subkeys, or even a lot of changes to your key, all bets are off (when you make a change to your public key it usually just *appends* the change to your key so your key gets huge rapidly.)

Also, I'm not sure that I trust APG. It was totally dead for years with no updates or bugfixes, and suddenly a new version showed up that requires a lot of unnecessary and scary permissions.
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

[Gareth Llewellyn]

A major problem with sharing public keys via QR codes is that many public keys easily get so big that no QR code reader I've seen on android can even scan them.   If you have an embedded photo, or tons of signatures, or a lot of subkeys, or even a lot of changes to your key, all bets are off (when you make a change to your public key it usually just *appends* the change to your key so your key gets huge rapidly.)

Also, I'm not sure that I trust APG.   It was totally dead for years with no updates or bugfixes, and suddenly a new version showed up that requires a lot of unnecessary and scary permissions.

True, *if* I were to use it I'd only be adding my public key to it and then do the keysigning offline with my laptop.

With key sizes in mind the app can choose to just share the fingerprint via NFC/QR and it then the app appears to pulls the full key down from a keyserver: https://github.com/thialfihar/apg/blob/master/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/ImportKeysQrCodeFragment.java#L107 (obviously of no help if the key one is sharing isn't published)

Anyhow, was just helping with the googling :)