On Thu, 29 Jun 2000, John Young wrote:
> Which raises the question of whether secret key generation
> of all systems that ask for user input also uniquely identify
> the user in ways that the user is not aware, and is being
> logged for retrieval from a special hiding place in the program.
It doesn't even have to be that secret. A while ago I noticed
that my PGP KeyIDs tended to have the 3-letter string "BED" in
them - I had generated a few keys for testing and personal purposes.
I didn't understand how KeyIDs were generated, so I posted to
alt.security.pgp asking if my typing pattern during the key generation
phase was responsible.
Colin Plumb was nice enough to post and show that if everything was
working as advertised, then the chances of that were slim. That post is in
Deja, in case anyone wants it.
I can imagine a hacked copy of key generation software which uses typing
patterns to create a short (8-10 bits?) ID string, then embeds it inside
the public key. If there is a parameter to be generated directly, like e
in RSA or a prime modulus, fix some of the bits when performing random
number generation. If you're generating a composite modulus, you might
have to search through a few moduli, but could embed short messages in
them without too much pain (I think this is part of Anderson's observation
on the Digital Signature Algorithm - you can pick "random" values to have
meaning).
This is important because when you go and create your spiffy new key to
run BlackNet or whatever, you normally expect that it can't be linked to
you unless you place your name in the UserID...and you might use the
same program to generate your plain vanilla true name key. Suddenly the
two become linkable and you have no idea, even though the KeyIDs are
public. I'd bet that you can adapt existing work on subliminal channels to
create such a marker that the user has no hope of ever proving exists,
even to himself.
Of course, I don't think PGP actually *has* this flaw, and any attempt to
add it in the source would be discovered. My point is that users' IDs do
not need to be kept in any special secret hiding places. They can be
hidden in plain sight.
-dmolnar
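The two embedding tricks sketched in the post, written out as an added example (my own toy code, not anything from PGP or from the poster). Two facts it relies on: a PGP v3 RSA key ID is the low 64 bits of the modulus n, so anything you can force into the low bits of n shows up in the key ID directly; a v4 key ID is the low 64 bits of a SHA-1 fingerprint, so there you cannot set bits and must instead search through moduli until the hash happens to carry the marker. The "fix some of the bits" channel uses the fact that an odd p is invertible mod 2^k, so choosing q in the right residue class forces n mod 2^k. Prime sizes, marker widths, the profile IDs and the simplified fingerprint encoding are all assumptions chosen to keep the run fast.

```python
"""Hypothetical tainted RSA key generator that hides a short user marker in
the public key. Toy sizes and a simplified v4 fingerprint; not real PGP code."""
import hashlib
import random

PRIME_BITS = 64          # toy size (assumption); real keys use far larger primes
MARKER_BITS = 12         # low bits of n that carry the marker (v3-style channel)
MARKER_MASK = (1 << MARKER_BITS) - 1
HASH_MARKER_BITS = 8     # bits of a hash-derived key ID we search for (v4-style)


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with a small trial-division pre-filter."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def prime_in_residue_class(bits, residue, modulus, rng):
    """Random `bits`-bit prime congruent to `residue` mod `modulus` (residue odd)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1))
        cand = cand - (cand % modulus) + residue
        if cand.bit_length() == bits and is_probable_prime(cand, rng):
            return cand


def tainted_keygen_v3(profile_id, seed=None):
    """Hide profile_id (MARKER_BITS-1 bits) in the low bits of n = p*q.
    p is odd, hence invertible mod 2^MARKER_BITS, so drawing q from the residue
    class marker * p^-1 forces n mod 2^MARKER_BITS == marker. A v3 RSA key ID
    is the low 64 bits of n, so the marker is visible in the key ID itself."""
    assert 0 <= profile_id < (1 << (MARKER_BITS - 1))
    rng = random.Random(seed)
    marker = (profile_id << 1) | 1            # forced low bit keeps n odd
    modulus = 1 << MARKER_BITS
    p = random_prime(PRIME_BITS, rng)
    q_residue = (marker * pow(p, -1, modulus)) % modulus
    q = prime_in_residue_class(PRIME_BITS, q_residue, modulus, rng)
    return p * q, 65537


def extract_v3(n):
    """What the key's author can read back from the public modulus alone."""
    return (n & MARKER_MASK) >> 1


def key_id_v4(n, e):
    """Simplified stand-in for a v4 key ID: low 64 bits of SHA-1 over the public
    key material (assumption: real OpenPGP hashes a specific packet encoding)."""
    material = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha1(material).digest()[-8:], "big")


def extract_v4(n, e):
    return key_id_v4(n, e) >> (64 - HASH_MARKER_BITS)


def tainted_keygen_v4(profile_byte, seed=None):
    """With a hash-derived ID the bits cannot be set directly, so the tainted
    generator keeps p and re-draws q until the top HASH_MARKER_BITS of the key
    ID equal the marker: about 2^HASH_MARKER_BITS draws, i.e. 'search through
    a few moduli'. Returns (n, e, number_of_moduli_tried)."""
    assert 0 <= profile_byte < (1 << HASH_MARKER_BITS)
    rng = random.Random(seed)
    e = 65537
    p = random_prime(PRIME_BITS, rng)
    tries = 0
    while True:
        tries += 1
        n = p * random_prime(PRIME_BITS, rng)
        if extract_v4(n, e) == profile_byte:
            return n, e, tries


if __name__ == "__main__":
    n3, e3 = tainted_keygen_v3(0x2BD, seed=2000)
    print(f"v3-style key ID {n3 & ((1 << 64) - 1):016X} carries marker {extract_v3(n3):#x}")
    n4, e4, tries = tainted_keygen_v4(0xBE, seed=2000)
    print(f"v4-style key ID {key_id_v4(n4, e4):016X} carries marker "
          f"{extract_v4(n4, e4):#x} after {tries} moduli")
```

Both keys are ordinary RSA keys: the primes are random within their constraints, and nothing about n or the key ID looks wrong to a user who does not know the marker is there. That is the "hidden in plain sight" point: the channel costs the honest-looking generator only a residue-class choice or a few hundred extra modulus draws, and the only defence is to read the key generator's source, not the key.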