Silk Road forums

Discussion => Security => Topic started by: calcium on December 02, 2011, 04:18 am

Title: 4 suggestions to improve Silk Road security, for admin, sellers, & buyers
Post by: calcium on December 02, 2011, 04:18 am
[Reposted from http://dkn255hz262ypmii.onion/index.php?topic=6235.msg54303#msg54303]

This is going to get a little bit technical. I'm a noob on the forum (and just executed my first successful purchase recently), but I do have significant expertise in the areas I'm going to discuss.

Obviously I'm not going to prove that statement, because I like keeping my anonymity, but other experts should be able to tell from what I say.

tl;dr, here are four points of advice I STRONGLY suggest the community adopts:

1. Sign each other's keys once you have some proof that it belongs to the person it's claimed by, and do so at the appropriate level of validation. This helps build a "Web of Trust", where while I may not know for sure that e.g. Holland is really PGP 4654CBBA, I *do* know reasonably that LexieSadie is PGP A7C82017. So if LexieSadie can prove to themselves that Holland's key is legit, there's a chain - I trust LexieSadie a little bit, she trusts Holland, therefore I can trust Holland.

This goes for sellers, buyers, and Silk Road admin. SIGN EACH OTHER'S KEYS — but ONLY when you have proof that they belong to the entity claimed. (E.g. proof for Silk Road admin could be that the key was the one used at the launch of the site, has been consistently used in communication w/ sellers, etc.)

When your key is signed by someone, get the revised public key from them, import it yourself, and post the updated version everywhere you normally have it, and say you've done so. Then other people can import it, see the new signatures, and trust you more if they trust those signatures. It also makes merging multiple signatures easier.

2. SELLERS: Include a small message printout in your envelopes, signed with the PGP key you posted on your seller account. It doesn't need to say anything substantive, but it MUST include the current date (e.g. "Thanks! Shipped 1 Dec 2011").

It doesn't give anything of value away if it's compromised by the feds (having a signature only tells them what ID it was signed with, not the full info of the key). But it DOES definitively prove to your recipient that the person who packed the envelope is the person who owns that key.

If they get a slip with an implausibly old ship date, that's a red flag for compromise.

3. SR Admin: There must be a PGP signed statement of the current legit URL, along with your PGP key with all current signatures, on SR's front page AT ALL TIMES, as well as on ALL former URLs. The key ID itself MUST NOT CHANGE, but more signatures = more trustworthy, if it's signed by someone that a user themselves has validated.

Merely putting a message on there saying "be sure you have the right URL", without any way to *prove* it's the right URL, is useless. The only proof is your PGP signature of a statement saying what the right URL is.

4. NEVER EVER EVER EVER set a key's trust to 'ultimate' unless it's YOURS. Set it to 'marginal' if you have some evidence that they're who they say they are AND are trustworthy themselves; set it to 'full' if you know for sure they're who they are and that you would trust keys that they sign. PGP has two separate things for this:

TRUST (unknown, never, marginal, full, ultimate) dictates whether you trust OTHER keys that this key has signed. Hopefully you only do this if you've personally validated it. (Remember that PGP trust propagates, so if you trust A and A trusts B [whom you've never heard of], it'll figure out how much you should trust B)
SIGNATURES (0/uncategorized, 1/casual, 2/personal, 3/high) tell others how much YOU have validated that the key belongs to who it says it belongs to. - see http://aperiodic.net/phil/pgp/policy.html
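
Added example (not part of the original post): a simplified Python model of how GnuPG's classic trust model turns the owner-trust settings described in point 4 into key validity, using GnuPG's documented defaults of one fully trusted or three marginally trusted signers and a maximum path length of five. The keyring, the key names and the `valid_keys` helper are constructed for illustration; real GnuPG also tracks partial validity, expiry and revocation, which this model omits.

```python
# Simplified model of GnuPG's classic trust model (illustration, not GnuPG code).
COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default for --max-cert-depth


def valid_keys(ownertrust, signatures):
    """Return {key: depth} for every key the model considers valid.

    ownertrust: {key: "ultimate" | "full" | "marginal"}, set locally by you.
    signatures: {signer: set of keys that signer has certified}.
    """
    # Ultimately trusted keys (normally only your own) are the roots.
    depth = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    all_signed = set().union(*signatures.values())
    for level in range(1, MAX_CERT_DEPTH + 1):
        newly = {}
        for key in sorted(all_signed - set(depth)):
            full = marginal = 0
            for signer, signed in signatures.items():
                # A signature counts only if the signer's own key is already valid.
                if key not in signed or signer not in depth:
                    continue
                trust = ownertrust.get(signer, "unknown")
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[key] = level
        if not newly:
            break
        depth.update(newly)
    return depth


# Constructed sample keyring; all names are placeholders.
SIGS = {
    "me": {"A", "C", "D", "E"},
    "A": {"B"},            # A has full owner trust, so B becomes valid
    "B": {"H"},            # B is valid but has no owner trust, so H is not
    "C": {"F", "G"}, "D": {"F", "G"}, "E": {"G"},  # F: 2 marginals, G: 3
    "X": {"Y"},            # X is an unverified key nobody you trust has signed
}
TRUST = {"me": "ultimate", "A": "full",
         "C": "marginal", "D": "marginal", "E": "marginal"}

if __name__ == "__main__":
    print(valid_keys(TRUST, SIGS))
    # The mistake from point 4: marking someone else's key as ultimate.
    print(valid_keys({**TRUST, "X": "ultimate"}, SIGS))
```

The second call shows why 'ultimate' is reserved for your own key: the unverified key X and everything it has signed become valid without any chain back to you.
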
Title: Re: 4 suggestions to improve Silk Road security, for admin, sellers, & buyers
Post by: calcium on December 02, 2011, 04:19 am
Now for the details...

Have you ever MET "Silk Road"? No. All you know is that you have *a* public key whose name part says "Silk Road", which was used to sign the OP of this thread. Maybe, like me, you got that public key from earlier in the thread when some other anonymous user posted "a" public key.

But unless you have some way to definitively prove that that key belongs to the entity you call "Silk Road", it could just be anyone.

Here's a demonstration:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

lol silk road moved to http://phish.u.com. Everything's ok, see, this message is signed with a "Silk Road" GPG key!
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

... and that's why you need validation. A key is just a key. You have to have some other means of proving whom it belongs to. (Note that I didn't bother faking the creation date on that key, or any of a number of other things that I could have done to very closely mimic key ID # 67B7FA25, but I'm lazy. Trust me, I could do it. The only thing I can't do is make a new key with the exact same ID and fingerprint, or replicate others' signatures.)


I would suggest a few potential remedies:

1. Sellers: if you have had previous (long-term) GPG exchange with "the real Silk Road", such that you're 100% convinced the owner of that key is the admin of ianxz6zefk72ulzz.onion, validate that key and SIGN IT with the key you use for customers.

Likewise, Silk Road, sign the keys of registered sellers you know are legit.

This way, noobs like me who only know a couple sellers' GPG keys, and know them as legit because we actually got our shit IRL, but weren't around in the early days to get SR's pubkey from a legit source (sorry, this isn't a legit source), can then in turn trust that key.

Since we don't want to expose these keys to public key servers, the exchange has to happen manually.


Here's an example.

This is LexieSadie's PGP key as published on her last listings:



Now, I've had a successful transaction with LexieSadie, encrypted to that, so I have *weak* confirmation that the above key represents the actual human who handled my weed so brilliantly.

Why "weak"? Simple: someone else could run a phishing site, replace all PGP keys with fake ones (like I faked SR above), and then just run a silent MITM attack where they pass any messages back and forth.

But hey, it's something. Since "LexieSadie" isn't a human per se, it's a pseudonym that a human (or group) uses to do business, there's only so much you can do to validate that.

So, I went into GPG Keychain Access, and signed her key with that of the buyer account I used with LexieSadie. I set the verification level to 'casual', given the above.

Here's the revised key:


Try importing it. You'll see that it is indeed the same key as the previous one, it just has a new signature for the primary UserID.

LexieSadie could also sign *my* public key as someone she has successfully completed a transaction with. I could then use that revised public key in new communications with sellers, who'd see definitive proof that the person they know as LexieSadie has some trust in me, and use that as part of their decision-making for whether to trust me as a buyer.

I should underscore here that you should NOT "early sign" a key. You should only do it when you have some level of proof that the person is who they say they are.


2. So, what's the maximum amount of proof that a given PGP key is "real"? This is a question of what the likely attack scenarios are. Let's go through them.


SR Admin:

a) Site has an SQL injection exploit or similar vulnerability that allowed an attacker to completely dump its database, allowing them to put up a new hidden service (say, silkroadvb5piz3r.onion) with all that info intact.

Limitation: they would not have access to SR's private PGP keys, unless they're a total idiot and storing them on the server rather than somewhere independent and safe.

b) Site has a MITM attack, aka the usual phishing method. Attacker puts up a new hidden service (say, silkroadtherealthign.onion). Since they don't have the DB, what they do is just proxy all requests to the real site. This adds a delay, but since we're dealing with Tor, delays are not suspicious. The phisher's site could then steal all transparent info (eg passwords) and all database info (by scraping what users see).

Limitations: same as above, plus the added delay.

c) SR has been compromised IRL by the police, who have forced them to hand over their PGP private keys and passwords, database, hidden service ID/secret keys, etc, in return for more lenient sentencing and the ability to get lots of info about drug smugglers (aka all you lovely sellers). They continue operating the site exactly as usual. They can sign with SR's PGP key and do everything else they did.

Limitations: unless they have SR's active cooperation, they might make mistakes replicating their writing style. Also, if there were any out-of-band secrets passed that they *didn't* manage to capture (ie they weren't on whatever machines they compromised, and SR the human didn't blab about them), then they wouldn't know those secrets.


Ways to prove the PGP is legit against a & b: post a signed message on the front page of every legit SR URL ever (current and previous), saying "The correct SR URL is blahblahblah.onion". Also list SR's public key with all current signatures. The key will change regularly as new signatures are added, but its ID, fingerprint, etc core properties will not change.

Ways to protect against c: If compromise is suspected, someone who has an out-of-band secret (eg communicated via some other Tor service the feds didn't know about and/or weren't able to get records of) can challenge the SR admin to decrypt a PGP message signed with that as a symmetric key.

For example, suppose SR and I had chatted on another Tor service. They validated with the same PGP key as now, and said eg "My granduncle has a mole on his left eyelid." I note down this information privately and date it.

Now suppose sometime later, I suspect SR has been fully compromised and is now actually the feds. The feds don't know this secret, since it wasn't in any of the logs they got, and SR didn't mention it to them.

What I can do is post the following challenge publicly:

"If you are the real SR: remember the conversation we had? Decrypt this message using the key "[relative]-[distinguishing mark]-[location]", no spaces." (I.e. "granduncle-mole-lefteyelid")

I create a signed message like so (gpg -a --clearsign -s -u FFB74377):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Whoever decrypted this was Silk Road as of 2010-4-23.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

This message itself can be proven legit by anyone who trusts key FFB74377.

I don't post *that* message, of course. Instead, I post this (generated using gpg -a -c, then entering "granduncle-mole-lefteyelid" as the passphrase, and the above signed statement as the plaintext):


Now, whoever can decrypt that block knows the passphrase. Since the passphrase is based (hopefully) on a secret that only I and SR share, that proves that they are in fact SR (as of the date I received the secret). They can prove this easily by decrypting it and posting the previous, clearsigned statement. Try it for yourself.


Sellers:

a) Cops or phishers are performing a MITM attack. They post their own PGP key, pretending it's the seller's. When the buyer sends them their info, they decrypt it and send it to the real seller (with a new key pretending to be the buyer, just like mine above pretending to be SR), and vice versa. In other words, they just MITM the PGP conversation.

Limitation: they don't actually have the seller nailed IRL; they only have either compromised their SR account or the SR site itself. So they can't control what the seller does IRL.

b) Cops have completely compromised the seller IRL. They continue operating their business as usual to get more info before prosecutions. They have the seller's real PGP key and secret, samples of their packaging, everything.

Limitations: they may not have access to the seller's supply chain (unless the seller ratted 'em out), so once they run out of the seller's stockpile, they'll have to start using product they get from elsewhere, and buyers might notice this. They might not replicate the seller's communication style well (this is more subjective). And the same thing as above about secrets.


There's an easy, definitive defense against (a): the seller includes a small message printout in their package, signed with the PGP key you posted on their seller account. It doesn't need to say anything substantive, but it MUST include the current date (e.g. "Thanks! Shipped 1 Dec 2011"). This proves that the person who packed the product (who is the "real" seller when it comes down to it) owns the PGP key that was published.

If they get a slip with an implausibly old ship date, that's a red flag for compromise.

*Weak* (non-definitive) proof that the seller owns the PGP key is receiving product without that slip. This only proves that the message encoded to that PGP key got to the seller and was acted on — it doesn't rule out a MITM attack like in (a).

(b) can only be defended against by being (subjectively) suspicious of a change in product or communication style, or using the shared-secret method above.


Buyers:

This one is hard, in that the only thing you get from buyers is payment. You have no way to prove that they're a real buyer and not a cop, that they actually received the envelope you sent (vs it going to some police warehouse and the buyer pretending it's all good), etc.

There are however a couple methods.

a) Successfully receiving payment from a buyer proves only that they are able to pay. This is a weak proof of their identity, but it's at least something.

b) Sellers can include a UNIQUE serial number slip on the inside of each package. Buyer then sends you a signed message saying "I received a package with serial number 12381238". This proves at least that they have some control over the receipt of the package, and that the package was not intercepted en route by the postal inspectors and then sent on its way. It doesn't prove that the buyer themselves isn't a cop, of course.

To be really secure, this requires using packaging that's truly tamper-evident AND hard for the PIs to duplicate. That's relatively difficult; you have to have some source of bags or stickers that the PIs don't.

This is a moderate proof of their identity.

I'm not sure how to authenticate the identity of a buyer any better than that.


So there you go: an expert's advice for how to really prove you're you when we're all anonymous.

Do with it what you will.
Title: Re: 4 suggestions to improve Silk Road security, for admin, sellers, & buyers
Post by: DrBenway on December 02, 2011, 04:30 am
+1. Since this is not a massive thread, I don't need to quote your post this time. :)