Yes, this implementation uses the user id as a salt to prevent lookup tables from being built.
Yes, this implementation uses aggressive KDF settings to deter this sort of attack.
People are still really bad at choosing passwords and passphrases. They often pick phrases from obscure, but public, sources, thinking they're clever.
When the "let's derive asymmetric keys from a passphrase" idea was applied to cryptocurrencies the results were catastrophically bad. I gave a talk at DEFCON about this four years ago:
There are some marginally valid use cases for keys that can be memorized, but for those cases, tools should offer opinionated passphrase generation tools that make it impractical to pick a bad passphrase. A simple way to do this would be to require that e.g. the first x bits (10 to 16 probably?) of sha256(passphrase) are zero, and bundle a tool that takes in a wordlist, an output passphrase strength, and user provided entropy (to be combined with system entropy for users who don't trust the system csprng), and spit out a compliant diceware-style passphrase.
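The generator this comment sketches, as an added example that is not from the original post or any project: user-supplied entropy (e.g. dice rolls) is mixed with the system CSPRNG, words are drawn from a constructed toy wordlist, and candidates are rejected until the sha256-leading-zero-bits rule holds. `MixedRng`, `words_needed` and `generate` are my own names.

```python
import hashlib
import hmac
import math
import secrets

# Constructed toy wordlist (64 words = 6 bits per word). A real tool would ship
# a large list such as the EFF long list (7776 words, about 12.9 bits per word).
WORDLIST = """able acid aged also area army away baby back ball band bank
base bath bear beat been beer bell belt best bill bird blow blue boat body
bomb bond bone book boom born boss both bowl bulk burn bush busy call calm
came camp card care case cash cast cell chat chip city club coal coat code
cold come cook cool cope copy core""".split()


class MixedRng:
    """Byte stream from HMAC-SHA256(key=H(user entropy), msg=system seed || counter).
    Both inputs feed every output block, so the stream is at least as unpredictable
    as the stronger of the two sources. system_seed is a hook for tests only."""

    def __init__(self, user_entropy: bytes, system_seed=None):
        self.key = hashlib.sha256(user_entropy).digest()
        self.seed = system_seed if system_seed is not None else secrets.token_bytes(32)
        self.counter = 0

    def uniform_index(self, n: int) -> int:
        limit = (1 << 32) - ((1 << 32) % n)  # rejection bound: unbiased modulo n
        while True:
            msg = self.seed + self.counter.to_bytes(8, "big")
            self.counter += 1
            x = int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")
            if x < limit:
                return x % n


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def is_compliant(passphrase: str, zero_bits: int) -> bool:
    """The machine-checkable property proposed above: sha256 starts with zero_bits zeros."""
    return leading_zero_bits(hashlib.sha256(passphrase.encode()).digest()) >= zero_bits


def words_needed(strength_bits: int, zero_bits: int, wordlist_size: int) -> int:
    """The zero-bit filter keeps only 2^-zero_bits of candidates, so it costs zero_bits
    of entropy; extra words compensate so the survivor still carries strength_bits."""
    return math.ceil((strength_bits + zero_bits) / math.log2(wordlist_size))


def generate(strength_bits: int, zero_bits: int, user_entropy: bytes, system_seed=None) -> str:
    rng = MixedRng(user_entropy, system_seed)
    n = words_needed(strength_bits, zero_bits, len(WORDLIST))
    while True:  # about 2**zero_bits candidates on average before one is compliant
        candidate = " ".join(WORDLIST[rng.uniform_index(len(WORDLIST))] for _ in range(n))
        if is_compliant(candidate, zero_bits):
            return candidate
```

With 10 to 16 zero bits the search costs a few thousand to a few tens of thousands of hashes, negligible for the generator but a cheap way for a tool to refuse any hand-picked phrase.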
Can't wait for the next time someone clogs up the SKS system and tells us that GPG is terrible and the PGP ecosystem is essentially in a state of eternal trashfire, only to be told by the GPG wizards that everything is fine and working as intended, it will be fixed anyway by that one guy that volunteered on the mailing list to do it, they assure us.
Man, where would we be without the people that defend GPG? Possibly in a world with easy-to-use mail cryptography solutions but who wants that?
Otherwise this was a very interesting blog post, I should probably upgrade my GPG keys at some point, considering the primary keys have been floating unencrypted into various public spaces.
Haha, actually this problem has been fixed for some time. Now subkeys need to be cross-signed by the primary key, so yep, you can share them but only with the key owner's private key.
For more details see: https://gnupg.org/faq/subkey-cross-certify.html
Efail is a good example of a presentation failure. It has very little to do with PGP or GPG itself, but instead with failures to adequately separate the output.
You have a few choices for key distribution.
1. A walled garden like keybase.
2. A distributed trust model like the web of trust.
3. A bunch of web servers with no proof the key has not been tampered with.
All of them have benefits and flaws.
I work in an industry which uses PGP unfortunately, and a bunch of implementations. It's very difficult to use modern, secure cryptography with PGP. There are so many different options and backwards-compatibility hazards when dealing with whatever other PGP implementations exist. There are many bad options you can choose in PGP, and lots of software gets it wrong. Old ciphers like IDEA and CAST5 are used. Old-school RSA padding. The MDC tags are still SHA-1 I think.
Matt Green wrote about some of this in 2014; I don't think much has changed. Section "The OpenPGP format and defaults suck" https://blog.cryptographyengineering.com/2014/08/13/whats-ma...
I get the feeling, in all these discussions, that people with strong negative feelings about Efail never read the paper (accepted at Usenix Security, one of the top academic venues for vulnerability research, and Black Hat USA, the top industry venue), but instead just took the GnuPG team's word about it. That's a mistake.
5. Adding a fingerprint to all e-mails you send out (people online you never met/meet only know you by your online behavior anyway), so cross-checking a few mailing list archives the user posted to in the last few years should be enough. This is most useful if you are subscribed and can thus be sure that the archive was not manipulated.
IMHO, Web Key Directory is a better option here. It has all the benefits of DNS but none of the drawbacks (DNS has plain-text queries etc.)
Both DNS and WKD are real-time, and modifiable by an attacker. There's no trail of trust/history. It may be good for discovery, but trusting the key requires more.
I guess that it's better to have multiple independent ways to validate ownership of a key after you discover it. Cross-check various methods that require different levels of access, to see if something is fishy.
Anyway, I'm off to implement WKD. :)
It seems like everyone is trying to find a way to make a global trust network (keybase, LinkedIn, etc.), when all you need most of the time are small circles of trust (dev groups, activism organizations, etc.).
I think the decentralized nature of WoT is actually a better way of structuring things, since it makes mass surveillance much more difficult.
We were looking for a solution like this but with more flexibility and power. Using our library you can generate PGP keys using any key derivation mechanism for a large variety of key types!
Here are two sentences picked from a batch of 32 for a 120-bit security factor that I think the average person could memorize with a few minutes of effort:
know why rod signifies eight nodes
middle crude tissue clearly said Sultan