Posts: 16
Threads: 0
Joined: Sep 2013
Reputation:
0
Silk Road 2.0 emerges
11-11-2013, 12:20 AM
Does giving users the ability to use their own PGP encryption key for authentication enhance the security of the site or more clearly tie individuals using it to the site?
11-11-2013, 02:35 AM
The above question could go both ways. For one, because of the PGP keys it’s harder for it to be a honeypot, assuming users are generating their own PGP keys and keeping the private key to themselves. In such a scheme people would advertise their public key (on the site), and the site could help them send messages to other people. But decoding and verifying the message would require a third-party application to be used (so that the site does not get the private key).
However the benefits of such a scheme are quite nice: no one on the site could read private messages besides the intended recipient; the recipient could verify the sender; hence you don’t actually have to trust the site, assuming people can verify their keys through a third party (like TorChat).
This doesn’t pose much of a threat of tying users to the site assuming its users take the proper precautions. For starters they should use an operating system like Tails to prevent the operating system from storing information. Then they need to store the key in a secure way. The best way would be to remember it (it’s only about 80 English words (13 bits per word, 1024-bit key); I’ve remembered less, word perfect, in a week of practice). Short of that, a very secure RSA key (4096 bits) is small enough to be hidden using steganography (and still encrypted of course), or be hidden in a TrueCrypt deniable partition without being obvious.
Both of these methods assume you use encryption for everyday tasks. If you have a terabyte of encrypted data (say custom re-encoded pirated movies, not criminal unless you are selling them) and you hide 4096 bits somewhere in it… good luck to anybody trying to find that.
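The out-of-band key check mentioned in the post above (verifying keys through a third party), as an added example that is not part of the original thread. It computes an OpenPGP version 4 fingerprint as defined in RFC 4880 and compares it with one received over a separate channel; the key material, timestamps and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    # version octet 4, creation time, algorithm id 1 (RSA), then the MPIs n and e
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the body (RFC 4880, section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_matches(served_body: bytes, fingerprint_out_of_band: str) -> bool:
    """True only if the key the site served is the one its owner vouched for elsewhere."""
    expected = fingerprint_out_of_band.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(served_body), expected)

# Constructed sample values: toy moduli, far too small to be real keys.
CREATED = 1384128000
OWNER_N = (2**127 - 1) * (2**89 - 1)
SWAPPED_N = (2**107 - 1) * (2**61 - 1)

owner_key = rsa_public_key_body(CREATED, OWNER_N, 65537)      # key the owner generated
swapped_key = rsa_public_key_body(CREATED, SWAPPED_N, 65537)  # key a dishonest site substitutes
owner_fp = v4_fingerprint(owner_key)  # what the owner passes along over the second channel

if __name__ == "__main__":
    print("fingerprint from owner:", owner_fp)
    print("site serves owner's key:", key_matches(owner_key, owner_fp))
    print("site serves swapped key:", key_matches(swapped_key, owner_fp))
```

A mismatch means the key listed on the site is not the one its owner published elsewhere, so anything encrypted to it would be readable by whoever substituted it.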