PGP Never Gonna Give You Up

(Summary: Cryptographically signing messages with my long-term PGP keys is too important to give up. Doing this on my Android telephone is easier than I thought. You should strengthen your secret key encryption if you’re also going to do this.)

Recently, Filippo Valsorda, cryptography expert and TLS guy at Cloudflare, wrote that he was giving up on PGP, or at least on long-term PGP keys.

I agree with many of his points, especially the complexity of managing those keys, lack of forward secrecy (if someone were to steal my keys, they could decrypt all past conversations, unlike for example Signal) and accessibility (how do you verify a message with a baby on your left arm and your telephone in your right?). More generally, it makes a great deal of sense to make your security a moving target, as one of the Ars Technica commenters astutely summarised Filippo’s ideas.

Cryptographic signatures FTW

However, in spite of these factors, I am not yet ready to give up my PGP long-term keys.

Why is that?

Well, one of the most important uses of my long-term PGP keys is to cryptographically sign messages that can be verified by people in my network as having come from my hands.

For example, when I change my phone or re-flash its firmware (this has happened 3 or 4 times over the past two months because Android), I send PGP-signed messages to my main Signal correspondents with our new safety numbers.

With all of these correspondents I have in the past either done some sort of in-person formal PGP signing procedure, or I make use of the web of trust, or I rely on keybase. My business cards even have my key fingerprint on them (yes, I’m one of those nerds).

At their ends, the recipients of my messages are able to determine with an extremely high degree of confidence that I wrote the exact message they opened.

Accessible PGP on your smartphone with OpenKeychain

In terms of accessibility, the post did make me curious enough to experiment with a mobile PGP solution, as I had to agree that in the past I’ve often had to wait until I was behind one of my own laptops or workstations to PGP-verify a message.

As my one friend explained on Signal:

It’s tricky to verify a message with a baby in your left hand and a telephone in your right!

OpenKeychain to the rescue!

Strengthen your secret key encryption

Seeing that I was planning on carrying my long-term private keys around on my telephone (BlackBerry PRIV, FDE active FWIW), I had to double-check the security of the secret key encryption.

It turns out that PGP encrypts each of your secret keys with a key derived from a hash of the passphrase you supply. My passphrase is significantly longer than the average, and consists of random characters (uppercase, lowercase, numbers, symbols). Passphrase length and complexity are by far the most important factors determining the safety of your encrypted secret key.

However, I had the default SHA-1 hash (ouch) with only 64k iterations. Iterating the hash is called key stretching: the passphrase is hashed, that result is hashed, and so on, very many times, so that testing each passphrase takes more time, which complicates brute-force cracking approaches.

Inspired by the writings of Chris Wellons who keeps his encrypted secret keys on a public website (!!!), I reconfigured my private key encryption to use 1 million iterations of the SHA-512 hash, and to use AES-256 for the encryption itself:

gpg --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 1000000 --edit-key 384435C7E77A4564

After typing that command, enter passwd at the prompt, then follow the prompts. You will have to enter your passphrase, and then enter your new passphrase twice.

You can then check that this operation was successful by using the command gpg --list-packets secring.gpg. My output looks as follows. Most important is that algo is 9 (AES-256), hash is 10 (SHA-512) and protect count in my case is just over 1 million.

:secret key packet:
     version 4, algo 1, created 1376407300, expires 0
     skey[0]: [4096 bits]
     skey[1]: [17 bits]
     iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: blabla
     protect count: 1015808 (159)
     protect IV:
     encrypted stuff follows
     keyid: 384435C7E77A4564
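
The "(159)" next to the protect count above is the one-octet coded count stored in the key packet, which is why a requested 1000000 shows up as 1015808. As an added example (not from the original post), this Python sketch follows the iterated and salted S2K of RFC 4880 section 3.7.1.3, where the count is the number of octets of repeated salt plus passphrase fed into the hash. The function names, the rounding-up rule in encode_count and the sample passphrase and salt are assumptions made for illustration.

```python
import hashlib

EXPBIAS = 6  # constant from RFC 4880, section 3.7.1.3


def decode_count(coded: int) -> int:
    """Expand the one-octet coded count from the key packet into an octet count."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + EXPBIAS)


def encode_count(requested: int) -> int:
    """Smallest coded octet whose decoded count is >= requested.

    Rounding up is an assumption of this example; it reproduces the
    1000000 -> 1015808 (159) pair shown in the packet listing above.
    """
    for coded in range(256):  # decode_count is monotonic in coded
        if decode_count(coded) >= requested:
            return coded
    return 255  # requested exceeds the largest encodable count


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        hash_name: str = "sha512", key_len: int = 32) -> bytes:
    """Derive a symmetric key (32 bytes for AES-256) from a passphrase."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    h = hashlib.new(hash_name)
    if key_len > h.digest_size:
        # RFC 4880 uses extra, zero-prefixed hash contexts here; not needed
        # for SHA-512 with AES-256, so this example does not implement it.
        raise ValueError("key longer than one digest is not handled")
    data = salt + passphrase
    # The whole of salt+passphrase is always hashed at least once.
    count = max(decode_count(coded), len(data))
    full, rest = divmod(count, len(data))
    for _ in range(full):
        h.update(data)
    h.update(data[:rest])
    return h.digest()[:key_len]


if __name__ == "__main__":
    print("default coded 96  ->", decode_count(96))      # the "64k" default
    print("requested 1000000 ->", encode_count(1_000_000),
          "=", decode_count(encode_count(1_000_000)))
    # Constructed sample inputs, not real key material.
    key = s2k_iterated_salted(b"correct horse", bytes(range(8)), 159)
    print("derived key:", key.hex())
```
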

SHA-512 is the slowest hash which PGP offers (see these oclHashcat benchmarks for example), which means that each iteration of a brute-force password cracking attempt will take a bit longer / eat more GPU watts, which is exactly what we want. You can increase the protect count for as long as the delay on your smartphone is still tolerable.

However, remember that a stronger and longer passphrase is much better! (so we do both)

Other than that, remember that Android security is far from good, so do as much as you can to keep your phone safe (keep up with OS updates, stay away from unofficial app markets, and so on).

Use your keys with OpenKeychain

I was pleasantly surprised to learn that I could directly import both my secring.gpg and pubring.gpg files from my ~/.gnupg directory. Right after selecting secring.gpg for import, the UI looked like this:

You can see the old 1024 bit key I made in 2000 to use for my Debian activities, and the 4096 bit key I currently use.

After importing your secret and public keyring, you are able to encrypt, decrypt, sign and verify any files or clipboard contents on your Android phone:

So if I receive something like this via Signal:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Never gonna give you up, never gonna let you down
Never gonna run around and desert you
Never gonna make you cry, never gonna say goodbye
Never gonna tell a lie and hurt you
-----BEGIN PGP SIGNATURE-----

iQFEBAEBCgAuJxxTdGVmYW4gdmFuIGRlciBXYWx0IDxzdGVmYW5Ac3VuLmFjLnph
PgUCWE2aUQAKCRDl/rykoDTdZZgvB/9Yi76C9o7xIgQ/d85WbnKDjNosp5uXzgHm
A2y+cxZDLVNLTMrlCTXOMRulaJMvb3Ocsvi+/gQVUF49fT74EXlZpZvvdTzhQfa2
VvQPjZmf/9PNzB3pgUtEDBwyLC21C6dqU+y7mPk91Aw1m8cKBQUSHmQxa7F/dCFc
DCuWOcXjNt5vLQ2Q8mQBMpHaG9J5+4/0k/GEHAVcm55fzb7o2hJyEVb3EoYy8Pls
khIwJpZVdwyY4FPoLXW3iJYanC5qoOoS81YLCyLEyin0jH56ve05uHbF0XcaNY4h
NupkN2D+Dt4X2m2FXieM27eG/Ty9hVx7n7B3pT4P9KqeFDX8hQ/q
=c7j9
-----END PGP SIGNATURE-----

I long-press, copy the message and then select “read from clipboard” from OpenKeychain’s Encrypt/Decrypt screen, which, if everything checks out, shows me the following message:

I can now rest assured that this specific buddy of mine is never gonna give me up and is never gonna let me down.

Cryptographically signing a message is equally easy, except that you’ll have to enter that long passphrase of yours. OpenKeychain will then make the signed and optionally encrypted text available for sharing to any app, or for copying and pasting:

Easy peasy, and tested under all sorts of usually-PGP-unfriendly conditions!

Conclusion

Maintaining PGP long-term keys certainly has its issues, but the possibility of cryptographically signing any message so that recipients can establish with high confidence that it originated from you is too important to give up.

With an app like OpenKeychain and sufficiently strong passphrase hashing and secret key encryption, you are able to use your keys with ease from your telephone.

Granted, you are trading in some security for this convenience. However, given the choice between discarding my PGP keys completely, vs. taking these steps, I’ll hold on to my keys for a little while longer.

In order to mitigate the potential damage of one of my long-term keys being compromised, I have resolved to generate and start using a new private key as soon as I run through my current batch of business cards, and to continue rotating like this in the future.

Let me know in the comments what you think. Do you know of a better alternative for remotely verifying the identity and messages of your correspondents?

Android security in 2016 is a mess.

Summary

Your phone probably contains banking, payment and personal information that can be remotely stolen via numerous known and unknown bugs in the Android software. This is attractive to criminals.

Vendors (LG, Samsung, Xiaomi, etc.), after selling you their phone, have no incentive to keep your phone’s software up to date with Google’s fixes. Your Android phone is probably out of date and therefore a gaping security hole through which attackers can steal your stuff from the safety of their own laptops.

Read on for more.

Between 1.3 and 1.4 billion Google Android phones in March of 2016.

An illustration: MediaTek / BLU phones are uploading your data.

You might recently have read about the incident with the popular BLU phones sold by Amazon in the US. It turned out that these phones were regularly sending bunches of personal information to servers in China: text messages, call logs, contact lists and so forth. After more investigation, it came to light that this was happening via a low-level piece of software called ADUPS.

When Google had previously updated its systems to check for ADUPS, MediaTek (they make the chipset in millions of low-end phones) simply modified their system software to evade Google’s checks. Nice one MediaTek!

This is a painful example of the fact that the software on your phone, although based on Google’s software, is customised by the phone vendor. The further frustrating effect of this is that when Google releases security patches to Android (which they do regularly), there is very little incentive for the phone vendor to spend money on updating phones they have already sold.

What about A-list phone makers?

I bought my LG G3 in 2014 here in South Africa. It was LG’s flagship in that year, and sold extremely well. LG is a well-known smartphone OEM.

Only because I took steps to flash the official KDZ image (V30a-ZAF-XX), which consumers would normally not do, am I now running Android 6. Even so, my security patch level is 2016-03, meaning there are 6 months of security updates I don’t have. (You can check your Android security patch level by going to Settings | General | About Phone | Software info.)

Before you think six months lag is not too bad, here’s a nice example vulnerability from the November 1 Android security bulletin:

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

In short, your phone could be hacked wide open from afar through a single innocent-looking email, MMS or web-page.

My friend’s South African LG G3 is still stuck on Android 5.0 (V20n-ZAF-XX). Most probably this is being blocked due to his carrier (MTN). In any case, 5.0 does not even show the security patch level, so we have no idea how many months of security fixes this phone is missing.

(LG seems to be tracking Google’s security updates quite well, but somehow these updates are not reaching phones.)

A scary little aside

I just tried Check Point Labs’ QuadRooter Scanner app on my “updated” LG G3, and this is what I saw:

LG G3 with Marshmallow and Android security patch level 2016-03 is vulnerable to QuadRooter.

So my manually updated LG G3 is still very much vulnerable to QuadRooter. In theory, my phone could be (or already has been) rooted and pillaged by any old innocent-looking app, although I keep mostly to the official Play Market, so the risk is slightly mitigated.

At this stage, even as a relatively knowledgeable user, there’s not much I can do to patch my phone against this vulnerability.

Google’s leniency cuts both ways: More than a billion Android users, but most of them vulnerable.

It’s fantastic that Google’s openness and leniency with Android has helped to make smartphone technology accessible to more than a billion users (probably closer to 2 billion taking into account Chinese Android phones not connected to Google services, see Ben Evans’s post). However, this same leniency allows manufacturers to be irresponsible about keeping their customers safe.

The fundamental problem here is that there are a great many Android phone vendors, making phones from absolute entry-level to top-of-the-line flagships, who have very little incentive to spend money on post-sale security updates.

Once you’ve paid for the phone, you’re not important enough anymore to have a secure(ish) telephone.

What can we do?

Buy an iPhone. No really.

I’ve been using Android since the HTC Desire Z. I love Android, because I love Linux which I have been using since 1993.

However, if money is no object, my only sound advice can be to buy an iPhone. Apple is still shipping security updates, albeit on iOS 9, for the iPhone 4s which was released in 2011 (5 years ago). The iPhone 5 is still being kept up to date with iOS 10.

Furthermore, in terms of phone encryption, iOS 4, released 6 years ago, was already more advanced than Android 7 Nougat, released in August of this year. In short, already then Apple made better choices in how exactly different files are encrypted, whilst Android implemented full disk encryption, which for the smartphone use case is not the right choice. In Nougat, Android has finally also changed to file-based encryption, but they’re missing important parts of the puzzle. The phone encryption blog post I link to is insightful, please take a look.

Stick with Android Pixel or Nexus.

If you prefer sticking with Android, the best choice is getting an official Google device, which means either a Nexus or a new Pixel. Google’s policy for Pixel and Nexus security states that they will ship security updates either for three years after device introduction, or for 1.5 years after the device was last officially sold from the Google Store, whichever is longer.

Unfortunately, iPhones are really expensive, and Google’s new Pixel devices are also aiming for the higher-end market. The previous generation Nexus phones offer a more mid-range but very temporary reprieve.

In other words, most normal consumers on a budget, i.e. the largest part of the Android user base, actually of the smartphone-using world, are stuck with insecure, vulnerable phones. This is not cool.

Consider installing a custom ROM.

Installing a custom ROM such as Cyanogenmod brings with it another set of issues with regard to the phone being rooted, and with regard to driver-level support of proprietary hardware. In any case, this is not something your average consumer will have access to, but Android gurus can certainly apply.

Efforts like CopperheadOS (hardened Android) are certainly promising, but it will be quite a while before they are accessible to the largest group of Android users.

Update: David Metcalfe pointed out in the comments that you can buy a secure Android phone from Copperhead. If you are in the US or Canada, and you have some budget, you could buy the LG Nexus 5x or the Huawei Nexus 6P with CopperheadOS pre-installed. It’s great that this is available, but due to price and geography not really accessible to most Android users.

Keep manufacturers honest.

Ideally, Google starts taking a much harder line with manufacturers who put Android on their phones. They could for example maintain and publish a list of phone models that are kept up to date with the latest security fixes, and a list of those that aren’t.

I was happy to see that at least Huawei has a pretty good record in terms of keeping their Android phones up to date (although the results were probably skewed as they counted the Huawei-produced Nexus 6P phones, and these formed the majority of the test set, doh). This factor will play a role in the next smartphone that I buy.

Do you know of any (other) manufacturers of more affordable Android phones who are committed to keeping their users safe? Please let me know in the comments!

Addendum: Android phones with acceptable security update records

BlackBerry PRIV, DTEK50 and DTEK60

lobste.rs user jabberwock tipped me off to the fact that BlackBerry’s Android phones get monthly security updates. Read more at CrackBerry and here in the BlackBerry Android security bulletin for November: It looks like these phones receive monthly updates (when not blocked by the carrier, sigh) and have already received the November 2016 update.

Here is the original blog post where BlackBerry explained their security patching policies for the PRIV.

Z Launcher: A breath of fresh air in the world of Android.

Most Android launchers are small variations on the same concept: One or more screens of widgets and icons (sometimes grouped) which can be used to start various different apps. It’s usually up to the user to place these icons on the screen, much like we’ve been doing for ages on our computer desktops.

If you too are in the mood for a more innovative take on the launcher, you could do much worse than installing Nokia’s (yes, they live!) free Z Launcher app.

It looks and works like this:

On the left is the default start screen. It shows a list of the apps I’ve most recently started, with the most used ones at the top (you can see that I was quite busy using Signal at that point).

If you would like to start some other app which is not on the current short list, or view or call a contact, simply scribble the first letter of the app or contact on the screen! In my case, I scribbled a “g” (the “p” screenshot is from the Z Launcher play store page, because I was not able to screenshot it on my own phone), at which point it listed apps and contacts with the letter “g”. Again all of the “g” apps are listed in order of how much I’d interacted with them at that point.

Swiping to the right gives you a traditional widget area (here I have a weather (yr.no is the best, even here in South Africa) and a calendar widget), and swiping to the right gives you a traditional searchable list of all of your apps.

Z Launcher continuously learns about the apps and other items you interact with the most, and will always show you the ones that you interact with the most at the top. Over the past week of testing, this has saved me a significant amount of time finding and starting the phone functions I was looking for.

For saving me time, and doing it in an aesthetically pleasing way: 5 stars for you Z Launcher!

The Next Level. [Weekly Head Voices #22]

Due to the sleep- and concentration disrupting side-effects of a recent fantastic and life-changing event, I have skipped two editions of the Weekly Head Voices.  You’re going to have to bear with me, as it might happen again more than once in the coming months, whilst the ramification of aforementioned event matures some more and finally decides that those funny hairy creatures often occupying the same spaces that she does do deserve some rest.  Sometimes.

This edition of the Weekly Head Voices is almost 100% backyard philosophy, and more specifically is concerned with the meta-physical state some (language NSFW), in a brilliant exercise in post-modernistic satire, call The Next Level.  Let’s take a gentle start.

First have a look at this mobile phone:

The phone is not only glaring at a Rubik’s Cube, but IT’S PHYSICALLY SOLVING THE THING without even breaking a sweat, or begging for a battery recharge.  This phone has clearly reached the Next Level (of phones).

Then check out this robot:

Yes people, the robot is able to move by HAPPILY BALANCING ON A BALL, even recovering from a shove by its future human slave. That’s pure robot hardcore, and definitely a robot that’s reached the Next Level.

Humans have a next level too. Because we currently seem to be by far the dominant life-form on our sensory horizons, striving for this is a slightly more complex endeavour than being able to balance on a ball like that robot.  So how can we strive for the next level?

For a start, take a look at this list of cognitive biases on wikipedia. In essence, most humans are basically walking meat bags filled with misunderstandings, and convinced that they’re not. Related to this, and funny in a tragic kind of way, is the Dunning-Kruger effect, which boils down to the fact that people who are incompetent, are by nature even less capable of recognising their own incompetence (vaccine / main-stream health denialists and climate change denialists are textbook cases of this). In any case, one would be taking a really big step up the ladder to the next level if one were to memorise the list of cognitive biases above, and were to work really hard every day at trying to compensate for some of these effects in oneself.

Generalising this idea, I think a really great life philosophy is simply to strive every day to be better at something than you were the day before: Cycle a bit faster, remember better, think and see more clearly, be kinder. If one were to keep this up throughout one’s life, one will probably end up in a Very Good Place (philosophically that is).

Something else that one can try to practise in one’s journey to the mythical next level is meditation.  A friend recently posted the following Google TechTalk by Philippe Goldin on the neuroscience behind mindfulness meditation.  It’s 50 minutes long, so feel free to watch it after you finish reading this post:

I wasn’t aware that what I was doing in essence comes down to mindfulness meditation.  In contrast to concentration meditation, where the goal is focusing on the same thing (a mantra, an object) the whole time, mindfulness is about opening the mind and letting the now flow in, appreciating and mentally tasting it without judging.  Although alternative health sites already claim the world (as with all things alternative health, you should ignore these without hesitation), science is cautiously optimistic about the effects of mindfulness, in spite of the sub-standard quality of many of the studies.  There do seem to be definite personal benefits, and personally I am of the opinion that any form of regular meditation or focused self-reflection is an important catalyst in striving for the next level.

The same phenomenon currently disrupting my sleep and concentration, is very much related to this whole discussion, and probably caused it. Whilst it has justifiably been remarked that the act of procreation certainly doesn’t require a rocket scientist (on the contrary, sometimes), helping to sculpt the initial result into a potentially next level human being is an exquisite form of art that requires decennia for the completion of a single piece.

Thank you for stopping by to hear me ramble on, and please turn this into a real discussion by leaving a comment!

Weekly Head Voices #6: Heroic Wave, Brainy Mice, Don’t shoot the Messenger.

Week 40 of 2009 brought with it the following noteworthy tidbits:

Gadgets:
Public opinion concerning the HTC Hero is generally quite positive, although the extent to which the most recent firmware update has remedied the often-reported laggy touch-screen response leaves me suspicious:

It does have a capacitive touch screen (the best kind), but is apparently still not as responsive as the iPhone. It’s almost as if the finger swiping is seen as a suggestion instead of an actual command. Now before all you fanboys go “I told you so”, please remember that Android devices actually multi-task an arbitrary number of processes, whilst Apple has determined that fanboys are only allowed one at a time, with some recent small exceptions. I think I might just wait this one out. At least until next week.

When I first heard about Google Wave, I was considering letting this fad pass me by, so I didn’t go to any effort to get in on the invite frenzy. However, after seeing this short (7 minute) explanatory video:

… I am now regretting my laissez faire attitude. What completely convinced me, was the part where they show how you can organize BBQs using this fantastic new technology. WHY DIDN’T THEY SAY SO IN THE FIRST PLACE!

Slightly more seriously, Wave enables you to combine multiple different forms of internet communication in one stream, called a wave (doh), that can be played back and forth in time and to which other Wave users can be added as subscribers, thus enabling them to take part in the stream by adding more emails, comments on other emails, real-time chats, documents, and anything else one might fancy throwing into the conversation. One is also able to link the wave bi-directionally to other information sources such as blogs, so that for example comments on a linked blog are automatically added to the wave, at the correct point in time.

It’s pretty exciting to see where all of this is going.

Science:
On Wednesday I opposed an M.Sc. thesis that explored the relationship between DTI-based and resting state fMRI-based neural connectivity. DTI, or diffusion tensor imaging, is an MRI-based technique that is able to image neural fibre bundles in the human brain: Very loosely put, this is in fact imaging the brain’s connective wiring, i.e. the structural connectivity. With resting state fMRI, it is hypothesised that one can derive functional connectivity, i.e. fish out the regions that show such high time-activity correlation that there is a high probability that they are working together and hence are probably connected. Of course one would like to see these two being in agreement.

In recent literature this has been demonstrated, but in this M.Sc. project no correlation was found. Unfortunately in science, it’s far harder to convince someone of the latter than of the former. Whatever the case may be, this raises interesting questions: Is there no correlation? Are the techniques not sensitive enough? Also in the back of my head throughout the very solid defense was the recent work on finding fMRI activity in the brain of a dead salmon. :)

On Thursday, I was involved in a meeting with hardcore scientists. How do I know they were hardcore? Well, they do things with mice. Over the past years I have seen a terribly high correlation between scientific hardcoreness, judging by number of publications in journals such as Science and Nature, and Doing Stuff With Mice, Especially Genetically Modified Mice. Although correlation of course does not imply causation, I have decided to acquire some of the above-mentioned mice. Perhaps their running around in my office with electrodes sticking out everywhere will also lead to Great Things.

Retail therapy:
Even when you don’t really need it, retail therapy is just fantastic. On my way to get coffee beans for the espresso machine at work, I, completely by chance of course, ran into this lovely little Samsonite messenger bag (in black of course) and just had to get it for my baby netbook. It’s going to Atlantic City next week after all!

Which reminds me, I will probably liveblog (haha I used it in a sentence) from IEEE Visualization 2010 next week, which means that I am optionally excused from Weekly Head Voices duty. Ok?