Anonymous Servers - How long is a signature valid?


Author How long is a signature valid?
Igenlode

2005-04-10, 2:45 am

I've discovered why none of my posts have been making it out recently;
email at this end has been piling up unsent since the 6th! No wonder
nothing ever made it to the nymserver...

But this raises another question; how many of these messages will get
dropped through being too old when they finally make it? How long does
the nym software hold a PGP signature to be valid (and the mail2news
gateways the posting-date on the message?)?
--
Igenlode <Igenlode_W@nym.alias.net> Lurker Extraordinaire

The moment you stop being polite, you lose credibility in what you say.

BiKiKii Admin

2005-04-10, 2:45 am

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 08 Apr 2005, Igenlode wrote:
> How long does the nym software hold a PGP signature to be valid?

7 days +/- 1 day

> mail2news gateways the posting-date on the message?

?


Ciao!

BiKiKii

Thomas J. Boschloo

2005-04-10, 5:46 pm

-----BEGIN PGP SIGNED MESSAGE-----

BiKiKii Admin wrote:
> On Fri, 08 Apr 2005, Igenlode wrote:
>
> 7 days +/- 1 day

Isn't the traffic in mixmaster 7 +/- 3 days? (where the 3 day random
addition is to defeat traffic analysis?).

I don't think there is a limit inside the commandline versions of PGP on
how long a signature is valid, so my guess would be that it doesn't
matter for the nym server code either. There is no exit code or command
line option to check for the date. And in version 2.6x of PGP the
validity date of the PGP key isn't even being set!

Having said that, this is a possible security leak because the traffic
processed by the nym server can also be correlated with the computer
systems that inserted the traffic into the network. Same for PGP
encrypted reply block and CPunk traffic..

Thomas
- --
"Nothing is true. Everything is permitted" - W.S. Burroughs, Naked Lunch
Thomas J. Boschloo

2005-04-10, 5:46 pm

-----BEGIN PGP SIGNED MESSAGE-----

BiKiKii Admin wrote:
> On Fri, 08 Apr 2005, Igenlode wrote:
>
> 7 days +/- 1 day

I should have known better than to try to correct a BiKiKii Admin post, I
downloaded the nymserver code from
ftp://ftp.zedz.net/pub/crypto/remai...m.alias.net.txt
and there seems to be a replay cache that has code like this:

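##
# $err holds PGP's output; without a "Signature made" line, return -1
($err =~ /^Signature made (\d{4})\/(\d{2})\/(\d{2}) /m) || return (-1);
# sumtime (defined elsewhere in the script) is called with gmtime-style
# year, month and day fields, for the signature date and for today (GMT)
my $sigday = &sumtime ($1 - 1900, $2 - 1, $3 + 0);
my $today = &sumtime ((gmtime)[5,4,3]);
# signature is $SIGDAYS or more days old: return 1
($today >= $sigday + $SIGDAYS) && return (1);
# signature dated more than one day ahead of today: fatal error
($sigday > $today + 1)
    && &fatal (65, "Invalid date on PGP signature\n");
##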

So posts with PGP signatures older than 7 days are dropped:
my $SIGDAYS = 7; # Number of days a digital signature is good for

Thomas
- --
"Nothing is true. Everything is permitted" - W.S. Burroughs, Naked Lunch
Thomas J. Boschloo

2005-04-10, 5:46 pm

-----BEGIN PGP SIGNED MESSAGE-----

Igenlode wrote:
> I've discovered why none of my posts have been making it out recently;
> email at this end has been piling up unsent since the 6th! No wonder
> nothing ever made it to the nymserver...
>
> But this raises another question; how many of these messages will get
> dropped through being too old when they finally make it? How long does
> the nym software hold a PGP signature to be valid (and the mail2news
> gateways the posting-date on the message?)?


I think that with e-mail, the mail server will keep re-sending for a
couple of weeks. And newsservers will reject (new) messages if they are
too old! The mail2news software probably does dup detection in some
fashion, but it is too much work to sieve through the code for me right
now. And every (cpunk) remailer will reject messages that are too old,
probably about 7 days if they run Mixmaster 2.9+, but that amount might
be reduced by up to 3 days IIRC. All this because dup detection is very
important to prevent flooding attacks.

OTOH, it is pretty easy to find out where a nym goes by sending lots of
messages to it that will all follow the routes inside the same
reply-block. But I need not tell you this as you probably already know.

I understand the code of the nym server better now, it looks for the line:
Signature made 2005/04/10 12:34 GMT using 800-bit key, key ID 225CA009
and parses it into a couple of variables.

In GPG it looks like:
gpg: Signature made 04/10/05 12:34:56 using RSA key ID 225CA009
Which suggests the script would have to be modified for it to work with
GnuPG.. All very easy to fix though IMHO.

hth,
Thomas
- --
"Nothing is true. Everything is permitted" - W.S. Burroughs, Naked Lunch
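
The signature-age check discussed in the posts above, extended to accept both "Signature made" formats quoted in the thread. This is an added example, not code from the nymserver script or from any poster; `sig_day`, `check_sig_age` and the returned labels are hypothetical names, and reading the GnuPG date as MM/DD/YY with a 20YY year is an assumption based on the single sample line quoted above.

```perl
use strict;
use warnings;
use Time::Local qw(timegm);

my $SIGDAYS = 7;    # same window as the value quoted from the nymserver script

# Turn the "Signature made" line of either tool into a UTC day number.
# Returns undef when no date line is found or the date is impossible.
# Assumption: the GnuPG sample is MM/DD/YY and the year means 20YY.
sub sig_day {
    my ($out) = @_;
    my ($y, $m, $d);
    if ($out =~ m{^Signature made (\d{4})/(\d{2})/(\d{2}) }m) {            # PGP 2.6.x style
        ($y, $m, $d) = ($1, $2, $3);
    } elsif ($out =~ m{^gpg: Signature made (\d{2})/(\d{2})/(\d{2}) }m) {  # GnuPG style
        ($y, $m, $d) = (2000 + $3, $1, $2);
    } else {
        return;
    }
    my $t = eval { timegm(0, 0, 0, $d, $m - 1, $y) };   # timegm dies on e.g. month 13
    return defined $t ? int($t / 86400) : undef;
}

# Classify a signature against the replay window at time $now (epoch seconds).
# Labels (hypothetical): 'ok', 'expired', 'future', 'unparsed'.
sub check_sig_age {
    my ($out, $now) = @_;
    my $sigday = sig_day($out);
    return 'unparsed' unless defined $sigday;
    my $today = int($now / 86400);
    return 'expired' if $today >= $sigday + $SIGDAYS;   # too old to accept
    return 'future'  if $sigday > $today + 1;           # allow one day of clock skew
    return 'ok';
}

# The two sample lines quoted in the thread; the check dates are constructed.
my @samples = (
    "Signature made 2005/04/10 12:34 GMT using 800-bit key, key ID 225CA009",
    "gpg: Signature made 04/10/05 12:34:56 using RSA key ID 225CA009",
);
for my $day (14, 17) {
    my $now = timegm(0, 0, 12, $day, 3, 2005);          # noon UTC, April 2005
    printf "%-8s checked 2005-04-%02d  %s\n", check_sig_age($_, $now), $day, $_
        for @samples;
}
```

GnuPG's human-readable date depends on locale and version, so a deployed check is better driven by the machine-readable `VALIDSIG` line from `--status-fd`, which carries the signature timestamp as a number.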