Sunday, December 26. 2010
Goodbye 3DBD3B20, welcome BBB51E42
Having used my PGP key 3DBD3B20 for almost eight years, it's finally time for a new one: 4F9F43A9. The old primary key was a 1024 bit DSA key, which had two drawbacks:
1. 1024 bit keys for DLP or factoring based algorithms are considered insecure.
2. It's impossible to set the used hash algorithm to anything beyond SHA-1.
My new key has 4096 bits key size (2048 bit is the default of GnuPG since 2.0.13 and should be fairly enough, but I wanted some extra security) and the default hash algorithm preference is SHA-256. I had to make a couple of decisions for my name in the key:
1. I'm usually called Hanno, but my real/official name is Johannes.
2. My surname has a special character (ö) in it, which can be represented as oe.
In my previous keys, I've mixed this. I decided against this for the new key, because both my unofficial first name Hanno and my umlaut-converted surname Boeck are part of my mail address, so people should still be able to find my key if they're searching for that.
Another decision was the time I wanted my key to be valid. I've decided to give it an expiration date, but a fairly long one: 10 years from now.
I've signed my new key with my old key, so if you've signed my old one, you should be able to verify the new one. I leave it up to you if you decide to sign my new key or if you want to renew the signing procedure. I'll start from scratch and won't sign any keys I've signed with the old key automatically with the new one. If you want to key-sign with me, you may find me at the 27C3 within the next days.
My old key will be valid for a while; at some time in the future I'll probably revoke it.
Update: I just found out that having a key without SHA-1 is trickier than I thought. The self-signatures were still SHA-1. I could re-do the self-signatures and revoke the old ones, but that'd clutter the key with a lot of useless cruft and as the new key wasn't around long and didn't get any signatures I couldn't get easily again, I decided to start over again: The new key is BBB51E42 and the other one will be revoked.
I'll write another blog entry to document how you can create your own SHA-256 only key.
Posted by Hanno Böck in Cryptography, English, Gentoo, Linux, Security at 18:16 | Comments (3) | Trackbacks (0)
Defined tags for this entry: cryptography, datenschutz, encryption, gnupg, gpg, key, pgp, privacy, schlüssel, security, sha1, sha2, verschlüsselung
Tuesday, December 14. 2010
How I revoked my old PGP key
Prologue of this story: A very long time ago (2004 to be exact), I decided to create a new PGP / GnuPG key with 4096 bits (due to this talk). However, shortly after that, I had a hardware failure of my hard disc. The home was a dm-crypt partition with xfs. I was able to restore most data, but it seemed the key was lost. I continued to use my old key I had in a backup and the 4096 key was bitrotting on keyservers. And that always annoyed me. In the meantime, I found all private keys of old DOS (2.6.3i) and Windows (5.0) PGP keys I had created in the past and revoked them, but this 4096 key was still there.
I still have the hard disc in question and a couple of dumps I created during the data rescue back then. Today, I decided that I'll have to try restoring that key again. My strategy was not trying to do anything on the filesystem, but only operate within the image. Very likely the data must be there somewhere.
I found a place where I was rather sure that this must be the key. But exporting that piece with dd didn't succeed - looking a bit more at it, it seemed that the beginning was in shape, but at some place there were zeros. I don't know if this is due to the corruption or the fact that the filesystem didn't store the data sequentially at that place - but it didn't matter. I had a look at the file format of PGP keys in RFC 4880. Public keys and private keys are stored pretty similarly. Only the beginning (the real "key") part differs, the userid / signatures / rest part is equal. So I was able to extract the private key block (starting with 0x95) with the rest (I just used the place where the first cleartext userid started with my name "Johannes"). What should I say? It worked like a charm. I was able to import my old private key and was able to revoke it. Key 147C5A9F is no longer valid. Great!
P. S.: Next step will be finally creating a new 4096 bit RSA key and abandoning my still-in-use 1024 bit DSA key for good.
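The carving step described in this entry, as an added example that is not the author's code: it scans a raw image for the 0x95 secret-key header, sanity-checks the key body, and walks the user ID and signature packets that follow, per the RFC 4880 packet layout. It also reports the hash algorithm of each version 4 signature, the property the December 26 entry found was still SHA-1 on the self-signatures. Assumptions: only old-format packet headers are handled, and the sample image, user ID and key material are constructed.

```python
"""Carve OpenPGP secret keys (old-format packet headers, RFC 4880 section 4.2) from a raw image."""

TAGS = {2: "signature", 5: "secret-key", 7: "secret-subkey", 13: "user-id"}
HASHES = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256",
          9: "SHA-384", 10: "SHA-512", 11: "SHA-224"}
KEY_ALGOS = {1, 2, 3, 16, 17}   # RSA (three usages), Elgamal, DSA

def read_packet(buf, pos):
    """Return (tag, body_start, body_end) for an old-format packet at pos, else None."""
    if pos >= len(buf) or buf[pos] & 0xC0 != 0x80:   # bit 7 set, bit 6 clear
        return None
    tag, ltype = (buf[pos] >> 2) & 0x0F, buf[pos] & 0x03
    if tag not in TAGS or ltype == 3:                # ltype 3 = indeterminate length
        return None
    start = pos + 1 + (1 << ltype)                   # 1-, 2- or 4-byte length field
    end = start + int.from_bytes(buf[pos + 1:start], "big")
    if end == start or end > len(buf):               # empty or runs past the image
        return None
    return tag, start, end

def describe(buf, tag, start, end):
    """Summarise one packet: user ID text, signature hash algorithm, or body size."""
    body = buf[start:end]
    if tag == 13:
        return ("user-id", body.decode("utf-8", "replace"))
    if tag == 2 and len(body) >= 4 and body[0] == 4:  # v4: version, type, pk algo, hash algo
        return ("signature", HASHES.get(body[3], f"hash#{body[3]}"))
    return (TAGS[tag], f"{len(body)} bytes")

def carve_secret_keys(image):
    """Return [(offset, end, [(kind, detail), ...])] for each plausible key in image."""
    found, pos = [], image.find(b"\x95")
    while pos != -1:
        nxt, pkt = pos + 1, read_packet(image, pos)
        # Plausibility check on the key body: version 4 and a known public-key algorithm.
        if pkt and pkt[2] - pkt[1] >= 6 and image[pkt[1]] == 4 and image[pkt[1] + 5] in KEY_ALGOS:
            packets, cur = [], pos
            # Follow the packet chain until it breaks or the next primary key starts.
            while (p := read_packet(image, cur)) and not (packets and p[0] == 5):
                packets.append(describe(image, *p))
                cur = p[2]
            found.append((pos, cur, packets))
            nxt = cur
        pos = image.find(b"\x95", nxt)
    return found

def old_packet(tag, body):
    """Build an old-format packet with a two-byte length (tag 5 gives header byte 0x95)."""
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

# Constructed sample: structurally valid packets with dummy key material, plus a decoy 0x95.
KEY = (old_packet(5, bytes([4]) + (1100000000).to_bytes(4, "big") + bytes([1]) + b"\x01" * 64)
       + old_packet(13, b"Johannes Example <johannes@example.org>")
       + old_packet(2, bytes([4, 0x13, 1, 2]) + b"\x00" * 40))
IMAGE = b"\x00" * 300 + b"\x95\xff\xff" + b"filler" * 50 + KEY + b"\x00" * 200

if __name__ == "__main__":
    for offset, end, packets in carve_secret_keys(IMAGE):
        print(f"key at {offset:#x}..{end:#x}")
        for kind, detail in packets:
            print(f"  {kind}: {detail}")
```

The byte range returned for each hit can be written to a file and handed to `gpg --import`; a chain that stops early marks the point where the image data is damaged or non-contiguous.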
Posted by Hanno Böck in Code, Computer culture, Cryptography, English, Linux, Security at 15:47 | Comment (1) | Trackbacks (0)
Friday, December 10. 2010
Notes from talk about GSM and free software
Yesterday I was at a talk at the FSFE Berlin about free software and GSM. It was an interesting talk and discussion.
Probably most of you know that GSM is the protocol that keeps the large majority of mobile phones running. In the past, only a handful of companies worked with the protocol and according to the talk, even most mobile phone companies don't know much of the internal details, as they usually buy ready-made chips.
Three free software projects work on GSM, OpenBTS and OpenBSC on the server side and OsmocomBB on the client side. What I didn't know yet and think is really remarkable: The Island State of Niue installed a GSM-network based on OpenBTS. The island found no commercial operator, so they installed a free software based and community supported GSM network.
Afterwards, we had a longer discussion about security and privacy implications of GSM. To sum it up, GSM is horribly broken on the security side. It offers no authentication between phones and cells. Also, its encryption has been broken in the early 90s. There is not much progress in protocol improvements although this is known for a very long time. It's also well known that so-called IMSI-catchers are sold illegally for a few thousand dollars. The only reason GSM is still working at all is basically that those possibilities still cost a few thousands. But cheaper hardware and improvement in free GSM software make it more likely that those possibilities will have a greater impact in the future (this is only a brief summary and I'm not really in that topic, see Wikipedia for some starting points for more info).
There was a bit of discussion about the question how realistic it is that some "normal user" is threatened by this due to the price of a few thousand dollars for the equipment. I didn't bring this up in the discussion any more, but I remember having seen a talk by a guy from Intel that the tendency is to design generic chips for various protocols that can be GSM, Bluetooth or WLAN purely by software control. Thinking about that, this raises the question of protocol security even more, as it might already be possible to use mainstream computer hardware to do mobile phone wiretapping by just replacing the firmware of a wireless lan card. It almost certainly will be possible within some years.
Another topic that was raised was frequency regulation. Even with free software you wouldn't be able to operate your own GSM network, because you couldn't afford buying a frequency (although it seems to be possible to get a testing license for a limited space, e. g. for technical workshops - the 27C3 will have a GSM test network). I mentioned that there's a chapter in the book "Code" from Lawrence Lessig (available in an updated version here, chapter is "The Regulators of Speech: Distribution" and starts on page 270 in the PDF). The thoughts from Lessig are that frequency regulation was necessary in the beginning of radio technology, but today, it would be easily possible to design protocols that don't need regulation - they could be auto-regulating, e. g. with a prefix in front of every data packet (the way wireless lan works). But the problem with that is that today, frequency usage generates large income for the state - that's completely against the original idea of it, as its primary purpose was to keep technology usable.
Posted by Hanno Böck in Computer culture, Cryptography, English, Linux, Security at 22:35 | Comments (0) | Trackbacks (0)
Defined tags for this entry: 27c3, berlin, cellular, freesoftware, frequency, fsfe, gsm, lessig, mobilephones, openbsc, openbts, osmocombb, privacy, security, wiretapping
Thursday, December 2. 2010
Donkey Kong
Recently, Nintendo released a new game called "Donkey Kong Country Returns" - I thought I'd take that as an opportunity to tell you a bit about it and its main figure, Donkey Kong.
What's interesting about this is that it's a revival of a revival - the original game is almost as old as I am (from 1981, so I can't tell you about the "good old times" here). It was released on an arcade machine and later ported to several consoles. You played Mario in the game (yes, this was also the very first time Mario appeared in a video game) and had to rescue the princess from a big evil Gorilla. Not very creative, but who cares about game stories anyway, right? You had to jump over barrels to get to the gorilla.
I think the first time I saw the game was this one. It is from the Game and Watch series, mobile devices that had just one game built in. The Game and Watch games had no real display, they were only able to switch some elements on and off. For that limitation, the games had surprising complexity (another one I really liked is the Super Mario Bros. 3 wrist band game). Still, it is far away (or let's say rather different) from the original game.
The second time I saw a Donkey Kong game was a (probably unofficial) remake in DOS. To be honest, it wasn't very good, but I had not many games at that time, so I played it a lot. You had to go up to the princess and after that, the gorilla threw something over the screen and you had to go down again, but now with fires and more holes. Sadly, I can't provide it to you as I didn't find it online (maybe I have it on an old CD, I'll have to look for that).
The very first time I played the "real" Donkey Kong was much later - 1992 Nintendo released the first two Donkey Kong games together as "Donkey Kong Classics" on the NES. There was also an advanced version for the Gameboy which featured the original Donkey Kong levels and about 100 more levels afterwards (I played through all of them).
1994 was the "first revival" - Nintendo released Donkey Kong Country on the Super Nintendo, a game which had impressive graphics and was a technical breakthrough at that time. It has not much in common with the original game beside the character and the fact that barrels still play an important role. A nice gimmick: It had a character called "Cranky Kong", who was said to be the "original Donkey Kong" from the old game. He was always grumbling that today's games are far too easy.
Now Nintendo is doing the second revival - interestingly enough, it doesn't really use much of the possibilities the Wii offers. It is a classic jump and run game, very much like Donkey Kong Country (Nintendo just recently released "New Super Mario Bros", quite similar also a classic Mario jump and run). I like that. Though I played the game a bit and I must say I'm not highly impressed (at least yet). I'd rate it a nice game, but not a great game. But I also have to say that the old Donkey Kong Country is not on my all-time-favorite video games list. Maybe I'll tell you more when I played it longer.
What else? No blog about retro gaming without some links to really cool stuff:
A house with Donkey Kong design (does anyone know where this is?)
Donkey Kong in Lego
(have more? post links in the comments)
Posted by Hanno Böck in Computer culture, English, Retro Games at 03:00 | Comments (0) | Trackbacks (0)
Defined tags for this entry: arcade, donkeykong, gameboy, games, mario, nes, nintendo, retrogames, retrogaming, videogames, wii