Alicornutopia

I think there are two big reasons why OpenSSL-compatible RSA is a better tool for the job than PGP is. I think part of your twitching at using OpenSSL instead of GPG is that (because you haven’t been following the thread, and because you actually know enough about cryptography to write that) you don’t understand what “the job” is. If you knew that, I doubt you would have advised PGP, although I expect you still wouldn’t have liked the OpenSSL option.

First, “whatever [we] need it for here” is proving that we wrote something at one time without revealing what it is until later. The right tool for the job is hashing¹. PGP, OpenSSL, Truecrypt, one-time pads, etc. are all the wrong tool for the job. Anything that doesn’t contain “SHA” in it is probably the wrong tool for the job². You can tell they are the wrong tools for the job because we are explicitly forbidden for game reasons from actual private communication of the type encryption is usually meant to help with, and because the action of disclosing the message and proving it was written earlier is “sharing the private key”. All of the InfoSec nerd in me is twitching at using encryption at all for this, and there isn’t any left over for twitching at using the wrong type of encryption (although, as I explain below, I don’t think this actually is the wrong type).

So why did I tell Shoal that OpenSSL was the right tool for the job? Because almost everybody on the thread has been using OpenSSL-compatible RSA, and we were linked to a website which does RSA encryption and decryption with OpenSSL as a backend. If they use the OpenSSL command-line tool because they don’t like the website, everybody else will be able to verify Shoal’s messages if they don’t trust me. If I had advised Shoal to use gpg, or sha512sum, or practically anything else, then fewer people on the thread would have been able to follow through on his claims when later revealing the information.

Finally, I agree that GPG is almost certainly a better tool for sending encrypted and/or signed messages than the OpenSSL command line tool. After all, as the GPG man page says (third sentence of the DESCRIPTION section), “gpg features complete key management and all bells and whistles you can expect from a decent OpenPGP implementation”. However, all those bells and whistles³ make it harder to misuse in the way we want to. For example, keyrings aren’t particularly helpful in our case, and it seems to be impossible to use GPG without them. On the other hand, the OpenSSL command line tool, if most people were even using it, would be hard to get the hang of but easy to use in whatever way we wanted after that; after all, OpenSSL bills itself as not just SSL but “a full-strength general purpose cryptography library”. Since we’re doing something nonstandard, the more general library is better.

¹ There is a downside to hashing: you need to record the plaintext exactly. I’m listing this as a downside here relative to the others, where you still need the private key exactly, because it’s easier to think “Oh, I forgot a comma. I’ll just fix that” when something is in English instead of base64-encoded random data. Hashing also requires manual management of salt to avoid known-plaintext attacks, whereas that is handled automatically by OpenSSL and GPG.
² Yes, other cryptographic hashing algorithms exist. The best-known ones are MD5 and various SHAs, though, and it is possible to generate collisions in MD5 with arbitrary prefixes, making it worthless in this case.
³ Despite making good Effulgence puns

Here's what I did on night 2.

I do believe this is in the wrong thread in the other direction, so I won’t link to it in the index yet. I’ll still be checking to make sure what you do post matches.

oh, the names are too similar to tell them apart, but you're right; this one only has 9 pages. i'll go post that in the other place.

Is it possible to rename threads? Perhaps this one could be called something like "Effulgence Mafia Meta Discussion Thread".

Kind of. Alicorn could change the subject of the first post, which will change how it's listed in the index, but we'd still see “Re: Mafia: Effulgent Edition” for at least the already-existing posts. This has been done before, with at least the Spoilerland Elcenia thread.

DanielH: It sounds like what you want is a (PGP or similar) detached cleartext signature? Those have all the desirable properties (reveal that you wrote something without revealing the something directly, requires only sharing the public half of the key-pair for verification of the signed data, and resist collisions and similar attacks (assuming you use a decent hash function with your signing algorithm). Not immune to determining the not-yet-revealed value by guessing the plaintext and trying to verify the signature against it, but you can easily fix that (if it's a concern) by having people put something random at the bottom of their messages. It does require the original message verbatim, as all hash-based things will. I'll grant that it requires keyrings, which is awkward, but if you're using RSA don't you need some way to store people's public keys anyhow? In any case, I disagree that it's complicated: That's it (once you've generated a private key). a for Base64 ("ASCII armored"), b for detached signature (no, I have no idea why). Put a filename next if you want it to create filename.asc containing the detached signature, or use < filename if you want it to produce the signature on the console, or just as-is and then type your message and send an EOF (will print signature on the console). Post the signature when needed. Anybody with your public key can verify it against any text you later claim it was generated from; no need to share secret values with anybody.

EDIT: Alicorn, thank you for moving the comment to the appropriate thread, and my apologies for the misplaced post. I think I just did a direct quickreply, but I really should have put it in the meta/discussion thread.

Two questions:

1. Given that we are assuming nobody is logging into other people's accounts, what's the advantage of this over just plain hashing? If we couldn't trust that somebody claiming to be, say, PlainDealingVillain, really was that person, then detached signatures would be better.
2. Is this easy to do online? Shoal, michaelblume, and I could probably have figured out everything after the code snippet just from the sentence “If you give it a filename as an argument, it will read the message from that file and write the signature to filename.asc; otherwise it will read from standard input and write to standard output”. However, I would estimate that no more than half of the other people on the thread would know what to do with those seven characters beyond “probably type them somewhere, and probably not subtract the product of a and b from the product of g² and p”, or know how to “send an EOF” (I do on POSIX, but I'm not even sure if it's possible to just send an EOF on Windows; doesn't ^Z also add a character to the file?). This is far greater technical knowledge than the general population, of course, but still less than would be necessary to use your technique instead of the “Go to this website, type some stuff, click the button, save this piece of gibberish somewhere safe and post this other one” technique.

DanielH wrote:probably not subtract the product of a and b from the product of g² and p

I have been giggling about this for a solid minute now.

On crypto: I believe the principle I'm using (if I'm telling the truth) is called a one-time pad? Although technically they're more like two-time pads.