/tech/ - Technology

 Reply
 Click or drag files here to upload
>>

Feederiken: Vanity PGP Fingerprints

/tech/ No. 2571
Last 350 Reply >>2572 >>2851

I've been experimenting with trying to produce vanity PGP fingerprint for a couple days now and I thought I'd share the results.

Usage

The cool thing is it takes only a few seconds to get a FEED key. The script is at https://pastebin.com/4p4iagS1. Grab https://ammonite.io, run the script and import results.asc into your PGP client. If you want to go further, edit the script. In particular, a key with 8 custom digits instead of 4 can be produced in 5 to 10 hours on a reasonably decent computer. (I have an i7-2600 @3.4GHz) Pretty much anything longer is not worth it if not unfeasible due to the exponential time complexity.

Security considerations

>imagine caring about your overengineered tripcode

The program generates Ed25519 keys. These are in principle on par with jumbo RSA keys security-wise and likely to replace them in the future. They are however way quicker to generate, which is why I picked them. To my knowledge, the program uses the PGP libraries correctly and doesn't introduce any weaknesses to the keys.

Possible improvements

  • CLI parameters, less hardcoding
  • Auto-detect the number of CPU threads (shouldn't be that hard right?)
  • Performance: framework overhead is probably minimal I think. Varying the timestamp rather than the key like trollwot does might yield an improvement.
>>
No. 2605

>>2572

Thanks for the tip, I learned something today.

Looks like w/ scallion for example, I could get around a 10 MHz hashrate[1], whereas I'm stuck at 64 kHZ with the program in OP. Unfortunately, my iGPU isn't supported in OpenCL. I might be able to borrow a GPU and break the GHz barrier though. I could get a 12 digits w/ that.

Looking at CPU hashing, the program in the OP spends about 66% of the time generating key material and only 33% hashing them, so if I use the lower bits of the timestamp to perturb the hash, I should be able to suss out a 50% speed increase. I should also compare with a C implementation to measure framework and JVM overhead.

Finally, I should note that Shallot and its derivative use the RSA exponent parameter to perturb the hash. There's no equivalent in EdDSA.

[1] https://github.com/lachesis/scallion

>>
No. 2850
>>2895

Progress has been made. There's now a command-line interface. It's also significantly faster since I stopped bottlenecking on the RNG. I'll be looking at distributed computing and GPU hashing next. Both provide interesting concurrency problems.

https://github.com/feederiken/feederiken

>>
>>
No. 2883
>>2893

More feeding has been performed. I squashed a bug and started working on both distributed operation and GPU acceleration. Distributed computation should be ready first. I'm also looking into dropping jars soon(TM).

>>
>>
>>
No. 2897
>>2906

>server side PGP verification
>the fucking GUI can be spoofed, because of their copout attempt at demarcating user text from GUI markings
>using a fucking U+F00C PRIVATE USE BULLSHIT ๏€Œ , instead of just putting a fucking PNG or some shit like a white man
>the U+FOOC bullshit serving NO FUCKING PURPOSE, other than to make the spoofing vuln possible (I mean a homoglyph or 90% match would have been good enough anyway but this is just the icing on the cake)
>PHP IN 2020 LOL
>succesfully manages to cargo cult the retard shit from GPG: >but it can make no assurance as to who posted it.

proof that neckbeards are subhumans
proof that webshotters are subhumans
DAY OF THE SEAL SOON

>>
No. 2906
>>2912

>>2897

It's not spoofing shit, it shows up as a blank square on my end. Does it not on yours? If you look at the CSS, to get the check you need class="fas fa-check", good luck spoofing that. And this is not a recent patch either, check github[1]. And with regards to how it renders on a compliant browser, Archive.today[2] doesn't lie.

[1] https://github.com/infinity-next/infinity-next/blob/bbd5ab81e700505c4bc01531cd2da004e711eebb/resources/views/content/board/post.blade.php#L78
[2] https://archive.today/PGao8

>>
No. 2912
>>2916

>>2906

I don't speak webshotter, but it appears the shit inserts a U+F00C before the "verified by server" message: .fa-check:before{content:"\F00C"}. From looking in another browser, it looks like we're doing that not a thing bullshit webshotter fad where you load in a custom font to display pictures for the private use codepoints. Aside from tickling the autism of webshotters, this feature is completely pointless and anyone who uses it is a tool. Also Unicrap has plenty of checkmarks. โœ“ โœ” โœ”๏ธ โœ… โœ…๏ธŽ

>conforming browser

Yes, congratulations, the "feature" works if you run maximum jewniggercock.

โœ” Message signed and validated by the server, but it can make no assurance as to who posted it. View raw message. View publickey.

>>
>>
No. 2916
>>2918

>>2912

Yes it is a custom font. I think there are performance reasons to do that.

>unicode checkmarks

Those can be inputted by users. FontAwesome ticks cannot, hence it's better in that way.

>exotistic web browser

Sucks to be you, but the way it's done now is standard compliant and works for most users. (Basically you're like a nigger complaining that most products are optimized for use by White men) Also note that you can still tell forgeries from authentic signed posts on your thingo, and that the ultimate confirmation comes from not trusting the server and checking the raw message yourself to begin with. Now go complain on >>>/9/ or on GitHub.

>>
No. 2918

>>2916

every single thing you said is predictably retarded

>Yes it is a custom font. I think there are performance reasons to do that.

There are not. Also remember a real solution would involve drawing some boxes or shit. Like pic related, as opposed to some harebrained webshotter bullshit based on indentation and a glyph.

>Those can be inputted by users. FontAwesome ticks cannot, hence it's better in that way.

Imagine being so autistic that you see a spoof like >>2913 in some random thread and immediately can tell that this checkmark is different than a "FontAwesome" tick.

>Sucks to be you, but the way it's done now is standard compliant and works for most users.

How does it "work"? Nigger what the fuck is wrong with your brain. Since they can see the custom checkmark (ahem I mean FontAwesome tick), I can just write the Unicode version which looks barely any different: โœ”๏ธ

>most products are optimized for use by White men

A fucking """conforming""" web browser is not white man technology.

>the ultimate confirmation comes from not trusting the server and checking the raw message yourself to begin with

That doesn't change the fact that this shitty server side check is worse than nothing, does it? Attack improved again. Now it would be good to find a way to unbold text instead of double bold. I'm sure Unicrap has something like that too.

โœ”๏ธ Message signed and validated by the server, but it can make no assurance as to who posted it. View raw message. View publickey.

>>
No. 2921

Distributed operation is that close, I just need to figure one thing out.

>>2889

That has nothing to do with vanity fingerprints, it has to do with the PGP WoT being impractical. You can use PGP without the WoT though, especially if it's just to trip on 9chan.

>>
No. 2927

This right here is the first key generated using distributed operation. It's still in a feature branch because it's wonky due to framework weirdness, but it's done.

I have to work on other stuff for a while, but I'll come back eventually. Being able to combine distributed operation and GPU acceleration would be so sweet though.

>>
>>
No. 2994

>>2990

Here you go, hopefully it helps save the White race.

-----BEGIN PGP PRIVATE KEY BLOCK-----

lFgEXwLyVxYJKwYBBAHaRw8BAQdAjJGC1GX6nsNEBh9wffERrhPJ1ZUCC55xpdj7
VFcdBCkAAQCMJmfyOV6b+T6oKsQla8DWa1yNYjcnvlsBPm8bz9rMXQ75tAlBbm9u
eW1vdXOIXgQTFggABgUCXwMLSgAKCRBzfsbpQoUHGjWeAQCzbkwfcwjkTr0rhrWL
jxfN5yIgTEpDgPi27of5z9Z4ggEAsWQHT9zV8nmOUrDJtD3uIZtp68Ur4CaiFpm0
uyGi/AU=
=0qnz
-----END PGP PRIVATE KEY BLOCK-----