posted by takyon on Monday August 15 2016, @01:45PM
from the keys-to-the-kingdom dept.

Enrico Zini wrote:

There are currently at least 3 ways to refer to a GPG key: the short key ID (last 8 hex digits of the fingerprint), the long key ID (last 16 hex digits) and the full fingerprint. The short key ID used to be popular, and for five years it has been known that it is computationally easy to generate a GnuPG key with an arbitrary short key ID.

LWN.net wrote on June 3, 2016:

Gunnar Wolf urges developers to stop using "short" PGP key IDs as soon as possible. The impetus for the advice originates with Debian's Enrico Zini, who recently found two keys sharing the same short ID in the wild.

After the owner was contacted, it turned out that one of the two keys was a fake. The fake carried the same name and e-mail addresses as the real key, and even signatures made by further fake keys. Weeks later, more developers found fake "mirror" keys of their own on the keyservers, including one for the PGP Global Directory Verification Key. Gunnar Wolf wrote:

We don't know who is behind this, or what his purpose is. We just know this looks very evil. [...] In short, that cutting a fingerprint in order to get a (32- or 64-bit) short key ID is the worst of all worlds, and we should rather target either always showing full fingerprints, or not showing it at all (and leaving all the crypto-checking bits to be done by the software, as comparing 160-bit strings is not natural for us humans).

Now a fake key for Linus Torvalds (fake: 0x6211aa3b00411886, real: 0x79be3e4300411886) has been found in the wild; scroll down the linked page and you will see both keys, sharing the short ID 0x00411886. It looks as though every single key from the Linux kernel community has been forged this way; another example is Greg Kroah-Hartman (fake: 0x27365dea6092693e, real: 0x38dbbdc86092693e). LWN reader "rmayr" commented:

so it seems somebody is actually constructing a database of fake keypairs with "well-known" short IDs. Something is going on here...
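To make "cutting a fingerprint" concrete, here is an added example (not code from the story, from LWN, or from any of the people quoted above) that builds a version 4 OpenPGP fingerprint the way RFC 4880 defines it (SHA-1 over 0x99, a two-byte length, and the public-key packet body), derives the long and short key IDs from it, and then brute-forces the key creation timestamp until the short ID ends in a chosen suffix. Two things are assumptions: the modulus is a constructed placeholder integer rather than a real RSA key (the hash does not care, but a real forger would generate genuine key pairs so the fake can sign), and the 4-hex-digit target "1886" is chosen from the Torvalds short ID so the search finishes in seconds; matching all 8 digits is the same loop with 2^32 expected iterations, which is the "computationally easy" part. The collision check at the end uses the key IDs quoted in the story.

```python
import hashlib
import struct

# Constructed placeholder modulus (NOT a real RSA key). The fingerprint
# algorithm only hashes bytes, so any 2048-bit integer serves the demo.
PLACEHOLDER_N = (
    int.from_bytes(hashlib.sha512(b"constructed modulus").digest() * 4, "big")
    | (1 << 2047)
    | 1
)
PLACEHOLDER_E = 65537


def mpi(x: int) -> bytes:
    """OpenPGP multi-precision integer (RFC 4880 s3.2):
    2-byte big-endian bit length, then the magnitude bytes."""
    bitlen = x.bit_length()
    return struct.pack(">H", bitlen) + x.to_bytes((bitlen + 7) // 8, "big")


def v4_rsa_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 s5.5.2):
    version(1) | creation time(4) | algorithm(1, 1 = RSA) | MPI n | MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(created: int, n: int, e: int) -> bytes:
    """V4 fingerprint (RFC 4880 s12.2): SHA-1 of 0x99, 2-byte body length, body.
    The creation time is inside the hashed data, which is what the search
    below exploits."""
    body = v4_rsa_pubkey_body(created, n, e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_key_id(fp: bytes) -> str:
    """Long key ID: low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return fp[-8:].hex().upper()


def short_key_id(fp: bytes) -> str:
    """Short key ID: low-order 32 bits (last 8 hex digits) of the fingerprint."""
    return fp[-4:].hex().upper()


def forge_short_id(target_suffix: str, n: int, e: int,
                   start: int = 1_400_000_000, max_tries: int = 1 << 22):
    """Walk creation timestamps until the short key ID ends in target_suffix.

    Every hex digit of the target costs a factor of 16: a 4-digit suffix is
    about 2^16 SHA-1 evaluations, a full 8-digit short ID about 2^32. Changing
    the timestamp is the simplest knob; regenerating key material works too.
    Returns (created, fingerprint), or None if max_tries is exhausted.
    """
    target_suffix = target_suffix.upper()
    for created in range(start, start + max_tries):
        fp = fingerprint(created, n, e)
        if short_key_id(fp).endswith(target_suffix):
            return created, fp
    return None


def short_ids_collide(long_id_a: str, long_id_b: str) -> bool:
    """True when two different keys (by long ID) share the same short ID,
    i.e. exactly the situation a short-ID comparison cannot detect."""
    a, b = long_id_a.upper(), long_id_b.upper()
    return a != b and a[-8:] == b[-8:]


if __name__ == "__main__":
    # Key IDs quoted in the story: fake vs. real Linus Torvalds key.
    print(short_ids_collide("6211aa3b00411886", "79be3e4300411886"))
    created, fp = forge_short_id("1886", PLACEHOLDER_N, PLACEHOLDER_E)
    print(f"created={created} short=0x{short_key_id(fp)} "
          f"long=0x{long_key_id(fp)} fp={fp.hex().upper()}")
```

Run as a script it prints the timestamp that produced a matching short ID and the resulting fingerprint. The practitioner's check is the one Wolf asks for: compare the full 160-bit fingerprint (`gpg --fingerprint <key>`), never the 32-bit form, and put `keyid-format 0xlong` and `with-fingerprint` in gpg.conf so the tools stop showing short IDs at all.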


  • (Score: 3, Informative) by Anonymous Coward on Monday August 15 2016, @03:14PM (#388205)

    Calm down, put it down, walk slowly backwards away from the crack pipe.

  • (Score: 1, Funny) by kurenai.tsubasa (5227) on Monday August 15 2016, @03:32PM (#388213)

    Yeah, you're probably right. Doesn't really have anything to do with me personally, and one of the advantages of being just done with feminism is that it eliminates a lot of social attack surface. I'll keep on using Linux or a BSD no matter how much of a sexually harassing misogynerd that makes me.

    Nobody cares what OS a burger flipper runs at home.

    The only correct response to “I wanna be a programmer!” is “You should talk to a guidance counselor at $local_community_college or $local_university.” Just end it there. If somebody calls you on the carpet for being a sexist who doesn't think women should program computers, better to get that out of the way sooner rather than after investing a whole bunch of effort.

    Not all cisfemales are dangerous. Imagine a bowl of jelly beans. Now imagine 10% of them are poisoned. Do you think you'd be eager to eat a big handful?

    • (Score: 0) by Anonymous Coward on Monday August 15 2016, @04:58PM (#388266)

      Don't worry, the men in white coats are on their way. When they knock on your door, please go quietly, they'll take you to a place where you can be happier!

      • (Score: 0) by Anonymous Coward on Monday August 15 2016, @09:02PM (#388387)

        take you to... a nice padded Microsoft-sponsored think-tank in North Korea, where you can join other drones in creating more false keys.

      • (Score: 0) by Anonymous Coward on Tuesday August 16 2016, @03:38AM (#388535)

        The men in white coats are mikeusa too.
        He isn't what he claims to be.

    • (Score: 2) by Scruffy Beard 2 (6030) on Monday August 15 2016, @05:03PM (#388269)

      Your post being modded as troll reminds me of the time I assumed that every computer problem I came across was due to Digital Restrictions Management, until proven otherwise.

      Sometimes, never attributing to malice what can be adequately explained by incompetence goes a long way.

      That is not to say that malice does not exist. Only that you may be wasting your time looking for malice where there is none.