Stories
Slash Boxes
Comments

SoylentNews is people

PGP Short-ID Collision Attacks Continued, Now Targeted Linus Torvalds

posted by takyon on Monday August 15 2016, @01:45PM   Printer-friendly
from the keys-to-the-kingdom dept.

An Anonymous Coward writes:

Enrico Zini wrote:

There are currently at least 3 ways to refer to a GPG key: short key ID (last 8 hex digits of fingerprint), long key ID (last 16 hex digits) and full fingerprint. The short key ID used to be popular, and since 5 years it is known that it is computationally easy to generate a GnuPG key with an arbitrary short key id.

LWN.net wrote in June 3, 2016:

Gunnar Wolf urges developers to stop using "short" PGP key IDs as soon as possible. The impetus for the advice originates with Debian's Enrico Zini, who recently found two keys sharing the same short ID in the wild.

After contacted the owner, it turned out that one of the keys is a fake. In addition, labelled same names, emails, and even signatures created by more fake keys. Weeks later, more developers found their fake "mirror" keys on the keyserver, including the PGP Global Directory Verification Key. Gunnar Wolf wrote:

We don't know who is behind this, or what his purpose is. We just know this looks very evil. [...] In short, that cutting a fingerprint in order to get a (32- or 64-bit) short key ID is the worst of all worlds, and we should rather target either always showing full fingerprints, or not showing it at all (and leaving all the crypto-checking bits to be done by the software, as comparing 160-bit strings is not natural for us humans).

Now, a fake key (fake: 0x6211aa3b00411886, real: 0x79be3e4300411886) of Linus Torvalds was found in the wild, scroll the page and you'll see two. It looked like that every single key from the Linux kernel community have been forged successfully, another example is Greg Kroah-Hartman (fake:0x27365dea6092693e, real: 0x38dbbdc86092693e). LWN reader "rmayr" commented:

so it seems somebody is actually constructing a database of fake keypairs with "well-known" short IDs. Something is going on here...

Original Submission

 
This discussion has been archived. No new comments can be posted.
PGP Short-ID Collision Attacks Continued, Now Targeted Linus Torvalds | Log In/Create an Account | Top | 29 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by takyon on Monday August 15 2016, @02:28PM

    by takyon (881) <{takyon} {at} {soylentnews.org}> on Monday August 15 2016, @02:28PM (#388185) Journal

    Can this be used to spread bad code, or just impersonate Torvalds and others with sweary rants?

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 3, Interesting) by Scruffy Beard 2 on Monday August 15 2016, @02:35PM

    by Scruffy Beard 2 (6030) on Monday August 15 2016, @02:35PM (#388189)

    These are partial collisions.

    The problem is that gpg is loath to even show either the longer short keys, or the entire fingerprints.

    So with many duplicate "short" keys in the wild, the user has no good way to know which key they are being asked to trust. I have had people not tell me their full key fingerprint because they did not even know it (merely linking to their "long" short key on keybase.io).

    • (Score: 4, Informative) by frojack on Monday August 15 2016, @04:14PM

      by frojack (1554) Subscriber Badge on Monday August 15 2016, @04:14PM (#388241) Journal

      So with many duplicate "short" keys in the wild, the user has no good way to know which key they are being asked to trust.

      That's why you don't TRUST keys you get indirectly.

      Nobody trusts short IDs anyway. Short keys are nothing but a handle to import full keys, You merely use those to import the full key, Then you see who signed those full keys, (fetch the missing keys of those who signed it) and see if you can find some signers you recognize.

      You still don't trust it. You sure as hell don't sign it yourself.

      Maybe you decide to trust it at some level if it has signers that you previously trusted, buy when you do this you know you are living dangerously.
       

      --
      No, you are mistaken. I've always had this sig.

  • (Score: 3, Insightful) by FatPhil on Monday August 15 2016, @03:03PM

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Monday August 15 2016, @03:03PM (#388202) Homepage
    Nothing *cryptographic* will be fooled. Only people and software that think that a short hash is an identity will be fooled. Which should be nobody. Collisions on an 8-hex only need tens of thousands of ids due to the birthday paradox, which means that just naturally there is a decent probability of collisions just within linux kernel developers already (though most likely just amongst the relatively unimportant masses like myself, rather than high profile ones who actually need the crypto aspect - my patches were accepted on technical merit, not because of my identity).

    All the cryptographic stuff - such as signing a label on the repo - uses the full key, not a truncated hash of it.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves

    • (Score: 4, Informative) by Capt. Obvious on Monday August 15 2016, @04:22PM

      by Capt. Obvious (6089) on Monday August 15 2016, @04:22PM (#388242)

      The birthday matching math (I wouldn't call it a paradox) only applies if we don't care which two members intersect. As soon as you assign one of those to a known value, (e..g Linus's key) it aligns with normal intuition./p?

      • (Score: 2) by FatPhil on Tuesday August 16 2016, @07:38AM

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday August 16 2016, @07:38AM (#388602) Homepage
        Erm, did you skip my parenthetical comment where I say exactly the same thing?

        Anything counter-intuitive is paradoxical. The intuitive way of thinking leads you down a different path (and is thus "para") from the right way of thinking (the "dox").
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves

        • (Score: 0) by Anonymous Coward on Tuesday August 16 2016, @08:48AM

          by Anonymous Coward on Tuesday August 16 2016, @08:48AM (#388618)

          Did you miss who you were replying to?