

posted by takyon on Monday August 15 2016, @01:45PM
from the keys-to-the-kingdom dept.

Enrico Zini wrote:

There are currently at least 3 ways to refer to a GPG key: short key ID (last 8 hex digits of fingerprint), long key ID (last 16 hex digits) and full fingerprint. The short key ID used to be popular, and for 5 years it has been known that it is computationally easy to generate a GnuPG key with an arbitrary short key id.

LWN.net wrote on June 3, 2016:

Gunnar Wolf urges developers to stop using "short" PGP key IDs as soon as possible. The impetus for the advice originates with Debian's Enrico Zini, who recently found two keys sharing the same short ID in the wild.

After contacting the owner, it turned out that one of the keys was a fake. In addition, the fake key carried the same names and email addresses, and even signatures, themselves made by more fake keys. Weeks later, more developers found their fake "mirror" keys on the keyserver, including the PGP Global Directory Verification Key. Gunnar Wolf wrote:

We don't know who is behind this, or what his purpose is. We just know this looks very evil. [...] In short, that cutting a fingerprint in order to get a (32- or 64-bit) short key ID is the worst of all worlds, and we should rather target either always showing full fingerprints, or not showing it at all (and leaving all the crypto-checking bits to be done by the software, as comparing 160-bit strings is not natural for us humans).

Now, a fake key (fake: 0x6211aa3b00411886, real: 0x79be3e4300411886) of Linus Torvalds has been found in the wild; scroll the page and you'll see two. It looks as if every single key from the Linux kernel community has been forged successfully; another example is Greg Kroah-Hartman (fake: 0x27365dea6092693e, real: 0x38dbbdc86092693e). LWN reader "rmayr" commented:

So it seems somebody is actually constructing a database of fake keypairs with "well-known" short IDs. Something is going on here...
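As an added example (not from the story or from any of the quoted sources), the following Python shows where all three identifiers come from and why the short one is so weak: an OpenPGP v4 fingerprint is a SHA-1 over the public-key packet (RFC 4880 §12.2), the long key ID is its last 16 hex digits and the short ID its last 8, so a short ID carries only 32 bits. It also includes the defender-side check a keyring maintainer would want: grouping fingerprints that share the same short or long ID. The toy key material, the creation time and the leading 24 digits of the sample fingerprints are constructed placeholders; only the 16-digit long IDs are the ones quoted in the story.

```python
import hashlib
from collections import defaultdict


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 section 3.2):
    two-byte big-endian bit length, then the minimal big-endian bytes."""
    if value == 0:
        return b"\x00\x00"
    nbits = value.bit_length()
    return nbits.to_bytes(2, "big") + value.to_bytes((nbits + 7) // 8, "big")


def v4_public_key_body(created: int, algo: int, mpis: list) -> bytes:
    """Body of a version-4 public-key packet: version byte, creation time,
    public-key algorithm id, then the algorithm's MPIs (RFC 4880 section 5.5.2)."""
    return b"\x04" + created.to_bytes(4, "big") + bytes([algo]) + b"".join(mpi(m) for m in mpis)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def key_ids(fingerprint: str) -> dict:
    """The three identifiers named in the story; both key IDs are just the fingerprint's tail."""
    fp = fingerprint.replace(" ", "").upper()
    if len(fp) != 40:
        raise ValueError("a v4 fingerprint is 40 hex digits")
    return {"fingerprint": fp, "long": fp[-16:], "short": fp[-8:]}


def find_collisions(fingerprints, width="short"):
    """Group distinct fingerprints that share the same short or long key ID.
    Run over a keyring or keyserver dump, this flags duplicate pairs like the
    ones Enrico Zini found; 'width' is 'short' (32 bits) or 'long' (64 bits)."""
    groups = defaultdict(list)
    for fp in fingerprints:
        ids = key_ids(fp)
        groups[ids[width]].append(ids["fingerprint"])
    return {kid: fps for kid, fps in groups.items() if len(set(fps)) > 1}


# Constructed fingerprints: the 16-digit tails are the long IDs quoted in the story;
# the leading 24 digits are placeholders, not the real keys' fingerprints.
CONSTRUCTED_FINGERPRINTS = [
    "A1A1A1A1A1A1A1A1A1A1A1A1" + "79BE3E4300411886",  # Torvalds, real long ID per the story
    "B2B2B2B2B2B2B2B2B2B2B2B2" + "6211AA3B00411886",  # Torvalds, fake long ID per the story
    "C3C3C3C3C3C3C3C3C3C3C3C3" + "38DBBDC86092693E",  # Kroah-Hartman, real
    "D4D4D4D4D4D4D4D4D4D4D4D4" + "27365DEA6092693E",  # Kroah-Hartman, fake
]


if __name__ == "__main__":
    # Constructed toy RSA key (algo 1): tiny modulus for illustration only.
    body = v4_public_key_body(created=0x57B1E0C0, algo=1, mpis=[0xC0FFEE1234567891, 65537])
    fp = v4_fingerprint(body)
    print("fingerprint:", fp, key_ids(fp))
    print("short-ID collisions:", find_collisions(CONSTRUCTED_FINGERPRINTS, "short"))
    print("long-ID collisions:  ", find_collisions(CONSTRUCTED_FINGERPRINTS, "long"))
```

The two pairs collide on their short IDs (00411886 and 6092693E) but not on their long IDs, which is exactly the distinction the story turns on: nothing in the short ID beyond those 32 bits ties it to the rest of the fingerprint, so a pinned short ID cannot tell the two keys apart, while a pinned full fingerprint can. In practice that means recording and comparing the full 40-digit fingerprint (or letting tooling do it), and running a check like `find_collisions` over any keyring you trust before acting on a bare key ID.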


  • (Score: 0) by Anonymous Coward on Monday August 15 2016, @06:40PM

    by Anonymous Coward on Monday August 15 2016, @06:40PM (#388320)

    First of all, and this is irritating, the l should look different than the I. On some systems they insist on making them look exactly identical. The O should look different than the 0 or even the o. You can put a line through the number and maybe a dot in the middle of the lowercase variation for fast comparison.

    They could be placed on top of each other like so

    Test-1234-ASDF
    TesT-1324-ADSF

    By looking at them in this manner it's much easier to find differences.

    Maybe they should also be monospaced so I know which letter on top corresponds to which letter on the bottom.

    Also, why can't you have the best of both worlds? You can have each character correspond to a specific color, especially characters that kinda look alike. Limit characters to characters that don't look alike; I thought that was the whole point of having hexadecimal: limit what characters are used, for easier visual identification.

    Also you can include an identicon next to each line as a hash of the hash. Or maybe two, one at the right and one at the left.

    Alternatively have multiple visual identicons per signature and place them on top of each other for easy comparison.

    Identicon1(signature1) - Identicon2(signature1) - Identicon3(signature1)
    Identicon1(signature2) - Identicon2(signature2) - Identicon3(signature2)

    If things are placed right next to each other they're much easier to visually compare.

  • (Score: 0) by Anonymous Coward on Tuesday August 16 2016, @09:32AM

    by Anonymous Coward on Tuesday August 16 2016, @09:32AM (#388625)

    Or you could just print out "Keys match" in green text or "Keys don't match" in red. :)

    But I have to say I personally like it when people overengineer.