Stories
Slash Boxes
Comments

SoylentNews is people

posted by takyon on Monday August 15 2016, @01:45PM   Printer-friendly
from the keys-to-the-kingdom dept.

Enrico Zini wrote:

There are currently at least 3 ways to refer to a GPG key: short key ID (last 8 hex digits of fingerprint), long key ID (last 16 hex digits) and full fingerprint. The short key ID used to be popular, and since 5 years it is known that it is computationally easy to generate a GnuPG key with an arbitrary short key id.

LWN.net wrote in June 3, 2016:

Gunnar Wolf urges developers to stop using "short" PGP key IDs as soon as possible. The impetus for the advice originates with Debian's Enrico Zini, who recently found two keys sharing the same short ID in the wild.

After contacted the owner, it turned out that one of the keys is a fake. In addition, labelled same names, emails, and even signatures created by more fake keys. Weeks later, more developers found their fake "mirror" keys on the keyserver, including the PGP Global Directory Verification Key. Gunnar Wolf wrote:

We don't know who is behind this, or what his purpose is. We just know this looks very evil. [...] In short, that cutting a fingerprint in order to get a (32- or 64-bit) short key ID is the worst of all worlds, and we should rather target either always showing full fingerprints, or not showing it at all (and leaving all the crypto-checking bits to be done by the software, as comparing 160-bit strings is not natural for us humans).

Now, a fake key (fake: 0x6211aa3b00411886, real: 0x79be3e4300411886) of Linus Torvalds was found in the wild, scroll the page and you'll see two. It looked like that every single key from the Linux kernel community have been forged successfully, another example is Greg Kroah-Hartman (fake:0x27365dea6092693e, real: 0x38dbbdc86092693e). LWN reader "rmayr" commented:

so it seems somebody is actually constructing a database of fake keypairs with "well-known" short IDs. Something is going on here...


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Tuesday August 16 2016, @09:23AM

    by Anonymous Coward on Tuesday August 16 2016, @09:23AM (#388624)

    Unless you are drunk, or your intent is just to vandalize and troll the living shit out of the site, or you are doing an art-project or somesuch, let me make a following note:

    Spontaneous out-of-nowhere posting of long offtopic drivels to websites is not a sign of excellent mental health.