oss-sec mailing list archives
Re: Travis CI MITM RCE
From: zugtprgfwprz () spornkuller de
Date: Fri, 31 Aug 2018 22:25:50 +0200
On 31.08.2018 14:18, vines () riseup net wrote:
I agree about the "key ID" part, but not about the "fingerprint" part. Pinning a cryptographic hash over a public key isn't a security antipattern by any stretch of the imagination. Sure, you could argue that the SHA-1 used by GPG isn't state-of-the-art anymore, but we're not talking about collision attacks, but second preimage attacks. Far worse for the attacker.
True, yes, harder to brute-force an identical private key, than a key with an identical fingerprint.
Hmm, not so sure. Let's say we're talking about RSA-4096, then we have a security level of around 144 bit. Bruteforcing a second preimage SHA-1 (pretending it's an ideal hash function for a second) would have complexity of around 159 bit. I.e., even for RSA-4096, it would be easier to create the *identical* private key by factoring the modulus (thus obviously creating a keypair with the identical fingerprint) than just randomly generating keypairs and checking their private key hash. I.e., my point was that for a given key that's uploaded with a fixed fingerprint, we're not talking about 2^(b/2) collision complexity, but 2^(b-1) second preimage complexity.
However, if someone hadn't considered the possibility of a SHA1 collision attack, and a signature verification fails, despite the fingerprint they see matching, what % of GPG users would skip signature verification? Perhaps due to confusion/self-doubt/inexperience/other. Admittedly, this could be stepping into the realm of social engineering.
I think the attacker model that Daniel referred to was that someone states "my key's fingerprint is XYZ" and someone downloading a forged, same-fingerprint key from the keyserver.
Cheers,
Joe
--
"A PC without Windows is like a chocolate cake without mustard."
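The fingerprint-versus-key-ID distinction discussed in this message, as an added Python example that is not code from any poster or from GnuPG: it computes an OpenPGP version 4 fingerprint as RFC 4880 section 12.2 defines it and accepts a pin only when it is the full 160-bit value. The function names are hypothetical and the two key values are constructed toy numbers, not real keys.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI: two-octet bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_packet_body(n: int, e: int, created: int) -> bytes:
    """Version 4 public-key packet body: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-octet body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(body: bytes) -> str:
    """The 64-bit key ID is only the low-order 64 bits of the fingerprint."""
    return v4_fingerprint(body)[-16:]

def matches_pin(body: bytes, pin: str) -> bool:
    """Compare against a pinned value, refusing anything that is not 160 bits of hex."""
    want = pin.replace(" ", "").upper()
    if want.startswith("0X"):
        want = want[2:]
    if len(want) != 40 or any(c not in "0123456789ABCDEF" for c in want):
        raise ValueError("pin must be a full 40-hex-digit fingerprint, not a key ID")
    return v4_fingerprint(body) == want

# Constructed toy values, not real RSA moduli and not anyone's actual key.
KEY_A = rsa_packet_body(int("C0FFEE" * 11, 16) | 1, 65537, 1535745600)
KEY_B = rsa_packet_body(int("DECADE" * 11, 16) | 1, 65537, 1535745600)

if __name__ == "__main__":
    pinned = v4_fingerprint(KEY_A)
    print("fingerprint:", pinned, "key ID:", key_id(KEY_A))
    print("A matches pin:", matches_pin(KEY_A, pinned))
    print("B matches pin:", matches_pin(KEY_B, pinned))
```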