Vulnerability Development mailing list archives

Re: PGP Signed Messages


From: "Kurt Seifried" <bugtraq () seifried org>
Date: Tue, 16 Oct 2001 14:51:39 -0600

In the case of the old (PGP 2.6.2) key format, yes, PGP key ids are easily
spoofable (the key id was the low 32 bits of the modulus). However, the
newer format (used for all(?) DSA/Elgamal and some RSA keys) uses the low
32 bits of the fingerprint, which is a cryptographic hash of the entire
key.  Thus one must generate about 2^31 keys to find a single one which
matches the key id (by the usual birthday paradox attack on a hash
function). Let's say you can generate and test 100 keys per second (my 1 GHz
Athlon can generate 1 key in about 10 seconds with gnupg 1.0.6). In that
case, assuming my math isn't wrong, it would take you about 250 days to
forge a key id. Certainly possible, but quite a bit of work.

Yeah but once you have that store of forged keys.... Data storage is cheap.
I just bought a new 1 gig Athlon system for $600 (so I now have 3 at home..).
Key generation can be optimized (or just done arbitrarily, it's not like I'm
too worried about the actual strength of the key!). It's not a lot of work.
Plus there are many many interesting key IDs in use (i.e. vendor keys....).
I've often thought about this, what happens if someone creates a ton of fake
keys with the same properties (i.e. email/etc) and inter-signs them to
replicate the legitimate keys and then uploads them all and injects them
into the internet through other means as well?

I'm fairly certain that having the entire fingerprint on hand gives you
pretty much full certainty that the key is legit.

Yup, the chances of finding a collision with MD5 are tiny, with SHA1 darn
near impossible.

BTW, the GPG for pine plugins automatically verify signatures, and display
the GPG output, i.e. either "Good signature from ... " or "BAD signature
from ..." every time you open the mail. The problems you mention are real, but
a problem of 1) bad mail client support, and 2) overly trusting people, not
the PGP format itself.

This is true but it's a lot like the SSH clients that do NOT warn you that a
server key has changed. Notice that most crypto problems are not in the
algorithm/etc but in the implementation and user interface.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
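As an added illustration (not code from this thread), the Python below derives an OpenPGP v4 fingerprint (SHA-1 over 0x99, a two-octet length, and the public-key packet body, per RFC 4880) and the 32-bit short key id the message describes, then carries the message's own effort arithmetic (2^31 trials at 100 keys/s) to show why the full fingerprint, not the short id, is what should be compared. The key material is constructed for the example and is not a real key.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit length, then big-endian magnitude."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")

def build_v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (algorithm id 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(key_packet_body: bytes) -> bytes:
    """v4 fingerprint: SHA-1 of 0x99 || 2-octet body length || body (RFC 4880 12.2)."""
    header = b"\x99" + struct.pack(">H", len(key_packet_body))
    return hashlib.sha1(header + key_packet_body).digest()

def short_key_id(fingerprint: bytes) -> str:
    """The 32-bit 'short' key id: the low-order 4 octets of the fingerprint."""
    return fingerprint[-4:].hex().upper()

def long_key_id(fingerprint: bytes) -> str:
    """The 64-bit key id: the low-order 8 octets of the fingerprint."""
    return fingerprint[-8:].hex().upper()

def expected_days_to_match(id_bits: int, keys_per_second: float) -> float:
    """Mirror the message's estimate: ~2^(bits-1) candidate keys to hit one id.
    For a 32-bit id at 100 keys/s this is about 248.5 days (the 'about 250 days' above);
    for the full 160-bit fingerprint the same formula is astronomically large."""
    return 2 ** (id_bits - 1) / keys_per_second / 86400

def same_key(fp_hex_a: str, fp_hex_b: str) -> bool:
    """Compare full fingerprints (whitespace-insensitive), never just the trailing 8 hex digits."""
    norm = lambda s: "".join(s.split()).upper()
    return norm(fp_hex_a) == norm(fp_hex_b)

# Constructed toy key material for illustration only: a small, meaningless modulus.
TOY_MODULUS = int.from_bytes(b"constructed-example-modulus-not-a-real-key", "big")
TOY_BODY = build_v4_rsa_key_body(created=1003265499, n=TOY_MODULUS, e=65537)

if __name__ == "__main__":
    fp = v4_fingerprint(TOY_BODY)
    print("fingerprint :", fp.hex().upper())
    print("long key id :", long_key_id(fp))
    print("short key id:", short_key_id(fp))
    print("days to hit a short id at 100 keys/s: %.1f" % expected_days_to_match(32, 100))
    print("days to hit a full fingerprint      : %.3g" % expected_days_to_match(160, 100))
```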
