Subject: Re: PGP Signatures security BUG!
From: Eric Murray (ericm@LNE.COM)
Date: Wed Mar 08 2000 - 10:50:45 CST
On Tue, Mar 07, 2000 at 03:29:00PM +0100, Povl H. Pedersen wrote:
> THE PROBLEM
>
> The problem is that the PGP servers expect all key IDs to be unique
> numbers, and do not expect 2 users to have the same keyID. And with
> the current amount of users, we are starting to get multiple users
> with the same keyID.
This problem has been known for a long time. It's called
the 'deadbeef attack'. It's discussed in the PGP FAQ:
(http://www.pgp.net/pgpnet/pgp-faq/faq-04.html)
"The key ID

It is possible to create a key with a chosen key ID. Paul Leyland
<pcl@sable.ox.ac.uk> explains:

  A PGP key ID is just the bottom 64 bits of the public modulus (but
  only the bottom 32 bits are displayed with pgp -kv). It is easy to
  select two primes which when multiplied together have a specific
  set of low-order bits.

This makes it possible to create a fake key with the same key ID as an
existing one. The fingerprint will still be different, though.

By the way, this attack is sometimes referred to as a DEADBEEF attack.
This term originates from an example key with key ID 0xDEADBEEF which
was created to demonstrate that this was possible."
> EXPLOIT
>
> It is possible to generate false signatures, and John Smith can send
> new e-mails in the name of Mike Evans to users who do not have
> Mike Evans' key in their keyring, and when they do a lookup, they
> will find Mike Evans' key.
That's why you're not supposed to depend on the keyid alone
to authenticate PGP keys. See the FAQ.
> It will take a long time to generate a new key with a specific
> fingerprint, but nonetheless, this 'overwriting' and hiding of other
> users' IDs in the public PGP servers is bad.
Yep. The deadbeef attack has been known for years, the servers
really should use all of the modulus as the database index and return
all matches on keyid.
-- Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP keyid:E03F65E5
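
The server-side fix suggested in the message above (index on the whole modulus, return all matches on keyid) together with the FAQ's point that fingerprints still differ, as an added Python example that is not part of the original post or of any keyserver's code. KeyStore and its methods are hypothetical names, and the two moduli are constructed integers, not real RSA keys.

```python
import hashlib

def key_id(n, bits=64):
    """PGP 2.x key ID: the low-order bits of the RSA modulus (32 shown by pgp -kv)."""
    return n & ((1 << bits) - 1)

def fingerprint_v3(n, e):
    """V3 (PGP 2.x) fingerprint: MD5 over the modulus bytes followed by the exponent bytes."""
    raw = lambda x: x.to_bytes((x.bit_length() + 7) // 8, "big")
    return hashlib.md5(raw(n) + raw(e)).hexdigest()

class KeyStore:
    """Hypothetical store indexed by the full modulus, so equal key IDs never overwrite."""
    def __init__(self):
        self._keys = {}  # full modulus -> (user_id, exponent)

    def add(self, user_id, n, e=65537):
        if n in self._keys:
            return False  # true duplicate: same modulus already stored
        self._keys[n] = (user_id, e)
        return True

    def lookup(self, kid, bits=64):
        """Return every stored key whose ID matches, never just the first one."""
        return [(uid, fingerprint_v3(n, e))
                for n, (uid, e) in self._keys.items() if key_id(n, bits) == kid]

    def select(self, kid, expected_fpr, bits=64):
        """Accept a key only if its fingerprint equals one obtained out of band."""
        for uid, fpr in self.lookup(kid, bits):
            if fpr == expected_fpr:
                return uid
        return None

# Constructed integers standing in for two moduli that share their low 64 bits;
# they are not real RSA keys.
LOW64 = 0x11223344DEADBEEF
N_MIKE = (0xA5A5A5A5 << 64) | LOW64
N_JOHN = (0x5A5A5A5B << 64) | LOW64

def demo():
    store = KeyStore()
    store.add("Mike Evans", N_MIKE)
    store.add("John Smith", N_JOHN)
    return store

if __name__ == "__main__":
    for uid, fpr in demo().lookup(0xDEADBEEF, bits=32):
        print(uid, fpr)
```

A lookup on the shared key ID returns both entries, and only the fingerprint comparison in select() tells them apart.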