Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

PGP admins: Kill short keys now, or Alice will become Chuck

$
0
0

PGP admins: Kill short keys now, or Alice will become Chuck

The issue of short PGP IDs is back on the agenda, with unknown scammers spoofing identities like Linus Torvalds and Tor core developer Isis Agora Lovecruft.

Short keys are just what the name describes: instead of someone passing their whole PGP key to someone else to get a message going, people would memorise the last eight hex characters of their full fingerprint.

Hence, as explained back in March by Debian dev Gunner Wolf, Alice might give Bob the short key (Wolf's is C1DB 921F), and Bob would search a key repository to find Alice's full fingerprint.

The problem: we've known for about five years that short keys are prone to collisions; and in 2012, the Evil32 project published a 32-bit colliding key for the whole PGP Web of Trust.

Colliding short keys can be used for an impersonation attack: Chuck's last 32 bits collide with Alice's, so by publishing a fake short key, he can convince Bob to use it for messages instead of the real one.

What seems to have happened is that short key impersonation is escalating: as well as Linus, this post to the linux Kernel Mailing List identifies Greg Kroah-Hartman “and other kernel devs” as being impersonated in the MIT key server:

Search Result of 0x00411886: https://pgp.mit.edu/pks/lookup?search=0x00411886&op=index

Fake Linus Torvalds: 0F6A 1465 32D8 69AE E438 F74B 6211 AA3B [0041 1886] Real Linus Torvalds: ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 [0041 1886]

Search Result of 0x6092693E: https://pgp.mit.edu/pks/lookup?search=0x6092693E&op=index

Fake Greg Kroah-Hartman: 497C 48CE 16B9 26E9 3F49 6301 2736 5DEA [6092 693E] Real Greg Kroah-Hartman: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 [6092 693E]

A responder to Lovecruft's Tweet reckons the fakes uploaded to the MIT keyserver number 20,000:

@isislovecruft @ncardozo you and about 20k others. The https://t.co/qJK8g5kP8Z set has been uploaded to the keyservers.

― Jeroen van der Ham (@1sand0s) August 16, 2016

Evil32's Eric Swanson has posted at Hackernews that he's generated revocation certificates for all of the fake keys.

And for any sysadmin configuring a PGP system: turn short keys off. Convenience is never better than security.


Viewing all articles
Browse latest Browse all 12749

Trending Articles