Re: [openpgp] Followup on fingerprints

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 31 July 2015 18:31 UTC

On Fri, Jul 31, 2015 at 9:28 AM, Derek Atkins <derek@ihtfp.com> wrote:

> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
>
> >> At this point, any attempt to hold Mallet accountable is going to have to
> >> rely on a human examining the logs and working out that Mallet must have
> >> generated the malicious pair of keys. There is going to be no way to unwind
> >> the thing automatically.
>
> Why?  M1 and M2 are completely different fingerprints, unless you're
> assuming that the x's are the same.  If the x's are the same that means
> that Mallet has performed a 2^50 level attack to get 100 bits to match!
> How long and how much energy does Mallet have to do this?  It's
> certainly not something s/he is going to do over a long weekend!


Not with RSA keys. With ECC keys, different matter entirely.


> > Are there any other attacks we should be aware of due to failures of
> > collision resistance in the fingerprint?
>
> I'll note that this attack isn't due to a failure of collision
> resistance in the fingerprint.  It's an attack due to the application
> (on top of OpenPGP) truncating the fingerprint and throwing away extra
> data.
>

Which makes this a Security Consideration. If people build 'stuff' on
top of OpenPGP as a foundation then they have to understand what the
foundation is designed to support.

I think a 25 character / 125 bit fingerprint is going to be fine. BUT there
are two issues I don't want to come up. One is someone builds something
that depends on the fingerprints being collision resistant and blames it on
the spec. The second is that some yahoo works this out again in five years'
time and writes a paper claiming to have 'broken' the spec.
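
An added illustration, not part of the original message or of any OpenPGP implementation: the distinction drawn in this thread between matching one given fingerprint and producing any colliding pair, shown on a toy truncation. It assumes SHA-256 truncated to 24 bits as a stand-in for a truncated fingerprint and uses constructed byte strings in place of key material; all function names are hypothetical.

```python
import hashlib

def truncated_fp(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data): a stand-in for a truncated fingerprint."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits: int):
    """Birthday search over constructed inputs.

    Returns (first_input, second_input, hashes_computed), where the two
    distinct inputs share the same truncated value.
    """
    seen = {}
    counter = 0
    while True:
        candidate = b"constructed-sample-%d" % counter  # constructed, not a real key
        fp = truncated_fp(candidate, bits)
        if fp in seen:
            return seen[fp], candidate, counter + 1
        seen[fp] = candidate
        counter += 1

def collision_work_log2(bits: int) -> float:
    """log2 of the expected hash count to find any colliding pair (birthday bound)."""
    return bits / 2

def second_preimage_work_log2(bits: int) -> float:
    """log2 of the expected hash count to match one specific existing value."""
    return float(bits)

if __name__ == "__main__":
    a, b, tries = find_collision(24)
    print("24-bit truncation: collision after", tries, "hashes")
    print(" ", a, "and", b, "share", hex(truncated_fp(a, 24)))
    # Sizes mentioned in the thread: 100 matching bits and a 125-bit fingerprint.
    for bits in (100, 125):
        print(bits, "bits: collision ~2^%.1f, second preimage ~2^%.0f"
              % (collision_work_log2(bits), second_preimage_work_log2(bits)))
```

An application that needs collision resistance has to size the value it compares by the birthday figure, not the second-preimage figure.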