[openpgp] Fingerprint length and application
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 10 October 2016 18:38 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB561129739 for <openpgp@ietfa.amsl.com>; Mon, 10 Oct 2016 11:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dHU_G3LbSzeX for <openpgp@ietfa.amsl.com>; Mon, 10 Oct 2016 11:38:43 -0700 (PDT)
Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DAA7129750 for <openpgp@ietf.org>; Mon, 10 Oct 2016 11:38:43 -0700 (PDT)
Received: by mail-qt0-x22a.google.com with SMTP id s49so62615561qta.0 for <openpgp@ietf.org>; Mon, 10 Oct 2016 11:38:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:from:date:message-id:subject:to; bh=ctJAEA+VJaPkATPJPGDq2LUk5OvubO2vzc9pJm5dJcA=; b=wHiar77Mn7p+ashP+MZTpWkX6hwjRdNuILirwJwSW8sbr7iRssWsqAg6ruiOLAfrX2 iko2XzZ3YnNR1Oc9K3cOEgO7kHjf9L1J9l302IRaK1WRzLjxcJT3JgUmQzIfW6pC3yuE 19ZZWBsNajA7bI29zOyHzVrSp5K0rdAJjMyxLDyKsXyAVPN/WVMu9ENvIrXqa8bXGQ0c eNX8Tqna9zULbf8S2JfAP7xvsqIak9mDu41kLg723bgK1HHs4YMJ9HA5mJT4bpzwYN7s uHEH9kzyi6oxrzVEdYzu4wHYYjHq5/e59UruCUqgZdN6AkD8yiRHkT5GW/sxswi/3E+o Xk9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=ctJAEA+VJaPkATPJPGDq2LUk5OvubO2vzc9pJm5dJcA=; b=HGEFa7Geq/EGUoX76XTvGQ2YuJs2w9JPO4FPGT8vBOrsU/8dkcDEP/C8Pv2q04iQkE KDbEc1/nsa03CtkcHruRo51YC8/NOBaXh3ilPt3sq/vnQFUeVkvRw4TMMmQylY9tBkkV aXdtyyGjhakPcZv6accrvitABVykCpW2AEEJ2CCweSfSZqyrEcmU3wSqNJM8WO8bVWsC jY+wTA4hZLFjLPqfLCjKKNNPeGSDV+PU69riWIHnlVZfHog7YDYcwHf6Sed1wzUG5cxM RYT4bgwuvUUdcqdPbnt5XIX3F+wTIjaLeekbHc6Ag8ecClgeqlUiFhfN5h2umWlKGAoJ hUqQ==
X-Gm-Message-State: AA6/9RmrpTZ+CYUHcNIUxtOtSPuDj47DfPeShaTWjzb2+adhtquQu49zlhdgK1iBm7Uxj//LClIy75cnb/uAsA==
X-Received: by 10.194.191.162 with SMTP id gz2mr31754323wjc.182.1476124722215; Mon, 10 Oct 2016 11:38:42 -0700 (PDT)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.194.227.170 with HTTP; Mon, 10 Oct 2016 11:38:41 -0700 (PDT)
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 10 Oct 2016 14:38:41 -0400
X-Google-Sender-Auth: WRmhrNWafKfX9IOaj0iFCLA7VIU
Message-ID: <CAMm+LwgSMHvrH4x5473mm0_j=_4vyyMdE2Yep+CLkZjfr4ZNgQ@mail.gmail.com>
To: IETF OpenPGP <openpgp@ietf.org>
Content-Type: multipart/alternative; boundary="047d7bb70adcb642a3053e87119e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/DlIlL4FSRpzwV9bucBXsi2H1HxI>
Subject: [openpgp] Fingerprint length and application
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 18:38:59 -0000
At the last couple of WG F2F meetings DKG asserted that we should make sure that a given public key MUST have exactly one fingerprint representation. This troubled me because while I don't necessarily disagree with the statement, I can't come up for a justification for it. I now think I have a solid justification. The main use for fingerprints in OpenPGP is to establish direct trust. The shortest fingerprint that is safe to use has a work factor of 96 bits and has 20 characters: MB2GK-6DUF5-YGYYL-JNY5E With the compression scheme I have developed (and I am working on the IPR implications of) we can generate a 15 character fingerprint with the same 96 bit work factor: MIWIY-LTMFTG-CZTRO Which requires us to generate 2^25 keypairs Now that 96 bits gives us a work factor of 2^96 against a second pre-image attack but only 2^48 against a collision attack. So consider two common uses of fingerprints: Case 1: OpenPGP key Case 2: PKIX trust root These appear to be similar but they are totally different in the first case it is quite possible for Alice to generate two OpenPGP keys that both have the same fingerprint. And this does allow her to do some mischief. She can sign a document such that it will be accepted by some parties and rejected by others depending on which public key she presents to a party that trusts the fingerprint. This is a concern but it is not one that creates a large opportunity for malice. The second is a much bigger concern as PKIX certificates contain use constraints. And so the risk of collision is much greater. Let us say that example.com has a self signed private root that has a name constraint so that it is only trusted to sign certs for *.example.com. A malicious party might create a pair of root certs such that one has the constraint and the other does not. They then present the certificate with the constraint in and the user accepts it for the limited purpose of trusting certs for example.com. Then the attacker sends out trust paths with the second root for bank.com etc. So extraneous data does make a difference. It provides a salt that reduces the cost of performing any collision type attack. But that isn't actually an advantage for ECC keys as they are quite cheap to make and require only an addition operation to modify. If the key is e^p, it is easy to generate e^(p+1), e^(p+2)... till the desired criteria is met. This can be used for work factor hardening as well. But it makes a much bigger difference in applications like PKIX where the fingerprint is being taken not of just a public key but a public key and associated policy statement. In short, don't do that. Only use short fingerprints for actual public keys, not policy statements or data.
- [openpgp] Fingerprint length and application Phillip Hallam-Baker