[openpgp] Ring signatures and subkeys

Vincent Yu <v@v-yu.com> Fri, 14 March 2014 18:36 UTC

Return-Path: <v@v-yu.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 752361A019E for <openpgp@ietfa.amsl.com>; Fri, 14 Mar 2014 11:36:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id EWTxpFXHK3CB for <openpgp@ietfa.amsl.com>; Fri, 14 Mar 2014 11:35:58 -0700 (PDT)
Received: from smtp5.hushmail.com (smtp5.hushmail.com []) by ietfa.amsl.com (Postfix) with ESMTP id 1C3341A0185 for <openpgp@ietf.org>; Fri, 14 Mar 2014 11:35:58 -0700 (PDT)
Received: from smtp5.hushmail.com (localhost []) by smtp5.hushmail.com (Postfix) with SMTP id 4239A60187 for <openpgp@ietf.org>; Fri, 14 Mar 2014 18:35:51 +0000 (UTC)
Received: from smtp.hushmail.com (w7.hushmail.com []) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp5.hushmail.com (Postfix) with ESMTPS for <openpgp@ietf.org>; Fri, 14 Mar 2014 18:35:51 +0000 (UTC)
Message-ID: <cf0c87b4c4923fd4fc4cc8579b7d5f12@smtp.hushmail.com>
Date: Fri, 14 Mar 2014 14:35:47 -0400
From: Vincent Yu <v@v-yu.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: openpgp@ietf.org
X-Enigmail-Version: 1.6
OpenPGP: id=d28d7c4078b3742a; url=https://v-yu.com/pubkeys/openpgp.asc
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="xq7pPR1KamSIrcgOV4ragnkE37A09Ood2"
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/II2rt35PMAJsS__25k9fyLZmW-g
Subject: [openpgp] Ring signatures and subkeys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Mar 2014 18:36:00 -0000

Thank you for your comments, dkg and Werner. Both of you brought up good 
points about the use of subkeys with ring signatures, so I am starting a 
new thread to discuss them.

At its heart, a ring signature knows very little about the nature of the 
keys that are fed to it. It knows nothing about the relation between 
primary keys and subkeys. It also knows nothing about the ring signing 
capabilities of its possible signers. Given that ring signatures are 
unable to take such considerations into account, I think it would be a 
mistake to try to encode or to enforce which subkeys can be used for 
ring signatures.

To be more concrete, when a recipient of ring signature can dictate 
which subkey must be used for ring signatures, there are certain attacks 
on non-transferability that the recipient can execute against senders.

Suppose that Alice has been talking to Bob, and has been using ring 
signatures to provide non-transferable authenticity. Bob expects to 
receive from Alice some juicy message that he wants to share with Eve, 
and he wants to prove to Eve that Alice signed the message. He can 
attack Alice's non-transferability as follows: cooperate with Eve to 
create a bait by having Eve create a subkey that Bob claims as his new 
subkey (key binding signatures can be computed both ways without 
requiring Eve to reveal her bait's private key). Bob deploys this bait 
by getting its public key into Alice's keyring. This can be done in many 
ways; for instance, if Alice synchronizes regularly with key servers, 
then Bob can inconspicuously put the bait on a key server. If Alice's 
software creates new ring signatures to Bob using only the bait, then 
Bob can prove to Eve that Alice signed the new messages (because Eve 
knows that Bob does not have the bait's private key). Among all this, 
Alice never realizes that Bob has destroyed the non-transferability of 
her ring signatures.

The attack outlined above is a specific instance of a class of attacks 
that exploit the fact that users can have public subkeys for which they 
provably do not possess the private key. My biggest worry about such 
attacks is that they are incredibly easy to execute in the current 
framework with key server synchronization being good practice, and the 
typical victim might never realize that the attack has occurred.

On 03/14/2014 10:37 AM, Daniel Kahn Gillmor wrote:
> Vincent's original spec says:
>>> It is common for an OpenPGP key bundle to contain multiple keys that
>>> are capable of producing signatures. For instance, this is the case
>>> when the primary certification key and a subkey both have their signing
>>> flags set (see Section of RFC 4880). When a user wishes to
>>> create a ring signature that includes a key ID in a bundle that
>>> contains other keys capable of signing, it would make sense to include
>>> all signing-capable keys in the ring signature.
> But I'm not convinced by this last conclusion.  Why include all the
> signing-capable keys?  I have a primary signing-capable key and a subkey
> that is also signing-capable.  When i sign this message, i will only
> sign it with one of them.  What is the rationale for including all the
> keys?  It seems like it just makes the signature creation take longer,
> and i don't see the benefit.  presumably the signing keys are likely to
> be all controlled by the same person, right?

You are right that my recommendation there results in signatures that 
are potentially larger and take more time to generate and verify.

I intended that to be a recommendation for a safer default that can be 
overridden by users who know what they are doing. The main alternative 
default that I considered is to use either the newest or the oldest 
signing subkey, which falls too easily to the outlined attack.

However, I now realize that even with my recommendation in place, the 
attack is still easy if Bob's primary certification key does not have 
the signing flag set: he simply needs to revoke all signing-capable 
subkeys and execute the attack as before. With this in mind, I 
tentatively suggest that ring signatures should (again, as an 
overridable default) include the primary certification key, even if its 
signing flag is not set. All primary keys are intrinsically 
signing-capable, so there should be no issue implementing this. I'm 
unsure about this and would be interested in everyone's comments.

On 03/14/2014 12:46 PM, Werner Koch wrote:
> On Fri, 14 Mar 2014 14:55, v@v-yu.com said:
>> A major consideration in the proposed scheme is to make sure that it
>> is separable; i.e., that different types of existing keys can be used
>> together without a dedicated setup. In the current scheme, signers are
> Old implementations won't be able to handle ring signatures at all.  To
> use existing keys, users can simply use dedicated subkeys.
>> able to produce a ring signature without any cooperation or setup from
>> the other possible signers (as long as they each have an RSA, DSA, or
> You better need some setup from the other possible signers: They should
> be able to create ring signatures.  If you look at a ring signature and
> you can figure out that only key has been created with a software
> version capable of handling ring signatures it would be easy to single
> out who actually did the signature.  Unfortunately we can't completely
> hide all hints on the software version used.  For example analyzing
> signed mails from mailing list archives should allow to guess which
> software version is used.

I think there is a large security / usability trade-off here. On the one 
hand, the non-transferability "guarantee" of a ring signature is indeed 
much greater if everyone involved had a dedicated key for which they 
explicitly claim to have ring signing capabilities. On the other hand, 
that requires significant setup on both ends and I don't see it becoming 
general practice. When a protocol requires cooperation from both sides, 
it's hard for it to gain any ground at all, especially when the 
alternative (basic signing) is already well-established. But when it 
requires only one side to cooperate, users who want it can use it 
whenever they want.

My hope is that one day creating a ring signature requires no more from 
Alice than updating to the latest version of GnuPG and running:

     gpg2 --clearsign --ring-signature --recipient Bob

Bob will not be able to verify the signature if he does not have an 
implementation that supports ring signatures, but at the very least 
Alice can still create a ring signature without requiring Bob to set 
things up.