IETF Logo Mail Archive

Re: [openpgp] Followup on fingerprints

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 July 2015 04:04 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F4961B2ACB for <openpgp@ietfa.amsl.com>; Wed, 29 Jul 2015 21:04:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oDlgflSDVNFz for <openpgp@ietfa.amsl.com>; Wed, 29 Jul 2015 21:04:12 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id D3EC51B2AC4 for <openpgp@ietf.org>; Wed, 29 Jul 2015 21:04:12 -0700 (PDT)
Received: from fifthhorseman.net (ool-6c3a0662.static.optonline.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 2FACAF984 for <openpgp@ietf.org>; Thu, 30 Jul 2015 00:04:12 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 035DB202BD; Thu, 30 Jul 2015 06:04:11 +0200 (CEST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: IETF OpenPGP <openpgp@ietf.org>
In-Reply-To: <CAMm+LwgRJX-SvydmpUAJMmN3yysi4zzGSpO2yY4JAMhD-9xLgQ@mail.gmail.com>
References: <CAMm+LwgTcn8CY+Zk-f9gzXQtMJezG97T+kx2=C7PR5g7zFer_A@mail.gmail.com> <87twsn2wcz.fsf@vigenere.g10code.de> <CAMm+LwgRJX-SvydmpUAJMmN3yysi4zzGSpO2yY4JAMhD-9xLgQ@mail.gmail.com>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Thu, 30 Jul 2015 00:04:11 -0400
Message-ID: <87zj2ecmv8.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/Lu_Lf9N6Sc8EyV6GPcz7a-In81w>
Subject: Re: [openpgp] Followup on fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 04:04:14 -0000

On Wed 2015-07-29 10:31:22 -0400, Phillip Hallam-Baker wrote:
> OK one thing from the meeting I forgot to mention, the security
> considerations have to address the use of a birthday attack by someone
> generating keys.

I'll echo Vincent here and ask what specific attack you're concerned
about.

My current understanding of OpenPGP fingerprints is that we do not need
collision resistance as a property of the fingerprint mechanism.

We've discussed the possibility of birthday attacks against fingerprints
by someone generating keys before, and i've yet to hear a concrete
description of any attack that this permits.  If there is such an
attack, then we need to be really concerned about it now, since the
current fingerprinting mechanism (SHA-1) is likely subject to a birthday
attack by a motivated and well-financed attacker.

> If we are doing ECC, it is quite practical for someone to generate 2^50
> keys and then pick the two that match in the first 100 bits. This can then
> be used for attacks, particularly if the keys are not enrolled in some sort
> of blockchain.

if we want to discuss append-only logs of key material, i'd be happy to
see that discussion happen formally in a separate thread, or over in the
certificate transparency WG where that sort of thing is already under
way.  I think dragging blockchains into a discussion on OpenPGP
fingerprint mechanisms is a distraction.

> The other bit I left out is the idea of compression. The idea here being
> that the person generating the key looks for a fingerprint that has 0s for
> the first n bits. Then the fingerprint starts with a version number that
> says 'the first 32 bits are 0s' or whatever.
 [...]
> My preference is to just truncate and use the inferred length. That allows
> us to minimize the amount of data we need to put in front of the user
> without compromising security.

These two proposals seem incompatible to me.  If you give me a
fingerprint that is shorter than the expected length, and both
mechanisms are available, how am i supposed to know whether you've given
me a truncated fingerprint or a "compressed" fingerprint?

> Lets say that in 2020 Alice meets Bob and they exchange their fingerprints
> via a 150 bit QR code. Alice's smartphone goes to the mesh and pulls the
> corresponding profile which has Bob's key and full 512 bit fingerprint. The
> phone then stores the big fingerprint for Bob in her contacts directory.

Wouldn't the phone just store the key itself instead of the fingerprint?
Why does the fingerprint matter in this scenario after the initial
introduction?

         --dkg

v2.23.0 | Report a Bug | By Email