Re: [openpgp] Mining protection in fingerprint schemes

Bryan Ford <brynosaurus@gmail.com> Thu, 07 April 2016 15:09 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/X9WaPnaINfs-SgCxC8Tg2vX4j-I>

> On Apr 6, 2016, at 7:39 PM, Jon Callas <jon@callas.org> wrote:
> 
> I don't get it. What problem are you trying to solve? Along with the previous note -- the fingerprint is in fact merely a hash of the key. It's a handle you can use in a database to identify the key with a fixed string. That's it.

The problem is that one of the most common uses of fingerprints in practice is to verify consistency.

A lot of the people I meet at conferences who use PGP at all tend to put their PGP key fingerprint on their business card.  People also put their PGP key fingerprints on their websites, etc.  Given the general unusability of the “web-of-trust” model as originally envisioned and the lack of any better form of effective PKI in the PGP ecosystem, this casual fingerprint verification often tends to be “the best we can do” in terms of actually ensuring that you have the key you think you have.

But when eyeball-verifying a fingerprint, how many people really look/compare beyond the first 10 digits or so?  Whether mentally or verbally, we’re all tempted just to say, “oh yeah, that’s the fingerprint that starts with …” and assume we’re done.

Which leaves a huge attack vulnerability, at least in principle (although I don’t know if it’s actually happened in practice).  Someone who wants to pass themselves off as me can simply spend a bit of time mining for a new PGP key whose fingerprint matches mine, or yours, in the first 10 digits or so, and perhaps the last few as well.  They post their key with my E-mail address on one or more PGP key servers, and people download it and assume it’s my key because it “looks like” the fingerprint on my business card or web site in the first and/or last digits, the only ones they actually look at.  They might not be able to fool everyone that way, but still it seems like a pretty serious concern.

The whole idea of providing some form of “mining-resistance” in a fingerprint scheme is to enable the key-owner to invest some effort at key-creation time, to ensure that any attacker who wants to try to mine for a key with a similar-looking fingerprint will have to invest a *lot* more time and effort, not just a little.

Does this make sense?

B

> 
> 	Jon
>
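
An added example, not part of the original message: a full-length fingerprint check that also reports whether a candidate would pass the "first 10 digits, last few" eyeball comparison described above, and how few bits that comparison actually covers. The two 40-hex-digit fingerprints are constructed sample values, and the work estimate assumes fingerprint digits behave as uniformly random.

```python
import hmac

HEX = set("0123456789ABCDEF")

def normalize(fp: str) -> str:
    """Drop spaces/colons, uppercase, and reject anything that is not hex."""
    s = "".join(ch for ch in fp if ch not in " :\t\n").upper()
    if not s or not set(s) <= HEX:
        raise ValueError("fingerprint must be non-empty hex")
    return s

def matching_digits(a: str, b: str) -> tuple[int, int]:
    """Count hex digits that agree at the start and at the end."""
    def run(xs, ys):
        n = 0
        for x, y in zip(xs, ys):
            if x != y:
                break
            n += 1
        return n
    return run(a, b), run(reversed(a), reversed(b))

def check(expected: str, candidate: str, head: int = 10, tail: int = 0) -> dict:
    """Compare the full fingerprint; also model a reader who checks only
    `head` leading and `tail` trailing digits."""
    e, c = normalize(expected), normalize(candidate)
    full = len(e) == len(c) and hmac.compare_digest(e, c)
    lead, trail = matching_digits(e, c)
    return {
        "full_match": full,
        "passes_eyeball": lead >= head and trail >= tail,
        # Each hex digit is 4 bits, so matching k chosen digits costs
        # about 2**(4*k) key generations on average.
        "eyeball_work_bits": 4 * (head + tail),
        "full_work_bits": 4 * len(e),
    }

# Constructed sample values, not real keys.
CARD = "9F3A 61C2 07BD 4E15 88A0  3D6C 2B7E F401 95D2 C6A7"
LOOKALIKE = "9F3A 61C2 0751 B8E3 14FC  A29D 7C06 3B98 E04A C6A7"

if __name__ == "__main__":
    print(check(CARD, LOOKALIKE, head=10, tail=4))
    print(check(CARD, CARD.lower().replace(" ", ":")))
```

Only `full_match` should gate trust in a downloaded key; `passes_eyeball` and `eyeball_work_bits` show the gap between what a reader compared and what the fingerprint actually binds.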