IETF Logo Mail Archive

[openpgp] Fingerprints and their collisions resistance

Andrey Jivsov <openpgp@brainhub.org> Thu, 03 January 2013 07:18 UTC

Return-Path: <openpgp@brainhub.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2BBB21F892F for <openpgp@ietfa.amsl.com>; Wed, 2 Jan 2013 23:18:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.103
X-Spam-Level:
X-Spam-Status: No, score=-0.103 tagged_above=-999 required=5 tests=[AWL=0.334, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F6Z6m-SWJldq for <openpgp@ietfa.amsl.com>; Wed, 2 Jan 2013 23:18:48 -0800 (PST)
Received: from qmta01.emeryville.ca.mail.comcast.net (qmta01.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:43:76:96:30:16]) by ietfa.amsl.com (Postfix) with ESMTP id 518B221F88BC for <openpgp@ietf.org>; Wed, 2 Jan 2013 23:18:48 -0800 (PST)
Received: from omta19.emeryville.ca.mail.comcast.net ([76.96.30.76]) by qmta01.emeryville.ca.mail.comcast.net with comcast id jK161k0041eYJf8A1KJo6v; Thu, 03 Jan 2013 07:18:48 +0000
Received: from [192.168.1.8] ([69.181.162.123]) by omta19.emeryville.ca.mail.comcast.net with comcast id jKJm1k00S2g33ZR01KJnMH; Thu, 03 Jan 2013 07:18:47 +0000
Message-ID: <50E530D6.6020609@brainhub.org>
Date: Wed, 02 Jan 2013 23:18:46 -0800
From: Andrey Jivsov <openpgp@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120605 Thunderbird/13.0
MIME-Version: 1.0
To: openpgp@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1357197528; bh=1+VBAQOCioXCw5RoAMKYxdW8YsUjFA0fvZ2Kb61Mp1M=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=GDftD6Yk0E8XtV8UGkjCKJ/+RUfgqa2iMjQwyQhEKfUBBoc5GJpmGs/aUEuwnnIyu aaxZIEWOtI0rJ8j/2yM1FIXw91cb+trwGkj2kMp3b41h2viAitTt3FEx6uTmLTLzN7 ujr4dI44l3Ae0AA+WH5mBIxUXPAILaauAB3r+eBTsRyb83OoF379cm1epx/gxF+fmj hu66Rymd9CXaBnRPjfLl5kaJmfmD33LKxpaXaWtiwklR6wpHOK6WrQNfV4E4/h8Eu7 WtKh2GdrV/qoF0vbfGpGYNyFFOCynCAlSPMcr4Ki9mc36jXUKdrM7L9Sr4ilzgCK7T rJK+SVv3uPuhQ==
Subject: [openpgp] Fingerprints and their collisions resistance
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jan 2013 07:18:49 -0000

We exchanged a few emails on gnupg list about this this issue, which I 
think belongs here, the OpenPGP thread.

The issue is that fingerprint calculation method in OpenPGP is hardwired 
to use SHA-1. Some scenarios in which fingerprints are used  depend on 
hash function collision resistance.

It's easy to see the collision resistance requirement of fingerprints by 
making the comparison with document signatures.

Classical collision resistance requirement arises in a situation when 
the owner is free to create two documents that hash to the same hash 
value. The attacker then makes one document available for signing. As a 
result he has acquired an option to use the second document later and 
claim that it was the document that was originally signed.

When viewed as document, the keys fit this pattern. One possible 
exploitation of the hash collision is when the attacker can repudiate 
signatures or repudiate his ability to decrypt messages (because he can 
offer a wrong key with the same fingerprint as a proof supporting his 
inability to perform the private key operation).

Public keys offer a reasonable opportunity to place arbitrary bytes into 
fields that are hashed. For example, DSA P,Q,G, are primes. Every byte 
but the last one of a 2048 bit prime can be fixed, on average, due to 
the high density of primes. It suggests that the task of finding a 
collision with public keys is at least no more difficult than for ASCII 
documents.

Not all scenarios involving fingerprint depend on collision resistance. 
For example, the ability to substitute a designated revoker, which 
fingerprint is stored in a subpacket of a public key, is not assisted by 
compromised collision resistance of SHA-1.

As a remedy to the problem note that the collision resistance only 
arises when the original "document" is not available. Fortunately, keys 
are small, and therefore, the suggested enhancement to the RFC4880 to 
remedy the collision dependence of fingerprints on SHA-1 is to store the 
original key. Continuing the above example with non-repudiation, the 
non-repudiation claims will be made against the application logs (i.e. 
audit trails), thus it will be necessary to include complete keys in 
addition to fingerprints in logs that record protocol exchanges that are 
dependent on public key identification.

This concern will need to be communicated somehow to developers that are 
relying on RFC4880.

An alternative method is outlined next. We introduce a new hardwired 
fingerprint, for example, based on SHA-3. The above-mentioned 
application logs can simply state that "SHA-3 fingerprint is XXX" and 
not bother with storing the whole key (which is unfortunately allowed to 
change, for example, by acquiring new userIDs, making it hard to compare 
the revisions). Any subpacket that currently takes the fingerprint will 
be able to take the new SHA-3 fingerprint as well. Applications will be 
expected to calculate two fingeprints in parallel and perform a match 
with either of them. In addition, we might consider a features packet 
forcing or preferring SHA-3 fingeprint (similar to the MDC feature). 
KeyIDs in messages can also use 8 bytes of the new fingerprint.

Regarding compatibility, note that the fingerprint in the subpackets are 
not affected by collision weakness, so that there is no downgrade 
attack. Fingerprints that are sensitive to collision resistance are 
external features. In addition to mentioned application logs, consider 
the UI implication. When a key is looked up by its fingerprint on a key 
server, the UI can offer to search by SHA-1 or the new style fingerprint 
and this will work with any current key.

I will appreciate your comments on this feature. I don't expect this to 
be a task that needs an urgent resolution. In my mind this is something 
that we agree on, have a simple spec, and then take a few years to 
implement and deploy it in a least disruptive way.

If there is a more elegant/simpler solution? I would like to hear about it.

Thank you.

v2.23.0 | Report a Bug | By Email