[openpgp] Fingerprints and their collisions resistance
Andrey Jivsov <openpgp@brainhub.org> Thu, 03 January 2013 07:18 UTC
Return-Path: <openpgp@brainhub.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2BBB21F892F for <openpgp@ietfa.amsl.com>; Wed, 2 Jan 2013 23:18:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.103
X-Spam-Level:
X-Spam-Status: No, score=-0.103 tagged_above=-999 required=5 tests=[AWL=0.334, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F6Z6m-SWJldq for <openpgp@ietfa.amsl.com>; Wed, 2 Jan 2013 23:18:48 -0800 (PST)
Received: from qmta01.emeryville.ca.mail.comcast.net (qmta01.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:43:76:96:30:16]) by ietfa.amsl.com (Postfix) with ESMTP id 518B221F88BC for <openpgp@ietf.org>; Wed, 2 Jan 2013 23:18:48 -0800 (PST)
Received: from omta19.emeryville.ca.mail.comcast.net ([76.96.30.76]) by qmta01.emeryville.ca.mail.comcast.net with comcast id jK161k0041eYJf8A1KJo6v; Thu, 03 Jan 2013 07:18:48 +0000
Received: from [192.168.1.8] ([69.181.162.123]) by omta19.emeryville.ca.mail.comcast.net with comcast id jKJm1k00S2g33ZR01KJnMH; Thu, 03 Jan 2013 07:18:47 +0000
Message-ID: <50E530D6.6020609@brainhub.org>
Date: Wed, 02 Jan 2013 23:18:46 -0800
From: Andrey Jivsov <openpgp@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120605 Thunderbird/13.0
MIME-Version: 1.0
To: openpgp@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1357197528; bh=1+VBAQOCioXCw5RoAMKYxdW8YsUjFA0fvZ2Kb61Mp1M=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=GDftD6Yk0E8XtV8UGkjCKJ/+RUfgqa2iMjQwyQhEKfUBBoc5GJpmGs/aUEuwnnIyu aaxZIEWOtI0rJ8j/2yM1FIXw91cb+trwGkj2kMp3b41h2viAitTt3FEx6uTmLTLzN7 ujr4dI44l3Ae0AA+WH5mBIxUXPAILaauAB3r+eBTsRyb83OoF379cm1epx/gxF+fmj hu66Rymd9CXaBnRPjfLl5kaJmfmD33LKxpaXaWtiwklR6wpHOK6WrQNfV4E4/h8Eu7 WtKh2GdrV/qoF0vbfGpGYNyFFOCynCAlSPMcr4Ki9mc36jXUKdrM7L9Sr4ilzgCK7T rJK+SVv3uPuhQ==
Subject: [openpgp] Fingerprints and their collisions resistance
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jan 2013 07:18:49 -0000
We exchanged a few emails on gnupg list about this this issue, which I think belongs here, the OpenPGP thread. The issue is that fingerprint calculation method in OpenPGP is hardwired to use SHA-1. Some scenarios in which fingerprints are used depend on hash function collision resistance. It's easy to see the collision resistance requirement of fingerprints by making the comparison with document signatures. Classical collision resistance requirement arises in a situation when the owner is free to create two documents that hash to the same hash value. The attacker then makes one document available for signing. As a result he has acquired an option to use the second document later and claim that it was the document that was originally signed. When viewed as document, the keys fit this pattern. One possible exploitation of the hash collision is when the attacker can repudiate signatures or repudiate his ability to decrypt messages (because he can offer a wrong key with the same fingerprint as a proof supporting his inability to perform the private key operation). Public keys offer a reasonable opportunity to place arbitrary bytes into fields that are hashed. For example, DSA P,Q,G, are primes. Every byte but the last one of a 2048 bit prime can be fixed, on average, due to the high density of primes. It suggests that the task of finding a collision with public keys is at least no more difficult than for ASCII documents. Not all scenarios involving fingerprint depend on collision resistance. For example, the ability to substitute a designated revoker, which fingerprint is stored in a subpacket of a public key, is not assisted by compromised collision resistance of SHA-1. As a remedy to the problem note that the collision resistance only arises when the original "document" is not available. Fortunately, keys are small, and therefore, the suggested enhancement to the RFC4880 to remedy the collision dependence of fingerprints on SHA-1 is to store the original key. Continuing the above example with non-repudiation, the non-repudiation claims will be made against the application logs (i.e. audit trails), thus it will be necessary to include complete keys in addition to fingerprints in logs that record protocol exchanges that are dependent on public key identification. This concern will need to be communicated somehow to developers that are relying on RFC4880. An alternative method is outlined next. We introduce a new hardwired fingerprint, for example, based on SHA-3. The above-mentioned application logs can simply state that "SHA-3 fingerprint is XXX" and not bother with storing the whole key (which is unfortunately allowed to change, for example, by acquiring new userIDs, making it hard to compare the revisions). Any subpacket that currently takes the fingerprint will be able to take the new SHA-3 fingerprint as well. Applications will be expected to calculate two fingeprints in parallel and perform a match with either of them. In addition, we might consider a features packet forcing or preferring SHA-3 fingeprint (similar to the MDC feature). KeyIDs in messages can also use 8 bytes of the new fingerprint. Regarding compatibility, note that the fingerprint in the subpackets are not affected by collision weakness, so that there is no downgrade attack. Fingerprints that are sensitive to collision resistance are external features. In addition to mentioned application logs, consider the UI implication. When a key is looked up by its fingerprint on a key server, the UI can offer to search by SHA-1 or the new style fingerprint and this will work with any current key. I will appreciate your comments on this feature. I don't expect this to be a task that needs an urgent resolution. In my mind this is something that we agree on, have a simple spec, and then take a few years to implement and deploy it in a least disruptive way. If there is a more elegant/simpler solution? I would like to hear about it. Thank you.
- [openpgp] Fingerprints and their collisions resis… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… ianG
- Re: [openpgp] Fingerprints and their collisions r… Nicholas Cole
- Re: [openpgp] Fingerprints and their collisions r… Jon Callas
- Re: [openpgp] Fingerprints and their collisions r… Arturo 'Buanzo' Busleiman
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Tony Hansen
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Werner Koch
- Re: [openpgp] Fingerprints and their collisions r… Daniel Kahn Gillmor
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Daniel Kahn Gillmor
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… ianG
- Re: [openpgp] Fingerprints and their collisions r… ianG
- Re: [openpgp] Fingerprints and their collisions r… ianG
- Re: [openpgp] Fingerprints and their collisions r… Christian Aistleitner
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… jbar
- Re: [openpgp] Fingerprints and their collisions r… Christian Aistleitner
- Re: [openpgp] Fingerprints and their collisions r… Daniel Kahn Gillmor
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… ianG
- Re: [openpgp] Fingerprints and their collisions r… Jon Callas
- Re: [openpgp] Fingerprints and their collisions r… Werner Koch
- Re: [openpgp] Fingerprints and their collisions r… Daniel Kahn Gillmor
- Re: [openpgp] Fingerprints and their collisions r… Jon Callas
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Andrey Jivsov
- Re: [openpgp] Fingerprints and their collisions r… Werner Koch
- Re: [openpgp] Fingerprints and their collisions r… Werner Koch
- Re: [openpgp] Fingerprints and their collisions r… Bill Frantz
- Re: [openpgp] Fingerprints and their collisions r… Jon Callas
- Re: [openpgp] Fingerprints and their collisions r… Nicholas Cole
- Re: [openpgp] Fingerprints and their collisions r… ianG