Re: [openpgp] Followup on fingerprints

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 04 August 2015 21:31 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Nicholas Cole <nicholas.cole@gmail.com>, IETF OpenPGP <openpgp@ietf.org>
In-Reply-To: <CAAu18hez49oVhTwRLqv=3rifbg5q5+EqsSvBO0c-ezq+M_Qmyw@mail.gmail.com>
References: <87twsn2wcz.fsf@vigenere.g10code.de> <CAMm+LwgRJX-SvydmpUAJMmN3yysi4zzGSpO2yY4JAMhD-9xLgQ@mail.gmail.com> <87zj2ecmv8.fsf@alice.fifthhorseman.net> <CAMm+LwgKmcTes=V7uS3MjCQixWCo-i7PY=VE7eCHSqt3Ho3OSg@mail.gmail.com> <87a8udd4u6.fsf@alice.fifthhorseman.net> <sjm61503182.fsf@securerf.ihtfp.org> <CAMm+LwgEVySpfL-iN2uzX-4tu7R+isDkHE9D8uAeLTxxd4VxqQ@mail.gmail.com> <sjmwpxc1kbv.fsf@securerf.ihtfp.org> <CAAS2fgR6LYck+km5Ze6S9z65ZgsR61d8md2CqojDaceZ0OrZrw@mail.gmail.com> <9c2c8c5df67c83925d7e3c21fe943483.squirrel@mail2.ihtfp.org> <20150803173231.GG3067@straylight.m.ringlet.net> <2439a89a6c4eb70044e144406a732482.squirrel@mail2.ihtfp.org> <87io8v7uqt.fsf@littlepip.fritz.box> <87h9of7p0e.fsf@littlepip.fritz.box> <87wpxbtuwk.fsf@vigenere.g10code.de> <CAAu18hez49oVhTwRLqv=3rifbg5q5+EqsSvBO0c-ezq+M_Qmyw@mail.gmail.com>
Date: Tue, 04 Aug 2015 17:30:49 -0400
Message-ID: <87614u4u7q.fsf@alice.fifthhorseman.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/fjIu1ctLZv9uwK6rRFqxKX2pFSU>
Subject: Re: [openpgp] Followup on fingerprints

On Tue 2015-08-04 04:05:03 -0400, Nicholas Cole wrote:
> I'm really struggling to follow what is going on with this whole
> discussion!  Fingerprints need to be robust enough that creating arbitrary
> collisions is not feasible. That has always been central to OpenPGP.

Why must fingerprints be collision-resistant?  We've always said that
fingerprints need to be preimage-resistant -- that is, if i know your
fingerprint, i should not be able to forge a new key that has the same
fingerprint.

But collision-resistance is a different property: if the fingerprint
mechanism is not collision-resistant, then an attacker can create two
keys with the same fingerprint.  Why is this a threat?

> If that creates headaches for user interfaces then we will have to
> find ways to deal with that, but that is a separate discussion.

I agree with this.

> I thought that there were some well established, secure as far as anyone
> knows, hash algorithms. We've many years experience of the problems of
> including or not including various extra bits of information along with the
> key material itself, so doesn't the WG just need to pick one of the
> candidate algorithms and have done with it?

The current OpenPGP fingerprint mechanism (in RFC 4880) uses SHA-1,
which is a 160-bit digest.  SHA-1's collision resistance is believed to
be weaker than the 2^80 work factor that an ideal 160-bit digest should
have.  But that doesn't mean that it is necessarily "broken" for
OpenPGP, if there is no way to exploit a collision attack on fingerprints
in general.

That said, the general cryptographic advice on SHA-1 is "don't use it",
so while sticking with SHA-1 may not be a problem for this specific
case, it is a distraction from the cryptanalysis to have to have this
kind of discussion ("actually, maybe it's ok in this particular use")
whenever it comes up.

Our constraints in the WG here are also bound by UI concerns -- the
fingerprint mechanism is one used by humans, and humans have a limited
capacity to process and handle long high-entropy bitstrings (regardless
of their representation).  So we're really trying to navigate a
multidimensional design space here when we talk about what to do for
fingerprints.

I'll try to start a new thread that identifies those choices more
clearly, and ask people to weigh in on simpler questions about
fingerprints rather than having everything tangled up.

             --dkg
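As an added illustration (not part of the thread) of the RFC 4880 fingerprint mechanism dkg refers to: the v4 fingerprint is SHA-1 over a 0x99 octet, a two-octet length, and the public-key packet body (version, creation time, algorithm, MPIs), so the "extra bits of information" framed with the key material change the digest, and the ideal work factors are 2^160 for a preimage but only 2^80 for a generic birthday collision. The key values below are constructed toy numbers, not a real key.

```python
import hashlib


def mpi(value: int) -> bytes:
    """RFC 4880 section 3.2 MPI: 2-octet bit length, then big-endian octets."""
    bitlen = value.bit_length()
    return bitlen.to_bytes(2, "big") + value.to_bytes((bitlen + 7) // 8, "big")


def v4_public_key_body(created: int, algo: int, mpis: list) -> bytes:
    """Body of a version-4 public-key packet (RFC 4880 section 5.5.2):
    version octet 4, 4-octet creation time, algorithm octet, then the MPIs."""
    return (bytes([4]) + created.to_bytes(4, "big") + bytes([algo])
            + b"".join(mpi(m) for m in mpis))


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99 || 2-octet body length || body."""
    framed = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(framed).hexdigest().upper()


def key_id(fingerprint_hex: str) -> str:
    """The v4 key ID is the low-order 64 bits of the fingerprint."""
    return fingerprint_hex[-16:]


def work_factors(digest_bits: int) -> dict:
    """Ideal generic attack costs, as log2 of hash evaluations: a (second)
    preimage needs ~2^n, a birthday collision only ~2^(n/2)."""
    return {"preimage_log2": digest_bits, "collision_log2": digest_bits // 2}


if __name__ == "__main__":
    # Constructed toy RSA public key (algorithm 1): tiny n and e = 65537.
    n, e = 0xC0FFEE, 65537
    created = 0x55C11BA0
    body = v4_public_key_body(created, 1, [n, e])
    fp = v4_fingerprint(body)
    print("fingerprint:", fp, "key id:", key_id(fp))
    # Same key material, creation time one second later: different fingerprint.
    fp2 = v4_fingerprint(v4_public_key_body(created + 1, 1, [n, e]))
    print("differs with creation time:", fp != fp2)
    print("SHA-1 (160-bit) ideal work:", work_factors(160))
```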