Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

Damien Goutte-Gattat <dgouttegattat@incenp.org> Fri, 24 January 2020 00:22 UTC

Date: Fri, 24 Jan 2020 00:22:28 +0000
From: Damien Goutte-Gattat <dgouttegattat@incenp.org>
To: Kai Engert <kaie@kuix.de>
Cc: Marcus Brinkmann <marcus.brinkmann=40rub.de@dmarc.ietf.org>, openpgp@ietf.org
Message-ID: <20200124002228.ek7bcwlbghuoborr@dynein.local.incenp.org>
OpenPGP: id=4FA2082362FE73AD03B88830A8DC7067E25FBABB; url=https://incenp.org/srv/dgouttegattat.asc; preference=signencrypt
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="4prwhd5shq5ie7sj"
Content-Disposition: inline
In-Reply-To: <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/j1e2eVvEFAmDz--eSMK2onCfnV8>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

On Thu, Jan 23, 2020 at 11:56:39PM +0100, Kai Engert wrote:
>Does this mean, anyone can create a key pair that has the same 
>fingerprint as I have on my business card, by spending that amount of 
>money?

No.

What they have done is generate two keys in such a way that a SHA-1 
certification on one key is also a valid certification for the other 
key.

It means that someone can:

1) create a key A with *your* user ID;

2) create a key *B* with a different user ID;

3) have someone certify the key B with a SHA-1-based signature;

4) attach that signature to key *A* and your user ID.

In the end, that someone gets a key with your name and a 
cryptographically valid signature (or even several signatures, if the 
attacker repeats steps 3 and 4). She can thus impersonate you to anyone 
trusting the signer(s) involved at step 3.

What Marcus says the authors *could* have done is generate the two 
keys A and B in such a way that they also have the same fingerprint. 
They have not done so, as one can easily verify, e.g. by running `gpg 
--list-packets` on the provided keys (they don’t even have the same 
short key ID). In the scenario outlined above, I am not sure the 
attacker would have anything to gain from having the two keys A and B 
share the same fingerprint anyway, which may explain why the authors 
did not try. They don’t even discuss that possibility.

In any case, the attack does *not* allow one to generate a key with the 
same fingerprint as a pre-existing, unrelated key.


Cheers,

- Damien
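
The following is an added example, not part of Damien's message or of the "SHA-1 is a Shambles" paper. It builds, per RFC 4880 sections 12.2 and 5.2.4, the exact bytes a v4 fingerprint hashes and the exact bytes a SHA-1 certification over a User ID hashes, for two constructed toy keys (tiny RSA moduli, made-up User IDs, an arbitrary creation time). It makes two points from the thread concrete: the fingerprint of a key is computed over the same bytes that sit at the very front of every certification hash, so two keys with different key material have different fingerprints, and a certification made over key B and its User ID (steps 3 and 4 above) only verifies over key A and the victim's User ID if the two SHA-1 hash inputs collide. No collision is produced here; for honest keys the transplanted signature simply fails.

```python
"""Added example (not from the thread): what an OpenPGP v4 fingerprint and a
certification signature hash, per RFC 4880 12.2 and 5.2.4.

KEY_A / KEY_B / UID_A / UID_B / SUBPACKETS below are constructed toy values,
not real keys and not the keys from the "Shambles" paper.
"""
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian octets."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet: version 4, creation time, algo 1 (RSA), MPIs n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint_input(key_body: bytes) -> bytes:
    """RFC 4880 12.2: a v4 fingerprint is SHA-1 over 0x99, a 2-octet body length, and the body."""
    return b"\x99" + struct.pack(">H", len(key_body)) + key_body


def fingerprint(key_body: bytes) -> str:
    return hashlib.sha1(fingerprint_input(key_body)).hexdigest().upper()


def key_id(key_body: bytes) -> str:
    """Long key ID: the low 64 bits of the fingerprint (last 16 hex digits)."""
    return fingerprint(key_body)[-16:]


def short_key_id(key_body: bytes) -> str:
    """Short key ID: the low 32 bits of the fingerprint (last 8 hex digits)."""
    return fingerprint(key_body)[-8:]


def certification_hash_input(key_body: bytes, user_id: bytes, hashed_subpackets: bytes,
                             sig_type: int = 0x13, hash_algo: int = 2) -> bytes:
    """RFC 4880 5.2.4: a v4 certification over a User ID hashes, in order,
    1. the key material, exactly the fingerprint input (0x99 || len || body),
    2. 0xB4 || 4-octet length || User ID,
    3. the signature's own hashed fields (version, type, pk algo, hash algo, subpackets),
    4. the v4 trailer 0x04 0xFF || 4-octet length of (3).
    hash_algo 2 is SHA-1, the algorithm the "Shambles" attack targets; pk algo is fixed to RSA (1)."""
    sig_fields = (b"\x04" + bytes([sig_type, 1, hash_algo])
                  + struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets)
    trailer = b"\x04\xff" + struct.pack(">I", len(sig_fields))
    return (fingerprint_input(key_body)
            + b"\xb4" + struct.pack(">I", len(user_id)) + user_id
            + sig_fields + trailer)


def certification_digest(key_body: bytes, user_id: bytes, hashed_subpackets: bytes) -> bytes:
    """The SHA-1 value the certifier's RSA signature is actually computed over."""
    return hashlib.sha1(certification_hash_input(key_body, user_id, hashed_subpackets)).digest()


# Constructed sample data: toy-sized moduli (real keys use 2048+ bit n), made-up identities.
CREATED = 1579824000  # arbitrary creation time (2020-01-24)
KEY_A = rsa_public_key_body(CREATED, 0xC7E3A1F5B9D27F1B3C5D9E2A4B6C8D0F, 0x10001)
KEY_B = rsa_public_key_body(CREATED, 0xA3D4F6E8B1C2D3E4F5A6B7C8D9E0F1A3, 0x10001)
UID_A = b"Alice Example <alice@example.org>"     # the victim's User ID, as on key A
UID_B = b"Mallory Mallet <mallory@example.net>"  # a different User ID, as on key B
# One hashed subpacket: length octet (type + body), type 2 = signature creation time, 4-octet time.
SUBPACKETS = b"\x05\x02" + struct.pack(">I", CREATED + 3600)


def transplanted_signature_verifies(cert_key: bytes, cert_uid: bytes,
                                    target_key: bytes, target_uid: bytes,
                                    subpackets: bytes) -> bool:
    """A certification made over (cert_key, cert_uid) is valid over (target_key, target_uid)
    exactly when the two SHA-1 digests coincide. For honest keys they differ; a chosen-prefix
    collision on the hash inputs is what the attack supplies so that they become equal."""
    return (certification_digest(cert_key, cert_uid, subpackets)
            == certification_digest(target_key, target_uid, subpackets))


def main() -> None:
    for name, key in (("A", KEY_A), ("B", KEY_B)):
        print(f"key {name}: fpr {fingerprint(key)}  keyid {key_id(key)}  short {short_key_id(key)}")
    print("same short key ID:", short_key_id(KEY_A) == short_key_id(KEY_B))
    print("certification on B/Mallory verifies on A/Alice:",
          transplanted_signature_verifies(KEY_B, UID_B, KEY_A, UID_A, SUBPACKETS))


if __name__ == "__main__":
    main()
```

Running `gpg --list-packets` on a real key shows the same packet fields this code assembles (version, creation time, algorithm, MPIs), which is how one checks by eye that two keys have different key material and therefore different fingerprints; `certification_hash_input` shows that the certifier signs that key material together with one specific User ID, which is why a signature can only be moved between keys whose hash inputs collide.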