Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

Damien Goutte-Gattat <> Fri, 24 January 2020 00:22 UTC

Date: Fri, 24 Jan 2020 00:22:28 +0000
From: Damien Goutte-Gattat <>
To: Kai Engert <>
Cc: Marcus Brinkmann <>,

On Thu, Jan 23, 2020 at 11:56:39PM +0100, Kai Engert wrote:
>Does this mean, anyone can create a key pair that has the same 
>fingerprint as I have on my business card, by spending that amount of 


What they have done is generate two keys in such a way that a SHA-1 
certification on one key is also a valid certification for the other 

It means that someone can:

1) create a key A with *your* user ID;

2) create a key *B* with a different user ID;

3) have someone certify the key B with a SHA-1-based signature;

4) attach that signature to key *A* and your user ID.

At the end, that someone gets a key with your name and a 
cryptographically valid signature (or even several signatures, if the 
attacker repeats steps 3 and 4). She can thus impersonate you to anyone 
trusting the signer(s) involved at step 3.

What Marcus says the author *could* have done is to generate the two 
keys A and B in such a way that they also have the same fingerprint. 
They have not done so, as one can easily verify e.g. by running `gpg 
--list-packets` on the provided keys (they don’t even have the same 
short key ID). In the scenario outlined above, I am not sure the 
attacker would have anything to gain in having the two keys A and B 
sharing the same fingerprint anyway, which may explain why the authors 
did not try. They don’t even discuss that possibility.

In any case, the attack does *not* allow one to generate a key with the same 
fingerprint as a pre-existing, unrelated key.


- Damien
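A small added illustration of the check this message suggests (run `gpg --list-packets` and look at what the certifications actually use). It is not part of the original message nor of the "SHA-1 is a Shambles" material: a minimal OpenPGP packet walker that reports which certification signatures on a key were made with SHA-1 (hash algorithm 2) and computes the v4 fingerprint and key IDs, so that the "do A and B share a fingerprint / short key ID" question can be answered offline. The packets it runs on are constructed inline for the example; the key material and signature MPIs are placeholder bytes, not real keys or signatures, and no signature is cryptographically verified.

```python
"""Report SHA-1 certification signatures in an OpenPGP key (added example)."""
import hashlib

# Hash algorithm IDs from RFC 4880, section 9.4
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Certification signature types (generic, persona, casual, positive)
CERT_SIG_TYPES = {0x10, 0x11, 0x12, 0x13}
WEAK_HASHES = {1, 2}  # MD5 and SHA-1


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        i += 1
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported here")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            n = 1 << ltype
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def parse_signature(body: bytes) -> dict:
    """Decode the fixed fields of a v4 signature packet (tag 2)."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hash_algo = body[3]
    return {"type": body[1], "pk_algo": body[2], "hash_algo": hash_algo,
            "hash_name": HASH_ALGOS.get(hash_algo, f"unknown({hash_algo})")}


def find_weak_certifications(data: bytes) -> list:
    """Return the certification signatures made with MD5 or SHA-1."""
    return [sig for tag, body in parse_packets(data) if tag == 2
            for sig in [parse_signature(body)]
            if sig["type"] in CERT_SIG_TYPES and sig["hash_algo"] in WEAK_HASHES]


def fingerprint_v4(pubkey_body: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99, two-byte length, key packet body."""
    return hashlib.sha1(b"\x99" + len(pubkey_body).to_bytes(2, "big")
                        + pubkey_body).hexdigest().upper()


def key_ids(fingerprint: str) -> tuple:
    """Long (64-bit) and short (32-bit) key IDs are the low bits of the fingerprint."""
    return fingerprint[-16:], fingerprint[-8:]


# --- constructed sample key (placeholder material, not a real key) -------------
def _old_packet(tag, body):  # old-format header, one-byte length
    return bytes([0x80 | (tag << 2)]) + bytes([len(body)]) + body


def _new_packet(tag, body):  # new-format header, one-octet length (< 192)
    return bytes([0xC0 | tag]) + bytes([len(body)]) + body


def _sig_body(sig_type, hash_algo):
    # v4, type, RSA (1), hash algo, empty hashed/unhashed subpackets,
    # two bytes of hash prefix, then a placeholder 8-bit MPI
    return (bytes([4, sig_type, 1, hash_algo]) + b"\x00\x00" + b"\x00\x00"
            + b"\xab\xcd" + b"\x00\x08\xff")


SAMPLE_PUBKEY_BODY = (bytes([4]) + (1579825348).to_bytes(4, "big") + bytes([1])
                      + b"\x00\x10\xc8\xd1"        # placeholder 16-bit modulus
                      + b"\x00\x11\x01\x00\x01")   # e = 65537
SAMPLE_CERT = (_old_packet(6, SAMPLE_PUBKEY_BODY)
               + _old_packet(13, b"Alice Example <alice@example.com>")
               + _old_packet(2, _sig_body(0x10, 2))    # SHA-1 certification
               + _new_packet(2, _sig_body(0x10, 8)))   # SHA-256 certification

if __name__ == "__main__":
    fp = fingerprint_v4(SAMPLE_PUBKEY_BODY)
    print("fingerprint:", fp, "key IDs:", key_ids(fp))
    for sig in find_weak_certifications(SAMPLE_CERT):
        print("weak certification:", sig)
```

On a real exported key (`gpg --export KEYID`), the same walker runs unchanged as long as the export uses one-pass lengths; a non-empty result means the certifications in question are exactly the kind this thread is about.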