Re: [openpgp] Followup on fingerprints

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 04 August 2015 14:49 UTC

Date: Tue, 04 Aug 2015 10:49:13 -0400
Message-ID: <CAMm+Lwgvt6sApNqNsfUZnmhGGEv4bfj+jFfg=-5cNYauSDzPtQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Derek Atkins <derek@ihtfp.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/trQgYq2X-yaIe6u_OXoxlSDMaik>
Cc: Gregory Maxwell <gmaxwell@gmail.com>, IETF OpenPGP <openpgp@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [openpgp] Followup on fingerprints

On Tue, Aug 4, 2015 at 9:08 AM, Derek Atkins <derek@ihtfp.com> wrote:

> Phillip Hallam-Baker <phill@hallambaker.com> writes:
>
> >     Luckily my computations (which you unfortunately cut out) were based
> >     on 30 million attempts per second, so my results (the attack taking
> >     over a year) are still correct!  Indeed, your numbers are still 3x
> >     slower than my computation estimates.
> >
> > Your original assertion was broken. I don't think it very likely that
> > someone is going to spend more than a machine year to generate a vanity
> > key unless they can get someone else to pay for the time.
>
> Phill, it was *your* proposal that I was talking to, Mallet creating
> keys M1 and M2 to attack some open source project using PGP Signatures.
>

That is not a vanity fingerprint; it is an attack. A vanity fingerprint
would be doing a brute force search for a key whose fingerprint begins
MINIO-Nxxxx-xxxxx-xxxxx-xxxxx

Spending a hundred computer years to insert malware into an open source
project is a much more probable attack.

> So thank you for acknowledging that your original assertion was broken!
> My point was that particular notion isn't viable; nobody is going to
> expend that much effort just to be able to spoof a broken source control
> system.  And moreover, a non-broken system (that uses the full
> fingerprint) is still out of reach even for stronger adversaries.


The moral here is to use a sufficiently long fingerprint. But the point is
that the fingerprint is indeed subject to birthday attack under rare
circumstances.



>
> > A hundred machine years for creating a key collision attack is completely
> > viable.
>
> It's only a hundred machine years for a 100-bit collision.  A 160-bit
> collision is much much further out!


Yes, but if you didn't have to worry about a birthday attack at all, 80
bits would be acceptable by that metric.

The point is that 80 bits is sufficient for a KeyID type use but a
fingerprint should be at least 160 bits. 100/125 and 256 offer some safety
margin.


>
> > Also when we are talking about PGP Key fingerprint, the fingerprint is
> > over the key binding and not just the key and so it is malleable.
>
> I don't see how that helps (today) with SHA1 or SHA2.

If you are doing RSA, it greatly reduces the cost of a collision attack as
you can avoid the need to generate new keypairs on each trial. But I don't
think that is important as we are going to ECC in the near future anyway.
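A worked cost model for the figures argued over in this thread, added here as an example that is not part of the original messages: it applies the birthday bound and the brute-force (second-preimage) bound at the 30 million attempts per second rate quoted above, and checks the square-root scaling empirically on a deliberately short truncated SHA-1 prefix. The function names, the constructed seed and the 32-bit truncation are assumptions for illustration only.

```python
import hashlib
import math

# Cost model quoted in the thread: attempts per second on one machine (assumed flat).
ATTEMPTS_PER_SECOND = 30_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def birthday_trials(bits: int) -> float:
    """Expected hash evaluations before any two inputs share an n-bit digest."""
    return math.sqrt(math.pi / 2 * 2.0 ** bits)


def second_preimage_trials(bits: int) -> float:
    """Expected evaluations to match one fixed n-bit digest (no birthday shortcut)."""
    return 2.0 ** bits


def machine_years(trials: float, rate: float = ATTEMPTS_PER_SECOND) -> float:
    """Convert a trial count into single-machine years at the given rate."""
    return trials / rate / SECONDS_PER_YEAR


def find_truncated_collision(bits: int, seed: bytes = b"constructed-seed"):
    """Empirically collide the first `bits` bits of SHA-1 across distinct inputs.

    Returns (trials, input_a, input_b). Memory grows with sqrt(2**bits), so this
    is only for small, illustrative truncations; the seed is a constructed value.
    """
    assert bits % 8 == 0 and bits <= 40, "keep the demonstration cheap"
    nbytes = bits // 8
    seen: dict[bytes, bytes] = {}
    counter = 0
    while True:
        msg = seed + counter.to_bytes(8, "big")
        prefix = hashlib.sha1(msg).digest()[:nbytes]
        if prefix in seen:
            return counter + 1, seen[prefix], msg
        seen[prefix] = msg
        counter += 1


if __name__ == "__main__":
    for bits in (80, 100, 160, 256):
        print(f"{bits:>3}-bit: birthday {machine_years(birthday_trials(bits)):.3g} yr, "
              f"brute force {machine_years(second_preimage_trials(bits)):.3g} yr")
    trials, a, b = find_truncated_collision(32)
    print(f"32-bit truncation collided after {trials} trials "
          f"(estimate {birthday_trials(32):.0f})")
```

At this rate an 80-bit digest resists a targeted brute-force match for over a billion machine-years yet collides under a birthday search in hours, which is the KeyID-versus-fingerprint distinction drawn above.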