Re: [openpgp] Fingerprints and their collisions resistance

Andrey Jivsov <openpgp@brainhub.org> Fri, 04 January 2013 00:02 UTC

On 01/03/2013 03:08 PM, Daniel Kahn Gillmor wrote:
...
> As i mentioned on the discussion on the GnuPG discussion list, i remain
> unconvinced that OpenPGP fingerprints need to be collision-resistant.
> They certainly need to be able to resist preimage attacks, but i haven't
> seen any convincing attacks that make me think collision resistance is
> an issue.
...
> If anyone disagrees with this analysis, i would be interested in hearing
> how failed collision-resistance of the fingerprint mechanism could lead
> to practical attacks in OpenPGP.
>
>> I have this Keccak in OpenPGP draft written, waiting for the NIST to
...

Key fingerprints can be designed to be cryptographically strong, so that 
it is infeasible to forge them / find collisions for anybody. The 
overall system is stronger if we can rely on this stronger assertion.

OpenPGP is a format on the wire. I need to show only one vulnerable 
hypothetical OpenPGP system to prove that Daniel is wrong.

Let's say I have a server that manages a domain of users, each of whom has
their own key, one at a time. Users can update their keys. They cannot remove
keys (other than updating them). The server logs protocol actions and it
uses key fingerprints to log changes to keys. The server decides to log
the whole key on the key material change event, which it identifies by 
the change in the key fingerprint. Seems like a reasonable and secure 
system at first sight.

I am a malicious member of that domain. I create two keys with the same 
fingerprint. Now I can repudiate my document signatures. Document 
signatures will refer to either of my keys with the same 8 byte KeyID. 
Server logs will have the same 160 bit fingerprints. I can replace my 
first key on the server with another and no logs will tell that I have 
updated the key. This will invalidate documents signed with my first key.


There is an easy remedy to this problem, but it will essentially mean 
that we don't trust the key fingerprint and diligently log whole keys. 
This means that we moved away from relying on collision resistance of 
the fingerprint.
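
The logging server described in this message, sketched as an added example that is not part of the original post. The `KeyServer` class, the user name and the key bytes are hypothetical, and the fingerprint is SHA-256 truncated to 16 bits, an assumption made only so that two keys with equal fingerprints can be constructed instantly; it stands in for a collision on a real 160-bit fingerprint. The example runs the same two key updates against a server that detects changes by fingerprint and against one that applies the remedy of comparing and logging whole keys.

```python
import hashlib
from itertools import count

FP_BYTES = 2  # toy fingerprint length (assumption): short enough to collide quickly


def fingerprint(key: bytes) -> bytes:
    """Toy stand-in for a key fingerprint: truncated SHA-256 of the key material."""
    return hashlib.sha256(key).digest()[:FP_BYTES]


def colliding_pair():
    """Return two different constructed keys that share the same toy fingerprint."""
    seen = {}
    for i in count():
        key = b"constructed-key-%d" % i
        fp = fingerprint(key)
        if fp in seen:
            return seen[fp], key
        seen[fp] = key


class KeyServer:
    """Hypothetical server holding one key per user and logging key changes."""

    def __init__(self, log_whole_keys: bool):
        self.log_whole_keys = log_whole_keys
        self.current = {}   # user -> current key
        self.log = []       # (user, full key) recorded on each detected change

    def update(self, user: str, key: bytes) -> None:
        old = self.current.get(user)
        if self.log_whole_keys:
            changed = old != key                      # remedy: compare whole keys
        else:
            changed = old is None or fingerprint(old) != fingerprint(key)
        if changed:
            self.log.append((user, key))
        self.current[user] = key


def replay(log_whole_keys: bool):
    """Apply two updates with colliding keys; return (log entries, second key is active)."""
    k1, k2 = colliding_pair()
    server = KeyServer(log_whole_keys)
    server.update("mallory", k1)
    server.update("mallory", k2)
    return len(server.log), server.current["mallory"] == k2
```

With fingerprint-based change detection the second update replaces the key without producing a log entry; with whole-key comparison both updates are recorded.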