Re: Vanity Keys

2015-01-14 Thread Johan Wevers
On 13-01-2015 21:38, Werner Koch wrote:

> Well, we could also change the code
> to trial verify with all key ids but that takes longer than needed and
> may by itself be used as a DoS.

You don't need to test all key IDs - just those with the same key ID.
Assuming this is a rare occasion and someone's keyring is not flooded
with keys with the same ID (in that case you are probably under some
kind of attack and might investigate), you can even detect and store
this condition somewhere when importing the key and checking this
probably very short list of key IDs that appear multiple times.

I wonder what this would do with the keyserver network. They probably
need adapting too.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Vanity Keys

2015-01-13 Thread David Shaw
On Jan 13, 2015, at 10:11 PM, Sandeep Murthy  wrote:
> 
> Hi
> 
>> Only the right key will actually work for verification, but the program may 
>> not be able to find that right key.
> 
> Wouldn’t this issue of possible collisions in the long key ID (64 bits / 16
> hex digits) causing problems for the GPG program only be an issue in an
> organisational setting, where there is a large number of users sharing that
> program and where keys are uploaded to/retrieved from key servers using
> short IDs?
> 
> For an individual who for example only imports keys with fingerprints (160
> bits / 40 hex) and publishes their fingerprint rather than the short or long
> key ID, how can this risk arise or is there still an issue with key servers?

Unfortunately, it doesn't matter if users only use fingerprints when deciding 
to import a key or not.  Internally, keys are looked up using the 64-bit key 
ID.  This is a limitation of OpenPGP - the "issuer" of a signature is 64 bits 
long.  If the user manages to get two keys that happen to have the same 64-bit 
key ID (the lowest 64 bits of the fingerprint, for OpenPGP keys) then this 
problem applies to them.

The discussion on gnupg-devel is about adding a larger issuer that contains the 
complete fingerprint.

David




Re: Vanity Keys

2015-01-13 Thread Sandeep Murthy
Hi

> Only the right key will actually work for verification, but the program may 
> not be able to find that right key.

Wouldn’t this issue of possible collisions in the long key ID (64 bits / 16
hex digits) causing problems for the GPG program only be an issue in an
organisational setting, where there is a large number of users sharing that
program and where keys are uploaded to/retrieved from key servers using
short IDs?

For an individual who for example only imports keys with fingerprints (160
bits / 40 hex) and publishes their fingerprint rather than the short or long
key ID, how can this risk arise or is there still an issue with key servers?

Sandeep Murthy
s.mur...@mykolab.com

> On 13 Jan 2015, at 20:52, David Shaw  wrote:
> 
> On Jan 13, 2015, at 2:53 PM, NdK  wrote:
>> 
>> On 13/01/2015 16:34, David Shaw wrote:
>> 
>>> I like the idea of adding a proper fingerprint to signature packets.  I 
>>> seem to recall this was suggested once in the past, but I don't recall why 
>>> it wasn't pursued.
>> What I don't understand (surely because of my ignorance of GPG inner
>> working) is what that should add to the security... IOW, if the private
>> key has been generated by a third party to have a certain fingerprint,
>> what's the purpose of adding that fingerprint to the signature?
> 
> OpenPGP uses the 64-bit key ID to locate keys.  If two people have the same 
> 64-bit key ID, it doesn't mean that person A can impersonate person B, but it 
> does mean that if both person A and person B's keys are on a given keyring, 
> the verifying program will not know which key to use to check the signature.  
> Only the right key will actually work for verification, but the program may 
> not be able to find that right key.
> 
> The fingerprint is a 160-bit key ID - effectively impossible (given today's 
> knowledge) to impersonate.
> 
> David





Re: Issuer Fingerprint (was: Vanity Keys)

2015-01-13 Thread MFPA

Hi


On Tuesday 13 January 2015 at 11:33:25 AM, in
, Werner Koch wrote:


> Should we pursue this
> task or take a quick solution by using notation data?

I thought we already took care of this with
sig-notation issuer-...@notations.openpgp.fifthhorseman.net=%g [0]

[0] 

-- 
Best regards

MFPA  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

I don't suffer from insanity I enjoy every minute of it.




Re: Vanity Keys

2015-01-13 Thread David Shaw
On Jan 13, 2015, at 2:53 PM, NdK  wrote:
> 
> On 13/01/2015 16:34, David Shaw wrote:
> 
>> I like the idea of adding a proper fingerprint to signature packets.  I seem 
>> to recall this was suggested once in the past, but I don't recall why it 
>> wasn't pursued.
> What I don't understand (surely because of my ignorance of GPG inner
> working) is what that should add to the security... IOW, if the private
> key has been generated by a third party to have a certain fingerprint,
> what's the purpose of adding that fingerprint to the signature?

OpenPGP uses the 64-bit key ID to locate keys.  If two people have the same 
64-bit key ID, it doesn't mean that person A can impersonate person B, but it 
does mean that if both person A and person B's keys are on a given keyring, the 
verifying program will not know which key to use to check the signature.  Only 
the right key will actually work for verification, but the program may not be 
able to find that right key.

The fingerprint is a 160-bit key ID - effectively impossible (given today's 
knowledge) to impersonate.

David


Re: Vanity Keys

2015-01-13 Thread Werner Koch
On Tue, 13 Jan 2015 20:53, ndk.cla...@gmail.com said:

> What I don't understand (surely because of my ignorance of GPG inner
> working) is what that should add to the security... IOW, if the private

Indirectly due to a DoS.  By creating a duplicated long key id and
having someone import that one it makes it impossible to verify a
signature made by the original key.  Well, we could also change the code
to trial verify with all key ids but that takes longer than needed and
may by itself be used as a DoS.

> key has been generated by a third party to have a certain fingerprint,
> what's the purpose of adding that fingerprint to the signature?

Preimage attacks on SHA-1 fingerprints are not even on the horizon.  By
the time they are possible all kind of other serious attacks will also
be possible.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Vanity Keys

2015-01-13 Thread NdK
On 13/01/2015 16:34, David Shaw wrote:

> I like the idea of adding a proper fingerprint to signature packets.  I seem 
> to recall this was suggested once in the past, but I don't recall why it 
> wasn't pursued.
What I don't understand (surely because of my ignorance of GPG inner
working) is what that should add to the security... IOW, if the private
key has been generated by a third party to have a certain fingerprint,
what's the purpose of adding that fingerprint to the signature?

BYtE,
 Diego.




Re: Vanity Keys

2015-01-13 Thread David Shaw
On Jan 13, 2015, at 3:10 AM, Werner Koch  wrote:
> 
> On Mon, 12 Jan 2015 21:51, gn...@lists.grepular.com said:
> 
>> Apparently some of the funds will be donated to the GnuPG project. I suspect
>> he hasn't been in contact, and I imagine the funds would not be welcome?
> 
> I have not heard about it but given that the Wau Holland Stiftung is
> collecting GnuPG donations also via Bitcoin, it is likely that this
> can't be tracked.
> 
> However, if that processing power is used to find many dups for long
> keyids we will sooner or later need to invest work to mitigate the
> effect of this (e.g. adding a fingerprint as signed attribute to each
> signature).

I'm sort of amused by vanitykeys.io.  If you read the HN thread, the author is 
pretty willing to accept this isn't the greatest idea, and has updated the page 
to say that.  (Of course, he hasn't taken the thing down completely either..)

I like the idea of adding a proper fingerprint to signature packets.  I seem to 
recall this was suggested once in the past, but I don't recall why it wasn't 
pursued.

David




Issuer Fingerprint (was: Vanity Keys)

2015-01-13 Thread Werner Koch
[Moving discussion to gnupg-devel]

On Tue, 13 Jan 2015 10:41, nicholas.c...@gmail.com said:

> Or a new revision of the standard, I suppose.  But I think that one or

A new key and signature packet version will take years to develop and
deploy.  Thus I think it is better to first do something within the
standard which will be backward compatible.

We currently use this subpacket:

  5.2.3.5.  Issuer

   (8-octet Key ID)

   The OpenPGP Key ID of the key issuing the signature.

A new optional subpacket:

5.2.3.27.  IssuerFingerprint

   (N-octet Key Fingerprint)

   The OpenPGP Fingerprint of the key issuing the signature.  For
   current versions of OpenPGP N has the value 20.  Future versions of
   OpenPGP may specify a different scheme for the fingerprint and thus
   another value for N.  Implementations should thus be prepared for
   other fingerprint lengths but honor this subpacket only if N is 20.

could be used to overcome duplicate key id problems.  The subpacket
type octet for that new subpacket would be 33.  Note that

  Adding a new Signature subpacket MUST be done through the IETF
  CONSENSUS method, as described in [RFC2434].

which takes quite some time.  Should we pursue this task or take a quick
solution by using notation data?

The size of a signature will increase by 22 or even more when using the
notation data approach.  This is noticeable but given that we are anyway
moving to the smaller ECC algorithms I think this is acceptable.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

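Added example, not part of the original thread and not GnuPG code: a sketch of key lookup combining the import-time duplicate list suggested earlier in the thread with the IssuerFingerprint subpacket proposed in the message above. The `Keyring` class, the helper names and the sample fingerprints are assumptions; the type 33 body is taken to be the bare 20-octet fingerprint, as in the draft text above.

```python
ISSUER, ISSUER_FPR = 16, 33  # 16: RFC 4880 Issuer; 33: type octet proposed above

def parse_subpackets(area: bytes) -> dict:
    """Walk a signature subpacket area (RFC 4880, 5.2.3.1); return {type: body}."""
    out, i = {}, 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            second = int.from_bytes(area[i + 1:i + 2], "big")
            length, i = ((first - 192) << 8) + second + 192, i + 2
        else:                                # 0xFF + four-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        out[area[i] & 0x7F] = area[i + 1:i + length]  # bit 7 is the critical flag
        i += length
    return out

class Keyring:  # hypothetical in-memory keyring index, for illustration only
    def __init__(self):
        self.by_keyid = {}       # 8-octet key ID -> list of 20-octet fingerprints
        self.duplicates = set()  # key IDs held by more than one key, noted at import

    def import_key(self, fpr: bytes) -> None:
        bucket = self.by_keyid.setdefault(fpr[-8:], [])  # key ID = low 64 bits
        if fpr not in bucket:
            bucket.append(fpr)
        if len(bucket) > 1:
            self.duplicates.add(fpr[-8:])

    def candidates(self, area: bytes) -> list:
        """Fingerprints to trial-verify against, given a signature's subpackets."""
        sp = parse_subpackets(area)
        fpr = sp.get(ISSUER_FPR)
        if fpr is not None and len(fpr) == 20:           # honor only N == 20
            return [fpr] if fpr in self.by_keyid.get(fpr[-8:], []) else []
        return list(self.by_keyid.get(sp.get(ISSUER, b""), []))

def subpacket(sp_type: int, body: bytes) -> bytes:
    return bytes([len(body) + 1, sp_type]) + body        # one-octet length form

# Constructed sample fingerprints that share the same low 64 bits (same key ID).
FPR_A = bytes.fromhex("aa" * 12 + "0123456789abcdef")
FPR_B = bytes.fromhex("bb" * 12 + "0123456789abcdef")
RING = Keyring()
RING.import_key(FPR_A)
RING.import_key(FPR_B)
```

With only the 8-octet Issuer subpacket, `RING.candidates` returns both colliding keys and the verifier must try each; with the 22-octet fingerprint subpacket present it returns exactly one.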



Re: Vanity Keys

2015-01-13 Thread Nicholas Cole
On Tue, Jan 13, 2015 at 8:10 AM, Werner Koch  wrote:
> On Mon, 12 Jan 2015 21:51, gn...@lists.grepular.com said:
>
>> Apparently some of the funds will be donated to the GnuPG project. I suspect
>> he hasn't been in contact, and I imagine the funds would not be welcome?
>
> I have not heard about it but given that the Wau Holland Stiftung is
> collecting GnuPG donations also via Bitcoin, it is likely that this
> can't be tracked.
>
> However, if that processing power is used to find many dups for long
> keyids we will sooner or later need to invest work to mitigate the
> effect of this (e.g. adding a fingerprint as signed attribute to each
> signature).

Or a new revision of the standard, I suppose.  But I think that one or
the other would be worth doing in any case given the way things are
moving.  It is best to be ahead of the game.

N.



Re: Vanity Keys

2015-01-13 Thread Werner Koch
On Mon, 12 Jan 2015 21:51, gn...@lists.grepular.com said:

> Apparently some of the funds will be donated to the GnuPG project. I suspect
> he hasn't been in contact, and I imagine the funds would not be welcome?

I have not heard about it but given that the Wau Holland Stiftung is
collecting GnuPG donations also via Bitcoin, it is likely that this
can't be tracked.

However, if that processing power is used to find many dups for long
keyids we will sooner or later need to invest work to mitigate the
effect of this (e.g. adding a fingerprint as signed attribute to each
signature).



Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Vanity Keys

2015-01-12 Thread Mike Cardwell
Just thought I'd make you aware of this horrendous website, which is charging
people for pre-generated GnuPG key pairs with "vanity" key ids:

  https://vanitykeys.io/

I read about it earlier today on the following thread, where the author of the
website has been talking about it:

  https://news.ycombinator.com/item?id=8873182

Apparently some of the funds will be donated to the GnuPG project. I suspect
he hasn't been in contact, and I imagine the funds would not be welcome?

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4

