Mailing List Archive: GnuPG: devel

The two V3 attacks



dshaw at jabberwocky

Jun 22, 2012, 11:08 AM

Post #1 of 8 (291 views)
The two V3 attacks

For the curious, I found pointers to the two big fingerprint/keyID spoofing attacks in V3:

DEADBEEF (spoofs key IDs, but not fingerprints):
http://groups.google.com/group/sci.crypt/browse_thread/thread/25248ce8d6dfc1e4/e5372a1bd972dc07

Bit sliding (spoofs fingerprints, but mangles the size in the process):
http://groups.google.com/group/nl.comp.crypt/browse_thread/thread/770e8cc32fb222c7/175823454f2649dc

So neither of these is a terribly new attack (both date from the 1990s). I had a brainstorm last year about using a DEADBEEF V3 key to collide with a V4 key, as the only way to tell which key was required (for verifying a signature, for example) was via the 64-bit key ID, and inside the signature there was no way to tell if it was a V3 or V4 key making the signature. That may have been the first mention of that particular variant - I don't know. There was some discussion about this on the IETF WG list at the time, but it's really an implementation issue (by the spec, implementations are not required to accept V3 keys if they don't want to).

Note one of the caveats about using DEADBEEF to collide with V4: even-numbered keys. Since the key ID is the lower 64 bits of p*q, and p and q are large primes, the key ID for a valid key will always be odd. Offhand I can't think of a simple way around this without the key being either extremely weak or invalid (a nice thing about DEADBEEF is that it's a collision, but it's a real, usable key as well). I suppose if the intent is just to create trouble, then those restrictions are less important.

The other thing to note about DEADBEEF is that this sort of collision can happen V4-V4 as well. It's just very unlikely. Someone astutely pointed out in the original discussion that the possibility of V3-V4 collisions sort of keeps us honest - that banning V3 may mean we won't fix the V4-V4 problem because it's so hard to cause. I look at banning V3 as buying us time to fix V4 (or go to V5).

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
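The two facts David relies on above (a V3 key ID is the low 64 bits of the RSA modulus, so it is always odd for a valid key, while a V4 key ID is the low 64 bits of a SHA-1 fingerprint, and a signature's issuer field does not say which kind of key made it) can be checked directly on packet bytes. The following is an added example written for this archive page, not GnuPG's code: it builds V3 and V4 RSA public-key packet bodies following RFC 4880 section 5.5.2, derives the key ID each version yields, and shows a `resolve_issuer` lookup (a hypothetical helper, not a GnuPG API) that applies the thread's mitigations: refuse V3 keys unless explicitly allowed, and refuse any V3 key whose modulus is even. The moduli and timestamp are constructed toy values, far too small for real use.

```python
"""Key-ID resolution that treats V3 keys the way the thread recommends.

Added example, not GnuPG code. Packet layouts follow RFC 4880 5.5.2; the
toy moduli and timestamp below are constructed for illustration only.
"""
import hashlib
import struct

RSA_ALGO = 1                 # RFC 4880 public-key algorithm id: RSA (encrypt or sign)
KEYID_MASK = (1 << 64) - 1


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def read_mpi(buf: bytes, off: int):
    """Decode one MPI at offset `off`; returns (value, offset just past it)."""
    bits = struct.unpack(">H", buf[off:off + 2])[0]
    nbytes = (bits + 7) // 8
    start = off + 2
    return int.from_bytes(buf[start:start + nbytes], "big"), start + nbytes


def rsa_pubkey_body(version: int, created: int, n: int, e: int) -> bytes:
    """Body of a public-key packet (tag 6) for an RSA key, V3 or V4 (RFC 4880 5.5.2)."""
    if version == 3:
        # V3 carries a 2-byte validity period in days (0 = never expires) after the timestamp.
        return bytes([3]) + struct.pack(">IH", created, 0) + bytes([RSA_ALGO]) + mpi(n) + mpi(e)
    if version == 4:
        return bytes([4]) + struct.pack(">I", created) + bytes([RSA_ALGO]) + mpi(n) + mpi(e)
    raise ValueError("unsupported key version")


def parse_rsa_pubkey(body: bytes):
    """Return (version, n, e) from a V3 or V4 RSA public-key packet body."""
    version = body[0]
    off = 7 if version == 3 else 5 if version == 4 else None   # offset of the algorithm byte
    if off is None:
        raise ValueError(f"unsupported key version {version}")
    if body[off] != RSA_ALGO:
        raise ValueError("only RSA keys are handled in this example")
    n, off = read_mpi(body, off + 1)
    e, _ = read_mpi(body, off)
    return version, n, e


def fingerprint_v4(body: bytes) -> bytes:
    """V4 fingerprint: SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_id(body: bytes) -> int:
    """64-bit key ID, as a signature's issuer field would carry it."""
    version, n, _ = parse_rsa_pubkey(body)
    if version == 3:
        # V3: the low 64 bits of the modulus itself. No hash is involved, which is
        # why a V3 key ID is not tied to the rest of the key (the DEADBEEF issue).
        return n & KEYID_MASK
    # V4: the low 64 bits of the SHA-1 fingerprint.
    return int.from_bytes(fingerprint_v4(body)[-8:], "big")


def resolve_issuer(issuer_id: int, keyring, allow_v3: bool = False) -> list:
    """Candidate keys for a signature's 64-bit issuer ID (hypothetical helper).

    The issuer ID alone does not say whether a V3 or V4 key made the signature,
    so every key with that ID is a candidate. V3 keys are dropped unless the
    caller opts in, and a V3 key with an even modulus is dropped regardless:
    p*q for two large primes is odd, so an even V3 key ID cannot belong to a
    valid RSA key.
    """
    found = []
    for body in keyring:
        if key_id(body) != issuer_id:
            continue
        version, n, _ = parse_rsa_pubkey(body)
        if version == 3 and (not allow_v3 or n % 2 == 0):
            continue
        found.append(body)
    return found


# Constructed toy keys: products of small Mersenne primes, not usable in practice.
TOY_P = (1 << 61) - 1
TOY_Q = (1 << 89) - 1
TOY_N = TOY_P * TOY_Q
TOY_E = 65537
CREATED = 1340380093          # constructed creation timestamp (June 2012)

V3_BODY = rsa_pubkey_body(3, CREATED, TOY_N, TOY_E)
V4_BODY = rsa_pubkey_body(4, CREATED, TOY_N, TOY_E)
BAD_V3_BODY = rsa_pubkey_body(3, CREATED, TOY_N * 2, TOY_E)   # even modulus: malformed
KEYRING = [V3_BODY, V4_BODY, BAD_V3_BODY]

if __name__ == "__main__":
    for label, body in (("V3", V3_BODY), ("V4", V4_BODY), ("bad V3", BAD_V3_BODY)):
        kid = key_id(body)
        print(f"{label:6s} key ID {kid:016X}: "
              f"{len(resolve_issuer(kid, KEYRING))} candidate(s) by default, "
              f"{len(resolve_issuer(kid, KEYRING, allow_v3=True))} with V3 allowed")
```

With the toy modulus, the V3 key ID works out to 0xE000000000000001 (odd, as the post predicts), while the doubled modulus yields the even 0xC000000000000002 and is rejected even when V3 keys are allowed. The default `allow_v3=False` is the policy the thread converges on; a verifier that keeps V3 enabled for legacy reads should at least apply the parity check, since it costs nothing and rules out the invalid-key case David describes.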


guninski at guninski

Jun 24, 2012, 10:22 PM

Post #2 of 8 (284 views)
Re: The two V3 attacks [In reply to]

On Fri, Jun 22, 2012 at 02:08:13PM -0400, David Shaw wrote:
>
> So neither of these is a terribly new attack (both date from the 1990s). I had a brainstorm last year about using a DEADBEEF V3 key to collide with a V4 key, as the only way to tell which key was required (for verifying a signature, for example) was via the 64-bit key ID, and inside the signature there was no way to tell if it was a V3 or V4 key making the signature. That may have been the first mention of that particular variant - I don't know. There was some discussion about this on the IETF WG list at the time, but it's really an implementation issue (by the spec, implementations are not required to accept V3 keys if they don't want to).
>


If they are not new, why are they not fixed yet?




wk at gnupg

Jun 25, 2012, 12:08 AM

Post #3 of 8 (285 views)
Re: The two V3 attacks [In reply to]

On Mon, 25 Jun 2012 07:22, guninski [at] guninski said:

> If they are not new, why are they not fixed yet?

There was no rough consensus to drop v3 packets. Meanwhile there is no
WG anymore because the IETF decided that OpenPGP has been done.

The outcome of a v5 key format discussion was to wait for SHA-3 and then
to start the discussion again.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.




guninski at guninski

Jun 25, 2012, 12:32 AM

Post #4 of 8 (283 views)
Re: The two V3 attacks [In reply to]

On Mon, Jun 25, 2012 at 09:08:58AM +0200, Werner Koch wrote:
> On Mon, 25 Jun 2012 07:22, guninski [at] guninski said:
>
> > If they are not new, why are they not fixed yet?
>
> There was no rough consensus to drop v3 packets. Meanwhile there is no
> WG anymore because the IETF decided that OpenPGP has been done.
>
> The outcome of a v5 key format discussion was to wait for SHA-3 and then
> to start the discussion again.
>
>

You have *knowingly* distributed vulnerable warez for a long time?



nicholas.cole at gmail

Jun 25, 2012, 1:19 AM

Post #5 of 8 (286 views)
Re: The two V3 attacks [In reply to]

On Mon, Jun 25, 2012 at 8:08 AM, Werner Koch <wk [at] gnupg> wrote:
> On Mon, 25 Jun 2012 07:22, guninski [at] guninski said:
>
>> If they are not new, why are they not fixed yet?
>
> There was no rough consensus to drop v3 packets.  Meanwhile there is no
> WG anymore because the IETF decided that OpenPGP has been done.
>
> The outcome of a v5 key format discussion was to wait for SHA-3 and then
> to start the discussion again.

Fortunately, that may be as early as the end of this year:

http://csrc.nist.gov/groups/ST/hash/timeline.html

As an aside: one of the problems of any key system is that the
security advantages of changing keys often (and using new formats)
have to be weighed against the inconvenience of distribution and
re-certification.

Best wishes,

N.



rjh at sixdemonbag

Jun 25, 2012, 1:52 AM

Post #6 of 8 (287 views)
Re: The two V3 attacks [In reply to]

On 06/25/2012 03:32 AM, Georgi Guninski wrote:
> You have *knowingly* distributed vulnerable warez for a long time?

Listen, I'm about as strident of a "PGP 2.6 and V3 must both die" voice
as they come. If I were any stronger on the subject I'd be ending each
email with the sigline "MD5, PGP 2.6 et V3 delenda est!" [1] But even
then, I think this statement is way overdone.

PGP 2.6 support, MD5 in general, and V3 keys are all inferior
technologies that should have been replaced a long time ago. However,
there's still a need to read existing files that predate these attacks
and there's still a need to provide a migration path from the
known-vulnerable to the believed-good. Any system that provides both
migration tools and read support for PGP 2.6 is going to fall under your
definition of "vulnerable warez."

Me, I call it providing a migration path and support for interoperating
with legacy systems, while loudly begging, pleading, cajoling and
pathetically whining in the hopes that people will stop using these old
systems.

[1] http://en.wikipedia.org/wiki/Carthago_delenda_est



--
Robert J. Hansen <rjh [at] sixdemonbag>
MD5, PGP 2.6 et V3 delenda est!



wk at gnupg

Jun 25, 2012, 2:17 AM

Post #7 of 8 (284 views)
Re: The two V3 attacks [In reply to]

On Mon, 25 Jun 2012 09:32, guninski [at] guninski said:

> You have *knowingly* distributed vulnerable warez for a long time?

Do you mean the v5 format or the use of MD5 (i.e. PGP2-compatible v3
keys)?

The v5 format will allow migrating from a SHA-1 fingerprint to a
SHA-{2,3} fingerprint. It will take many years but there is likely
enough time left. We currently don't expect to see a SHA-1 second
pre-image any time soon. Collision attacks on the fingerprint
might have some bad consequences but they won't lower the security
of the signatures. New keys use SHA-2 for signatures - this is in
contrast to PGP2 which uses MD5 for everything.

Waiting for the outcome of the SHA-3 competition is just the Right Thing
to do given that there are no SHA-1 attacks on the horizon.

Regarding the v3 format: Well, I'd love to drop it and actually we now
agreed to implement that as the default - along with an option to revert
this default.


Shalom-Salam,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.




wk at gnupg

Jun 25, 2012, 7:31 AM

Post #8 of 8 (284 views)
Re: The two V3 attacks [In reply to]

On Mon, 25 Jun 2012 11:17, wk [at] gnupg said:

> Regarding the v3 format: Well, I'd love to drop it and actually we now
> agreed to implement that as the default - along with an option to revert
> this default.

There is now a new branch "disallow-v3-keys" which implements the v3
removal for 2.1.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

