Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 30 Dec 2014 18:23:51 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: tedu@...unangst.com
Subject: Re: OpenBSD signify and "fingerprint"

On Mon, Dec 29, 2014 at 02:09:20PM +0100, Florian Weimer wrote:
> This is just a warning that what OpenBSD's signify tool calls a
> “fingerprint” is very different from the concept of a fingerprint in
> OpenPGP.  It is just a random 64-bit blob with no relationship to the
> raw public key used for signing.  Conceptually, it is similar to the
> OpenPGP key ID (it is used as a quick check that public key and
> signature match), except that it is even more trivial to forge.
> 
> Fortunately, typical usage patterns of the signify tool do not expose
> the fingerprint to the user, so there is no immediate temptation to
> use it for validating a key (which is the primary use case for
> fingerprints in OpenPGP).  It is also short (64 bits) and thus not
> very secure to the initiated, no matter how it is computed, but I'm
> not fully convinced that this is a sufficient deterrent.
> 
> Maybe a different term instead of “fingerprint” could be used to
> reduce the potential for confusion.  Something like “key number” or
> “key slot” might be appropriate (because these terms do not confer any
> identifying property).

To echo what Ted said, the signify trust model never encompassed key
metadata (including the "fingerprint"). Nonetheless, I found
fingerprints helpful with organizing my own keys so it's a bit
disappointing to see the inspect feature go the way of the dodo.

In retrospect, there's no reason the "fingerprint" (or whatever label)
couldn't have been tied to the key itself (e.g. lowest X bits of
pubkey.pubkey or sha256({pubkey.pubkey, time(NULL)}) rather than 8
random bytes. This probably would have been more useful and more aligned
with OpenPGP.

Unfortunately, key/signature structure members have fixed lengths so
there's no way clean way to make that simple change without breaking
backwards compat unless signify sticks to 64 bits.

Regardless, for those using my *nix signify port
(http://sf.net/projects/slackdepot/files/signify/), the latest tarball
"signify-portable-20141230.tar.bz2" incorporates OpenBSD's most recent
changes (i.e. removal of inspect feature and renaming of fingerprint to
keynum).

--mancha

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.