Date: Fri, 31 Aug 2018 22:25:50 +0200
Subject: Re: Travis CI MITM RCE

On 31.08.2018 14:18, wrote:
>> I agree about the "key ID" part, but not about the "fingerprint" part.
>> Pinning a cryptographic hash over a public key isn't a security
>> antipattern by any stretch of the imagination. Sure, you could argue that
>> the SHA-1 used by GPG isn't state-of-the-art anymore, but we're not
>> talking about collision attacks, but second preimage attacks. Far worse
>> for the attacker.
> True, yes, harder to brute-force an identical private key, than a key with an identical fingerprint.

Hmm, not so sure. Let's say we're talking about RSA-4096, then we have a
security level of around 144 bit. Bruteforcing a second preimage SHA-1
(pretending it's an ideal hash function for a second) would have
complexity of around 159 bit. I.e., even for RSA-4096, it would be
easier to create the *identical* private key by factoring the modulus
(thus obviously creating a keypair with the identical fingerprint) than
just randomly generating keypairs and checking their private key hash.

I.e., my point was that for a given key that's uploaded with a fixed
fingerprint, we're not talking about 2^(b/2) collision complexity, but
2^(b-1) second preimage complexity.

> However, if someone hadn't considered the possibility of a SHA1 collision attack, and a signature verification fails, despite the fingerprint they see matching, what % of GPG users would skip signature verification?
> Perhaps due to confusion/self-doubt/inexperience/other.
> Admittedly, this could be stepping into the realm of social engineering.

I think the attacker model that Daniel referred to was that someone
states "my key's fingerprint is XYZ" and someone downloading a forged,
same-fingerprint key from the keyserver.


"A PC without Windows is like a chocolate cake without mustard."
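As an added example (not part of the original post, and not GnuPG's own code), the following Python computes a v4 OpenPGP fingerprint the way RFC 4880 section 12.2 defines it (SHA-1 over 0x99, a two-octet length and the public-key packet body), derives the 64-bit and 32-bit key IDs as the low-order bits of that fingerprint, and implements the pin check the thread argues for: the verifier must be given the full 160-bit fingerprint, not a key ID. The modulus, creation time and key parameters below are constructed placeholders, not a real key; the attack-cost helper restates the generic 2^(b/2) collision and 2^(b-1) second-preimage figures from the message.

```python
import hashlib
import hmac
import struct


def encode_mpi(value: int) -> bytes:
    """OpenPGP MPI (RFC 4880 s3.2): two-octet bit length, then big-endian magnitude."""
    if value < 0:
        raise ValueError("MPI values are non-negative")
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet for RSA (public-key algorithm 1):
    version octet, 4-octet creation time, algorithm octet, MPI n, MPI e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + encode_mpi(n) + encode_mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 s12.2: fingerprint = SHA-1(0x99 || two-octet body length || body)."""
    if len(body) > 0xFFFF:
        raise ValueError("v4 fingerprints use a two-octet packet length")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fpr: str) -> str:
    """64-bit key ID = low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return fpr[-16:]


def short_key_id(fpr: str) -> str:
    """32-bit key ID = low-order 32 bits; only 2^32 work to collide, never pin on this."""
    return fpr[-8:]


def fingerprint_matches_pin(body: bytes, pinned: str) -> bool:
    """Pin check over the whole fingerprint. Rejects anything shorter than 40 hex
    digits so a caller cannot silently downgrade to pinning a key ID."""
    expected = pinned.replace(" ", "").upper()
    if len(expected) != 40 or any(c not in "0123456789ABCDEF" for c in expected):
        raise ValueError("pin must be a full 40-hex-digit v4 fingerprint, not a key ID")
    return hmac.compare_digest(v4_fingerprint(body).encode(), expected.encode())


def generic_attack_cost_bits(hash_bits: int) -> dict:
    """Work factor against an ideal b-bit hash: collision ~2^(b/2),
    second preimage ~2^(b-1). For SHA-1 (b=160) that is 80 and 159 bits."""
    return {"collision": hash_bits // 2, "second_preimage": hash_bits - 1}


# Constructed placeholder key material (NOT a real RSA key): a 2048-bit odd
# number and e=65537, with an arbitrary creation time.
CONSTRUCTED_N = (1 << 2047) | 0x1234_5678_9ABC_DEF1
CONSTRUCTED_E = 65537
CONSTRUCTED_CREATED = 1_535_750_000


def demo() -> dict:
    body = rsa_public_key_packet_body(CONSTRUCTED_N, CONSTRUCTED_E, CONSTRUCTED_CREATED)
    fpr = v4_fingerprint(body)
    return {
        "fingerprint": fpr,
        "long_key_id": long_key_id(fpr),
        "short_key_id": short_key_id(fpr),
        "pin_ok": fingerprint_matches_pin(body, fpr),
        "sha1_costs": generic_attack_cost_bits(160),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Pinning the 16-digit key ID instead of the 40-digit fingerprint is exactly the downgrade the check above refuses: a same-key-ID key costs the attacker 2^64 trials at most (2^32 for a short ID), while matching the full fingerprint is a second-preimage search on SHA-1.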
