[52478] in Cypherpunks
PGP key spoofing
daemon@ATHENA.MIT.EDU (Christopher Creutzig)
Fri Mar 22 04:57:05 1996
To: best-of-security@suburbia.net, pgp-friends@fiction.pb.owl.de,
cypherpunks@toad.com
From: christopher@nescio.zerberus.de (Christopher Creutzig)
Date: Tue, 19 Mar 1996 10:40:57 +0100
Hello, everybody,
(Please note that I sent this to several mailinglists at once. I am not=20
subscribed to cypherpunks any longer, so I won't see any replies there.)
I think I have realized a serious flaw in PGPs key-handling. This may=20
lead to people using and signing bogus keys despite the usual security=20
measures.
The problem is that PGP fails to differentiate between two keys sharing=20
the same 64-bit-Key-ID. It is not a real problem to generate a key with a=
=20
given key-ID (just take a prime, invert the desired key-ID modulo this=20
prime and look for another prime whose lower bits are the same as in the=20
number you just calculated), so the following attack would be possible:
- Get the real key you wish to mimic.
- Generate a fake key with the correct IDs.
- Send your bogus key to a person of which you know that
- This person does not have the correct key yet.
- This person is going to meet the correct key's owner.
If the owner of the correct key does not give a fingerprint, but rather=20
a disk with the correct key to the person you are trying to fool, his or=20
her pgp won't ring alarm bells when reading the key (apart from possibly=20
a failed signature), but rather will tell him the key is already there.=20
He will then, most probably, sign the bogus key without any further thoug=
ht.
Therefore, you should *always* check the fingerprint, even if you got=20
the real key, at least if it has no valid signature from its alleged=20
owner.
--=20
Christopher Creutzig # Im Samtfelde 19 # D-33098 Paderborn # V+49-5251-71=
873
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # =
#
Sammele Vorschl=E4ge zur Rettung vom Genitiv.
