[52492] in Cypherpunks
Re: PGP key spoofing
daemon@ATHENA.MIT.EDU (Hal)
Fri Mar 22 12:36:47 1996
Date: Fri, 22 Mar 1996 09:00:59 -0800
From: Hal <hfinney@shell.portal.com>
To: best-of-security@suburbia.net, christopher@nescio.zerberus.de,
cypherpunks@toad.com, pgp-friends@fiction.pb.owl.de

From: christopher@nescio.zerberus.de (Christopher Creutzig)
> I think I have realized a serious flaw in PGP's key-handling. This may
> lead to people using and signing bogus keys despite the usual security
> measures.
>
> The problem is that PGP fails to differentiate between two keys sharing
> the same 64-bit-Key-ID. It is not a real problem to generate a key with a
> given key-ID (just take a prime, invert the desired key-ID modulo this
> prime and look for another prime whose lower bits are the same as in the
> number you just calculated), so the following attack would be possible:

PGP checks specifically for the case of keys whose IDs match but the
keys themselves differ. It has always been obvious that keys can easily
be synthesized with given IDs. I added this warning in version 2.0
about four years ago, in the keyadd code:

"\n\007Warning: Key ID %s matches key ID of key already on
key ring '%s', but the keys themselves differ.
This is highly suspicious. This key will not be added to ring.
Acknowledge by pressing return: "

> If the owner of the correct key does not give a fingerprint, but rather
> a disk with the correct key to the person you are trying to fool, his or
> her pgp won't ring alarm bells when reading the key (apart from possibly
> a failed signature), but rather will tell him the key is already there.

As you can see, it does in fact literally ring an alarm bell - the "\007"
above is the ASCII bell character.

Disclaimer: I have not worked on PGP since version 2.0 so possibly my
code has been changed or eliminated, but I think that is unlikely.

Hal Finney
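
The key-add check described in the message above, sketched as an added example (not part of the original post and not PGP's source code). It assumes PGP 2.x RSA keys, whose 64-bit key ID is the low 64 bits of the modulus; the class and function names are hypothetical and the sample "keys" are constructed integers, not valid RSA moduli.

```python
# Added illustration, not PGP source code. Assumes PGP 2.x RSA keys, whose
# 64-bit key ID is the low 64 bits of the modulus n.
from dataclasses import dataclass, field

KEY_ID_MASK = (1 << 64) - 1


@dataclass(frozen=True)
class PublicKey:
    n: int  # RSA modulus
    e: int  # RSA public exponent

    @property
    def key_id(self) -> int:
        return self.n & KEY_ID_MASK


@dataclass
class KeyRing:
    name: str
    keys: dict = field(default_factory=dict)  # key_id -> PublicKey

    def add(self, key: PublicKey) -> str:
        """Return 'added', 'already-present' or 'rejected-id-collision'."""
        existing = self.keys.get(key.key_id)
        if existing is None:
            self.keys[key.key_id] = key
            return "added"
        if existing == key:
            # Same ID and same key material: a harmless re-import.
            return "already-present"
        # Same ID, different key material: refuse and keep the original.
        print(f"\aWarning: Key ID {key.key_id:016X} matches key ID of key "
              f"already on key ring '{self.name}', but the keys themselves differ.")
        return "rejected-id-collision"


# Constructed sample values: arbitrary integers, not valid RSA moduli.
LOW64 = 0x1122334455667788
genuine = PublicKey(n=(0xA5A5 << 64) | LOW64, e=17)
lookalike = PublicKey(n=(0x5A5A << 64) | LOW64, e=17)  # same low 64 bits
unrelated = PublicKey(n=(0xA5A5 << 64) | 0x0102030405060708, e=17)

if __name__ == "__main__":
    ring = KeyRing("pubring.pgp")
    for k in (genuine, genuine, lookalike, unrelated):
        print(ring.add(k))
```

The point to take from the three outcomes is that "already on the ring" is decided by comparing the full key material, never the key ID alone.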