gpg --recv-key option
L. Sassaman
rabbi@quickie.net
Sun, 26 Mar 2000 13:30:26 -0800 (PST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sun, 26 Mar 2000, Trevor Smith wrote:
>
> Here's a related question: what is the likelihood of a PGP/GPG key's
> fingerprint matching the fingerprint of another key? (This, of
> course, is a question about a 3rd party's ability to create a new,
> fake, key with the same fingerprint to stage a "man in the middle"
> attack.)

It is extremely unlikely, however possible, that two keys would share the
same fingerprint. Obviously, the key data is larger than the fingerprint
data, so overlaps are theoretically possible.

However, other than brute-force generation of keys to match an existing
key, an attacker would not be able to do what you propose... unless, of
course, the hash algorithm is flawed. Neither SHA-1 (required if the key
is DSS) nor RIPEMD160 has any known attacks against it. MD5 has been
proven to be insecure.

Of course, the birthday attack scenario is always an issue with
hashes... so if you are just looking to generate two keys that share a
fingerprint, your task is much easier than matching the fingerprint of an
existing key.

To date, there are no accidental (or known intentional) fingerprint
overlaps.

__
L. Sassaman
System Administrator | "All of the chaos
Technology Consultant | Makes perfect sense..."
icq.. 10735603 |
pgp.. finger://ns.quickie.net/rabbi | --Joe Diffie
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1d (GNU/Linux)
Comment: OpenPGP Encrypted Email Preferred.
iD8DBQE43oF6PYrxsgmsCmoRAsrfAJ4llGA5aA0L5CI+JKcj1Qh+aNQR0wCfdYsh
OfCrOAtbTuQX/dEwLiMVtlQ=
=wkpP
-----END PGP SIGNATURE-----
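
The difference the message draws between two keys that merely share a fingerprint and a key that matches an existing fingerprint, as an added example (not part of the original post). It assumes the OpenPGP v4 fingerprint construction (SHA-1 over 0x99, a two-byte length and the key packet body), uses constructed stand-in packet bodies rather than real keys, and truncates the fingerprint to 16 bits so both searches finish quickly; all function names are hypothetical.

```python
import hashlib
import itertools
import struct

def v4_fingerprint(body: bytes) -> bytes:
    """OpenPGP v4 fingerprint: SHA-1 over 0x99, 2-byte length, key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def stand_in_key(n: int) -> bytes:
    """Constructed stand-in for a public-key packet body (not a usable key):
    version 4, creation time 0, algorithm 17 (DSA), then n as filler bytes."""
    return b"\x04" + struct.pack(">I", 0) + b"\x11" + n.to_bytes(16, "big")

def short_fp(n: int, bits: int) -> int:
    """First `bits` bits of the fingerprint of stand-in key n."""
    return int.from_bytes(v4_fingerprint(stand_in_key(n)), "big") >> (160 - bits)

def first_collision(bits: int):
    """Birthday case: any two stand-in keys sharing a truncated fingerprint."""
    seen = {}
    for n in itertools.count():
        fp = short_fp(n, bits)
        if fp in seen:
            return seen[fp], n
        seen[fp] = n

def first_match(bits: int) -> int:
    """Targeted case: a stand-in key matching the fingerprint of key 0."""
    target = short_fp(0, bits)
    for n in itertools.count(1):
        if short_fp(n, bits) == target:
            return n

if __name__ == "__main__":
    bits = 16
    a, b = first_collision(bits)
    print(f"{bits}-bit collision after {b + 1} keys (keys {a} and {b})")
    print(f"{bits}-bit match of key 0 after {first_match(bits)} keys")
    # Generic scaling for an ideal hash: about 2**(bits/2) keys for a
    # collision versus about 2**bits for a match, so roughly 2**80
    # versus 2**160 for a full 160-bit fingerprint.
```

Because any key that matches key 0 is also a collision, the collision search over the same sequence can never finish later than the targeted search.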