Forging fingerprints/KeyID?

David Shaw dshaw at jabberwocky.com
Tue Nov 29 16:01:59 CET 2005


On Tue, Nov 29, 2005 at 06:00:32AM -0500, Atom Smasher wrote:
> On Mon, 28 Nov 2005, David Shaw wrote:
> 
> >On Tue, Nov 29, 2005 at 05:36:38AM +0100, Christoph Anton Mitterer wrote:
> >>Ah,.. thanks :-)
> >>So it should be completely enough to verify Name/eMail and the
> >>Fingerprint when signing another key,... and I don't have to compare
> >>creation date/keysize/algorithm/etc., right?
> >
> >Not unless you're signing a PGP 2.x (v3) key.
> ==================
> 
> how feasible would it be for an attacker to create a small (512 bit?) v4 
> key with the same key id as a target key (irrelevant of the size and 
> algorithm of the target key)?

It's pretty easy to create a short (eg, 99242560) key ID collision -
just generate keys over and over on a reasonably fast desktop machine
until you collide.  It's not yet realistic to create a long key ID
collision (eg, DB698D7199242560) intentionally, though it does happen
every now and then by accident.  It's currently completely out of the
question to intentionally create a colliding v4 fingerprint.  To do so
would imply a total break of SHA-1, in which case we have other
problems.  Note that even MD5 isn't broken to that extent.

> it may not be practical today to do this with a fingerprint collision, but 
> i subscribe to the theory that it doesn't hurt to check the size and 
> algorithm of keys before signing them.

It doesn't hurt, but it doesn't help either.  Actually, it's not true
that it doesn't hurt - it does hurt a little if people start to believe
that this actually protects them in a meaningful way.  It's important
to be honest with yourself.

David
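
Added example, not part of the original message: a sketch of how a v4 fingerprint and the long and short key IDs mentioned above are derived (RFC 4880 section 12.2), showing that the hash covers the creation time, algorithm and key material and that both key IDs are truncations of it. The helper names and the sample key values are constructed for illustration and are not real keys.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def rsa_v4_body(created: int, n: int, e: int) -> bytes:
    """v4 public-key packet body: version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body."""
    if body[:1] != b"\x04":
        raise ValueError("not a v4 public-key packet body")
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()

def long_key_id(fpr: str) -> str:
    return fpr[-16:]  # low 64 bits of the fingerprint

def short_key_id(fpr: str) -> str:
    return fpr[-8:]   # low 32 bits of the fingerprint

def matches(expected: str, body: bytes) -> bool:
    """Accept only a full 160-bit fingerprint as the reference value."""
    want = expected.replace(" ", "").upper()
    if len(want) != 40:
        raise ValueError("compare the full fingerprint, not a key ID")
    return want == v4_fingerprint(body)

# Constructed sample values: N is an arbitrary 512-bit odd integer, not a real modulus.
N = (1 << 511) | 0x1234567
KEY_A = rsa_v4_body(1133276519, N, 65537)
KEY_B = rsa_v4_body(1133276520, N, 65537)  # same material, creation time one second later

if __name__ == "__main__":
    for body in (KEY_A, KEY_B):
        f = v4_fingerprint(body)
        print(f, long_key_id(f), short_key_id(f))
```

KEY_A and KEY_B differ only in creation time yet produce different fingerprints, so a matching v4 fingerprint already pins the fields asked about in the quoted question.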


