suspicious key found

David Shaw dshaw at jabberwocky.com
Tue May 16 17:37:13 CEST 2017


On May 16, 2017, at 9:47 AM, Janne Inkilä <janne.inkila at iki.fi> wrote:
> 
> I did a key search for my name and found something suspicious.
> 
> The search:
> 
> https://pgp.mit.edu/pks/lookup?search=janne+inkila&op=index&fingerprint=on
> 
> I have used my old key since 2007. Fingerprint F4DB 40F8 BF22 8B9D 9B8F  F679 A482 4C9A 033E 22A2. I know this is quite an old key and maybe I should revoke it.
> 
> BUT
> 
> I also found another key with fingerprint 87C4 F4C8 16D1 3CC3 03E0 7977 1A9C 6259 033E 22A2. The key ID is the same, 033E 22A2, on both keys. There are also signatures on this key. Looks like the same person and the same key ID, but the fingerprints don't match. For some reason this key has been revoked.
> 
> Did someone really generate a same-looking key? And why? Any ideas? Is someone trying to capture my emails? I would like to see some sort of theory about what is going on, thanks :)

There are many such fake keys on the keyservers.  I have one as well.  It's trivial to forge the short (8 hex digit) key ID - just keep generating keys over and over until you match the lower 32 bits.  Note that the fingerprints do not match, as there is no (current) way to forge an entire fingerprint.

See https://evil32.com - they made the keys as a demonstration, but didn't upload them.  It's an excellent demonstration why people should never trust the short key ID for anything.

David
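A defender-side check for the situation above, added here as an example and not part of the original thread: it derives the short (32-bit) and long (64-bit) key IDs from the two fingerprints quoted in the message, parses a constructed `gpg --list-keys --with-colons` listing (assumed layout: fingerprint in field 10 of `fpr` records, validity flag in field 2 of the preceding `pub` record), and reports keys that share a short key ID while having different fingerprints. The listing, its key dates and the third key are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of `gpg --list-keys --with-colons` output. The first two
# fingerprints are the ones quoted in the thread; the third is a made-up key.
SAMPLE_COLONS = """\
pub:-:2048:1:A4824C9A033E22A2:2007-03-01:::-:::scESC:
fpr:::::::::F4DB40F8BF228B9D9B8FF679A4824C9A033E22A2:
pub:r:2048:1:1A9C6259033E22A2:2014-06-01:::-:::sc:
fpr:::::::::87C4F4C816D13CC303E079771A9C6259033E22A2:
pub:-:4096:1:0123456789ABCDEF:2016-01-01:::-:::scESC:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
"""

def normalize_fingerprint(fpr):
    """Strip the spaces gpg prints between groups and uppercase; reject non-v4."""
    s = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % fpr)
    return s

def short_key_id(fpr):
    return normalize_fingerprint(fpr)[-8:]    # low 32 bits: trivially forgeable

def long_key_id(fpr):
    return normalize_fingerprint(fpr)[-16:]   # low 64 bits: better, still not the fingerprint

def parse_fingerprints(colons):
    """Return (fingerprint, validity) pairs; validity 'r' marks a revoked key."""
    keys, validity = [], ""
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            validity = fields[1]
        elif fields[0] == "fpr":
            keys.append((normalize_fingerprint(fields[9]), validity))
    return keys

def find_short_id_collisions(fingerprints):
    """Map short key ID -> list of distinct fingerprints that share it."""
    groups = defaultdict(list)
    for fpr in fingerprints:
        groups[fpr[-8:]].append(fpr)
    return {kid: fprs for kid, fprs in groups.items() if len(fprs) > 1}

def is_same_key(expected_fpr, candidate_fpr):
    """The only trustworthy comparison: the full 160-bit fingerprint."""
    return normalize_fingerprint(expected_fpr) == normalize_fingerprint(candidate_fpr)

if __name__ == "__main__":
    keys = parse_fingerprints(SAMPLE_COLONS)
    for kid, fprs in find_short_id_collisions([f for f, _ in keys]).items():
        print("short ID %s is ambiguous: %s" % (kid, ", ".join(fprs)))
```

Run the parser on real `gpg --list-keys --with-colons` output to audit a keyring, and always pin the full fingerprint when configuring a correspondent's key.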