Hello,

given that it is now possible to generate arbitrary short key ID collisions[1], and that it's now computationally feasible to at least generate a pair of keys with colliding long key IDs, I'd like to rethink practices and tools.

In the spirit of "first get to do it, then document it, then automate it", I'd like to begin with a simple use case: so I received a gpg-signed email, can I trust it?

I'll write here my take on it and request your comments on it, to see if there are any gaps.

Take for example this file, and an empty keyring:

$ mkdir /tmp/keyring
$ chmod 0700 /tmp/keyring
$ echo "keyserver hkp://keys.gnupg.net" >> /tmp/keyring/gpg.conf
$ cat /tmp/testmessage
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Fri Jul 8 11:03:02 CEST 2016: this is a test message
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXf2xGAAoJEAPWVoyDcnWpzsoP/Aiw9y3D7qM/8aIjTuTakXG1
dbDi/7lIrWx2bvFFVAFY27q9l6UKF97nXym28ceatpPhYyeuUbSms12btY3kQ796
nEF81oLIHonayD6QOOSj2SrJIgl2B5oYSg/fxsq+bUBmcY9T3aHPsgGlSU7+to2b
ohv9D/Big3H2hWx0PPfhnLsCXLcNXFmUt83hsrrgUQvRA9oh7FjKBjbOYyLd4hBN
ejvnaf5PWuhPfWtK1mMpTEExn6V5i498+PxGojXLzapbtGEcybqfdvqlbtqii2LP
0dg4UwPnGdzZPUHHRbUwslLoPRb9KCspxlAE1U707NH+4Y3/4GMi/lhnfp/qxpMF
OKey0STi1pIJbn5SbG5GHlQD+1zbypelr4UnvOEZsYNcxkN1iduA5jL4IreQ2KqU
d/bVplK1w9i766ZgLI69A1TuRneKiRJTNur0UOwQZv0zonlGhIlSKi1IoMCtrKtN
jXTwALyUj5xUyNYAwqwR9I93wAcVVWzJbHB6DSCYa11AIkZV7Lnvz6A+dcNOdX21
3mhsjRqM5U28fBk5pdGj/MkjJyL4aegmzFBiImUQtV8gIL5HGmI2yxlLvIEx7O7z
PUrOKZLrHflCZ0kZOty5njnZ2ep2rRQNEdT4mD8SuKKt6vfpQdzUQxTZoRgOHYA2
Skl15idSonqVP370zzDf
=DKdd
-----END PGP SIGNATURE-----

gpg --verify tells me of a short key ID:

$ gpg2 --homedir /tmp/keyring/ --verify /tmp/testmessage
gpg: keybox '/tmp/keyring//pubring.kbx' created
gpg: Signature made Fri 08 Jul 2016 11:03:02 CEST using RSA key ID 837275A9
gpg: Can't check signature: No public key

I can switch to long key IDs, but I still get something that can match multiple keys:

$ echo "keyid-format long" >> /tmp/keyring/gpg.conf
$ gpg2 --homedir /tmp/keyring/ --verify /tmp/testmessage
gpg: Signature made Fri 08 Jul 2016 11:03:02 CEST
gpg: using RSA key 03D6568C837275A9
gpg: Can't check signature: No public key

So let's assume long key IDs give me only a false sense of security and go ahead without "keyid-format long".

I'll download the key used to sign the message:

$ gpg2 --homedir /tmp/keyring/ --recv 837275A9
gpg: /tmp/keyring//trustdb.gpg: trustdb created
gpg: key E7AD5568: public key "Enrico Zini <enr...@enricozini.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1

In this case I've been lucky, because there were no collisions on the short key ID of my signing subkey, but I cannot rely on having only the right key in the keyring at this point. For example:

$ gpg2 --homedir /tmp/keyring/ --recv A7457645
gpg: key A7457645: public key "Piotr Ozarowski <oza...@gmail.com>" imported
gpg: key A7457645: public key "Piotr Ozarowski <oza...@gmail.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg: imported: 2

Now that I have one or more keys, I can verify the message:

$ gpg2 --homedir /tmp/keyring/ --verify /tmp/testmessage
gpg: Signature made Fri 08 Jul 2016 11:03:02 CEST using RSA key ID 837275A9
gpg: Good signature from "Enrico Zini <enr...@enricozini.org>" [unknown]
gpg: aka "Enrico Zini <enr...@debian.org>" [unknown]
gpg: aka "Enrico Zini <enr...@truelite.it>" [unknown]
gpg: aka "Enrico Zini <enr...@enricozini.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1793 D6AB 7566 3E6B F104 953A 634F 4BD1 E7AD 5568
Subkey fingerprint: 1CC0 1267 007F ABE6 5846 6857 03D6 568C 8372 75A9

gpg2 tells me that the signature is Good (that is, the message is the same that has been signed and has not been tampered with), and it has been verified as having been made with the key 1793D6AB75663E6BF104953A634F4BD1E7AD5568.

I know that the message hasn't been tampered with, but it can still be a message from the attacker that generated the colliding key, so now I need to find out what I can tell about the owner of key 1793D6AB75663E6BF104953A634F4BD1E7AD5568.

I made an attempt at this at http://www.enricozini.org/blog/2016/debian/verifying-gpg-keys/

Enrico

[1] https://evil32.com/
[2] https://www.ietf.org/mail-archive/web/openpgp/current/msg07195.html
    https://github.com/coruus/cooperpair

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enr...@enricozini.org>
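As an added illustration of the point made in the post above (not code from the post or from GnuPG): the verification step can be automated against full fingerprints instead of key IDs by reading gpg's machine-readable status lines (`--status-fd`). The fingerprints of the real key are the ones gpg printed above; the "colliding" fingerprints, the status lines and the timestamp are constructed for the example, and the hkp keyserver step is assumed to have been done already.

```python
import subprocess

# Fingerprints as printed by gpg in the post above.
PRIMARY_FPR = "1793D6AB75663E6BF104953A634F4BD1E7AD5568"
SUBKEY_FPR = "1CC01267007FABE65846685703D6568C837275A9"

# Constructed fingerprints of a hypothetical colliding key: the subkey shares
# the last 16 hex digits (so the same long and short key ID) but is a
# different key under a different primary key.
COLLIDING_SUBKEY_FPR = "0A1B2C3D4E5F60718293A4B5" + "03D6568C837275A9"
COLLIDING_PRIMARY_FPR = "FFEEDDCCBBAA99887766554433221100FFEEDDCC"


def key_ids(fpr):
    """A v4 OpenPGP key ID is just the tail of the fingerprint: the last 16
    hex digits form the long key ID, the last 8 the short one."""
    return fpr[-16:], fpr[-8:]


def gpg_status_lines(path, homedir):
    """Run gpg --verify and return its machine-readable status lines
    (not exercised offline; shown for completeness)."""
    proc = subprocess.run(
        ["gpg2", "--homedir", homedir, "--status-fd", "1", "--verify", path],
        capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def verify_status(status_lines, trusted_primary_fprs):
    """Accept a signature only when gpg reports VALIDSIG and the primary key
    fingerprint it names is in our trusted set. Key IDs are never consulted,
    so a colliding key cannot pass. Returns (accepted, primary fingerprint)."""
    for line in status_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint; the last field is
            # the primary key fingerprint when gpg emits it.
            primary = fields[-1] if len(fields[-1]) == 40 else fields[2]
            return primary in trusted_primary_fprs, primary
    return False, None


# Constructed status output in the shape gpg emits for the post's message ...
REAL_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 03D6568C837275A9 Enrico Zini <enr...@enricozini.org>",
    "[GNUPG:] VALIDSIG " + SUBKEY_FPR + " 2016-07-08 1467968582 0 4 0 1 8 00 " + PRIMARY_FPR,
]
# ... and for a message signed with the constructed colliding key: GOODSIG
# shows the very same key ID and user ID, only the fingerprints differ.
COLLIDING_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 03D6568C837275A9 Enrico Zini <enr...@enricozini.org>",
    "[GNUPG:] VALIDSIG " + COLLIDING_SUBKEY_FPR + " 2016-07-08 1467968582 0 4 0 1 8 00 " + COLLIDING_PRIMARY_FPR,
]
```

The trusted set of primary fingerprints is the part that still has to be established out of band, which is exactly the question the post ends on.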