Samuel Thibault dijo [Wed, Aug 10, 2016 at 02:03:33PM +0200]: > And actually, moving to 64bit fingerprints by default is possibly not a > good idea: who knows when 64bit will not be secure any more? Estimating > very roughly, if a 32bit collision can be found within a few seconds > with one GPU now as evil32 seems to show, a supercomputer with 10000 > GPUs can find a 64bit collision within a month... > > Really, only signature paths should be looked at by people, and it seems > like we are tending to let people think 64bit fingerprints are "secure".
That's the reason why a key by itself means little, but we do place value on the web of trust around it. If a given 64-bit keyid takes a month to generate¹, and the uploading developers keyring is somewhere around the 820 keys (from which around 700 make up the strong set), it would still take ~60 years to generate our full strong set of evil twins. This is not trivial time. Of course, Evil32 started aided with the power of numbers — It's not that they search to make a evil-twin of every 32-bit keyid, but that they generate keys as fast as they can, and just discard any key not matching an existing keyid. The keyserver network currently carries over 4.3 million keys, so roughly one every thousand generated keys will match *something*¹. Of course, Evil32 is interested in the keyservers' strong set, which I guess will be way smaller (but have no numbers to back my hopes). I believe we are safe to use 64-bit keys *for the time being*. Of course, nobody will imply that it's as safe to use 64-bit as 160-bit. We should end accepting that human-usable keyids are not worth their salt and move to full-fingerprint. But there are many things to fix before that... Among them (and I might be mistaken here) the PGP key format itself, as AFAICT signatures are stored based on their long keyid (and not on full hashes)! -- ¹ Yes, the keyserver network carries several already collided keys — Such as the ones that prompted this thread!