ietf-openpgp

Re: Hard expiration dates (was: I-DACTION:draft-ietf-openpgp-rfc2440bis-07.txt)

2003-03-25 04:05:27

On Mon, Mar 24, 2003 at 02:10:40PM -0800, Jon Callas wrote:
> On 3/24/03 9:07 AM, "Michael Young" <mwy-opgp97(_at_)the-youngs(_dot_)org>
> wrote:
>> Jon Callas noted:
>>
>>> The V4 fingerprint *includes* the creation time of the key, which is in most
>>> people's opinion, a flaw.
>>
>> Could you say why people thought this was a flaw?
>
> [...]
> Here's the central question: If Alice and Bob each have a key that by some
> coincidence share the same key material, should their keys have the same
> fingerprint?
> [...]
> Suppose Bob takes the key material from Alice's key, and makes a new key
> (which he doesn't have the private key to), and claims that one of Alice's
> signatures is actually his own. There is no easy way to figure out what's
> going on. If the fingerprints were the same, it'd be a snap.

Having the fingerprint depend solely on the key would not totally rule
out this kind of attack, however.  It's still easy to derive related
keys such that at least some signatures remain valid.  (For DSA,
inverting the public key value  y  modulo  p  will yield a new public
key value for which 50% of signatures are still valid, namely those
for which the exponent of  y  in the verification equation is even.
Also I wouldn't want to rely on all software rejecting MPIs with extra
leading zeros -- an easy approach to creating an equivalent but
differently looking key is to represent the key differently without
actually changing the values.)

There may be signature schemes designed to avoid the "key stealing"
attack that you described, but this is not part of the usual security
notion for digital signatures, and certainly DSA is not safe in this
respect.  If you think that this is a flaw, then you should be aware
that changing the fingerprint algorithm does not avoid it; we'd also
have to pick appropriate signature schemes.

I don't really think that OpenPGP has a problem here.  (Bob's key with
Alice's key material won't have a valid self-signature anyway.)


-- 
Bodo Möller <moeller(_at_)cdc(_dot_)informatik(_dot_)tu-darmstadt(_dot_)de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
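The following toy DSA script is an added example and is not part of the thread or of any OpenPGP implementation; it checks the related-key observation made in the reply above and shows the two checks that catch it. The group parameters (p = 607, q = 101, g = 64), the private exponent, the messages and the nonce seed are all constructed here and provide no security. I read "inverting y modulo p" as the additive inverse y' = p - y: that is the reading under which the even-exponent condition follows, since verification raises y' to the power u2 and (-1)^u2 = 1 exactly when u2 is even. The function and variable names are my own.

```python
"""Toy DSA used to check the related-key observation from the thread above.

Everything here is constructed for illustration: tiny parameters, a fixed
seed, no OpenPGP packet format.  The point is to see which of Alice's
signatures still verify under the related key y' = p - y, and which
checks reject that key.
"""
from __future__ import annotations

import hashlib
import random

# Constructed toy group: q divides p - 1, and g generates the order-q subgroup.
P, Q = 607, 101                 # 607 = 6 * 101 + 1; both are prime
G = pow(2, (P - 1) // Q, P)     # = 64, which has order 101 mod 607


def hash_mod_q(message: bytes) -> int:
    """Hash the message and reduce into Z_q (toy analogue of DSA's H(m))."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def keygen(x: int) -> int:
    """Public key y = g^x mod p for a private exponent x in [1, q-1]."""
    return pow(G, x, P)


def sign(x: int, message: bytes, rng: random.Random) -> tuple[int, int]:
    """Textbook DSA signature (r, s); retries if r or s comes out zero."""
    h = hash_mod_q(message)
    while True:
        k = rng.randrange(1, Q)
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if r != 0 and s != 0:
            return r, s


def verify(y: int, message: bytes, sig: tuple[int, int]) -> bool:
    """Textbook DSA verification with no validation of the public key y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (hash_mod_q(message) * w) % Q
    u2 = (r * w) % Q            # the exponent that is applied to y
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def y_exponent(message: bytes, sig: tuple[int, int]) -> int:
    """The exponent u2 that verification applies to y (for the analysis)."""
    r, s = sig
    return (r * pow(s, -1, Q)) % Q


def in_subgroup(y: int) -> bool:
    """Public-key validation: y must lie in the order-q subgroup of Z_p^*.

    y' = p - y = -y never passes, because (-y)^q = -(y^q) = -1 for odd q.
    """
    return 1 < y < P and pow(y, Q, P) == 1


def related_key_experiment(n: int = 200, seed: int = 2003) -> dict:
    """Sign n messages under Alice's key, then re-verify under y' = p - y."""
    rng = random.Random(seed)
    x = rng.randrange(1, Q)     # Alice's private exponent (constructed)
    y = keygen(x)
    y_neg = (P - y) % P         # the related key; it has no private key at all
    results = []
    for i in range(n):
        msg = b"constructed message %d" % i
        sig = sign(x, msg, rng)
        assert verify(y, msg, sig)          # sanity: genuine key verifies
        even = y_exponent(msg, sig) % 2 == 0
        results.append((even, verify(y_neg, msg, sig)))
    return {
        "fraction_valid_under_related_key": sum(v for _, v in results) / n,
        "every_even_exponent_signature_valid":
            all(v for even, v in results if even),
        "some_odd_exponent_signature_invalid":
            any(not v for even, v in results if not even),
        "related_key_passes_subgroup_check": in_subgroup(y_neg),
        "real_key_passes_subgroup_check": in_subgroup(y),
    }


if __name__ == "__main__":
    for name, value in related_key_experiment().items():
        print(f"{name}: {value}")
```

Running it shows roughly half of Alice's signatures verifying under y' (all of those with even u2, plus the rare odd-u2 case where r happens to equal 2^-1 mod q), which is what the reply claims and why a key-only fingerprint would not settle the question by itself. It also shows the two things a verifier can rely on instead: y' is not in the order-q subgroup, so the public-key validation step that FIPS-style implementations perform rejects it outright, and since y' has no discrete logarithm base g, nobody can produce a self-signature for it, which is the check the reply points to.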