I just checked over my notes about back-signatures, and there was a
second proposal to solve the same problem. For completeness, here is
the other proposal.
To repeat the problem: it is possible for an attacker to take a
signing subkey from a victim's key and attach this signing subkey to
the attacker's own key. The attacker does this by issuing a new
binding signature on the subkey from his own primary key. The end
result is that a signature issued by this signing subkey may be
claimed to be from either the attacker or the victim.
Second proposed solution: on all signatures issued by a signing
subkey, include a copy of the fingerprint of the primary key that
"owns" this subkey. An attacker cannot issue signatures from the
stolen subkey at all, so is foiled.
The details:
1) Define a new type of signature subpacket that consists of a
fingerprint.
2) Include it, as a hashed subpacket, on all signatures issued by a
signing subkey. (It must be hashed to be effective.)
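To make the two verifications concrete, here is an added Python model of the proposal (example code, not OpenPGP code and not from this post): signatures use a toy one-time Lamport scheme over SHA-256, a fingerprint is a hash of the public key, and the hashed subpacket is modelled by prepending the owner's fingerprint to the signed data. It shows the attacker's rebinding of the subkey being rejected, while an old-style check that ignores the subpacket would accept it.

```python
import os
from hashlib import sha256

# Toy one-time (Lamport) signature over a SHA-256 digest: each key signs once.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a).digest(), sha256(b).digest()) for a, b in sk]
    return sk, pk
def bits(msg):
    d = int.from_bytes(sha256(msg).digest(), "big")
    return [(d >> i) & 1 for i in range(256)]
def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]
def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        sha256(s).digest() == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))
def fingerprint(pk):
    return sha256(b"".join(a + b for a, b in pk)).digest()

def bind_subkey(primary_sk, primary_pk, sub_pk):
    # Subkey binding signature: the primary key signs (its own fpr || subkey fpr).
    return sign(primary_sk, fingerprint(primary_pk) + fingerprint(sub_pk))

def subkey_sign(sub_sk, owner_pk, data):
    # Proposed hashed subpacket: the owning primary's fingerprint, covered by the hash,
    # so it cannot be stripped or replaced without invalidating the signature.
    fpr = fingerprint(owner_pk)
    return {"primary_fpr": fpr, "sig": sign(sub_sk, fpr + data)}

def verify_claim(primary_pk, sub_pk, binding, data, sig, check_fpr=True):
    # Check 1: the claimed primary key really did bind this subkey.
    if not verify(primary_pk, fingerprint(primary_pk) + fingerprint(sub_pk), binding):
        return False
    # Check 2: the subkey signed the data together with the hashed subpacket.
    if not verify(sub_pk, sig["primary_fpr"] + data, sig["sig"]):
        return False
    # Check 3 (the proposal): the subpacket must name the claimed primary key.
    return sig["primary_fpr"] == fingerprint(primary_pk) or not check_fpr

def demo():
    victim_sk, victim_pk = keygen()
    sub_sk, sub_pk = keygen()
    attacker_sk, attacker_pk = keygen()
    data = b"constructed sample message"
    victim_binding = bind_subkey(victim_sk, victim_pk, sub_pk)
    sig = subkey_sign(sub_sk, victim_pk, data)  # the victim signs with the subkey
    stolen_binding = bind_subkey(attacker_sk, attacker_pk, sub_pk)  # attacker rebinds it
    return (verify_claim(victim_pk, sub_pk, victim_binding, data, sig),
            verify_claim(attacker_pk, sub_pk, stolen_binding, data, sig),
            verify_claim(attacker_pk, sub_pk, stolen_binding, data, sig, check_fpr=False))
```

demo() returns (True, False, True): the victim's claim verifies, the attacker's claim fails only because of the fingerprint check, and a verifier without that check would accept it.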
Comments:
1) Unlike the subkey-signs-primary-key solution, old signatures issued
before this back-signature protection became available are NOT
automatically protected.
2) Like the other solution, this does not require generating a new
subkey.
3) Like the other solution, this uses a signature subpacket so there
should be no backward compatibility problems.
4) This is simpler than the other solution in several ways (for one,
less code to implement it; for two, it does not require the key to be
modified and redistributed).
5) This is likely to be faster than the other solution, as it only
requires two signature verifications (the data in question plus the
subkey binding signature) rather than three (the data in question,
the subkey binding signature, and the back-signature).
6) It will no longer be possible to issue a v3 signature from a
signing subkey. I don't see this as a major problem since the
older programs that don't understand v4 signatures don't
understand signatures from signing subkeys anyway.
Comparing the two proposals seems to be a wash. Back-signatures are a
bit slower, but protect existing signatures. Including a fingerprint
is a bit faster, but does not protect existing signatures.
Perhaps speed and simplicity should win out here. Speaking as someone
who regularly uses a signing subkey, I don't particularly care if my
old signatures are protected or not. I obviously can't speak for
everyone using a signing subkey though.
Again, comments welcome.
David