ietf-openpgp

Re: OpenPGP mail/news header

2005-01-16 23:03:27
On Sunday 16 January 2005 21:00, Simon Josefsson wrote:
> > > The reason was supposedly that with v3 keys, you are subject to something
> > > called the 0xDEADBEEF attack, where I infer that keys can be created
> > > easily with any given key id.  The attack is not possible with v4
> > > keys.  Someone said the attack is harder for v3 keys if you also
> > > compare the key size, key algorithm and creation time.
> >
> > There are actually two different attacks.  It is trivial to create a
> > V3 key with any key ID you like.  That's the 0xDEADBEEF attack.  There
> > is a different attack altogether (but lacking a catchy name), which is
> > against the V3 fingerprint.  Since the V3 fingerprint consists of the
> > RSA values n and e, but not their lengths, you can do tricks with
> > 'sliding' bits from one into the other.  The end result is a
> > constructed V3 key with the same fingerprint as the 'victim' V3 key.
> > The trick is that such a constructed key will always have a different
> > size than the original key.
>
> Thanks for explaining this, I finally understand.  So it seems
> "created" never helps to mitigate any attacks.  Only size does (and
> from your description, perhaps also algo).

Actually: only V4 helps. Everything else with V3 can (theoretically, as
unlikely as it is) be changed during transmission (length, timestamps,
etc.) without the recipient noticing, since the fingerprint does not
change (well, with recent advances against MD5 even the V3 key material
cannot be considered secure any more).



        Konrad
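
Added example, not part of the original message: a Python sketch of what each fingerprint actually hashes, showing why the V3 fingerprint stays the same when the n/e boundary or the creation time changes while the V4 fingerprint does not. The byte patterns and timestamp are constructed for illustration and are not usable RSA keys; the names `RsaPublicKey`, `ORIGINAL`, `SHIFTED` and `REDATED` are assumptions of this example.

```python
import hashlib
from typing import NamedTuple

class RsaPublicKey(NamedTuple):
    created: int  # creation time, seconds since the epoch
    n: int        # RSA modulus
    e: int        # RSA public exponent

def raw(value: int) -> bytes:
    """Big-endian magnitude with no leading zero bytes (an MPI body)."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def mpi(value: int) -> bytes:
    """Full OpenPGP MPI: two-byte bit count, then the body."""
    return value.bit_length().to_bytes(2, "big") + raw(value)

def v3_fingerprint(key: RsaPublicKey) -> str:
    # MD5 over the bodies of n and e only: no lengths, no timestamp.
    return hashlib.md5(raw(key.n) + raw(key.e)).hexdigest()

def v3_key_id(key: RsaPublicKey) -> str:
    # A V3 key ID is simply the low 64 bits of the modulus.
    return raw(key.n)[-8:].hex()

def v4_fingerprint(key: RsaPublicKey) -> str:
    # SHA-1 over 0x99, a two-byte length and the whole key packet body:
    # version, creation time, algorithm (1 = RSA), then n and e as full MPIs.
    body = (b"\x04" + key.created.to_bytes(4, "big") + b"\x01"
            + mpi(key.n) + mpi(key.e))
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()

# Constructed byte patterns, not usable RSA keys.
N_BYTES = b"\xc3" + b"\x5a" * 62 + b"\xef"
E_BYTES = b"\x01\x00\x01"
STREAM = N_BYTES + E_BYTES
ORIGINAL = RsaPublicKey(1105916607, int.from_bytes(N_BYTES, "big"),
                        int.from_bytes(E_BYTES, "big"))
# Same byte stream, boundary between n and e moved one byte to the left.
SHIFTED = RsaPublicKey(ORIGINAL.created, int.from_bytes(STREAM[:63], "big"),
                       int.from_bytes(STREAM[63:], "big"))
# Same n and e, different creation time.
REDATED = ORIGINAL._replace(created=ORIGINAL.created + 86400)

if __name__ == "__main__":
    for name, key in (("original", ORIGINAL), ("shifted", SHIFTED),
                      ("redated", REDATED)):
        print(name, key.n.bit_length(), v3_key_id(key),
              v3_fingerprint(key), v4_fingerprint(key))
```

All three variants print the same V3 fingerprint and three different V4 fingerprints; the shifted variant is 504 bits rather than 512, matching the remark in the quoted text that a constructed key always differs in size.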
