ietf-openpgp

Re: [openpgp] Followup on fingerprints

2015-07-31 13:31:19
On Fri, Jul 31, 2015 at 9:28 AM, Derek Atkins <derek(_at_)ihtfp(_dot_)com> 
wrote:

Daniel Kahn Gillmor <dkg(_at_)fifthhorseman(_dot_)net> writes:

At this point, any attempt to hold Mallet accountable is going to have to
rely on a human examining the logs and working out that Mallet must have
generated the malicious pair of keys. There is going to be no way to unwind
the thing automatically.

Why?  M1 and M2 are completely different fingerprints, unless you're
assuming that the x's are the same.  If the x's are the same that means
that Mallet has performed a 2^50 level attack to get 100 bits to match!
How long and how much energy does Mallet have to do this?  It's
certainly not something s/he is going to do over a long weekend!


Not with RSA keys. With ECC keys, different matter entirely.


Are there any other attacks we should be aware of due to failures of
collision resistance in the fingerprint?

I'll note that this attack isn't due to a failure of collision
resistance in the fingerprint.  It's an attack due to the application
(on top of OpenPGP) truncating the fingerprint and throwing away extra
data.


Which makes this a Security Consideration. If people build 'stuff' on
top of OpenPGP as a foundation then they have to understand what the
foundation is designed to support.

I think a 25 character / 125 bit fingerprint is going to be fine. BUT there
are two issues I don't want to come up. One is someone builds something
that depends on the fingerprints being collision resistant and blames it on
the spec. The second is that some yahoo works this out again in five years
time and writes a paper claiming to have 'broken' the spec.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
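
The truncation point raised in the thread, as an added example that is not part of the original message: an n-bit truncated fingerprint collides after roughly 2^(n/2) hashes (the 2^50 figure for 100 bits above), while the full values still differ, so an application that keeps and compares the full fingerprint can tell the two keys apart. Assumptions: SHA-1 over constructed strings stands in for a real key fingerprint, the truncation is 24 bits so the search finishes in a moment, and all function names are hypothetical.

```python
import hashlib
import hmac


def full_fp(key_material: bytes) -> bytes:
    """Stand-in for a 160-bit fingerprint: SHA-1 over constructed bytes."""
    return hashlib.sha1(key_material).digest()


def truncate(fp: bytes, bits: int) -> int:
    """Keep only the leading `bits` bits, as a truncating application would."""
    return int.from_bytes(fp, "big") >> (len(fp) * 8 - bits)


def find_truncated_collision(bits: int, limit: int = 1 << 20):
    """Birthday search over constructed inputs.

    Returns (input_a, input_b, hashes_computed) where the two inputs are
    distinct but share the same `bits`-bit truncated fingerprint.
    """
    seen = {}
    for i in range(limit):
        material = f"constructed-key-{i}".encode()  # constructed sample input
        short = truncate(full_fp(material), bits)
        if short in seen:
            return seen[short], material, i + 1
        seen[short] = material
    raise RuntimeError("no collision within limit")


def same_key(fp_a: bytes, fp_b: bytes, bits=None) -> bool:
    """Compare two fingerprints; bits=None compares the full values."""
    if bits is None:
        return hmac.compare_digest(fp_a, fp_b)
    return truncate(fp_a, bits) == truncate(fp_b, bits)


if __name__ == "__main__":
    a, b, work = find_truncated_collision(24)
    print(f"24-bit collision after {work} hashes (2^12 = {1 << 12})")
    print("truncated compare says same key:", same_key(full_fp(a), full_fp(b), 24))
    print("full compare says same key:     ", same_key(full_fp(a), full_fp(b)))
```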