ietf-openpgp

Re: [openpgp] Mining protection in fingerprint schemes

2016-04-07 10:09:49

On Apr 6, 2016, at 7:39 PM, Jon Callas <jon(_at_)callas(_dot_)org> wrote:

I don't get it. What problem are you trying to solve? Along with the previous 
note -- the fingerprint is in fact merely a hash of the key. It's a handle 
you can use in a database to identify the key with a fixed string. That's it.

The problem is that one of the most common uses of fingerprints in practice is 
to verify consistency.

A lot of the people I meet at conferences who use PGP at all tend to put their 
PGP key fingerprint on their business card.  People also put their PGP key 
fingerprints on their websites, etc.  Given the general unusability of the 
“web-of-trust” model as originally envisioned and the lack of any better form 
of effective PKI in the PGP ecosystem, this casual fingerprint verification 
often tends to be “the best we can do” in terms of actually ensuring that you 
have the key you think you have.

But when eyeball-verifying a fingerprint, how many people really look/compare 
beyond the first 10 digits or so?  Whether mentally or verbally, we’re all 
tempted just to say, “oh yeah, that’s the fingerprint that starts with …” and 
assume we’re done.

Which leaves a huge attack vulnerability, at least in principle (although I 
don’t know if it’s actually happened in practice).  Someone who wants to pass 
themselves off as me can simply spend a bit of time mining for a new PGP key 
whose fingerprint matches mine, or yours, in the first 10 digits or so, and 
perhaps the last few as well.  They post their key with my E-mail address on 
one or more PGP key servers, and people download it and assume it’s my key 
because it “looks like” the fingerprint on my business card or web site in the 
first and/or last digits, the only ones they actually look at.  They might not 
be able to fool everyone that way, but still it seems like a pretty serious 
concern.

The whole idea of providing some form of “mining-resistance” in a fingerprint 
scheme is to enable the key-owner to invest some effort at key-creation time, 
to ensure that any attacker who wants to try to mine for a key with a 
similar-looking fingerprint will have to invest a *lot* more time and effort, 
not just a little.

Does this make sense?

B


      Jon



_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
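
A check for the eyeball-verification failure described in this message, as an added example that is not part of the original post or of any OpenPGP implementation: it compares full fingerprints, flags a key that differs from the pinned one while agreeing on the leading or trailing digits a reader tends to skim, and reports how many bits of hashing work that agreement represents. The 40-hex-digit (v4) length, the `glance` threshold of 4 digits, and all fingerprints shown are assumptions constructed for illustration.

```python
# Added example; every fingerprint below is constructed, not a real key.
HEX = set("0123456789ABCDEF")

def normalize(fpr):
    """Return a 40-digit uppercase hex v4 fingerprint, or raise ValueError."""
    s = "".join(fpr.split()).replace(":", "").upper()
    if s.startswith("0X"):
        s = s[2:]
    if len(s) != 40 or not set(s) <= HEX:
        raise ValueError("need the full 40-hex-digit fingerprint, not a key ID")
    return s

def shared_edges(a, b):
    """Count hex digits that agree at the start and at the end."""
    a, b = normalize(a), normalize(b)
    head = 0
    while head < 40 and a[head] == b[head]:
        head += 1
    tail = 0
    while tail < 40 - head and a[-1 - tail] == b[-1 - tail]:
        tail += 1
    return head, tail

def work_bits(head, tail):
    """log2 of the expected hash trials needed to match that many hex digits."""
    return 4 * (head + tail)

def classify(expected, candidate, glance=4):
    """'match' only on full equality; 'lookalike' if the skimmed digits agree."""
    if normalize(expected) == normalize(candidate):
        return "match"
    head, tail = shared_edges(expected, candidate)
    return "lookalike" if head >= glance or tail >= glance else "different"

# Pinned fingerprint as printed on a card (constructed sample).
CARD = "8F3A 1C2D 4E5B 6A79 0B1C  2D3E 4F50 6172 8394 A5B6"
# Candidates as returned by a key server lookup (constructed samples).
LOOKALIKE = "8F3A1C2D4E00112233445566778899AABBCCA5B6"
OTHER = "0123456789ABCDEF0123456789ABCDEF01234567"

if __name__ == "__main__":
    for name, fpr in (("card", CARD), ("lookalike", LOOKALIKE), ("other", OTHER)):
        head, tail = shared_edges(CARD, fpr)
        print(f"{name:10} {classify(CARD, fpr):10} head={head:2} tail={tail:2} "
              f"~2^{work_bits(head, tail)} trials")
```

A "lookalike" result is the case to alert on: the key is not the pinned one, yet it passes a first-digits or last-digits glance.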