Given the SHA-1 break, Could we return to the V5 fingerprint discussion?
The issue we are seeing the the SHA-1 break is that a LOT of software is
based on the assumption that SHA-1 is unique. And this is causing software
to crash in real world applications.
For example, lets say you are using a GIT like system and some joker has
uploaded different versions of the the colliding PDF into different
instances of the same repository. The two repositories can function quite
happily for quite a while without noticing anything amiss. The problem
comes when we then take SHA-1 hash of the bulk data in both repos:
SHA1(Evil) = SHA1(Evil')
But
SHA1 (Evil + M0 + .... ) != SHA1 (Evil' + M0 + .... )
We really do need to push to get SHA-1 eliminated before the cost of this
attack falls to the point where you only need 50 GPU years to do it....
The proposal I made introduces a context into the fingerprint so that
S/MIME, OpenPGP, etc. can all use the same fingerprint format without
semantic substitution attacks being possible.
##V5 Fingerprint calculation and presentation
A V5 fingerprint value is a sequence of bits that provides a sufficiently
unique identifier for a public key. In addition to generating and accepting
the text string presentation used in earlier versions of OpenPGP
applications
MAY support such additional presentation formats as are found to be useful.
Conforming V5 OpenPGP implementations MUST support the V5 Fingerprint
text presentation format for display and entry of fingerprint values.
Support for all other fingerprint values is optional.
###V5 Fingerprint value calculation
The OpenPGP V5 fingerprint value is calculated as follows
Fingerprint = <Version-ID> + H (<Content-ID> + ‘:’ + H(<data>))
Where:
Version-ID = 0x60
Content-ID = "application/pgp-v5-key"
<<MIME Content-Type string TBS by IANA>>
H(x) = SHA-2-512(x)
<data> = <pgp-v5-key>
<pgp-v5-key> =
a.1) 0x99 (1 octet)
a.2) high-order length octet of (b)-(d) (1 octet)
a.3) low-order length octet of (b)-(d) (1 octet)
b) version number = 5 (1 octet);
c) algorithm (1 octet): 17 = DSA (example);
d) Algorithm-specific fields.
The value of Version-ID is intentionally chosen so that
the first character of every V5 fingerprint in the text presentation
format is 'M', a character that is guaranteed not to appear in a V4
or earlier fingerprint format where hexadecimal values were used.
Thus ensuring that V5 fingerprints are not accidentally confused.
The construction of the data sequence over which the hash value
is calculated follows the construction used in V4 with the omission
of the key creation timestamp field. This ensures that a given set
of public key parameters has exactly one V5 fingerprint value.
The Content-ID is a MIME content type identifier that indicates that
fingerprint value is of data in the pgp-v5-key format specified
above and is intended for use with an OpenPGP application.
If a fingerprint value is to be calculated for a public key value
specified in a different format (e.g. a PKIX certificate or key)
or for a future version of OpenPGP with a different <data> format,
a different Content-ID value MUST be used.
###V5 Fingerprint Text Presentation.
The Binary Fingerprint Value is truncated to an integer multiple
of 25 bits regardless of the intended output presentation.
The output of the hash function is truncated to a sequence of n bits
by first selecting the first n/8 bytes of the output function. If n
is an integer multiple of 8, no additional bits are required and
this is the result. Otherwise the remaining bits are taken from the
most significant bits of the next byte and any unused bits set to 0.
For example, to truncate the byte sequence [a0, b1, c2, d3, e4] to
25 bits. 25/8 = 3 bytes with 1 bit remaining, the first three bytes
of the truncated sequence is [a0, b1, c2] and the final byte is
e4 AND 80 = 80 which we add to the previous result to obtain the
final truncated sequence of [a0, b1, c2, 80]
A modified version of Base32 [!RFC4648] encoding is used to present
the fingerprint in text form grouping the output text into groups of
five characters separated by a dash ‘-‘.
# IANA Requirements
Register a new content type for application/pgp-v5-key
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp