Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

On Thu, Jan 23, 2020 at 11:56:39PM +0100, Kai Engert wrote:
> Does this mean, anyone can create a key pair that has the same 
> fingerprint as I have on my business card, by spending that amount of 
> money?
No.

What they have done is generate two keys in such a way that a SHA-1 
certification on one key is also a valid certification for the other 
key.
It means that someone can:

1) create a key A with *your* user ID;

2) create a key *B* with a different user ID;

3) have someone certify the key B with a SHA-1-based signature;

4) attach that signature to key *A* and your user ID.

At the end, that someone gets a key with your name and a 
cryptographically valid signature (or even several signatures, if the 
attacker repeats steps 3 and 4). She can thus impersonate you to anyone 
trusting the signer(s) involved at step 3.
What Marcus says the author *could* have done is to generate the two 
keys A and B in such a way that they also have the same fingerprint. 
They have not done so, as one can easily verify e.g. by running `gpg 
--list-packets` on the provided keys (they don’t even have the same 
short key ID). In the scenario outlined above, I am not sure the 
attacker would have anything to gain in having the two keys A and B 
sharing the same fingerprint anyway, which may explain why the authors 
did not try. They don’t even discuss that possibility.
In any case, the attack does *not* allow to generate a key with the same 
fingerprint as a pre-existing, un-related key.

Cheers,

- Damien

signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp