On Thu, Jan 23, 2020 at 11:56:39PM +0100, Kai Engert wrote:
> Does this mean, anyone can create a key pair that has the same
> fingerprint as I have on my business card, by spending that amount of
> money?

No.

What they have done is generate two keys in such a way that a SHA-1
certification on one key is also a valid certification for the other
key.

It means that someone can:

1) create a key A with *your* user ID;
2) create a key *B* with a different user ID;
3) have someone certify the key B with a SHA-1-based signature;
4) attach that signature to key *A* and your user ID.

At the end, that someone gets a key with your name and a
cryptographically valid signature (or even several signatures, if the
attacker repeats steps 3 and 4). She can thus impersonate you to anyone
trusting the signer(s) involved at step 3.

What Marcus says the author *could* have done is to generate the two
keys A and B in such a way that they also have the same fingerprint.
They have not done so, as one can easily verify e.g. by running
`gpg --list-packets` on the provided keys (they don’t even have the same
short key ID). In the scenario outlined above, I am not sure the
attacker would have anything to gain in having the two keys A and B
sharing the same fingerprint anyway, which may explain why the authors
did not try. They don’t even discuss that possibility.

In any case, the attack does *not* allow one to generate a key with the
same fingerprint as a pre-existing, unrelated key.

Cheers,

- Damien
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
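
Added example, not part of the original message: the distinction drawn in the reply between a key's fingerprint and a certification on that key, shown by building both SHA-1 inputs as RFC 4880 defines them for v4 keys and signatures. The key values, user IDs and timestamp are constructed toy data, and the function names are chosen here for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet: version, creation time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def key_prefix(body: bytes) -> bytes:
    """0x99 and a 2-byte length precede the key body in both hash computations."""
    return b"\x99" + struct.pack(">H", len(body)) + body

def fingerprint(body: bytes) -> str:
    """v4 fingerprint: SHA-1 over the key material only; no user ID is involved."""
    return hashlib.sha1(key_prefix(body)).hexdigest().upper()

def certification_digest(body: bytes, user_id: bytes, created: int) -> str:
    """SHA-1 digest that a v4 positive certification (type 0x13) signs:
    the key, then the user ID, then the signature's hashed fields and trailer."""
    subpackets = bytes([5, 2]) + struct.pack(">I", created)  # signature creation time
    sig_fields = bytes([4, 0x13, 1, 2]) + struct.pack(">H", len(subpackets)) + subpackets
    trailer = b"\x04\xff" + struct.pack(">I", len(sig_fields))
    uid = b"\xb4" + struct.pack(">I", len(user_id)) + user_id
    return hashlib.sha1(key_prefix(body) + uid + sig_fields + trailer).hexdigest().upper()

# Constructed toy values, far too small to be real keys.
T = 1579800000
KEY_A = rsa_key_body(T, (1 << 127) | 0x1D, 65537)
KEY_B = rsa_key_body(T, (1 << 127) | 0x35, 65537)

def demo() -> dict:
    """Fingerprints depend on the key alone; certification digests bind key and user ID."""
    fp_a, fp_b = fingerprint(KEY_A), fingerprint(KEY_B)
    return {
        "fp_a": fp_a,
        "fp_b": fp_b,
        "short_id_a": fp_a[-8:],  # short key ID = last 4 bytes of the fingerprint
        "short_id_b": fp_b[-8:],
        "cert_alice": certification_digest(KEY_A, b"Alice <alice@example.org>", T),
        "cert_bob": certification_digest(KEY_A, b"Bob <bob@example.org>", T),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fingerprint function never sees a user ID, while the certification digest covers both the key and the user ID; the collision described in the thread concerns only that second digest.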