ietf-openpgp

Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

2020-01-24 11:01:11

Marcus Brinkmann <marcus.brinkmann=40rub(_dot_)de(_at_)dmarc(_dot_)ietf(_dot_)org> wrote:
    >> Does this mean, comparing a 20 bytes (40 hex digits) fingerprint, as
    >> printed by e.g. GnuPG 2.2.x, is no longer a reliable way to verify you
    >> have obtained the correct key?

    > The answer to this would formally be "yes", because after creating two
    > such keys, the attacker could first show you one key, and, later on show
    > you the other key and if the only thing you remember about the first key
    > is the fingerprint, you have no way to notice the swap.

Would the attacker have to control the private keys of both generated keys to
accomplish this?  I don't entirely see why.

Clearly the signatures generated by the two keys (with identical
fingerprints) would also be different (assume that the signatures were
calculated on a SHA256 hash, to remove an attack from that side).

    > The question if this is an actual problem (i.e.: violates a security
    > goal that the user is actually interested in) is more difficult to
    > answer and depends on many details.  Figuring this out would require a
    > careful review of OpenPGP implementations and applications using OpenPGP.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr(_at_)sandelman(_dot_)ca  http://www.sandelman.ca/        |   ruby on rails    [
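
Added example, not part of the message above or of any OpenPGP implementation: how the 20-byte fingerprint discussed in this thread is derived for a version 4 RSA key under RFC 4880 section 12.2, with a check that remembers a SHA-256 digest of the same octets beside it. The pin record format, the function names and the toy key values are assumptions made for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte big-endian bit count, then the value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet: version 4, creation time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def hashed_octets(body: bytes) -> bytes:
    """Octets the v4 fingerprint covers: 0x99, 2-byte length, packet body.
    User IDs, signatures and private key material are not part of this input."""
    return b"\x99" + struct.pack(">H", len(body)) + body

def v4_fingerprint(body: bytes) -> str:
    """The 40 hex digits printed as the key fingerprint (SHA-1, 20 bytes)."""
    return hashlib.sha1(hashed_octets(body)).hexdigest().upper()

def pin(body: bytes) -> dict:
    """Hypothetical record to remember about a key: fingerprint plus SHA-256."""
    return {"fpr": v4_fingerprint(body),
            "sha256": hashlib.sha256(hashed_octets(body)).hexdigest()}

def check(remembered: dict, body: bytes) -> str:
    """Compare a presented public key against a remembered pin."""
    now = pin(body)
    if now == remembered:
        return "match"
    if now["fpr"] == remembered["fpr"]:
        # Same SHA-1 fingerprint, different key: the swap a fingerprint-only
        # comparison cannot notice.
        return "fingerprint matches but key material differs"
    return "different key"

# Constructed sample keys (toy moduli, not usable keys); they differ only
# in creation time.
KEY_A = rsa_public_key_body(1579860071, 0xC5A3B1D7F9E1, 65537)
KEY_B = rsa_public_key_body(1579860072, 0xC5A3B1D7F9E1, 65537)

if __name__ == "__main__":
    print(v4_fingerprint(KEY_A))
    print(check(pin(KEY_A), KEY_A), "/", check(pin(KEY_A), KEY_B))
```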
