Hi,
On 1/24/20 6:00 PM, Michael Richardson wrote:
> Marcus Brinkmann
> <marcus.brinkmann=40rub(_dot_)de(_at_)dmarc(_dot_)ietf(_dot_)org> wrote:
> >> Does this mean, comparing a 20-byte (40 hex digit) fingerprint, as
> >> printed by e.g. GnuPG 2.2.x, is no longer a reliable way to verify you
> >> have obtained the correct key?
> > The answer to this would formally be "yes", because after creating two
> > such keys, the attacker could first show you one key and, later on, show
> > you the other key, and if the only thing you remember about the first key
> > is the fingerprint, you have no way to notice the swap.
> Would the attacker have to control the private keys of both generated keys to
> accomplish this? I don't entirely see why.
As the collision I am thinking of happens in the modulus MPI, the
attacker would control the modulus and thus the private exponent (public
exponent fixed at 2^16+1).
> Clearly the signatures generated by the two keys (with identical
> fingerprints) would also be different (assume that the signatures were
> calculated on a SHA256 hash, to remove an attack from that side).
Yes. Any signatures made by these keys would be different.
Thanks,
Marcus
--
Dipl.-Math. Marcus Brinkmann
Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum
Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
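The exchange above turns on two facts: a v4 OpenPGP fingerprint is SHA-1 over the public-key packet (RFC 4880 section 12.2), so two key packets whose hashed bytes collide share fingerprint and key ID, and whoever picks the primes behind the modulus also holds the private exponent, while signatures under the two moduli still differ. The following is an added example, not code from the thread or from GnuPG: it builds the exact bytes a v4 fingerprint hashes for an RSA key, derives d from attacker-chosen primes, and shows that signatures over the same SHA-256 digest cannot be swapped between the two keys. It does not (and cannot) produce a SHA-1 collision; the two toy keys are constructed from Mersenne primes so the block runs offline, the creation timestamp is made up, and the RSA signing is textbook (unpadded), which is enough for the point being made.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent fixed at 2^16+1, as in the thread


@dataclass(frozen=True)
class RsaKey:
    created: int  # OpenPGP key creation time (seconds since the epoch)
    n: int        # modulus
    e: int        # public exponent
    d: int        # private exponent, known to whoever chose p and q


def make_key(created: int, p: int, q: int, e: int = E) -> RsaKey:
    """Whoever chooses p and q controls n and therefore d: controlling the
    modulus is controlling the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return RsaKey(created, n, e, d)


def mpi(x: int) -> bytes:
    """RFC 4880 section 3.2 MPI: 2-byte bit count, then big-endian magnitude."""
    bits = x.bit_length()
    return bits.to_bytes(2, "big") + x.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(key: RsaKey) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2)."""
    return (b"\x04"
            + key.created.to_bytes(4, "big")
            + b"\x01"          # public-key algorithm 1 = RSA
            + mpi(key.n)
            + mpi(key.e))


def fingerprint_input(key: RsaKey) -> bytes:
    """Exactly the bytes SHA-1 runs over for a v4 fingerprint (RFC 4880
    section 12.2): 0x99, two-byte body length, body.  Two keys whose inputs
    collide under SHA-1 share fingerprint and key ID.  MPI(e) trails MPI(n),
    so a collision placed inside the modulus survives: both packets end with
    the same suffix after the colliding blocks."""
    body = v4_public_key_body(key)
    return b"\x99" + len(body).to_bytes(2, "big") + body


def v4_fingerprint(key: RsaKey) -> str:
    return hashlib.sha1(fingerprint_input(key)).hexdigest().upper()


def key_id(key: RsaKey) -> str:
    """The 64-bit key ID is the low-order 64 bits of the fingerprint."""
    return v4_fingerprint(key)[-16:]


def sign(key: RsaKey, message: bytes) -> int:
    """Textbook RSA over a SHA-256 digest (no padding; enough to show that two
    keys with different moduli do not produce interchangeable signatures)."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, key.d, key.n)


def verify(key: RsaKey, message: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(sig, key.e, key.n) == h


# Constructed toy keys (Mersenne primes, trivially factorable; never use such
# primes for real keys).  Same creation time and algorithm, so only the
# modulus MPI differs between the two hashed inputs.
CREATED = 1579885200  # made-up timestamp
KEY1 = make_key(CREATED, p=2**127 - 1, q=2**521 - 1)
KEY2 = make_key(CREATED, p=2**89 - 1, q=2**607 - 1)


if __name__ == "__main__":
    msg = b"constructed message"
    for name, key in (("key1", KEY1), ("key2", KEY2)):
        print(name, v4_fingerprint(key), "key id", key_id(key))
    s1, s2 = sign(KEY1, msg), sign(KEY2, msg)
    print("signatures differ:", s1 != s2)
    print("sig1 verifies under key2:", verify(KEY2, msg, s1))
```

The bytes returned by fingerprint_input are the prefix the attacker would need a chosen-prefix collision over: everything before the modulus MPI is fixed by the attacker, so a collision in the modulus data yields two packets, hence two keys, with one fingerprint. Nothing in the fingerprint check sees the difference; only the signatures do.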