0xdeadbeef comes of age: making keysteak with GnuPG

Replying a little late to Thijs's message to oss-security. First: "keysteak", a PoC keyserver-in-the-middle that generates fake V3 public keys with the same long keyid as V4 public keys requested from a keyserver. It uses the classic 0xdeadbeef attack and a (novel?) V3 key/V4 signature crossgrade.*) Available at: https://github.com/coruus/cooperpair/tree/master/keysteak As an example, a spoofed key for a Linux distro is attached. You can confirm that the spoofed key is *not* the real key (which is available at https://tails.boum.org/tails-signing.key) by doing either gpg2 --list-packets spoofed_tails.asc or, mkdir test; chmod go-rwx test gpg2 --home ./test --import spoofed_tails.asc gpg2 --home ./test -k --fingerprint * V3 signatures are not accepted without an explicit option in 2.1; they produce a warning in 2.0 (and maybe recent 1.x as well). (In summary: If you don't use the WoT, get OpenPGP keys via HTTPS. E.g.: keybase.io or pgp.mit.edu (the latter thanks to Yan Zhu's lobbying).) Some details/comments: Date: Mon, 1 Sep 2014 20:33:20 +0200 From: Thijs Kinkhorst <thijs at ...ian.org> Subject: gpg blindly imports keys from keyserver responses > It is however argued that . . . specifying the full fingerprint is a safe way to retreive > a key for a known-good fingerprint. But this argument is again somewhat countered > by an attack on V3 [fingerprints] making such a request dubious again. This isn't quite right. - V3 fingerprints are 16 bytes (32 hex digits) long; they're an MD5 digest of the RSA modulus. - V4 fingerprints are 20 bytes (40 hex digits) long; they're an SHA1 digest of the public key packet (kind of). So: V3 and V4 fingerprints are easily distinguishable. Long keyids aren't: - V3 long keyids are 8 bytes long. They're the low 8 bytes of the RSA modulus. - V4 long keyids are 8 bytes long. They're the low 8 bytes of the V4 fingerprint. As Greg Rose demonstrated (and Paul Leyland had earlier noted)[1], this makes it trivial to forge long V3 keyids: You can control up to about half the bits of an RSA modulus without affecting the strength of the resulting key. Note: Once you have a key with a given 64-bit keyid in your keychain, GnuPG will not import any other key with the same 64-bit keyid.[2] Even if you specify the new key by fingerprint. It's been 18 years since the 0xdeadbeef attack. Maybe it's time to deprecate V3 OpenPGP keys? (There's a discussion on gnupg-devel on this presently; I am hopeful...) [1] Raph Levien's excellent explanation of the history and math of the 0xdeadbeef attack: https://groups.google.com/forum/#!topic/sci.crypt/JSSM6NbfweQ [2] Thus the spoofed key and the real key are a "cooper pair". -------------- next part -------------- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 mQIPA1IAAAAAAAEP+wTjDob0f11hgMumSe9OA3z05hFwsgDpr152QACoZYVt4rRp YVqBFCv3cckvd6mgldmxe7MdSa5C+IgWRiMYt8xIJKCN4gF/tNumsOjshptVLkiO bdb2XI+AqwuUbVIzNzKr+zYVhHOUwm87QA5HapVo1Mm4zE2i99YLV30BfDxQMQOV Ux6cnxLicS6edSvHqwO0rlOJGwp8XJT/DLJvfmkdHtkv4FNLKDEHLhsC9xSnm5y6 hrkwghRDJO69NenJWJbqAK63NIEGZhdgyaFBwls3JDIqKPenOjORoybuqw69MPcM snk3Z0cXHD+bHUPm0cQNhFiZYEWXQMjm9RTW5AvP0JeW2RFBPBzqtxUKntQBrdRF GU8Voas9SXUyBiaebrx5wzFBzBjbKZByTOA3T90S5FKTWJ3l4FBfSsSVjT/4WXn4 4QF26ATy0iowAe4l/089mp7qzEKSLCmTQPhhcPz1gX9OZOpkgBBi7dm55R08OX5y 4W98nnSiPQXNVf5DRWmKuWmrJHY7xan2E1A19z+7R/mG3AxUKboNerl3mD+3vLmk HAwZKo0bA297oOhZAY4TXnUNhwLazcGIgctETfuw63HMNvj7hbYAoJb7ghH1cpw9 6NNrVOMoz6A6JFFUYz3L0GPkP/lCukn637Zy9uixBtzss/QyFhICghy+LNnBABEB AAG0L1RhaWxzIGRldmVsb3BlcnMgKHNpZ25pbmcga2V5KSA8dGFpbHNAYm91bS5v cmc+iQI3BBMBCgAhBQJUNrtTAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ EBICghy+LNnBz6YP+gLUXsvi+4IwNxTt/8yQWAwo5C7yVYq4t7X4Z9LTU/v4BQ2u Ogs2E+E8Jd4u9bpTk9RWxg+wc3dm9BpsM3Mfsk23ryO6xqVS2/s+OiKMlK8C6QUT shGw2Kd7FwbSUEHvzSO7f6oIpWs0HC/B1DNsIYCVMHj9xWHOF6osYkumVikVlYzJ 70dNlDNFvLiOR2kmneZ/8/q8NAcBLmPknE/m9iV9QBb4a8UIWhqbrUPoF5MKilCG FgJW85pzWT9Q9SPlwvE7+UqrSBiRmG6EFKWFqGf4bPXZBaBsDHxBcc+UOGQDwHD7 3KfYV5arB6LdNPiF1eeJPscJxmIf6H9PNZ2DDU6BDmN6wK+L8V2fDo4TlLsWGOKH rY8Ga6G0xuGWvIb5uL4nShMkF3E4PP3Z00mawx/cVQbrrH8UY4F51y9WKBRzdbw9 BuCzKBXxkymHVR3V01mEzBLVb80iBFBcOpyS/U66Dk6VsvtCF1g8JnxeRlg/UENp +G6vdSUYKQdxQmY5Imlw64ote8/SHxAPlGnWBmT3eBsqaJpwV84zlBEncZS/WcCr Gn+EzVr0MqRG8DvOfgqsBcgoxhUxldtqsOqTHBLjgwdOHIJnEv3nfEDus8PtMFZk s3ixRFVikd0LSKV/F+02iEDLXQRIsha5Fb5BGodkr/IlaZhLYtqXaReLkKhQ =PPAV -----END PGP PUBLIC KEY BLOCK-----