Bugtraq mailing list archives
Re: Minor PGP vulnerability
From: warlord () MIT EDU (Derek Atkins)
Date: Wed, 16 Jul 1997 12:05:01 -0400
This is old news. Paul Leyland (pcl () ox ac uk) has posted about this at least two years ago. Also, there are a few incorrect facts in your original mail.
> As you might know, PGP uses a 32-bit number, called key-ID, as an internal index for storing and recognizing keys. Although the key-IDs are quite randomly distributed within 31 of the 32 bits (the key-ID is always odd), the scheme by which this key-ID is derived from the (public) key is not cryptographically secure.
Actually, PGP uses 64 bits internally, although it only displays 32 bits to the user. However, these 64 bits are, as you say, insecure in a cryptographic sense. The PGP 5.0 DSS/DH keys are not subject to this attack, since the keyID is a cryptographic derivation from the key. Only the old style RSA keys are susceptible, since the keyID is just the low bits of the public key modulus.
> As a consequence, when obtaining PGP keys from insecure sources, you should always check for the existence of a key with the same key-ID in your own public keyring. To verify a key, always use the fingerprint and never the key-ID.
Actually, there is a problem in PGP's RSA fingerprinting algorithm, too. You can create a key with the same fingerprint as another key, however the size and keyid cannot match as well. This means you should *ALWAYS* check the fingerprint, keyid, AND key size in order to verify a key; an attacker can only forge at most two of the three checks.

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL N1NWH
warlord () MIT EDU PGP key available
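As an added example (not code from the post or from PGP itself), the following Python computes the three identifiers the message says must all be checked for an old-style RSA key, using the V3 definitions from RFC 4880 section 12.2: the key ID is the low 64 bits of the modulus (PGP 2.x shows the low 32 of those), the fingerprint is MD5 over the modulus bytes followed by the exponent bytes with no length framing, and the key size is the bit length of the modulus. The sample modulus is a constructed 1024-bit odd integer, not a real RSA key; a second constructed modulus differing only in one high bit shows that a matching key ID and size say nothing about the fingerprint, so accepting a key on any single identifier is unsafe.

```python
import hashlib

# Constructed sample "key": a 1024-bit odd integer standing in for an RSA
# modulus (not a product of two primes) plus the common exponent 65537.
# It only exercises the identifier arithmetic and is not a usable key.
SAMPLE_N = (
    (1 << 1023)
    | int.from_bytes(hashlib.sha256(b"constructed sample modulus").digest() * 4, "big")
    | 1
)
SAMPLE_E = 65537

# A second constructed modulus that differs from SAMPLE_N only in bit 1000:
# same size and same low 64 bits (so the same key ID), different fingerprint.
KEYID_COLLIDING_N = SAMPLE_N ^ (1 << 1000)


def mpi_body(value: int) -> bytes:
    """Big-endian magnitude bytes of an integer, with no length prefix."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def v3_key_id(n: int) -> int:
    """64-bit key ID of a V3 RSA key: the low 64 bits of the modulus."""
    return n & ((1 << 64) - 1)


def v3_short_key_id(n: int) -> int:
    """The 32-bit form PGP 2.x displays: the low 32 bits of the modulus."""
    return n & 0xFFFFFFFF


def v3_fingerprint(n: int, e: int) -> str:
    """V3 fingerprint: MD5 over the modulus bytes followed by the exponent
    bytes. The two values are concatenated without length fields (RFC 4880
    section 12.2), which is why the fingerprint alone does not pin down n and e."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()


def key_size_bits(n: int) -> int:
    """Key size as PGP reports it: the bit length of the modulus."""
    return n.bit_length()


def identity_checks(n: int, e: int, expected_fpr: str,
                    expected_key_id: int, expected_bits: int) -> dict:
    """Compare all three identifiers against values obtained out of band
    (e.g. read to you by the key owner). Returns one boolean per check."""
    return {
        "fingerprint": v3_fingerprint(n, e) == expected_fpr.replace(" ", "").upper(),
        "key_id": v3_key_id(n) == expected_key_id,
        "key_size": key_size_bits(n) == expected_bits,
    }


def key_matches(n: int, e: int, expected_fpr: str,
                expected_key_id: int, expected_bits: int) -> bool:
    """Accept the key only if fingerprint, key ID, and size all agree."""
    return all(identity_checks(n, e, expected_fpr, expected_key_id, expected_bits).values())


if __name__ == "__main__":
    fpr = v3_fingerprint(SAMPLE_N, SAMPLE_E)
    kid = v3_key_id(SAMPLE_N)
    bits = key_size_bits(SAMPLE_N)
    print("short key ID shown by PGP 2.x: %08X" % v3_short_key_id(SAMPLE_N))
    print("genuine key:  ", identity_checks(SAMPLE_N, SAMPLE_E, fpr, kid, bits))
    print("key-ID clash: ", identity_checks(KEYID_COLLIDING_N, SAMPLE_E, fpr, kid, bits))
```

Running it prints all three checks true for the genuine key and, for the key-ID-colliding modulus, true for key ID and size but false for the fingerprint, so `key_matches` rejects it. The same three-way comparison is what a keyserver import or a key-signing step should require before trusting a V3 RSA key.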