Bugtraq mailing list archives

Re: PGP Signatures security BUG!

From: Noah_Salzman () NAI COM (Salzman, Noah)
Date: Wed, 8 Mar 2000 09:53:39 -0800


Hello Povl,

Your comments have made there way to NAI.  I will make sure an official
response is sent to this list.

My personal response:  32-bit Key ID collisions have been known about for
quite sometime, although they are still very rare.  64-bit Key IDs have been
in use for years and, of course, if Fingerprints (160-bit) and key signing
are used properly there are no problems in the areas you describe.

   Noah Salzman
     noah () pgp com
     noah () nai com
     408-346-5186

-----Original Message-----
From: Povl H. Pedersen [mailto:pope () NETGUIDE DK]
Sent: Tuesday, March 07, 2000 6:29 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: PGP Signatures security BUG!

This message has NOT been sent to Network Associates, as I could not
easily find a free way to report bugs. Most links are for paying
customers only.

BACKGROUND

A friend of mine just received a mail from a colleague in the UK by
the name John Smith (name invented), which was PGP signed. So of
course my friend tried to verify the signature.

This was the first time he verified it.

The s-gnature has Key ID: 0x6F620B65

So he had to look up the key using the keyservers, and surprisingly
enough, the server did NOT return the name of the sender, but of a
person called "Mike Evans".

I then did a lookup on John Smith's e-mail, and I only got the
signature of Mike Evans back. I did not get 2 adresses, or any other
indication that told me something styrange is going on.

Adding Mike Evans' public key to the keyring still results in the
signature verification being OK, but the username is listed as
unknown.

THE PROBLEM

The problem is, that the PGP servers expects all key IDs to be unique
numbers, and does not expect 2 users to have the same keyID. And with
the current amount of users, we are starting to get multiple users
with the same keyID.

EXPLOIT

It is possible to generate false signatures, and John Smith can send
new e-mails in the name of  Mike Evans to users who does not have
Mike Evans' key in their keyring, and when they do a lookup, they
will find Mike Evans' key.

It will take a long time to generate a new key with a specific
fingerprint, but nonetheless, this 'overwriting' and hiding of other
users IDs in the public PGP servers is bad.

--
---
Povl H. Pedersen   -   Chief Technology Officer  -   NetGuide Scandinavia as
Phone: +45 8618 1845    Cellular: +45 4093 5511    Fax:   +45 8618 1863
e-mail: mailto:pope () netguide dk     -    PGP Key ID: 0x8F4BC755

Current thread:

SQL Server Vulnerability details, (continued)
- - SQL Server Vulnerability details Chip Andrews (Mar 18)
- Re: PGP Signatures security BUG! Florian Weimer (Mar 10)
  - Re: PGP Signatures security BUG! Will Price (Mar 20)
  - Esafe Protect Gateway (CVP) does not scan virus under some conditions Hugo.van.der.Kooij () CAIW NL (Mar 21)
    - Re: Esafe Protect Gateway (CVP) does not scan virus under some conditions Alon Rotem (Mar 24)
  - Security bug in Apache project: Jakarta Tomcat Jan Madsen (Mar 21)
  - [TL-Security-Announce] nmh-1.0.2 and earlier TLSA200008-1 Katie Moussouris (Mar 21)
- New Solaris Vulnerability Calculator, Sun Mailing list, and Sun Focus area from SecurityFocus.com Jeremy Rauch (Mar 13)
- Re: PGP Signatures security BUG! Tobias Haustein (Mar 08)
  - Re: PGP Signatures security BUG! Povl H. Pedersen (Mar 09)
- Re: PGP Signatures security BUG! Salzman, Noah (Mar 08)
- Re: PGP Signatures security BUG! Steven M. Bellovin (Mar 08)