[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Number of developers, keyring map

Jason Gunthorpe <jgg@ualberta.ca> writes:

> > If I remember things correctly both the key-ID and the fingerprint
> > can be faked, although the the fingerprint is harder. You really
> > want the combination of both.
> I was told that the keyID was simply a random number assigned to the key
> at key-generation, with a hacked generator you could assing any number you
> like. However, to duplicate a fingerprint you would have to break MD5,
> which if possible means we are in deep trouble anyhow :>

Actually, you would not need to break MD5.  There are various ways of
generating identical MD5 checksums, provided that things like key
size, or the keyid are not known.

Adam Back, recently illustrated this type of fingerprint forgery,
after the IRS and FBI attempted to use a PGP fingerprint to link Carl
Johnson to a series of threats made online.

Check out the follwing URL, you will need to scroll down a ways, just
search for "Adam Back".


Craig Brozefsky        <craig@red-bean.com>
Less matter, more form!      - Bruno Schulz
ignazz, I am truly korrupted by yore sinful tzourceware. -jb
The Osmonds! You are all Osmonds!! Throwing up on a freeway at dawn!!!

Reply to: