
So I received a gpg-signed email, can I trust it?



Hello,

given that it is now possible to generate arbitrary short key ID
collisions[1], and that it's now computationally feasible to at least
generate a pair of keys with colliding long key IDs, I'd like to rethink
practices and tools.

In the spirit of "first get to do it, then document it, then automate
it", I'd like to begin with a simple use case:

  So I received a gpg-signed email, can I trust it?

I'll write here my take on it and request your comments on it, to see if
there are any gaps.

Take for example this file, and an empty keyring:

  $ mkdir /tmp/keyring
  $ chmod 0700 /tmp/keyring
  $ echo "keyserver hkp://keys.gnupg.net" >> /tmp/keyring/gpg.conf
  $ cat /tmp/testmessage
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA256
  
  Fri Jul  8 11:03:02 CEST 2016: this is a test message
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1
  
  iQIcBAEBCAAGBQJXf2xGAAoJEAPWVoyDcnWpzsoP/Aiw9y3D7qM/8aIjTuTakXG1
  dbDi/7lIrWx2bvFFVAFY27q9l6UKF97nXym28ceatpPhYyeuUbSms12btY3kQ796
  nEF81oLIHonayD6QOOSj2SrJIgl2B5oYSg/fxsq+bUBmcY9T3aHPsgGlSU7+to2b
  ohv9D/Big3H2hWx0PPfhnLsCXLcNXFmUt83hsrrgUQvRA9oh7FjKBjbOYyLd4hBN
  ejvnaf5PWuhPfWtK1mMpTEExn6V5i498+PxGojXLzapbtGEcybqfdvqlbtqii2LP
  0dg4UwPnGdzZPUHHRbUwslLoPRb9KCspxlAE1U707NH+4Y3/4GMi/lhnfp/qxpMF
  OKey0STi1pIJbn5SbG5GHlQD+1zbypelr4UnvOEZsYNcxkN1iduA5jL4IreQ2KqU
  d/bVplK1w9i766ZgLI69A1TuRneKiRJTNur0UOwQZv0zonlGhIlSKi1IoMCtrKtN
  jXTwALyUj5xUyNYAwqwR9I93wAcVVWzJbHB6DSCYa11AIkZV7Lnvz6A+dcNOdX21
  3mhsjRqM5U28fBk5pdGj/MkjJyL4aegmzFBiImUQtV8gIL5HGmI2yxlLvIEx7O7z
  PUrOKZLrHflCZ0kZOty5njnZ2ep2rRQNEdT4mD8SuKKt6vfpQdzUQxTZoRgOHYA2
  Skl15idSonqVP370zzDf
  =DKdd
  -----END PGP SIGNATURE-----

gpg --verify tells me of a short key ID:

  $ gpg2 --homedir /tmp/keyring/ --verify /tmp/testmessage 
  gpg: keybox '/tmp/keyring//pubring.kbx' created
  gpg: Signature made Fri 08 Jul 2016 11:03:02 CEST using RSA key ID 837275A9
  gpg: Can't check signature: No public key

I can switch to long key IDs, but I still get something that can match
multiple keys:

  $ echo "keyid-format long" >> /tmp/keyring/gpg.conf
  $ gpg2 --homedir /tmp/keyring/ --verify /tmp/testmessage
  gpg: Signature made Fri 08 Jul 2016 11:03:02 CEST
  gpg:                using RSA key 03D6568C837275A9
  gpg: Can't check signature: No public key

So let's assume long key IDs give me only a false sense of security and
go ahead without "keyid-format long". I'll download the key used to sign
the message:

  $ gpg2 --homedir /tmp/keyring/ --recv 837275A9
  gpg: /tmp/keyring//trustdb.gpg: trustdb created
  gpg: key E7AD5568: public key "Enrico Zini <enrico@enricozini.org>" imported
  gpg: no ultimately trusted keys found
  gpg: Total number processed: 1
  gpg:               imported: 1

In this case I've been lucky, because there were no collisions on the
short key ID of my signing subkey, but I cannot rely on having only the
right key in the keyring at this point. For example:

  $ gpg2 --homedir /tmp/keyring/ --recv A7457645
  gpg: key A7457645: public key "Piotr Ozarowski <ozarow@gmail.com>" imported
  gpg: key A7457645: public key "Piotr Ozarowski <ozarow@gmail.com>" imported
  gpg: no ultimately trusted keys found
  gpg: Total number processed: 2
  gpg:               imported: 2

Now I have one or more keys, I can verify the message:

  $ gpg2 --homedir /tmp/keyring/ --verify /tmp/testmessage 
  gpg: Signature made Fri 08 Jul 2016 11:03:02 CEST using RSA key ID 837275A9
  gpg: Good signature from "Enrico Zini <enrico@enricozini.org>" [unknown]
  gpg:                 aka "Enrico Zini <enrico@debian.org>" [unknown]
  gpg:                 aka "Enrico Zini <enrico@truelite.it>" [unknown]
  gpg:                 aka "Enrico Zini <enrico@enricozini.com>" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 1793 D6AB 7566 3E6B F104  953A 634F 4BD1 E7AD 5568
       Subkey fingerprint: 1CC0 1267 007F ABE6 5846  6857 03D6 568C 8372 75A9

gpg2 tells me that the signature is Good (that is, the message is the
same that has been signed and has not been tampered with), and it has
been verified as having been made with the key 1793D6AB75663E6BF104953A634F4BD1E7AD5568.

I know that the message hasn't been tampered with, but it can still be a
message from the attacker that generated the colliding key, so now I
need to find out what I can tell about the owner of key
1793D6AB75663E6BF104953A634F4BD1E7AD5568. I made an attempt at this at
http://www.enricozini.org/blog/2016/debian/verifying-gpg-keys/


Enrico

[1] https://evil32.com/
[2] https://www.ietf.org/mail-archive/web/openpgp/current/msg07195.html
    https://github.com/coruus/cooperpair
-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
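
The check this message leads up to, as an added example that is not part of the original post: take the signer's identity from the full fingerprints on gpg's `--status-fd` `VALIDSIG` line and compare the primary-key fingerprint with one pinned out of band, instead of trusting the key ID in the human-readable output. The function names, the status lines and the colliding fingerprints are constructed for illustration; only the two real fingerprints come from the message above.

```shell
#!/bin/sh
# Added example (not from the original post). Function and variable names
# are hypothetical; the status lines below are constructed, not captured.

# normalize_fpr FPR -> uppercase hex with all whitespace removed
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# signer_matches PINNED_FPR
# Reads the output of `gpg --status-fd 1 --verify FILE` on stdin.
# Exit 0: a VALIDSIG line names PINNED_FPR as the primary key.
# Exit 1: no valid signature from that key.
# Exit 2: PINNED_FPR is not a full 40-hex-digit fingerprint (e.g. a key ID).
signer_matches() {
    expected=$(normalize_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    # VALIDSIG is only emitted for a cryptographically good signature.
    # Field 3 is the signing (sub)key fingerprint, field 12 the primary
    # key fingerprint; fall back to field 3 if field 12 is absent.
    awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == want) ok = 1
        }
        END { exit !ok }
    '
}

# Fingerprint as printed in the message above, assumed here to have been
# confirmed through some channel other than the keyserver.
PINNED='1793 D6AB 7566 3E6B F104  953A 634F 4BD1 E7AD 5568'

# Constructed status line carrying the subkey and primary fingerprints
# shown in the verification output above.
GOOD_STATUS='[GNUPG:] VALIDSIG 1CC01267007FABE65846685703D6568C837275A9 2016-07-08 1467968582 0 4 0 1 8 01 1793D6AB75663E6BF104953A634F4BD1E7AD5568'

# Constructed line for a made-up key whose short key IDs (837275A9 and
# E7AD5568) are identical but whose full fingerprints are not.
COLLIDING_STATUS='[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF837275A9 2016-07-08 1467968582 0 4 0 1 8 01 FEDCBA9876543210FEDCBA9876543210E7AD5568'

# Real use, with the paths from the message:
#   gpg2 --homedir /tmp/keyring/ --status-fd 1 --verify /tmp/testmessage \
#       2>/dev/null | signer_matches "$PINNED"
```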
