[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild

Samuel Thibault dijo [Wed, Aug 10, 2016 at 02:03:33PM +0200]:
> And actually, moving to 64bit fingerprints by default is possibly not a
> good idea: who knows when 64bit will not be secure any more? Estimating
> very roughly, if a 32bit collision can be found within a few seconds
> with one GPU now as evil32 seems to show, a supercomputer with 10000
> GPUs can find a 64bit collision within a month...
> Really, only signature paths should be looked at by people, and it seems
> like we are tending to let people think 64bit fingerprints are "secure".

That's the reason why a key by itself means little, but we do place
value on the web of trust around it. If a given 64-bit keyid takes a
month to generate¹, and the uploading developers keyring is somewhere
around the 820 keys (from which around 700 make up the strong set), it
would still take ~60 years to generate our full strong set of evil
twins. This is not trivial time.

Of course, Evil32 started aided with the power of numbers — It's not
that they search to make a evil-twin of every 32-bit keyid, but that
they generate keys as fast as they can, and just discard any key not
matching an existing keyid. The keyserver network currently carries
over 4.3 million keys, so roughly one every thousand generated keys
will match *something*¹. Of course, Evil32 is interested in the
keyservers' strong set, which I guess will be way smaller (but have no
numbers to back my hopes).

I believe we are safe to use 64-bit keys *for the time being*. Of
course, nobody will imply that it's as safe to use 64-bit as
160-bit. We should end accepting that human-usable keyids are not
worth their salt and move to full-fingerprint. But there are many
things to fix before that... Among them (and I might be mistaken here)
the PGP key format itself, as AFAICT signatures are stored based on
their long keyid (and not on full hashes)!


¹ Yes, the keyserver network carries several already collided keys —
  Such as the ones that prompted this thread!

Reply to: