Re: PGP/MIME signature verification

Subject: Re: PGP/MIME signature verification

Date: Wed, 22 Dec 2010 14:11:36 -0500

To: Sebastian Spaeth

Cc: notmuch

From: Daniel Kahn Gillmor


On 12/22/2010 09:38 AM, Sebastian Spaeth wrote:
>>> "sigstatus": [{"status": "error","keyid": "ED34CEABE27BAABC", "errors":
>>> 2}]
>>> (perhaps due to me not having your key???)
>>
>> yup, that is why you get that error.
> 
> Is there a possibility to squeeze a nicer error message out of it? :-)

that's a good question -- i'm not sure libgmime gives us much else to
work with (it is itself calling out to gpg, which in turn might not give
*it* much to work with), but i'll see if there's anything we can do
about that.

One potential concern with this kind of reporting is that (due to the
dirty details of the OpenPGP data signature format), differentiating
"you don't have this key in your keyring" from "you have this key, but
the signature is bad" is not fully possible.

For those who want the details:

 0) an OpenPGP signature contains the signature data itself, plus an
indicator of what key made the signature (the "issuer"):

  https://tools.ietf.org/html/rfc4880#section-5.2.3.5

 1) The indicator is the lower 64-bits of the OpenPGP fingerprint of the
signing key.

 2) OpenPGP fingerprints themselves are SHA-1 sums of (some fiddly
concatenation of) the creation time of the key and the public key
material itself:

  https://tools.ietf.org/html/rfc4880#section-12.2

However, the 64 bits of the key ID (while longer than the 32-bit pattern
commonly expressed like "0xDEADBEEF") isn't really a big-enough search
space to resist collision attacks by moderately-well-resourced adversaries.

That is, it's currently possible to have a computer farm powerful enough
to crank through the search space to create a valid OpenPGP key with any
chosen 64-bit key ID.

So if Alice has her legitimate key with key ID 0x0000DECAFBAD0000, and
Eve has a big computer, Eve can create a new OpenPGP key with the same
Key ID.  If Eve convinces Bob to load her own key into his keyring, then
what happens when Bob receives a signed message from Alice?

Bob's verifier will look at the message, see that it's signed by a key
with key ID 0x0000DECAFBAD0000, and then check the signature against his
copy of Eve's key.  But the signature doesn't verfiy!  This is actually
because Bob doesn't have Alice's key, of course, but his client has no
way of knowing that -- it just sees that it has a matching key that
doesn't verify.

So an attacker can convert a "you don't have this key" to a "you have
this key but the signature doesn't validate" without even tampering with
the message in transit (of course, an attacker who can tamper with the
message in transit can *also* make a signature fail to validate, just by
flipping a bit or two in either the message or the signature).

(note: don't despair!  the full 160-bit OpenPGP fingerprint space is not
currently under threat; only the 64-bit "key ID" has the above problem,
given our current understanding of cryptanalysis and the power of our
computing hardware).

	--dkg

signature.asc (application/pgp-signature)

Thread: