gpg --recv-key option

L. Sassaman
Sun, 26 Mar 2000 13:30:26 -0800 (PST)

Hash: SHA1

On Sun, 26 Mar 2000, Trevor Smith wrote:

> Here's a related question: what is the likelihood of a PGP/GPG key's
> fingerprint matching the fingerprint of another key? (This, of
> course, is a question about a 3rd party's ability to create a new,
> fake, key with the same fingerprint to stage a "man in the middle"
> attack.)
It is extremely unlikely, however possible, that two keys would share the same fingerprint. Obviously, the key data is larger then the fingerprint data, so overlaps are theoretically possible. However, other than brute-force generation of keys to match an existing key, an attacker would not be able to do what you propose... unless, of course, the hash algorithm is flawed. Neither SHA-1 (required if the key is DSS) or RIPEMD160 have any known attacks against them. MD5 has been proven to be insecure. Of course, the birthday attack scenerio is always an issue with hashes... so if you are just looking to generate two keys that share a fingerprint, your task is much easier than matching the fingerprint of an existing key. To date, there are no accidental (or known intentional) fingerprint overlaps. __ L. Sassaman System Administrator | "All of the chaos Technology Consultant | Makes perfect sense..." icq.. 10735603 | pgp.. finger:// | --Joe Diffie -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1d (GNU/Linux) Comment: OpenPGP Encrypted Email Preferred. iD8DBQE43oF6PYrxsgmsCmoRAsrfAJ4llGA5aA0L5CI+JKcj1Qh+aNQR0wCfdYsh OfCrOAtbTuQX/dEwLiMVtlQ= =wkpP -----END PGP SIGNATURE-----