duplicate keyid survey results

Oyvind A. Holm sunny@sunbase.org
Sat Mar 9 11:15:01 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2002-03-08 23:15 David Shaw wrote:
> On Sat, Mar 09, 2002 at 01:03:03PM +0900, Hironobu SUZUKI wrote:
> > I'd like to return only a "Found duplicate keys" status to the
> > client. If the keyserver returns all of the duplicate key contents
> > to the client, it can be used for another DoS attack.
>
> How?
>
> The user does not know if any key from a keyserver is valid or not.
> Even if an attacker creates hundreds of duplicate keys, it does not
> matter since the signatures are what is used to check if the key is
> valid.

This is where the fingerprint comes into use. To ensure you have the key
belonging to the actual user, there has to be some additional
communication to verify that it's not someone who has generated a key
with a false name on it. Even if a false key is used, the only problem
is that the receiver can't read the encrypted message. (I take it for
granted that the sender knows the receiver's actual email address.) This
could lead to a mess and could be a problem. I don't know of any
methods to avoid this problem, except spreading your fingerprint
actively to make it easier for other people to verify the authenticity
of the key. The keys from a keyserver are genuine 99% of the time, but
there is always a chance someone has made his own key with the same
name on it.

> > Then, the user can select between two things: retrieve by 64-bit
> > keyid or via the Web interface.
> >
> > The user may access an exact key via the Web interface with the
> > database OID number (these numbers do not appear to the user) to
> > check key contents and get it at their own risk.
>
> It is easy to make even a duplicate 64-bit keyid.

Shouldn't the internal CRC routines help avoid this? I doubt it
would be an easy task to duplicate the 64-bit key _and_ satisfy the
SHA1 checksum.

> If the keyserver makes the user go through many extra steps to get a
> key if there is a duplicate keyid, then that is a (mild) denial of
> service as well.

Not many extra steps needed here, just a list of all the keys to
choose from. One extra step.

Another thing is when GPG itself gets the key from a server, for
example when verifying a signed text and you don't have the actual key
from before. Will GPG then use the 32-bit keyID to get the key from the
server?

Greetings from Norway,
Øyvind

#####################################################################
# OpenPGP: 0x629022EB 2002-02-24 Øyvind A. Holm <sunny@sunbase.org> #
# Fingerprint: DBE9 8D44 67F7 42AC 2CA1  7651 724E 9D53 6290 22EB   #
################### &#x262E;, &#x2665; and Linux. ###################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)

iD8DBQE8id/Gck6dU2KQIusRAlNrAJoDaVq06NRUinm56VpDqOMiqF4swwCfS8qw
73Bf5om1z0JckwQJ5Nv1b1E=
=h5HH
-----END PGP SIGNATURE-----
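
Added example, not part of the original message or of any keyserver or GnuPG code: it shows how the 32-bit and 64-bit key IDs discussed in this thread relate to the full fingerprint of a v4 key (RFC 4880, section 12.2), and how a client can list duplicates and accept only the key whose full fingerprint was verified out of band. The two extra candidate fingerprints and the packet body are constructed sample values, and the function names are hypothetical.

```python
import hashlib
from collections import defaultdict

def v4_fingerprint(pubkey_packet_body: bytes) -> str:
    # RFC 4880 sec. 12.2: SHA-1 over 0x99, two-octet length, public-key packet body.
    prefix = b"\x99" + len(pubkey_packet_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_packet_body).hexdigest().upper()

def normalize(fpr: str) -> str:
    # Accept "DBE9 8D44 ..." or "0x..." forms and return bare upper-case hex.
    fpr = "".join(fpr.split()).upper()
    return fpr[2:] if fpr.startswith("0X") else fpr

def keyid(fpr: str, hex_digits: int) -> str:
    # A v4 key ID is only the low-order end of the fingerprint:
    # 16 hex digits for the 64-bit ID, 8 for the 32-bit ID.
    return normalize(fpr)[-hex_digits:]

def duplicates(fprs, hex_digits):
    # Group candidate keys by truncated ID; keep IDs shared by more than one key.
    groups = defaultdict(list)
    for f in fprs:
        groups[keyid(f, hex_digits)].append(normalize(f))
    return {k: v for k, v in groups.items() if len(v) > 1}

def pick_verified(fprs, trusted_fpr):
    # Accept only the candidate whose full 160-bit fingerprint equals the one
    # obtained out of band; a key ID match alone is never sufficient.
    want = normalize(trusted_fpr)
    matches = [normalize(f) for f in fprs if normalize(f) == want]
    return matches[0] if matches else None

# Fingerprint as printed in the signature block of the message above.
PAGE_FPR = "DBE9 8D44 67F7 42AC 2CA1  7651 724E 9D53 6290 22EB"
# Constructed strings (not real keys) that share its low 32 and low 64 bits.
CANDIDATES = [
    PAGE_FPR,
    "0123456789ABCDEF0123456789ABCDEF629022EB",
    "FFFFFFFFFFFFFFFFFFFFFFFF724E9D53629022EB",
]

if __name__ == "__main__":
    body = bytes.fromhex("04" "3C7A0000" "11") + b"constructed, not a real key"
    print("fingerprint of constructed packet:", v4_fingerprint(body))
    print("32-bit duplicates:", duplicates(CANDIDATES, 8))
    print("64-bit duplicates:", duplicates(CANDIDATES, 16))
    print("accepted key:", pick_verified(CANDIDATES, PAGE_FPR))
```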