key server security

David Shaw dshaw@jabberwocky.com
Sat Jun 21 16:02:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jun 19, 2003 at 03:09:41PM -0500, Kyle Hasselbacher wrote:

> After a thread about a faked key on a key server (which doesn't
> check signatures), I started thinking about a key server which DOES
> check signatures, and strips those it finds lacking.  How do I
> attack such a system?

You could try an overload.  One of the interesting things about DSA
signatures is that they are more expensive to verify than to generate.
You could flood a keyserver with a ton of data that costs it more to
verify than it costs you to generate.  (In reality, this probably
doesn't matter much - you could flood with anything, but DSA makes it
a bit worse).

Still, the real question here is what do you mean by "lacking"?

> Is there a good reason NOT to use a DB backend (like Postgres) to do
> the storage?

No good reason.  Most keyservers do.

> What's the impact of a black hat owning a key server?

Possible DoS, but no real impact as to the security of a given key
since PGP or GnuPG is going to recheck the key when importing it
anyway.  That is, if you can get a key from an owned server, it may be
corrupt, it may have important bits removed (say, if an attacker
didn't want you using certain subkeys), but what you do get that
passes the local check is going to be valid (if not usable).

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+9GWW4mZch0nhy8kRAnVvAKCwDiYkhchbT6u6IkfE2+j1hM7i8gCgvjey
BjsJCSotXZT05CLBMrDDfUk=
=0Bmk
-----END PGP SIGNATURE-----