key-signing and stolen subkeys

David Shaw dshaw at jabberwocky.com
Sun May 23 20:33:50 CEST 2004 

On Sun, May 23, 2004 at 12:55:25PM -0400, Atom 'Smasher' wrote:
> On Sun, 23 May 2004, David Shaw wrote:
> 
> > Mallory doesn't issue the challenge.  The person who Mallory wants to
> > sign his or Alice's key issues the challenge.
> >
> > A challenge is of no use to someone else since Mallory doesn't get to
> > issue it in the first place.
> ======================
> 
> i think mallory could trick someone into using his challenge. mallory is
> adept at the fine art of social engineering.
> 
> ~you~ know better than to accept a cooked challenge; alice does not.
> mallory agrees to a challenge with you and expects you to sign it send it
> to him. at the same keysigning party, mallory offers the same challenge to
> alice, who is new to pgp and accepts mallory's non-random challenge.
> 
> mallory can present your signing key to alice and/or alice's signing key
> to you, and he can "prove" to both of you that he has the corresponding
> secret keys. both you and alice could be fooled into signing a bogus
> key... if the only thing that's signed is the challenge. this attack can
> be defeated by not accepting (or generating) a signed challenge unless it
> explains what that challenge is being used for, and by whom.

Work a signing scenario through and you will see your mistake.  He
can't prove anything because ** he does not issue the challenge **.

Let me restate your argument:

   Alice, Mallory, and Baker attend a key signing party.

   Mallory sends a challenge to Alice and Baker.  Because he's trying
   to do something sneaky, he uses the same challenge for both.

   Alice signs Mallory's challenge.

   Baker signs Mallory's challenge.

Now Mallory has the same challenge signed by both Alice and Baker.  So
what?  He can't give it to Baker to persuade Baker to sign anything
since BAKER issues challenges for BAKER.  He can't give it to Alice to
persuade Alice to sign anything since ALICE issues challenges for
ALICE.  The person requesting proof always issues the challenge, or
there is no point in challenging.

If I was going to sign your key, I would issue YOU a challenge.  Not
vice versa, since there is no point in you issuing a challenge to me.
I don't need to prove key ownership, but you do.

David

More information about the Gnupg-users mailing list