Q: Local keyring security, attacks and lsign

Stewart V. Wright svwright+lists at amtp.liv.ac.uk
Fri Sep 3 16:17:17 CEST 2004


I've been pondering an attack, or perhaps a lack of my understanding
of GnuPG, and I was wondering if anyone had any opinions.

Take the following example:
I have recently upgraded to the 1.2.6 release.  Before installing I
verified the .sig associated with the source...
  gpg --verify gnupg-1.2.6.tar.bz2.sig

Fortunately(!) I got a good signature:
  gpg: Signature made Wed 25 Aug 2004 16:29:58 BST using DSA key ID 57548DCD
  gpg: Good signature from "Werner Koch (gnupg sig) < HIDDEN ;) >"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 6BD9 050F D8FC 941B 4341  2DCC 68B7 AB89 5754 8DCD

So I unpacked the file, compiled it up and installed.

The problem in _my_ usage is that I did not verify that the signing
key is the key that I have associated with Werner, i.e. I didn't check
that the fingerprint displayed is correct.  I saw "Good signature", I
saw "Werner Koch" and _assumed_ everything was OK.

As I am on a (relatively) public system there is the possibility of
someone (for example root) accessing my account and adding another
key, with the same details as Werner's to my key ring.  Thus the
attacker could, in theory, substitute packages with valid signatures
(from the impostor key), which I would then think was an untampered

There are (at least) two obvious solutions.  The first is for me to
expand my web of trust so that Werner's key is in my trusted set.
The second is for me to verify the fingerprint each time I check a
signature, however I am looking for something a little more practical,
or more simple maybe.

 * Does "lsign"ing Werner's key make sense in this case?
      I _think_ what I want to achieve is a way to say "this is the
      key that I have added" (and adding a signature is something that
      makes the attack harder) without assigning too much trust in the
      key itself (which seems to be opposite to the lsign)...
 * Would generating a "lsign"ing key which is itself only partially
   trusted be the way to go?

Any ideas, suggestions, corrections, thoughts, flames, rants?  :-)




More information about the Gnupg-users mailing list
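
The fingerprint check that the post lists as its second solution can be scripted so it happens on every verification. The following is an added example, not part of the original message or of GnuPG: it reads gpg's machine-readable `--status-fd` output and accepts a signature only when the reported fingerprint equals a pinned one. The function names and the sample status lines are constructed for illustration, and the pinned value is the fingerprint shown in the post, assumed here to have been confirmed out-of-band.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint instead of trusting the user ID.
# PINNED_FPR is the fingerprint printed in the post above; this sketch assumes
# it was confirmed out-of-band before being written here.
PINNED_FPR="6BD9 050F D8FC 941B 4341  2DCC 68B7 AB89 5754 8DCD"

# Constructed status output: an impostor key carrying Werner's user ID.
# gpg reports GOODSIG for it; only the fingerprint gives it away.
SAMPLE_IMPOSTOR='[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Werner Koch (gnupg sig)
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2004-08-25 1093447798 0 3 0 17 2 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# normalize_fpr FPR: strip whitespace, uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# check_status PINNED: read `gpg --status-fd` lines on stdin, print the
# fingerprint gpg reported, and succeed only if it equals PINNED.
check_status() {
    want=$(normalize_fpr "$1")
    got=$(awk '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        # Field 3 is the signing key; field 12, when gpg emits it, is the
        # primary key fingerprint, which is what gets pinned.
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && fpr == "" {
            fpr = (NF >= 12 ? $12 : $3)
        }
        # Require GOODSIG too: expired or revoked keys use other keywords.
        END { if (good) print fpr }')
    got=$(normalize_fpr "$got")
    printf '%s\n' "$got"
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_pinned SIGFILE [DATAFILE]: run gpg and apply the check.
# gpg's human-readable output (stderr) is discarded; only status lines count.
verify_pinned() {
    gpg --status-fd 1 --verify "$@" 2>/dev/null |
        check_status "$PINNED_FPR" >/dev/null
}
```

The pinned value protects only as long as the script is stored where whoever can alter the keyring cannot also alter it.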