Weakness in the keyserver network (Was Re: Global Directory signatures)

Jason Harris jharris at widomaker.com
Fri Jan 7 05:16:40 CET 2005


On Thu, Jan 06, 2005 at 10:22:02PM -0500, David Shaw wrote:
> On Thu, Jan 06, 2005 at 07:27:11PM -0500, Jason Harris wrote:

> The whole meaning of non-exportable is that the signatures are, well,
> non-exportable.  Having the GD issue non-exportable signatures rather
> defeats the point of the thing.  Forgetting for a minute the protocol
> issues with this, a simple practical reason why this won't work is
> that GnuPG won't import a non-exportable signature without modifying
> the config, and PGP won't do it at all.  Mandating code changes in the
> clients isn't going to happen since it would require all GD users to
> upgrade, which is unrealistic.

OK, so GPG users are ahead of the curve because we had to upgrade
to 1.4.0 to talk to this new keyserver anyway.

> You call the GD a "nuisance".  I don't agree.  We can have that
> discussion if you like, but perhaps more interesting is that the GD,

Oh no, our positions are very clear on this point.  (Besides, didn't
you say they consulted with you about the GD?  :)

> nuisance or not, is illuminating weaknesses in the keyserver network.
> The keyserver network is dependent on clients being well-behaved.
> That's a recipe for abuse if I ever saw one.

So, you can DoS a webserver without even modifying content on it.
How is this news?

> To make an extreme example, say there was a rogue signer, pumping out
> thousands of signatures a day onto the keyserver network, all set to
> expire in a week.  Due to the design of the web of trust, there is no
> real impact on it.  However, there is an ugliness to all those
> signatures.  UI displays (e.g. vindex) are rendered almost useless.
> Over time, this approaches a denial of service when the signed keys
> get so big they can't easily be downloaded.  The keyserver database
> gets huge.  Lots of bandwidth is used to sync all of those signatures
> between the various nodes in the keyserver net.  It gets messy fast.

Right, but let someone open some free webmail accounts, create some
[Open]PGP keys, start placing keys on the GD, and start signing every
key they find there.

Even better, use a dyndns service and create unlimited email accounts
all from the comfort of your own DSL line.

> Now, to be sure, this isn't a brand new keyserver attack that nobody
> ever thought of, plus the GD is nowhere near as bad as my example

Or is it?  Uploading garbage keys is still a DoS attack.

> above.  The GD behavior (being a very prolific signer, with no
> particular effort taken to prevent signatures leaking from the GD onto
> the keyserver net) is just a reminder that the keyserver net is
> vulnerable to this sort of flooding.

Right, but adding cryptographic checks and enforcing no-modify flags
will just shift the DoS attack to uploading garbage keys instead of
bloating existing keys.  Of course, if we come to that, real
no-modify checks will trump the GD by keeping signatures from bogus
keys from littering actual keys.

> If you need a reason other than someone just being mean, spammers
> could fairly easily get keyservers to display their ads with this sort
> of flooding.  There's incentive right there.  You'll forgive me for
> not going into excessive detail how exactly to do it, I hope :)

I'm betting they'll do that with photo IDs first.

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
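
The no-modify enforcement and the signature flood this message argues about, as an added example that is not part of the original post nor code from GnuPG, PGP, SKS or the GD: a toy keyserver merge policy in Python. It reads the Key Server Preferences no-modify flag (RFC 4880 section 5.2.3.17) from each user ID's self-signature, counts third-party certifications per user ID, strips them where the flag is set, and optionally caps them elsewhere, which goes beyond the thread's no-modify proposal. The key it runs on is constructed inline from dummy, non-functional key material; the function names, the cap parameter, the sample user IDs and the rogue key IDs are assumptions, and nothing is cryptographically verified.

```python
"""Toy OpenPGP keyserver merge policy (added example, not GnuPG/PGP/SKS/GD code): honour the
'no-modify' Key Server Preferences flag (RFC 4880 5.2.3.17) and cap third-party certifications per
user ID. Structure only, nothing verified: a real keyserver must first verify the self-signature."""
import hashlib
import struct

TAG_SIG, TAG_PUBKEY, TAG_UID = 2, 6, 13
SUB_CREATION, SUB_ISSUER, SUB_KS_PREFS = 2, 16, 23
NO_MODIFY = 0x80                        # bit 7 of the first Key Server Preferences octet
CERT_TYPES = {0x10, 0x11, 0x12, 0x13}   # certification signature types over a user ID

def _enc_len(n):                        # new-format length octets, 1- or 2-octet form (RFC 4880 4.2.2)
    return bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])

def _dec_len(buf, i, two_octet_max):    # -> (length, body offset); partial and 5-octet forms rejected
    first = buf[i]
    if first < 192: return first, i + 1
    if first <= two_octet_max: return ((first - 192) << 8) + buf[i + 1] + 192, i + 2   # 223 packets, 254 subpackets
    raise ValueError("unsupported length octet %d" % first)

def packet(tag, body): return bytes([0xC0 | tag]) + _enc_len(len(body)) + body
def subpacket(stype, body): return _enc_len(len(body) + 1) + bytes([stype]) + body

def iter_packets(data):                 # (tag, body) per new-format packet
    i = 0
    while i < len(data):
        assert data[i] & 0xC0 == 0xC0, "old-format packet header not supported here"
        n, j = _dec_len(data, i + 1, 223)
        yield data[i] & 0x3F, data[j:j + n]
        i = j + n

def key_id(pub_body):                   # v4 key ID: low 64 bits of the fingerprint (RFC 4880 12.2)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pub_body)) + pub_body).digest()[-8:]

def parse_signature(body):
    """Type, issuer and Key Server Preferences of a v4 signature. The issuer may sit in either area
    (GnuPG writes it unhashed) and is a forgeable hint until the signature is verified; preferences
    are honoured only from the hashed area, the part a signature actually covers."""
    assert body[0] == 4, "only v4 signatures handled"
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    sig = {"type": body[1], "issuer": None, "ks_prefs": 0}
    for area, hashed in ((body[6:6 + hlen], True), (body[8 + hlen:8 + hlen + ulen], False)):
        i = 0
        while i < len(area):            # subpacket = length octets, type octet, body
            n, j = _dec_len(area, i, 254)
            stype, sbody, i = area[j] & 0x7F, area[j + 1:j + n], j + n   # 0x7F drops the critical bit
            if stype == SUB_ISSUER and len(sbody) == 8:
                sig["issuer"] = bytes(sbody)
            elif stype == SUB_KS_PREFS and hashed and sbody:
                sig["ks_prefs"] = sbody[0]
    return sig

def apply_keyserver_policy(key_data, max_third_party=None):
    """Return (filtered key, per-user-ID report): third-party certifications are dropped where
    the self-signature sets no-modify, and beyond max_third_party (if given) elsewhere."""
    packets = list(iter_packets(key_data))
    assert packets and packets[0][0] == TAG_PUBKEY, "stream must start with a public-key packet"
    owner, groups = key_id(packets[0][1]), [(None, [])]   # groups: [(user ID, [(tag, body, sig)])]
    for tag, body in packets:
        if tag == TAG_UID:
            groups.append((body.decode("utf-8", "replace"), []))
        groups[-1][1].append((tag, body, parse_signature(body) if tag == TAG_SIG else None))
    out, report = bytearray(), {}
    for uid, members in groups:
        certs = [s for _, _, s in members if uid is not None and s and s["type"] in CERT_TYPES]
        no_modify = any(s["issuer"] == owner and s["ks_prefs"] & NO_MODIFY for s in certs)
        entry = {"no_modify": no_modify, "self_sigs": 0, "third_party": 0, "dropped": 0}
        for tag, body, sig in members:
            if sig in certs and sig["issuer"] != owner:
                entry["third_party"] += 1
                if no_modify or (max_third_party is not None and entry["third_party"] > max_third_party):
                    entry["dropped"] += 1
                    continue
            elif sig in certs:
                entry["self_sigs"] += 1
            out += packet(tag, body)
        if uid is not None:
            report[uid] = entry
    return bytes(out), report

# Constructed sample key: dummy, non-functional key material and signature MPIs.
DUMMY_N = int.from_bytes(hashlib.sha256(b"constructed").digest() * 8, "big") | 1 << 2047
def _mpi(x): return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")

def _cert(issuer, ks_prefs=0):          # v4 RSA/SHA-1 certification (type 0x10), never actually signed
    hashed = subpacket(SUB_CREATION, struct.pack(">I", 1100000000)) + subpacket(SUB_KS_PREFS, bytes([ks_prefs]))
    unhashed = subpacket(SUB_ISSUER, issuer)
    return packet(TAG_SIG, b"\x04\x10\x01\x02" + struct.pack(">H", len(hashed)) + hashed
                  + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + _mpi(DUMMY_N >> 1))

def build_sample_key(n_flood=3):
    """Two user IDs, the first with no-modify; each gets n_flood rogue certs, those on the second claiming no-modify."""
    pub = b"\x04" + struct.pack(">I", 1100000000) + b"\x01" + _mpi(DUMMY_N) + _mpi(65537)
    owner, rogue = key_id(pub), [struct.pack(">Q", 0xBAD0000000000000 + k) for k in range(n_flood)]
    return (packet(TAG_PUBKEY, pub) + packet(TAG_UID, b"Alice (constructed) <alice@example.org>")
            + _cert(owner, NO_MODIFY) + b"".join(_cert(r) for r in rogue)
            + packet(TAG_UID, b"Alice (no flag) <alice@example.net>") + _cert(owner)
            + b"".join(_cert(r, NO_MODIFY) for r in rogue))
```

Calling apply_keyserver_policy(build_sample_key(), max_third_party=2) returns a report in which the no-modify user ID sheds all three rogue certifications while the unflagged one keeps them up to the cap, and a rogue certification that itself claims no-modify changes nothing because only the key owner's self-signature is consulted. The third_party count is the flood indicator a keyserver could alarm on. The caveat matters in practice: a server that, like the SKS-style network, never verifies signatures would be taking the issuer subpacket on faith, and anyone could then upload a bogus "self-signature" carrying the owner's key ID and the no-modify bit to make the server strip every legitimate certification from that key, so the flag must only be honoured after the self-signature has been verified against the key.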

More information about the Gnupg-users mailing list