Weakness in the keyserver network (Was Re: Global Directory signatures)

Jason Harris jharris at widomaker.com
Fri Jan 7 23:00:08 CET 2005

On Fri, Jan 07, 2005 at 12:01:33AM -0500, David Shaw wrote:
> On Thu, Jan 06, 2005 at 11:16:40PM -0500, Jason Harris wrote:

> > So, you can DoS a webserver without even modifying content on it.
> > How is this news?
> It's not.  Nor is that the point.  The point is that the keyserver net
> was vulnerable, but nobody really cared.  Now there is something that
> will eventually cause a problem due to this vulnerability.  Plus, the

You should specifically point out that you're referring to the GD here.

> > Right, but let someone open some free webmail accounts, create some
> > [Open]PGP keys, start placing keys on the GD, and start signing every
> > key they find there.

> Quite so, but this is a massively more difficult attack against the GD
> than it is against the keyserver net.  The GD requires mailback
> authentication, so the pace of adding keys cannot be nearly what it is
> on the keyserver net where you can just add keys directly 24/7.

So it will take a bit more programming to make the GD accept the bogus
keys.  Or, maybe throwing keys at the GD and having it spam the world
will be a sufficiently entertaining attack.

> Plus, remember that unlike the keyserver net, the GD is under the
> control of a single entity.  Abuse it too much, and they can simply
> lock you out and refuse to accept more keys and/or key approval web
> hits from your IPs.  That simple response doesn't work on the
> keyserver net, where you'd need to get all operators to agree to block
> an abuser, plus the abuser can resort to other means of getting the
> keys in (email would be a good way in).  It's not impossible to block
> an attacker from sending to the keyserver net, but it is certainly
> vastly more difficult.

[Don't forget, David, I administer one pks and one SKS keyserver.]

If you want to run a pks server where you have to put all new keys in
via pksclient, go for it.  Automating emailed updates of existing keys
is doable with programs running totally outside the keyserver, even to
the point of implementing no-modify.  Require signatures from your own
RobotCA key if you want to.

I don't consider any of this difficult, but I will not like having to
implement it only to thwart attacks.

Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050107/db22effd/attachment.bin

More information about the Gnupg-users mailing list