Forging fingerprints/KeyID?

David Shaw dshaw at jabberwocky.com
Tue Nov 29 05:17:54 CET 2005


On Tue, Nov 29, 2005 at 01:24:18AM +0100, Christoph Anton Mitterer wrote:
> Hi.
> 
> Somewhere (unfortunately I've lost the URL) I've read about forging 
> fingerprints and/keyIDs (not sure)....
> Meaning that an attacker could create a key (but as far as I remember 
> with a different keysize onlz) that has the same fingerprint and/or 
> keyID as another key.
> 
> Is that true?
> Are there any information about that issue? How it works, how I can 
> secure myself against it, etc.

It was true, but not true any longer.  Back in the PGP 2.x days, it
was possible to create a key with (almost) any key ID you liked.  See
the various "DEADBEEF" keys on the keyservers for example.  Similarly,
it was possible to create a key that had the same fingerprint as a
(also PGP 2.x) victim/target key.

If you have a OpenPGP (v4) key, such as created by GnuPG, then this
basically doesn't apply to you.

David



More information about the Gnupg-users mailing list