Modified user ids and key servers and a possible security risk?

Gregor Zattler telegraph at gmx.net
Wed Aug 25 19:11:09 CEST 2010


Hi Daniel, gnupg-users,
* Daniel Kahn Gillmor <dkg at fifthhorseman.net> [25. Aug. 2010]:
> On 08/25/2010 12:18 PM, thomas weidner wrote:
>> Some sources on the web suggested leaving a message in the old
>> key which states that the key is not used any more. To do this
>> I binary edited a gpg file and uploaded the modified old key
>> to the keyserver again. The result looked promising:
>> http://pgpkeys.pca.dfn.de/pks/lookup?op=vindex&search=0x6260AB5E079E8AA6
>>
>> Is this a security risk? I could do this for any key and leave
>> wrong messages on the key server which point to some other key. After
>> a discussion on #gnupg I was told that gpg will not import the added
>> user id because the signature is wrong. While this is great for
>> security, the key server still shows the user id. Is it a bug in the
>> key server that it does not check new data for validity?
> 
> keyservers do no cryptographic verification whatsoever.  I think this is
> (historically) for several reasons:
> 
>  0) the clients receiving the OpenPGP certificates need to verify the
> material anyway, and
> 
>  1) adding the cryptographic checks to the keyservers is a non-trivial
> amount of work, and
> 
>  2) there is no guarantee that the keyservers will support any specific
> cryptographic protocol.  For example, as elliptic curve keys get rolled
> out for OpenPGP, what should cryptographic-capable (RSA, DSA, and
> ElGamal) keyservers do with such new keys?  what should they do with
> certifications over old keys made by such keys?  And
> 
>  3) With the exception of self-signatures, it's entirely possible that
> the keyserver does not have a copy of the issuer's key, and so can't
> compute the validity of the signature in the first place.

But the selfsig would be enough to verify the legitimacy of new
user ids.
 
> So: is this a cryptographic risk? no, not for clients who verify things
> on their own.  

Doesn't this open a denial of service attack vector on OpenPGP's
PKI infrastructure?  I could binary edit your key, the key server
adds it.  Your correspondent is then not able any more to import
your key from the server...

> Is it a risk of cruft accumulating in the keyservers?
> yep.  Does it mean you shouldn't trust the information you see published
> in a keyserver web page without fetching the keys and verifying them
> locally?  yes, but that remains true whether or not you believe that the
> keyserver is implementing cryptographic checks, as the keyserver itself
> could be compromised.
> 
> On balance, i think we should probably start considering adding crypto
> to keyservers, with the knowledge of these particular constraints.  But
> it's not there yet.
> 
> As always, i'd be happy to hear other people's perspectives on this stuff.
> 
> 	--dkg
> 
> [0] http://tools.ietf.org/html/draft-jivsov-openpgp-ecc-05
> 



Ciao, Gregor
-- 
 -... --- .-. . -.. ..--.. ...-.-
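
Added example, not part of the original thread and not GnuPG's or any keyserver's code: a Python version of the client-side check discussed above, which accepts a User ID only if a certification signature over it verifies against the certificate's own primary key. It assumes the RFC 4880 packet layout with v4 RSA keys and SHA-256 signatures; the function names are illustrative, and expiry and revocation are not evaluated.

```python
import hashlib
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo (RFC 8017)

def packets(data):
    """Yield (tag, body) per OpenPGP packet (RFC 4880 4.2); definite lengths only."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                                   # new-format header
            tag, n = hdr & 0x3F, data[i]; i += 1
            if 192 <= n < 224:                           # two-octet length
                n = ((n - 192) << 8) + data[i] + 192; i += 1
            elif n == 255:                               # five-octet length
                n = int.from_bytes(data[i:i + 4], "big"); i += 4
            elif n >= 224: raise ValueError("partial body lengths not handled")
        else:                                            # old-format header
            tag, w = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if w == 8: raise ValueError("indeterminate length not handled")
            n = int.from_bytes(data[i:i + w], "big"); i += w
        yield tag, data[i:i + n]; i += n

def mpi(buf, off):  # read one multiprecision integer -> (value, next offset)
    end = off + 2 + (int.from_bytes(buf[off:off + 2], "big") + 7) // 8
    return int.from_bytes(buf[off + 2:end], "big"), end

def selfsig_ok(key, uid, sig):
    """True if sig is a valid v4 RSA/SHA-256 certification (0x10-0x13) of uid by key."""
    if (len(key) < 6 or len(sig) < 10 or key[0] != 4 or sig[0] != 4
            or key[5] not in (1, 3) or not 0x10 <= sig[1] <= 0x13 or sig[3] != 8):
        return False
    n, off = mpi(key, 6); e, _ = mpi(key, off)
    hlen = int.from_bytes(sig[4:6], "big")               # hashed subpacket length
    s, _ = mpi(sig, 10 + hlen + int.from_bytes(sig[6 + hlen:8 + hlen], "big"))
    hashed, k = sig[:6 + hlen], (n.bit_length() + 7) // 8
    if k < 62: return False                              # modulus too small for the padding
    digest = hashlib.sha256(b"\x99" + len(key).to_bytes(2, "big") + key + b"\xb4"
        + len(uid).to_bytes(4, "big") + uid + hashed + b"\x04\xff"
        + len(hashed).to_bytes(4, "big")).digest()
    em = b"\x00\x01" + b"\xff" * (k - 54) + b"\x00" + SHA256_PREFIX + digest
    return pow(s, e, n) == int.from_bytes(em, "big")

def verified_uids(cert):
    """Map each User ID (bytes) to True only if a signature after it verifies."""
    key, uid, out = None, None, {}
    for tag, body in packets(cert):
        if tag == 6 and key is None: key = body          # primary public key
        elif tag == 13: uid = body; out.setdefault(uid, False)
        elif tag == 2 and key and uid is not None and selfsig_ok(key, uid, body):
            out[uid] = True
    return out
```

A User ID appended by editing the binary certificate, with or without a signature copied from another User ID, maps to False here, while a keyserver that does no verification would still list it.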


