hashed user IDs [was: Re: Security of the gpg private keyring?]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Mar 1 02:54:25 CET 2011


On 02/28/2011 07:44 PM, Grant Olson wrote:
> I think something similar could be done with hashed emails.  Just some
> (non)standard like:
> 
> hashed_uid://$SHA1_OF_EMAIL/$RIPEMD_OF_EMAIL
> 
> But using something better than my obviously naive hash-collision
> prevention algorithm.

this is (very roughly) what we came up with too (our approach to
avoiding hash collisions was to use a stronger hash instead of 2 weak
hashes).

You can pull a copy of a stalled/never-submitted Internet-Draft from here:

  git://lair.fifthhorseman.net/~dkg/openpgp-hashed-userids

If anyone wants to push this further, please let me know.

However, i'm quite serious about the flaws paralleling the failures of
NSEC3 to prevent DNS zone enumeration.  the problem space is slightly
different, but i think the math comes out about the same in terms of the
cost of trying to brute force these things.

Ultimately, i think Hashed User IDs provide only weak benefit against
the equivalent of zone enumeration through the keyservers (which is
presumably the goal), so understanding these arguments and providing a
convincing refutation of them (or outlining an entirely different
benefit) is probably the first task someone would need to take on.

I'm not convinced that the tradeoff is worth it myself, but if someone
wanted to make the argument, i'd be happy to listen.

> If that could be agreed on, you could probably get a few mailing list
> regulars to add that ID in addition to their normal UIDs.

Having a hashed User ID alongside your non-hashed User ID provides no
benefit at all (unless you consider confusing people trying to
understand and/or certify your OpenPGP certificate a benefit).

This would only be helpful to people who use nothing but hashed user IDs
on their keys.

> From there
> start with a shell script that writes out a correct 'gpg --search-keys'
> request.  Then on to more advanced things, like adding hashed_uid search
> to the default sks-keyserver pages, enigmail integration, etc.

yes, this is the implementation work that would need to be done.
Whoever wants to pick it up needs to also pay particular attention to
the user experience.  OpenPGP tools are pretty confusing already, so
thinking through how to hide the gibberish (hashed userids) in the
background and present the user with something intelligible would be a
critical step toward making this something anyone might want to adopt.

I wish i had a better solution to offer to this concern.

Regards,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110228/4ba1dad0/attachment.pgp>


More information about the Gnupg-users mailing list