[Enigmail] Popescu and keys

Werner Koch wk at gnupg.org
Thu May 21 21:37:59 CEST 2015 

On Thu, 21 May 2015 18:23, dkg at fifthhorseman.net said:

> At least one of the keys he claimed to have broken is a degraded copy of
> one of H. Peter Anvin's actual subkeys, as Hanno Böck pointed out here:

That reminds if of a private discussion I had last autumn.  Some guy
downloaded most RSA keys from a keyserver and tried to factor 1.9
million moduli.  They found 30 keys with a subkey having one of the
first 1000 primes as a factor.  He asked a few of them and while most
used different versions of GnuPG one recalled to have used a commercial
PGP tool to create the key in 2007.  I looked at 8 of those keys and
found that 2 are likely PGP created and 6 are by GPG.

 | Mail | S | factor | size | keyid    |    created |
 |------+---+--------+------+----------+------------|
 | xxxx | g |    0x3 | 4096 | xxxxxxx7 | 2010-12-28 |
 | xxxx | p | 0x49a3 | 3001 | xxxxxxx2 | 2007-04-29 |
 | xxxx | g | 0x1125 | 4096 | 1299816A | 2011-09-22 |
 | xxxx | g | 0x182d | 2048 | xxxxxxx3 | 2011-09-23 |
 | xxxx | g |    0x3 | 4096 | xxxxxxxB | 2011-08-09 |
 | xxxx | g | 0xc29b | 4096 | xxxxxxx0 | 2011-02-02 |
 | xxxx | g | 0x3cb3 | 2048 | xxxxxxxC | 2012-02-07 |
 | xxxx | p |   0x1f | 2048 | xxxxxxxF | 2010-01-18 |

These are all encryption subkeys.  The third key is the one from
H. Peter Anvin.  I have not found one of the fingerprints given in the
said blog posting: gpg removed it while importing the key.  It is a bit
disturbing that the other subkey listed above has a good key binding
signature.

I got distracted for some time and a few weeks later the PGP team at
Symantec reported back that these are all duplicated subkeys where the
other subkey had no small factors.  Their thesis is that this happened
due to memory corruption while merging a key.  They planned to
investigate that further using the PGP SDK but, like me, the case was
more or less forgotton.

Incidentally, I met one of the other guys with a broken subkey at
LinuxCon and he told me that some folks complained that they can't
encrypt to him.  For other this was no problem, though.

My conclusion is that there are two issue: 

 - Someone adding broken subkeys to the keyservers with a bad
   key-binding signature.  No problem at all.

 - About 30 key with a valid key binding but with a partly duplicated
   subkey where both have a valid key binding signature.  Most likely a
   software bug.



Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list