Toggle the authenticate capability

Andrew Gallagher andrewg at andrewg.com
Mon Dec 5 13:54:31 CET 2016


On 05/12/16 11:18, Peter Lebbing wrote:
> On 05/12/16 00:09, Andrew Gallagher wrote:
>> Mathematically, authentication is just a special case of
>> signing, so having both S and A on a subkey does not introduce extra
>> vulnerabilities (that we know of).
> 
> Mathematically, I think you're wrong, it's very vulnerable :-).
> Authentication is signing the challenge sent to you by someone else,
> signature is signing the data you wish to approve of in some way. So if
> I can send you a challenge that would turn into a nice signature of you
> authorizing a bank payment to me, that would be easy money.

You don't need A capability to perform this attack though - so long as
you can social-engineer your way to getting someone to sign a message
of your choice. This isn't a *mathematical* vulnerability but an
implementation/procedural one, and it's not technically "extra" -
although it could be viewed as widening an already existing hole. ;-)

OK, I'm clutching at straws. I'll bail out of this argument now. ;-)

> When I brought up the issue some time ago here, I got no response, so I
> concluded it's not a problem. I was worried that some future
> authentication mechanism might actually produce the same data structure
> as a normal signature, but the lack of shared concern made me think it's
> probably not an issue then.

Yes, from an implementation point of view an authentication challenge
and its response should be strictly formatted in a way that can't be
mistaken for another protocol. Your auth routine shouldn't be blindly
signing whatever plaintext the attacker suggests...

>> in such cases it's safer to revoke the key and start
>> again.
> 
> If this is a signature /subkey/, they can be rotated willy-nilly. Expire
> the current signature key, create a new one and delete the private part
> of the old signature key. It doesn't need to be revoked.

Sorry, yes expiry is as good as revocation, and this applies to both
primary keys and subkeys.

> Which defaults produce an authentication-capable key by the way? I don't
> remember seeing that.

I think it was Enigmail on OSX. This was a few years back though, and
it may have changed since.

Andrew.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161205/f92e0001/attachment.sig>


More information about the Gnupg-users mailing list