TOFU
Peter Lebbing
peter at digitalbrains.com
Wed Jun 21 19:02:26 CEST 2017
On 08/06/17 22:33, Stefan Claas wrote:
> I did a test today with Enigmail and with TOFU in command line mode.
> I posted 3 messages with a fantasy name to a Usenet test group where
> the 3rd message was signed with a fake key and Enigmail showed me this:
>
> UNTRUSTED Good signature from Ernst Mustermann <em at example.com>
> Key ID: 0x4608CFA2 / Signed on: 08.06.17, 21:07
>
> UNTRUSTED Good signature from Ernst Mustermann <em at example.com>
> Key ID: 0x4608CFA2 / Signed on: 08.06.17, 21:08
>
> UNTRUSTED Good signature from Ernst Mustermann <em at example.com>
> Key ID: 0x4608CFA2 / Signed on: 08.06.17, 21:17
>
> (It's the usual message under macOS with the blue bar. Note: with auto
> key retrival on.)
>
> Then i downloaded all messages run them through GnuPG and on the first
> message TOFU already told me that there are 3 equal email addresses!
I don't understand what you mean by "there are 3 equal email addresses".
I don't know what you expected either. But I spent some time doing a
little test of my own. Hopefully by reading along with what I did, it
becomes clear how stuff works and to what extent Enigmail can already
work with TOFU even though it doesn't really support it.
TL;DR: Enigmail can correctly identify "genuine" signatures by awarding
them a green bar with "Good signature". Fakes can be spotted by the fact
they only get the blue "UNTRUSTED Good signature".
A little side note: since plaintext mails don't support much formatting,
the following is a tad bit hard to read. If I could have marked the
pieces with console output with a more distinguishing formatting, the
mail would have been a lot easier to read, but alas.
I created two keys bound to an existing e-mail address. (Note that the
address will not accept mail from the internet, only from within my
local network.) I will consider one key to be the "genuine" article, and
one key to be fake. Using Thunderbird and Enigmail, I sent myself two
messages with either key. One message is PGP/MIME. But since that is not
pleasant to work with on the command line and I wanted to do some
command line stuff as well, I also sent a message with an inline
signature, which I could then easily export to a file. So all in all, I
have four messages: one PGP/MIME from the real key, one inline from the
real key, one PGP/MIME from the fake key, and one inline from the fake key.
I then moved my real ~/.gnupg home directory out of the way and started
with a maiden directory containing just gpg.conf. gpg.conf contains
"trust-model tofu+pgp" (and nothing else).
Then I did the following steps:
- Using Thunderbird, open mail considered genuine
Yellow bar, "Unverified signature", no key
- Import genuine key
- Go back to Thunderbird, re-open message:
Blue bar, "UNTRUSTED Good signature"
- Go to command line:
---------------------------8<---------------->8---------------------------
$ gpg2 -k testgpg at butters.digitalbrains.com
pub rsa2048 2017-06-21 [SC] [expires: 2019-06-21]
ABEA7F4D39F72D2F15228F1206B2298382E57EFB
uid [marginal] Test Real Mail <testgpg at butters.digitalbrains.com>
sub rsa2048 2017-06-21 [E] [expires: 2019-06-21]
---------------------------8<---------------->8---------------------------
Marginal validity, per documentation for --tofu-default-policy auto.
Marginal validity is not enough for positively verifying signature
validity. Let's set tofu-policy to "good".
---------------------------8<---------------->8---------------------------
$ gpg2 --tofu-policy good ABEA7F4D39F72D2F15228F1206B2298382E57EFB
gpg: Changing TOFU trust policy for binding <key:
ABEA7F4D39F72D2F15228F1206B2298382E57EFB, user id: Test Real Mail
<testgpg at butters.digitalbrains.com>> from auto to good.
---------------------------8<---------------->8---------------------------
- Go back to Thunderbird, re-open message:
Green bar, "Good signature"
- Open second, inline signed message:
Green bar, "Good signature"
- To the command line! Check inline message:
---------------------------8<---------------->8---------------------------
$ gpg2 -d inline-genuine.asc
This is a signed mail from the account considered "genuine" (inline
signature).
gpg: Signature made Wed 21 Jun 2017 17:37:46 CEST
gpg: using RSA key ABEA7F4D39F72D2F15228F1206B2298382E57EFB
gpg: Good signature from "Test Real Mail
<testgpg at butters.digitalbrains.com>" [full]
gpg: testgpg at butters.digitalbrains.com: Verified 2 signatures in the past
9 minutes. Encrypted 0 messages.
---------------------------8<---------------->8---------------------------
Ah, good. The two signatures are the two mail messages. Note any
signature is always only counted once (it keeps a database of verified
signatures for that purpose).
- Go to Thunderbird, open "fake" message
Yellow bar, "Unverified signature", no key
- Import fake key
- Go to Thunderbird, open "fake" message
Blue bar, "UNTRUSTED Good signature"
Ah, good, it is not considered a "Good signature" (which I would have
called "Valid signature" to avoid confusion with "UNTRUSTED Good
signature" where "Good" means "correct" rather than "valid").
- Let's take a look at what happens if we look at the inline sig by the
fake key on the command line:
---------------------------8<---------------->8---------------------------
$ gpg2 -d inline-fake.asc
This is a signed mail from the account considered "fake" (inline
signature).
gpg: Signature made Wed 21 Jun 2017 17:43:17 CEST
gpg: using RSA key B0E16AFEC0700656231ACCC34FC8B80F5FF212AE
gpg: Good signature from "Test Real Mail
<testgpg at butters.digitalbrains.com>" [undefined]
The email address "testgpg at butters.digitalbrains.com" is associated with
2 keys! Please indicate whether this email address should be associated
with key B0E16AFEC0700656231ACCC34FC8B80F5FF212AE or whether you think
someone is impersonating "testgpg at butters.digitalbrains.com".
This key's user IDs:
Test Real Mail <testgpg at butters.digitalbrains.com> (policy: auto)
Statistics for keys with the email address
"testgpg at butters.digitalbrains.com":
B0E1 6AFE C070 0656 231A CCC3 4FC8 B80F 5FF2 12AE (this key):
Encrypted 0 messages.
Messages verified over the past 1 day: 2.
ABEA 7F4D 39F7 2D2F 1522 8F12 06B2 2983 82E5 7EFB (policy: good):
Encrypted 0 messages.
Messages verified over the past 1 day: 2.
Normally, an email address is associated with a single key. However,
people sometimes generate a new key if their key is too old or they think
it might be compromised. Alternatively, a new key may indicate a
man-in-the-middle attack! Before accepting this association, you should
talk to or call the person to make sure this new key is legitimate.
(G)ood, (A)ccept once, (U)nknown, (R)eject once, (B)ad?
---------------------------8<---------------->8---------------------------
So while Enigmail doesn't really support TOFU, merely not assigning
validity to wrong keys (which would be really bad), the command line
interface will immediately be very verbose about this situation. Let's
confirm that this is indeed an impostor by answering with a b for Bad.
---------------------------8<---------------->8---------------------------
gpg: testgpg at butters.digitalbrains.com: Verified 2 signatures in the past
2 minutes. Encrypted 0 messages.
gpg: WARNING: We do NOT trust this key!
gpg: The signature is probably a FORGERY.
---------------------------8<---------------->8---------------------------
Let's verify the same message again:
---------------------------8<---------------->8---------------------------
$ gpg2 -d inline-fake.asc
This is a signed mail from the account considered "fake" (inline
signature).
gpg: Signature made Wed 21 Jun 2017 17:43:17 CEST
gpg: using RSA key B0E16AFEC0700656231ACCC34FC8B80F5FF212AE
gpg: Good signature from "Test Real Mail
<testgpg at butters.digitalbrains.com>" [never]
gpg: testgpg at butters.digitalbrains.com: Verified 2 signatures in the past
8 minutes. Encrypted 0 messages.
gpg: WARNING: We do NOT trust this key!
gpg: The signature is probably a FORGERY.
---------------------------8<---------------->8---------------------------
GnuPG has indeed set the --tofu-policy for this key to "bad".
- Open a fake message again in Thunderbird:
Blue bar, "UNTRUSTED Good signature"
Luckily it's still not assigning green "Good signature", but seeing how
the validity of this key is now "Never", it could, IMHO, also have said
something more explicit than UNTRUSTED.
Instead of the default --tofu-default-policy auto, you could also use
--tofu-default-policy good. I'll clear out my ~/.gnupg again and add
that to my gpg.conf. Then it will look as follows:
- Opening mail considered genuine
Yellow bar, "Unverified signature", no key
- Import genuine key
- Go back to Thunderbird, re-open message:
Green bar, "Good signature"
- Let's have a look at the command line:
---------------------------8<---------------->8---------------------------
$ gpg2 -d inline-genuine.asc
This is a signed mail from the account considered "genuine" (inline
signature).
gpg: Signature made Wed 21 Jun 2017 17:37:46 CEST
gpg: using RSA key ABEA7F4D39F72D2F15228F1206B2298382E57EFB
gpg: Good signature from "Test Real Mail
<testgpg at butters.digitalbrains.com>" [full]
gpg: testgpg at butters.digitalbrains.com: Verified 2 signatures in the past
20 seconds. Encrypted 0 messages.
---------------------------8<---------------->8---------------------------
Signatures by this key are now considered fully valid, because we have
--tofu-default-policy good.
- Go to Thunderbird, open "fake" message
Yellow bar, "Unverified signature", no key
- Import fake key
- Go to Thunderbird, open "fake" message
Blue bar, "UNTRUSTED Good signature"
Ah, but since we already had a key for this e-mail address, TOFU no
longer defaults to considering the signature good. We have spotted the
fake: a real signature, either from a key seen before or from a key and
e-mail address never seen before, would be considered good, but not this
one.
- Let's take a look what the command line additionally tells us. Open a
signature by the real key:
---------------------------8<---------------->8---------------------------
$ gpg2 -d inline-genuine.asc
This is a signed mail from the account considered "genuine" (inline
signature).
gpg: Signature made Wed 21 Jun 2017 17:37:46 CEST
gpg: using RSA key ABEA7F4D39F72D2F15228F1206B2298382E57EFB
gpg: Good signature from "Test Real Mail
<testgpg at butters.digitalbrains.com>" [undefined]
The email address "testgpg at butters.digitalbrains.com" is associated with
2 keys! Please indicate whether this email address should be associated
with key ABEA7F4D39F72D2F15228F1206B2298382E57EFB or whether you think
someone is impersonating "testgpg at butters.digitalbrains.com".
This key's user IDs:
Test Real Mail <testgpg at butters.digitalbrains.com> (policy: auto)
Statistics for keys with the email address
"testgpg at butters.digitalbrains.com":
ABEA 7F4D 39F7 2D2F 1522 8F12 06B2 2983 82E5 7EFB (this key):
Encrypted 0 messages.
Messages verified over the past 1 day: 2.
B0E1 6AFE C070 0656 231A CCC3 4FC8 B80F 5FF2 12AE (policy: auto):
Encrypted 0 messages.
Messages verified over the past 1 day: 1.
Normally, an email address is associated with a single key. However,
people sometimes generate a new key if their key is too old or they think
it might be compromised. Alternatively, a new key may indicate a
man-in-the-middle attack! Before accepting this association, you should
talk to or call the person to make sure this new key is legitimate.
(G)ood, (A)ccept once, (U)nknown, (R)eject once, (B)ad?
---------------------------8<---------------->8---------------------------
Since we haven't manually marked the real key as "good" yet, as can be
seen by "(policy: auto)" above, it will now present this conflict to us.
We can now flag the key as good, and it will no longer present us with
this conflict:
---------------------------8<---------------->8---------------------------
$ gpg2 -d inline-genuine.asc
This is a signed mail from the account considered "genuine" (inline
signature).
gpg: Signature made Wed 21 Jun 2017 17:37:46 CEST
gpg: using RSA key ABEA7F4D39F72D2F15228F1206B2298382E57EFB
gpg: Good signature from "Test Real Mail
<testgpg at butters.digitalbrains.com>" [full]
gpg: testgpg at butters.digitalbrains.com: Verified 2 signatures in the past
12 minutes. Encrypted 0 messages.
---------------------------8<---------------->8---------------------------
I verified that marking the tofu-policy as good before even ever
encountering the fake key will avoid the message about the conflict and
immediately show this latest result.
Looking at a "fake" signature on the command line gives:
---------------------------8<---------------->8---------------------------
$ gpg2 -d inline-fake.asc
This is a signed mail from the account considered "fake" (inline
signature).
gpg: Signature made Wed 21 Jun 2017 17:43:17 CEST
gpg: using RSA key B0E16AFEC0700656231ACCC34FC8B80F5FF212AE
gpg: Good signature from "Test Real Mail
<testgpg at butters.digitalbrains.com>" [undefined]
The email address "testgpg at butters.digitalbrains.com" is associated with
2 keys! Please indicate whether this email address should be associated
with key B0E16AFEC0700656231ACCC34FC8B80F5FF212AE or whether you think
someone is impersonating "testgpg at butters.digitalbrains.com".
This key's user IDs:
Test Real Mail <testgpg at butters.digitalbrains.com> (policy: auto)
Statistics for keys with the email address
"testgpg at butters.digitalbrains.com":
B0E1 6AFE C070 0656 231A CCC3 4FC8 B80F 5FF2 12AE (this key):
Encrypted 0 messages.
Messages verified over the past 1 day: 2.
ABEA 7F4D 39F7 2D2F 1522 8F12 06B2 2983 82E5 7EFB (policy: good):
Encrypted 0 messages.
Messages verified over the past 1 day: 2.
Normally, an email address is associated with a single key. However,
people sometimes generate a new key if their key is too old or they think
it might be compromised. Alternatively, a new key may indicate a
man-in-the-middle attack! Before accepting this association, you should
talk to or call the person to make sure this new key is legitimate.
(G)ood, (A)ccept once, (U)nknown, (R)eject once, (B)ad?
---------------------------8<---------------->8---------------------------
Let's choose b. From now on verifying a bad signature gives:
---------------------------8<---------------->8---------------------------
$ gpg2 -d inline-fake.asc
This is a signed mail from the account considered "fake" (inline
signature).
gpg: Signature made Wed 21 Jun 2017 17:43:17 CEST
gpg: using RSA key B0E16AFEC0700656231ACCC34FC8B80F5FF212AE
gpg: Good signature from "Test Real Mail
<testgpg at butters.digitalbrains.com>" [never]
gpg: testgpg at butters.digitalbrains.com: Verified 2 signatures in the past
4 minutes. Encrypted 0 messages.
gpg: WARNING: We do NOT trust this key!
gpg: The signature is probably a FORGERY.
---------------------------8<---------------->8---------------------------
Good signatures will stay as:
---------------------------8<---------------->8---------------------------
$ gpg2 -d inline-genuine.asc
This is a signed mail from the account considered "genuine" (inline
signature).
gpg: Signature made Wed 21 Jun 2017 17:37:46 CEST
gpg: using RSA key ABEA7F4D39F72D2F15228F1206B2298382E57EFB
gpg: Good signature from "Test Real Mail
<testgpg at butters.digitalbrains.com>" [full]
gpg: testgpg at butters.digitalbrains.com: Verified 2 signatures in the past
6 minutes. Encrypted 0 messages.
---------------------------8<---------------->8---------------------------
We are no longer bothered about the fake key; it would be a bit annoying
if it kept droning on about it after we've already said it was bad.
I hope this has given you some more insight into how it works!
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170621/5b4eb1a5/attachment-0001.sig>
More information about the Gnupg-users
mailing list