WKD proper behavior on fetch error

Ángel angel at pgp.16bits.net
Wed Jan 20 00:38:33 CET 2021


On 2021-01-19 at 19:29 +0100, Stefan Claas wrote:
> Example: Mallory sitting in the United States likes to prepare
> a list (without my consent) and published on a U.S. site,
> so that like SKS key server dumps the whole world can
> obtain a list of all openpgpkey subdomains. So far so good.
> 
> Mr 'edge case' Stefan knows this and counterstrikes with
> his domain radio-eriwan.su (which I own) and sets up for
> Mr Mallory a WKD direct-method dir with n dummy keys.
> 
> Good luck Mr Mallory figuring out which domains have real
> OpenPGP users keys hosted and which not.
> 
> Best regards
> Stefan

A list of all (well, most) openpgpkey subdomains can be easily created.
However, there is no need for  or dummy keys.

Mallory sees that radio-eriwan.su supports WKD (this is immediate, it
doesn't matter if it uses the advanced or direct method). However, it
can't ask for all keys it stores. Mallory will need to ask for every
possible key:

Do you have an OpenPGP key for a at radio-eriwan.su ?
Do you have an OpenPGP key for b at radio-eriwan.su ?
Do you have an OpenPGP key for c at radio-eriwan.su ?
…
Do you have an OpenPGP key for z at radio-eriwan.su ?
Do you have an OpenPGP key for aa at radio-eriwan.su ?
Do you have an OpenPGP key for ab at radio-eriwan.su ?

and so on until

zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzz at radio-eriwan.su

even if Mallory only checks email addresses with lowercase letters
(although they are not the only allowed characters in an email
address), he would need to ask for 5.8×10³³⁶ email addresses. Just for
radio-eriwan.su

This can be optimized by checking instead the full space of SHA-1
hashes, to "only" perform 1.46×10⁴⁸ requests (assuming the server
doesn't validate the local part on WKD requests).

Anyway, such an attack is completely unrealistic.

In order to get all keys Mallory would either need access to the server
files (e.g. it compromised the server, or the contents are published in
GitHub), or the web server to have been (mis?)configured with Directory
Listings.

Best regards
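
The per-address lookup described in the message above, as an added example that is not part of the original post: it derives the WKD URL for a single address (SHA-1 of the lowercased local part, z-base-32 encoded, as in the WKD draft) and reproduces the two search-space sizes quoted. The sample address is the one used in the WKD draft, and the 238-character local-part length is an assumption chosen to match the message's 5.8×10³³⁶ figure.

```python
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD

def zbase32(data: bytes) -> str:
    """Encode bytes whose bit length is a multiple of 5 (SHA-1: 160 bits)."""
    nbits = len(data) * 8
    if nbits % 5:
        raise ValueError("bit length must be a multiple of 5")
    value = int.from_bytes(data, "big")
    return "".join(ZBASE32[(value >> s) & 31] for s in range(nbits - 5, -1, -5))

def wkd_hash(local_part: str) -> str:
    """SHA-1 of the local part with ASCII letters lowercased, z-base-32 encoded."""
    lowered = local_part.encode("utf-8").lower()  # bytes.lower() touches ASCII only
    return zbase32(hashlib.sha1(lowered).digest())

def wkd_urls(address: str) -> tuple[str, str]:
    """Return the (advanced, direct) lookup URLs for one address."""
    local, sep, domain = address.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("expected local@domain")
    domain = domain.lower()
    tail = f"hu/{wkd_hash(local)}?l={quote(local, safe='')}"
    return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
            f"https://{domain}/.well-known/openpgpkey/{tail}")

def search_spaces(local_len: int = 238) -> tuple[int, int]:
    """Candidates of exactly local_len lowercase letters vs. all SHA-1 outputs."""
    # local_len=238 is an assumed value, picked to match the figure in the message
    return 26 ** local_len, 2 ** 160

def sci(n: int) -> str:
    """Truncated scientific notation for a large positive integer."""
    digits = str(n)
    return f"{digits[0]}.{digits[1:3]}e{len(digits) - 1}"

if __name__ == "__main__":
    for url in wkd_urls("Joe.Doe@Example.ORG"):  # sample address from the WKD draft
        print(url)
    by_address, by_hash = search_spaces()
    print("lowercase local parts:", sci(by_address))
    print("SHA-1 hash values:    ", sci(by_hash))
```

Each URL names exactly one hashed local part, so a server without directory listings never reveals which other hashes exist.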




