[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: OpenPGP mail/news header
David Shaw <dshaw@xxxxxxxxxxxxxxx> writes:
> On Sun, Jan 16, 2005 at 12:04:37PM +0100, Simon Josefsson wrote:
>> This seems like a good solution. Will there ever be a need to have
>> key id's of different length than 4, 8, 16 and 20 bytes? The BNF now
>> id := 4*HEXDIG / 8*HEXDIG / 32*HEXDIG / 40*HEXDIG
>> And I'm not certain it is a good idea to allow the flexibility of
>> id := *HEXDIG
> I like the simplicity and flexibility of this. The key ID field is a
> message from the OpenPGP user to the world. Specifying that the ID
> must be a particular length doesn't really help anyone, since it is up
> to the recipient to decide how the key ID is going to be handled
> anyway. Plus, someday we'll have a v5 key. Chances are it won't be
> 40 hex digits long.
Ok, I'm convinced.
>> Thanks for this input. I have been trying to understand why
>> algo/size/created are needed, but nobody has been able to explain it
>> to me.
>> The reason was supposedly that with v3 keys, you subject to something
>> called the 0xDEADBEEF attack, where I infer that keys can be created
>> easily with any given key id. The attack is not possible with v4
>> keys. Someone said the attack is harder for v3 keys if you also
>> compare the key size, key algorithm and creation time.
> There are actually two different attacks. It is trivial to create a
> V3 key with any key ID you like. That's the 0xDEADBEEF attack. There
> is a different attack altogether (but lacking a catchy name), which is
> against the V3 fingerprint. Since the V3 fingerprint consists of the
> RSA values n and e, but not their lengths, you can do tricks with
> 'sliding' bits from one into the other. The end result is a
> constructed V3 key with the same fingerprint as the 'victim' V3 key.
> The trick is that such a constructed key will always have a different
> size than the original key.
Thanks for explaining this, I finally understand. So it seems
"created" never help to mitigate any attacks. Only size does (and
from your description, perhaps also algo).
>> Without understanding the motivation for size/algo/created, I'm in
>> favor of dropping them.
> Even understanding the motivation, I'm in favor of dropping them. V3
> keys are deprecated. If someone desperately needs to use V3 keys, and
> desperately needs to include their key size in the OpenPGP header to
> foil this attack, well, there is already a way to include arbitrary
> free-text comments in the header.
Right, unless someone has a good argument to keep them, I believe they
will be dropped.