Upgrading Debian's keys

By Jake Edge
February 26, 2014

One of the requirements of being a Debian Developer (DD) is to have a GnuPG public key on the Debian keyring. But a surprising number of those keys are still 1024 bits in length, even though the keyring maintainers have had a policy of only accepting larger keys (at least 2048 bits, but preferably 4096) since 2010. The keys are used to sign packages that are uploaded to the Debian repositories, so shorter keys could, potentially, allow an attacker to upload a compromised package. The number of shorter keys is starting to concern some in the project, who are now looking at ways to encourage and/or require key-size upgrades. But getting signatures from (at least) two other DDs on a new key may pose a bit of a problem for some.

The discussion started when Clint Adams posted some statistics from the three keyrings (debian, debian-maintainers, and debian-nonupload). As Debian project secretary Kurt Roeckx pointed out, that means that 61.5% of keys are only 1024 bits in length. He continued:

This provides less security than an 80 bit symmetric cipher. A brute force for this is possible. It's considered to have "very short time" protection against agencies, short time against medium[-sized] organisations.

Roeckx suggested that those DDs generate new, longer keys immediately. In fact, Bart Martens thinks it is so critical that the 1024-bit keys should just be removed from the keyring immediately. But, as Gunnar Wolf, one of the keyring maintainers, said, it is not possible to lock out that many keys, so the keyring maintainers are currently trying to figure out how to handle the problem. Many of those keys are integral to the web of trust (WoT), so new keys would need to get signed and to sign other keys before they will be good replacements. And for those DDs who are not particularly "socially connected", what can be done to help them get their keys signed by the requisite two other DDs?

On the other hand, Martens believes that the web of trust is already compromised by the weak keys. Removing those keys from the Debian keyring doesn't delete their existence, just their trust by Debian (so the WoT is unaffected from that perspective).

The keys are used by DDs to sign packages for the distribution, so removing them from the Debian keyring would mean those packages could not be updated—at least by the usual maintainer. Another DD could step in to sign the package, but there are logistical problems with that approach. It would be best to get the keys updated voluntarily, but soon.

There were suggestions that perhaps a majority of the short keys belong to inactive DDs, but Debian project leader Lucas Nussbaum indicated that is not the case. Several advocated setting some kind of deadline, and possibly relaxing the two-signature requirement in some cases. There were arguments both for and against allowing fewer signatures, but there are DDs in isolated locations, so some accommodation for them needs to be found.

Jonathan McDowell, who is another keyring maintainer, described the process to be followed when a DD needs or wants to change a key that has not been compromised (not surprisingly, compromised keys are dealt with quickly, and without any bureaucracy). It is a rather involved process that include a formal request (with old and new key signatures, along with a reason for the change) signed by the existing key, a new key that must be signed by the old key, and the new key that must already have the requisite signatures from two DDs.

Even some who have new keys and the signatures needed have been waiting, though. Some DDs have been gathering more signatures (for the web of trust) and waiting for another, more urgent call to switch. That led Enrico Zini to suggest increasing the urgency by requesting an immediate switch. After a few months, he suggested emailing those who still have 1024-bit keys directly; a few months after that, start removing keys from the keyring (with announcements to a mailing list).

It's a logistical headache, but one worth solving. Unfortunately, many of the 1024-bit keys are digital signature algorithm (DSA) keys that are using the deprecated SHA-1 hash algorithm. Even those using 1024-bit Rivest-Shamir-Adleman (RSA) keys with SHA-256 or SHA-512 hash algorithms are vulnerable to brute-force attacks (which can be done completely silently, unlike "rubber-hose cryptanalysis" and other techniques, as Russ Allbery pointed out). We have seen efforts to insert backdoors into various source distribution chains, so compromising a Debian key to distribute malware is certainly not beyond imagination.

It is a bit unfortunate, perhaps, that the effort to get keys updated to version 4 of the OpenPGP standard (which was completed in 2010) did not mandate a larger key size. At the time, 1024-bit keys were a reasonable choice, but, as expected, compute power has started to outrun them. Requiring 2048-bit (or even 4096-bit) keys back then might have avoided the current logjam. But hindsight is always 20/20, they say.

Index entries for this article
Security	Distribution security

Upgrading Debian's keys

Posted Feb 27, 2014 9:13 UTC (Thu) by ovitters (guest, #27950) [Link] (2 responses)

Any recommendations from moving from an "old" GPG key to a new one? I still want to be able to read the various content that is encoded with the previous GPG key. So ideally the "old" key would still stay active, but just not used by default.

I've found http://keyring.debian.org/creating-key.html and I'm a bit hesitant to override defaults like this. IMO upstream should fix the default. I'm wary of overriding defaults and then figuring out many years later that the current upstream default is more secure than whatever I put in there.

Upgrading Debian's keys

Posted Feb 27, 2014 13:16 UTC (Thu) by hmh (subscriber, #3838) [Link] (1 responses)

You can use the defaults on new gnupg just fine, but these are bound to the key when it is created, so if they change you have to update the key (and upload it to keyservers) to get the new defaults anyway. (gpg --edit-key, subcommand "setprefs" without options).

Avoid SHA1, MD5 and RIPEMD160.

Also, read this:
https://wiki.debian.org/Subkeys

Create the new "master" key in an offline box. That key (the full private key, aka KSK or master key) should *NEVER* be accessed online. Store it safely. It will only be needed to sign other keys (for the web of trust), and to create subkeys, which should be done on a offline, trusted computer.

This protocol may allow you to avoid revoking the entire key in case of a partial compromise (one where the offline copies of the full key were not compromised).

You will normally use the mangled private key (generated by gpg --export-secret-subkeys). If this mangled private key is exposed, you just have to revoke all subkeys and create new ones, thus not losing any key signatures (because the KSK -- the master private key -- was not exposed/compromised).

Obviously, if the master private key is suspect of being compromised, or if it is lost, you have to revoke everything and create a new key, thus losing all web-of-trust signatures.

Upgrading Debian's keys

Posted Feb 27, 2014 13:29 UTC (Thu) by hmh (subscriber, #3838) [Link]

This post is also interesting:
https://www.void.gr/kargig/blog/2013/12/02/creating-a-new...

Upgrading Debian's keys

Posted Feb 27, 2014 14:40 UTC (Thu) by talex (guest, #19139) [Link] (5 responses)

I don't understand why Debian can't accept new keys that are just signed by the old ones. I have two GPG keys: a 2048 bit key (generated in 2009), which I use for most things, and an old 1024 bit key (from 2002), which I use only for uploading Debian packages.

If Debian trusts my old key to upload new packages, why can't they trust it to vouch for the new key?

If I believe that keyA1 belongs to A, and keyA1 and keyA2 sign a transition document saying that keyA2 also belongs to A, then I should believe that keyA2 belongs to A, no? Why shouldn't I then be willing to sign keyA2 myself to say "I verified this key transition was correct on <date before cracking keyA1 was feasible>"?

Upgrading Debian's keys

Posted Feb 27, 2014 15:32 UTC (Thu) by mathstuf (subscriber, #69389) [Link] (4 responses)

The worry seems to be that the keys may be too easy to brute force *today*, not in the near future.

Upgrading Debian's keys

Posted Feb 27, 2014 17:24 UTC (Thu) by talex (guest, #19139) [Link]

That may be the case now (I don't know), but it wasn't five years ago when this problem was first noticed. Seems like rejecting simple key transitions (in favour of requiring new in-person signatures) has had the effect of reducing security here.

Upgrading Debian's keys

Posted Feb 27, 2014 20:04 UTC (Thu) by jwarnica (subscriber, #27492) [Link]

Well, then *today* you have a problem: you have compromised DD shipping bad code. If the WoT is compromised, and able to be compromised, then it gets worse daily.

If you, for example, give 30 days to upgrade to larger keys, by signing with current (bad) ones, then it at least ends the windows of introducing new evil into the WoT.

I know that crypto geeks think that they can make things perfect, but operationally here in the real world, the best you can do is something finite. The can is open, the worms are everywhere.

Putting a hard deadline will provide an actual, if imperfect, level of trust. Letting those striving for perfection wait for perfection means that you have unlimited imperfection, for ever.

Upgrading Debian's keys

Posted Feb 28, 2014 2:48 UTC (Fri) by ras (subscriber, #33059) [Link] (1 responses)

Well if that's the worry, they should stop accepting new keys signed only by 1024 bit keys. As far as I know they haven't.

Currently they prefer new keys to have several signatures. They could formalise that slightly and award points for signatures. A signature from a 1024 bit key gets less points than a 2048 one. Once you get enough points, you are in.

I'm not a huge fan of the WoT. Insisting that every interaction for 6 months (post to a Debian list, or upload) be signed by a key you intend to use would be far better. When they accept you as a DD, it is your past history in interacting with Debian they are judging you on. Whether you have taken 10 minutes out of your life to have a DD sign your key proves very little.

Upgrading Debian's keys

Posted Mar 3, 2014 8:03 UTC (Mon) by eean (subscriber, #50420) [Link]

Yea exactly this. It's for sure good to verify that this person has this legal identity, but at the same time the trust given to Debian maintainers is built on their online actions not their government id cards.

Upgrading Debian's keys

Posted Mar 6, 2014 18:40 UTC (Thu) by kroeckx (guest, #65877) [Link]

Since 2010 the keyring maintainers have a policy of only accepting 2048 and recommending 4096 keys.

NIST has since 2005 been recommending that you should stop using 1024 keys by 2010.