A different sort of "Fake Linus Torvalds"

By Jake Edge
August 24, 2016

A Linux Foundation publicity scheme once (in)famously created a "Fake Linus Torvalds" on Twitter, but a different sort of fake has more recently appeared. A message posted to the linux-kernel mailing list on August 15 announced the existence of a PGP key with the same short key ID as that of Torvalds's real key—something that could potentially lead programs and users to confuse the two keys. The problem with key ID collisions has been known for some time, but the message may have served to raise the profile of the dangers of using short PGP IDs.

PGP keys are typically used for encryption or for digitally signing data of some sort. Those signatures can be used to show that a private key corresponding to a particular public key was used, which strongly implies that the owner of the public key was the one who did it—as long as the private key remains private, of course. Signatures are often used on software distributions of various sorts, including packages, kernels, and, sometimes, commits in Git repositories.

These days, the PGP program itself is not widely used, though the standards (such as OpenPGP) it spawned have been picked up and carried forward by projects like GNU Privacy Guard (GnuPG or GPG). The public key for a PGP user is usually represented as an unwieldy blob of text, however; without some kind of "extra" knowledge, there is no way to know that a given key is really owned by the user it purports to come from. There are two somewhat-related mechanisms to address those problems: keyservers and the web of trust.

Keyservers provide a way for users to get someone else's public key, while the web of trust is a way to provide the user some level of trust that key comes from who it purports to. In order to have a key that is more trusted, users will try to get their key signed by other users' keys. When a new key is examined (normally by GPG or some other program), those signatures can be checked to see if the keys used in the signing are already trusted or if they belong to the "strong set" (a group of well-connected keys within the web of trust). Based on that examination, users can choose a trust level they place in the key.

Unfortunately, all of that is somewhat complex and hard for those who are not particularly technically savvy to understand. So tools are meant to help simplify some of that. But one of those simplifications can lead to problems such that users (both savvy and not) may be tricked into using (and trusting) keys that are not owned by the person or organization they think.

Keys have a "fingerprint" that uniquely identifies them, but they are relatively long hexadecimal strings (20 bytes, so 40 characters), which makes them unwieldy as well—at least for day-to-day use. For that reason, shorter substrings called key IDs (usually either four or eight bytes worth of hexadecimal) are often used to "identify" keys. Ten or fifteen years ago, even four-byte IDs were relatively safe, but these days it is rather easy to generate a key with a key ID that collides with an existing key. That's exactly what was done with Torvalds's key as noted in the mailing post (a key for "Fake Greg Kroah-Hartman" was similarly outed in the message).

In fact, a project called "Evil 32" has created a collision for every 32-bit key ID in the strong set. It used its scallion program to create those collisions, each in roughly four seconds using a GPU. Key collisions might not be that big of a problem, except that GPG and other tools don't treat them as an error, so users can end up with the wrong key. GPG certainly warns that untrusted keys are being used, but that is a relatively common warning in "normal" GPG use so it goes unnoticed.

Evil 32 has an example of how the problem might manifest itself. It uses a package from Puppet Labs for the demonstration (though, now, the instructions at Puppet Labs use its full key fingerprint to avoid the problem). When asking the keyserver for the key ID provided (using the --recv-keys option), GPG would actually accept multiple keys with that key ID and add them to the keyring. Because the signature file contained only the key ID at that time, either of the keys could be used to verify the contents of the package. Thus, a version with a backdoor, say, and signed with the attacker's colliding key could be downloaded and would pass a verification step.

At some level though, the root problem is that the web of trust isn't really being used the way it was envisioned (or, as some would say, the way it should be used). If users were only trusting keys with signatures of other trusted entities or that had other indications of trustworthiness and GPG were configured to reject untrusted keys, the problem would largely not exist. But, for the most part, the "there is no indication that the signature belongs to the owner" warning message is expected by users—if it is even seen.

Given that GPG is used by other encryption tools, some of which also try to simplify the process for novice users, the fact that multiple keys match a particular key ID may be completely hidden by the interface. That's good for reducing complexity, perhaps, but not so good for security and package integrity. GPG has a well-earned reputation for being difficult to use correctly, though it must be said that alternatives don't seem to be overtaking it any way.

Kroah-Hartman reacted to the revelation of his fake key with some cogent observations about the situation:

Yes, there is now a "fake" short fingerprint for my kernel signing key out there on the key servers, and yes, it's not really mine, and yes, we know who did it, and yes, it's revoked, and no, it wasn't just targeted at kernel developers, but at all 24000 keys in the "strong" ring of PGP trust, and yes something like this has been possible for a very long time now so it's not really that much news, and yes, gpg really is horrible to use and almost impossible to use correctly.

As he noted, this problem has been known for some time. There is a blog post from 2011 about it that clearly indicates it is a known problem at that point. A recent post that LWN linked to in June noted colliding key IDs had been found in the wild. The longtime existence of "vanity" key IDs (those that spell out some word or are based on an interesting number) clearly shows the problem—if people can choose their key IDs, nothing stops them from choosing someone else's. In the end, this most recent episode just provided yet another reason for users of PGP keys to pay attention and either use full key fingerprints or the web of trust—perhaps both, though that is probably simply overkill.

Index entries for this article
Security	Encryption/PGP

keyids are not a security feature

Posted Aug 25, 2016 7:20 UTC (Thu) by dd9jn (✭ supporter ✭, #4459) [Link] (11 responses)

Those key id collisions have always been known and never
considered a problem because they are designed as a convenient
handle to a key. This is much like you call your co-hacker by
their given name or handle.

Several of my friends are called Michael; that has rarely been a
problem. It is just a bit inconvenient if several of them are in
the same room. However, it is often more practical to call them
by their given name instead of using their full name or even
their social insurance number.

On key signing parties we all learned to compare the
fingerprint to a written copy of it. Nobody ever suggested
that comparing the keyid (long or short) would be sufficient.
gpg also prints the fingerprint if their is no path to the key
in the WoT.

There are indeed problems with the OpenPGP protocol, though:

- A signature carries only the long keyid and if you happen to
fetch a colliding key, the signature will check out as BAD. A
protocol fix is in the works. With GnuPG 2.1 you can even try
that fix using the experimental --rfc4880bis option.

- There is no automatic way to associate a mail address with a
key. Several groups are working on solutions. The GnuPG
project proposes the Web Key Directory format for which we
even have a prototype implementation to publish this mapping.
(I am going to talk about this at OpenPGP.conf in two weeks.)

keyids are not a security feature

Posted Aug 25, 2016 17:40 UTC (Thu) by eduard.munteanu (guest, #66641) [Link]

That sounds like a design error: either handles should be assigned explicitly by the user *during key validation* or they should be unique if derived without user input. I'm worried if GPG picks a matching handle randomly when I'm trying to pinpoint a specific key.

keyids are not a security feature

Posted Aug 25, 2016 18:50 UTC (Thu) by smoogen (subscriber, #97) [Link] (1 responses)

So more importantly.. is there a way to make things simpler to try and get right? We keep adding more and more features and options which seem to be good ideas at the time but make the tool harder and harder to use without being versed down to a level that makes it useless to the 'casual' user.

keyids are not a security feature

Posted Aug 26, 2016 16:42 UTC (Fri) by ortalo (guest, #4654) [Link]

I think too your interrogation is very pertinent, but I also think it applies only to technically-oriented people (like us engineers or all early adopters of computer-based communication: academia or military circles for example) and not even to the general public.
Outside of technical circles do users with strong security requirements really want their security tools to do the things PGP does? Confronting them raise many doubts: many people want anonymity and deniability, they want collegial signatures, they want secret sharing, and many many things that sometimes make me think cryptographers do not want to live in the real world.
Make no mistake: I have always highly praised the contribution of PGP and its descendants to the dissemination and even the advancement of cryptography in the public domain and for common interest. However, pretty good confidentiality and integrity for point to point message communication between two computers may not be enough.
I have the feeling we need to make another step towards new security tools adressing different needs.

keyids are not a security feature

Posted Aug 29, 2016 8:04 UTC (Mon) by robbe (guest, #16131) [Link] (3 responses)

Yes, keyids are convenient, but the gpg UI should not entice users to employ them at the wrong moment. Versions 2.0.26 and 1.4.18 (both from Debian stable) output short ids in response to --list-sigs. I find it natural (but wrong!) to feed one or more of the ids shown as „[User ID not found]“ into --recv-key.

I guess changing either the output format of --list-sigs or making --recv-key no longer accept short ids is not done due to backward compatibility reasons? Compatibility with scripts or processes that

(a) are doing it wrong in the first place (--with-colons exists since … forever?)

(b) maybe *should* break because they will fall into exactly the trap that short ids pose

keyids are not a security feature

Posted Aug 30, 2016 10:27 UTC (Tue) by dd9jn (✭ supporter ✭, #4459) [Link] (2 responses)

If you put "keyid-format long" into gpg.conf --list-sigs shows the long keyids. That is unfortunately all the data we have in the current OpenPGP specs. Yes, we can't reject short keyids as input to --recv-key. There are even valid use cases, like private key servers of companies.

a) --with-colons exists since 0.2.12 (early 1998) and the format as always been backward compatible.

b) The problem is that there are many non-public systems which might update gpg at some point and would then break.

keyids are not a security feature

Posted Aug 31, 2016 2:57 UTC (Wed) by eduard.munteanu (guest, #66641) [Link] (1 responses)

Long keyids aren't safe either (even fingerprints are kinda weak), so it's rather pointless to urge people into a short-term fix. Perhaps it's time to break compatibility on purpose, because the standard is broken. So what if some non-public installation breaks, is it really any better if it ends up silently compromised at some point?

keyids are not a security feature

Posted Aug 31, 2016 6:14 UTC (Wed) by dd9jn (✭ supporter ✭, #4459) [Link]

Please give a reference for your statement that fingerprints are weak. Keep in mind that all cryptographers agree that SHA-1 is resistant to pre-image attacks; it will eventually be possible to create collisions but that is irrelevant for the use case of fingerprints. Further the OpenPGP WG is working on updates to the standard including an update on the fingerprint algorithm. In any case there is no need for a fix - the evil32 thing is merely an annoyance but not at all a security problem; same would hold true for an evil64.

keyids are not a security feature

Posted Aug 29, 2016 9:59 UTC (Mon) by pabs (subscriber, #43278) [Link] (3 responses)

You might want to look at these horrors:

https://codesearch.debian.net/search?q=\bapt-key\b.*--rec...{8}\b
https://codesearch.debian.net/search?q=\bgpg\b.*--recv%28...{8}\b

keyids are not a security feature

Posted Aug 29, 2016 16:28 UTC (Mon) by jwilk (subscriber, #63328) [Link] (2 responses)

Apparently LWN doesn't like curly brackets in URLs. :-\
Here are fixed links:
https://codesearch.debian.net/search?q=%5Cbapt-key%5Cb.*-...
https://codesearch.debian.net/search?q=%5Cbgpg%5Cb.*--rec...

keyids are not a security feature

Posted Aug 30, 2016 4:47 UTC (Tue) by voltagex (guest, #86296) [Link] (1 responses)

Those look like they're all in installation scripts or readmes. Someone should go through all (sigh) of them and check if upstream is still using short key IDs. What does current PGP do if recv-keys returns more than one key?

keyids are not a security feature

Posted Aug 31, 2016 9:14 UTC (Wed) by pabs (subscriber, #43278) [Link]

Saves both keys to the keyring.

A different sort of "Fake Linus Torvalds"

Posted Sep 6, 2016 19:06 UTC (Tue) by mst@redhat.com (subscriber, #60682) [Link]

Looks like friendlier (than hex) representations of fingerprints have been
explored and shown effective. Hopefully someone will try coding them up

https://www.usenix.org/system/files/conference/usenixsecu...