
32bit key ids are not secure to use

Open osminogin opened this issue 9 years ago • 5 comments

I found examples of the use of 32 bit gpg key ids in the documentation and code. This is bad behavior, because it is now very easy to generate a colliding 32bit key id with special software.

More information on the problem: https://evil32.com/

In my opinion, it is a good idea to specify in the documentation that short key ids are no longer safe.

It is possible in the gpget code to completely eliminate processing of short ids. This is the current reality.

osminogin avatar Mar 24 '16 07:03 osminogin

Whoops. This issue slipped through the cracks. I'll put in some serious "WARN" messages on that. As you mentioned with the evil32.com link, this is just as much an issue of education.

As of right now the default behavior in gpg is still to display the 32bit id. This means for the average user they won't know the difference between their short id, long id, or full fingerprint. Speaking of that last point, I'm going to make sure that gpget will also support the full long fingerprint.

brianredbeard avatar Jul 20 '16 06:07 brianredbeard

It should also be noted that this is only relevant if the key id is specified with the -k flag. In my use, I'm always pre-loading the entire public key into the key ring and not specifying the key id on the CLI.

Nonetheless, still good to call out.

brianredbeard avatar Jul 20 '16 06:07 brianredbeard

Man, thank you for your attention.

I fully agree that most users don't understand the difference between the short ids, long ids and fingerprint. I also understand that GnuPG uses short ids in the CLI in most cases, but I believe that all new GPG-oriented software should take into account the insecurity of 32bit ids.

Yes, this issue is a special case. But it is possible to treat ALL security issues as theoretical and only for learning.

osminogin avatar Jul 20 '16 14:07 osminogin

After another month of thinking through this my opinions have evolved a bit. I'll summarize them as follows:

  1. Providing a warning on short ids really just adds a false sense of security. While it could be useful from an education perspective to let folks know about the perils of 32 bit identifiers, it won't change any behavior.
  2. The ante on this has been upped recently - it's now no longer even a hypothetical confusion.
  3. As mentioned in that article, even long ids can now have collisions.

In light of this in the coming weeks I will be:

  • removing support for short ids
  • changing the warnings around "short ids" to fire on long ids
  • recommending the use of full fingerprints

Any other commentary is welcome, and thanks @osminogin for bringing this up!

brianredbeard avatar Aug 24 '16 17:08 brianredbeard

It is really now very simple to make colliding short gpg ids (especially with video card acceleration), and very simple to make a similar bitcoin address for donations, etc. Importantly, it's now available even for script kiddies.

It may look like an attack of paranoia, but in my opinion all modern GPG-oriented software should proceed from current reality. Thank you again.

osminogin avatar Aug 24 '16 18:08 osminogin
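
Added example, not part of the thread and not gpget's own code: a sketch of the policy discussed above, where a key selector is accepted only if it is a full 40-hex-digit v4 fingerprint, plus a lookup showing why a short id is ambiguous (a key id is the low-order bits of the fingerprint). The function names and the two fingerprints are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed fingerprints (not real keys) that share the same low 32 bits.
var keyring = []string{
	"0123456789ABCDEF0123456789ABCDEFDEADBEEF",
	"FEDCBA9876543210FEDCBA9876543210DEADBEEF",
}

// normalize strips spaces and an optional 0x prefix, and upper-cases the id.
func normalize(id string) string {
	id = strings.ToUpper(strings.ReplaceAll(id, " ", ""))
	return strings.TrimPrefix(id, "0X")
}

// RequireFingerprint accepts only a 160-bit v4 fingerprint (40 hex digits).
func RequireFingerprint(id string) (string, error) {
	n := normalize(id)
	if n == "" || strings.Trim(n, "0123456789ABCDEF") != "" {
		return "", fmt.Errorf("key identifier is not hexadecimal")
	}
	switch len(n) {
	case 40:
		return n, nil
	case 8, 16: // short (32-bit) and long (64-bit) key ids
		return "", fmt.Errorf("%d-bit key id refused: use the full fingerprint", len(n)*4)
	}
	return "", fmt.Errorf("unexpected identifier length %d", len(n))
}

// Candidates returns every fingerprint in ring whose trailing digits equal id.
func Candidates(ring []string, id string) []string {
	var out []string
	for _, fp := range ring {
		if strings.HasSuffix(fp, normalize(id)) {
			out = append(out, fp)
		}
	}
	return out
}

func main() {
	fmt.Println(Candidates(keyring, "0xDEADBEEF")) // both constructed keys match
	fmt.Println(RequireFingerprint("DEADBEEF"))    // refused with an error
}
```
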