A new collision attack brings attention to a number of fake short ID keys exploiting a well-known flaw with Pretty...
Good Privacy, or PGP, encryption keys.
The issue arises from the use of short IDs, which are the last eight digits of a public key's fingerprint. These digits are used to label the key, meaning this short ID can be spoofed if a fingerprint is generated with the same last eight digits.
On Monday, the Linux Kernel Mailing List posted a warning to users, describing a surge in collision attacks on developers beginning in June and culminating in fake keys being found for Linus Torvalds, the creator of Linux, and Greg Kroah-Hartman, the current Linux kernel maintainer.
Experts have long acknowledged the flaw in PGP allowing collision attacks to spoof a short ID key. PGP is a cryptography program for encrypting and digitally signing messages or files, so a fake PGP key could leave a recipient unable to decrypt or authenticate a message. But Jon Rudolph, principal software engineer at Core Security SDI Corp., based in Roswell, Ga., said the issue would be far worse for someone like Torvalds.
"For Linus, losing control of the source for his projects is a major setback for the infrastructure of secure operating systems and competition for Microsoft," Rudolph told SearchSecurity. "With increasing access to cloud computing, the ability to find colliding hashes has really multiplied over the last few years."
The Linux Kernel Mailing List post on the issue referenced warnings about the issue of collision attacks on PGP short IDs dating back five years.
In 2011, Asheesh Laroia, former Debian developer and current software engineer for cloud operating system Sandstorm, wrote: "It is important that we stop using short key IDs. There is no vulnerability in OpenPGP and GPG [Good Practice Guides]. However, using short key IDs is fundamentally insecure; it is easy to generate collisions for short key IDs. We should always use 64-bit (or longer) key IDs."
In 2013, Daniel Kahn Gillmor, former Debian developer and current technology fellow for the Speech, Privacy and Technology Project with the American Civil Liberties Union, noted it would still not be safe to use a longer key ID cut from the PGP fingerprint.
"I am more convinced than ever that key IDs (both short and long) are actively problematic to real-world use of OpenPGP. We want two things from a key management framework -- unforgeability and human-intelligible handles. Key IDs fail at both," Gillmor wrote. "Fingerprints are unforgeable, but they aren't human-intelligible. User IDs are human-intelligible, and they are unforgeable if we can rely on a robust keysigning [sic] network. Key IDs (both short and long) are neither human-intelligible nor unforgeable, so they are the worst of all possible worlds."
Experts widely agreed the best advice is for users to never trust an ID shorter than the full fingerprint of the public PGP key.
Gunnar Wolf, a Debian developer and teacher at the National Autonomous University of Mexico, agreed with Gillmor on short IDs and wrote, "We should rather target either always showing full fingerprints, or not showing it at all," because he said software checks of those strings would be far more accurate than humans.
"Education [is] about sticking to the rules for security, and learning what the real load-bearing structures are," Rudolph said, because, "sometimes, the convenient shortcuts bite back."
Learn more about if it is time for a new encryption standard to replace PGP.
Find out how OpenPGP encryption can improve messaging security.
Get info on protecting PGP keys.