Daniel Kahn Gillmor | 5 May 2009 06:05

how to specify "trust no signatures over hash X from this key"?

As i'm thinking about hash function transitions right now, it occurs to
me that i'm not sure how to specify something like "The holder of this
key will never issue signatures using digest algorithm $foo"

In RFC 4880, section 5.2.3.8 the digest algorithm preferences subpacket
says something similar:

   Message digest algorithm numbers that indicate which algorithms the
   key holder prefers to receive.  Like the preferred symmetric
   algorithms, the list is ordered.  Algorithm numbers are in Section 9.
   This is only found on a self-signature.

But this is semantically something fairly different from stating what
kind of use the keyholder expects to pursue.

Consider the case where a user has in the past made and published
MD5-based signatures, and no longer believes that hash algorithm is
secure for the purposes used (or if you like, think into the near
future, and imagine the same situation with SHA1).

It seems to me that it would be useful to have a way that a keyholder
could explicitly state "I no longer make signatures over digest X.
Please consider any signatures from this key using digest X to be invalid."

This does lead to the possibility of an explicit "impedance mismatch",
where Alice says "I never issue MD5, SHA1, or RIPEMD160 digests" and Bob
says "I prefer to receive only SHA1, RIPEMD160, or MD5 digests" -- in
this case, Alice's key is useless to Bob.  But this impedance mismatch
exists implicitly anyway, if these are the actual policies.  It seems
like it would be useful to know that the conflict exists at that level.
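As an added example (not code from the original thread, and not anything RFC 4880 defines), the following Python models the policy proposed above: a key carries the real RFC 4880 "preferred hash algorithms" list plus a hypothetical "rejected digests" set, a verifier refuses any signature from that key over a rejected digest even if the digest still matches, and a helper computes the "impedance mismatch" between a signer's rejected digests and a recipient's preferences. The hash algorithm IDs are the RFC 4880 section 9.4 values; the signature itself is only the message digest (no public-key operation), and the message is a constructed sample.

```python
# Added example written for this page; it models the proposal in the post
# above and assumes a hypothetical "rejected digests" self-signature
# subpacket that RFC 4880 does not define. The hash IDs are RFC 4880 9.4.
from dataclasses import dataclass, field
import hashlib

MD5, SHA1, RIPEMD160, SHA256 = 1, 2, 3, 8      # RFC 4880 section 9.4 IDs
HASH_NAMES = {MD5: "md5", SHA1: "sha1", RIPEMD160: "ripemd160", SHA256: "sha256"}


@dataclass
class KeyPolicy:
    key_id: str
    # RFC 4880 5.2.3.8: digests the holder prefers to *receive*, ordered.
    preferred_digests: list
    # Hypothetical subpacket: digests the holder states it will never *issue*.
    rejected_digests: set = field(default_factory=set)


@dataclass
class Signature:
    key_id: str
    hash_algo: int
    digest: bytes   # stand-in for the signed digest; no public-key math here


def sign(policy, hash_algo, message):
    """Issue a signature, honouring the holder's own rejected-digest policy."""
    if hash_algo in policy.rejected_digests:
        raise ValueError(f"{policy.key_id} refuses to sign with {HASH_NAMES[hash_algo]}")
    digest = hashlib.new(HASH_NAMES[hash_algo], message).digest()
    return Signature(policy.key_id, hash_algo, digest)


def legacy_signature(key_id, hash_algo, message):
    """Model a signature issued *before* the holder published the policy."""
    return Signature(key_id, hash_algo, hashlib.new(HASH_NAMES[hash_algo], message).digest())


def verify(policy, sig, message):
    """Return (ok, reason). A signature over a rejected digest is invalid even
    when the digest still matches: the holder asked for exactly that."""
    if sig.key_id != policy.key_id:
        return False, "wrong key"
    if sig.hash_algo in policy.rejected_digests:
        return False, f"{HASH_NAMES[sig.hash_algo]} rejected by key holder policy"
    expected = hashlib.new(HASH_NAMES[sig.hash_algo], message).digest()
    if expected != sig.digest:
        return False, "digest mismatch"
    return True, "ok"


def usable_digests(signer, recipient):
    """Digests the signer will issue AND the recipient wants, in the recipient's
    preference order. An empty list is the impedance mismatch from the post."""
    return [h for h in recipient.preferred_digests if h not in signer.rejected_digests]


if __name__ == "__main__":
    alice = KeyPolicy("alice", [SHA256], {MD5, SHA1, RIPEMD160})
    bob = KeyPolicy("bob", [SHA1, RIPEMD160, MD5])
    msg = b"constructed sample message"
    print(usable_digests(alice, bob))                   # [] : Alice's key is useless to Bob
    print(verify(alice, legacy_signature("alice", MD5, msg), msg))
    print(verify(alice, sign(alice, SHA256, msg), msg))
```

The point the model makes explicit is that the rejected-digest check runs before the digest comparison, so an old MD5 signature that still "verifies" cryptographically is nonetheless reported invalid once the holder has published the policy, and the mismatch between Alice's rejected set and Bob's preferences is detectable without attempting a signature at all.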

Ian G | 5 May 2009 08:58

Re: how to specify "trust no signatures over hash X from this key"?


On 5/5/09 06:05, Daniel Kahn Gillmor wrote:

> Is there interest in being able to explicitly state such a policy?

None whatsoever.  Simplify, simplify, simplify.  One hash is good enough 
for 99.99% of the users, and the rest should be implementing not eulogising.

Has anyone read the OSS Guide to Sabotage?  In there it has a list of 
things about how to break up a user group.  One of them is to insist on 
following rules because they are important, another advice is to always 
refer things to a committee.

If it was updated today for IETF, it would say:  always insist on the 
right to variations in protocols, for future-proofing.

iang

Daniel Kahn Gillmor | 5 May 2009 15:20

Re: how to specify "trust no signatures over hash X from this key"?

On 05/05/2009 02:58 AM, Ian G wrote:
> Simplify, simplify, simplify.  One hash is good enough
> for 99.99% of the users, and the rest should be implementing not
> eulogising.
 [...]
> If it was updated today for IETF, it would say:  always insist on the
> right to variations in protocols, for future-proofing.

I've seen you express this sentiment before, Ian, and i can appreciate
where you're coming from.  Variable ciphers and digests are messy,
difficult to get right, and alienating arcana to most users.  But i
don't understand what your concrete proposal is here.

Say OpenPGP had Just One Hash, and it was SHA-1 -- what would be the
best approach for us 0.01% of the users/implementors to take in response
to the news that SHA-1's collision-resistance was insufficient against
well-resourced organizations, and seems likely to get worse before SHA-3
is settled?

How would we help facilitate the transition for the 99.99% of the users
to a safer hash?  Or would we simply tell them "OpenPGP is done, go find
something else before the year is up if you want to maintain
private/authenticated communications"?

Regards,

	--dkg

Ian G | 6 May 2009 00:27

Re: how to specify "trust no signatures over hash X from this key"?


On 5/5/09 15:20, Daniel Kahn Gillmor wrote:
> On 05/05/2009 02:58 AM, Ian G wrote:
>> Simplify, simplify, simplify.  One hash is good enough
>> for 99.99% of the users, and the rest should be implementing not
>> eulogising.
>   [...]
>> If it was updated today for IETF, it would say:  always insist on the
>> right to variations in protocols, for future-proofing.
>
> I've seen you express this sentiment before, Ian, and i can appreciate
> where you're coming from.  Variable ciphers and digests are messy,
> difficult to get right, and alienating arcana to most users.

And, anything that slows users slows usage.  Unusability is the killer, 
not the number of bits in the algorithm.

> But i
> don't understand what your concrete proposal is here.
>
> Say OpenPGP had Just One Hash, and it was SHA-1 -- what would be the
> best approach for us 0.01% of the users/implementors to take in response
> to the news that SHA-1's collision-resistance was insufficient against
> well-resourced organizations, and seems likely to get worse before SHA-3
> is settled?

Wait until SHA-3.  Meanwhile, design how to use SHA-3 from 2012 to 2022.

The predictions of the end of the world are premature.  Note that nobody 
has stolen money through an MD5 as yet, and nobody has stolen money 

Daniel A. Nagy | 24 May 2009 14:03

Weak crypto [was: Re: how to specify "trust no signatures over hash X from this key"?]

Hi,

Ian G wrote:
> Nor, has 40 bit secret keys been embarrassed as yet.

That is not true. Stealing luxury cars with 40-bit ciphers in their RFID keys by
brute-forcing the (cryptographic) key is routine criminal practice.

See also http://en.wikipedia.org/wiki/Motor_vehicle_theft

Ian G | 24 May 2009 23:20

Re: Weak crypto [was: Re: how to specify "trust no signatures over hash X from this key"?]


On 24/5/09 14:03, Daniel A. Nagy wrote:
> Hi,
>
> Ian G wrote:
>> Nor, has 40 bit secret keys been embarrassed as yet.
>
> That is not true.

Ah, caught by my lack of precise terms.  The earlier sentence gave the 
clue that I meant by embarrassment: broken and money lost because of it.

> Stealing luxury cars with 40-bit ciphers in their RFID keys by
> brute-forcing the (cryptographic) key is routine criminal practice.
>
> See also http://en.wikipedia.org/wiki/Motor_vehicle_theft

OK, another great data point.  But other than this:

# New keyless ignition/lock cars often share the same 40-bit encryption 
method between their "keys" and their computers. Using a RFID 
microreader and a laptop, university students have managed to remotely 
unlock, start, and drive away in top-of-the-line luxury cars, not 
without returning the cars to their rightful owners of course and with 
their consent to "steal" it in the first place.[citation needed]

I see no evidence of "routine criminal practice" ... and unlike some, I 
explicitly exclude "university students with or without laptop" from the 
general class of criminals :)


Daniel A. Nagy | 25 May 2009 02:04

Re: Weak crypto [was: Re: how to specify "trust no signatures over hash X from this key"?]

Hi,

I think there *is* a good reason for being more paranoid about broken crypto
than all the other attacks: broken crypto often leaves no evidence (to the point
of the victim not even noticing the attack) and hence leaves no room to reactive
countermeasures. More below.

Ian G wrote:
> I see no evidence of "routine criminal practice" ... and unlike some, I
> explicitly exclude "university students with or without laptop" from the
> general class of criminals :)

No-no, the wikipedia link was not meant as evidence, just a description of the
actual method. I have provided no evidence to the fact that brute-forcing 40 bit
RFID keys is routine criminal practice, because I was too lazy/busy to dig it
up. But I *have* read somewhere that several real cars (and very expensive ones,
at that) have been really stolen (in several countries, AFAIR) using this
technique by real criminals. For now, please take my word for it or google it up
yourself. A bit later, I might do the googling for you.

In the context of OpenPGP, I believe that we really should exclude the
possibility of attacks that penetrate our crypto, because the intended use cases
of OpenPGP include quite a few where such an attack cannot be detected even ex
post. A good example would be insider trading on information gained from
supposedly confidential correspondence. Such threats cannot be validated. Weak
crypto invites such attacks without any possibility of validating the vulnerability.

-- 
Daniel


Lionel Elie Mamane | 23 May 2009 01:24

Re: how to specify "trust no signatures over hash X from this key"?


On Wed, May 06, 2009 at 12:27:13AM +0200, Ian G wrote:

> The predictions of the end of the world are premature.  Note that nobody  
> has stolen money through an MD5 as yet, and nobody has stolen money  
> because of an RSA-512, either.

Maybe, but people have stolen money because of "too small RSA"
keys. It was RSA-320, not RSA-512. According to my sources, up to and
including in the year 2007 (I don't know when it was stopped or
whether it was). Because the debit card of the Swiss PostFinance was
using RSA-320 for authentication. As was the whole debit / credit card
system in France until the early 21st century; it seems there were
cases of theft up to 2001 in France.

France:
 http://www.parodie.com/monetique/breveyescard_porteur_21112001.htm
 http://www.parodie.com/monetique/

Switzerland:
 http://events.ccc.de/congress/2006/Fahrplan/events/1775.en.html
 http://www.postcard-sicherheit.ch/
 http://chaostreff-zh.tuners.ch/Pestcard

-- 
Lionel

Ian G | 23 May 2009 12:12

Re: how to specify "trust no signatures over hash X from this key"?


On 23/5/09 01:24, Lionel Elie Mamane wrote:
> On Wed, May 06, 2009 at 12:27:13AM +0200, Ian G wrote:
>
>> The predictions of the end of the world are premature.  Note that nobody
>> has stolen money through an MD5 as yet, and nobody has stolen money
>> because of an RSA-512, either.
>
> Maybe, but people have stolen money because of "too small RSA"
> keys. It was RSA-320, not RSA-512. According to my sources, up to and
> including in the year 2007 (I don't know when it was stopped or
> whether it was). Because the debit card of the Swiss PostFinance was
> using RSA-320 for authentication. As was the whole debit / credit card
> system in France until the early 21st century; it seems there were
> cases of theft up to 2001 in France.
>
> France:
>   http://www.parodie.com/monetique/breveyescard_porteur_21112001.htm
>   http://www.parodie.com/monetique/
>
> Switzerland:
>   http://events.ccc.de/congress/2006/Fahrplan/events/1775.en.html
>   http://www.postcard-sicherheit.ch/
>   http://chaostreff-zh.tuners.ch/Pestcard
>

Well, this is an important benchmark, if it indeed happened.

The questions would be:  was the RSA cracked, or was it something else 
that failed?  Or a combination of things?  What's with the 320 number?

Lionel Elie Mamane | 24 May 2009 12:14

Financial RSA crack case study: Carte Bleue & PostFinance debit cards [was: how to specify "trust no signatures over hash X from this key"?]


On Sat, May 23, 2009 at 12:12:00PM +0200, Ian G wrote:
> On 23/5/09 01:24, Lionel Elie Mamane wrote:
>> On Wed, May 06, 2009 at 12:27:13AM +0200, Ian G wrote:

>>> The predictions of the end of the world are premature.  Note that nobody
>>> has stolen money through an MD5 as yet, and nobody has stolen money
>>> because of an RSA-512, either.

>> Maybe, but people have stolen money because of "too small RSA"
>> keys. It was RSA-320, not RSA-512. According to my sources, up to and
>> including in the year 2007 (I don't know when it was stopped or
>> whether it was). Because the debit card of the Swiss PostFinance was
>> using RSA-320 for authentication. As was the whole debit / credit card
>> system in France until the early 21st century; it seems there were
>> cases of theft up to 2001 in France.

> Well, this is an important benchmark, if it indeed happened.

> The questions would be: was the RSA cracked, or was it something
> else that failed?

Executive summary: The RSA was cracked, but that is not the only non
social-engineering-or-physical attack on the system. AFAIK the RSA
crack came after the other attacks were already used in the wild.

All the information here comes from the websites I linked to, or from
my memory of the media stories in France in 1999/2000 or talk at the
CCC, translated when needed.


Ian G | 24 May 2009 23:26

Re: Financial RSA crack case study: Carte Bleue & PostFinance debit cards [was: how to specify "trust no signatures over hash X from this key"?]


Thanks for the summary!  I would conclude that (a) their system was a 
bit of a mess, and (b) it is a shame, because otherwise we would have 
got a clear benchmark.

As the banks weren't cooperating, what we would have to do is look at 
the gangs and see if they could reveal the methods.  Oh well, not this year.

iang

PS: the 320 question is that I was thinking RSA could only work down to 
something like 380?  But then I thought about it some more, that's to do 
with the hash size and packet formats.  Likely these guys didn't follow 
that.

On 24/5/09 12:14, Lionel Elie Mamane wrote:
> On Sat, May 23, 2009 at 12:12:00PM +0200, Ian G wrote:
>> On 23/5/09 01:24, Lionel Elie Mamane wrote:
>>> On Wed, May 06, 2009 at 12:27:13AM +0200, Ian G wrote:
>
>>>> The predictions of the end of the world are premature.  Note that nobody
>>>> has stolen money through an MD5 as yet, and nobody has stolen money
>>>> because of an RSA-512, either.
>
>>> Maybe, but people have stolen money because of "too small RSA"
>>> keys. It was RSA-320, not RSA-512. According to my sources, up to and
>>> including in the year 2007 (I don't know when it was stopped or
>>> whether it was). Because the debit card of the Swiss PostFinance was
>>> using RSA-320 for authentication. As was the whole debit / credit card
>>> system in France until the early 21st century; it seems there were