1995-11-27 - Re: establishing trust

Header Data

From: Greg Rose <Greg_Rose@sydney.sterling.com>
To: Carl Ellison <cme@clark.net>
Message Hash: 46fb203e0687049c946467607d79a519e68f41217ec9e692c1cb141788315e4f
Message ID: <pgpmoose.199511271220.42718@paganini.sydney.sterling.com>
Reply To: <199511240500.AAA07836@clark.net>
UTC Datetime: 1995-11-27 01:37:52 UTC
Raw Date: Mon, 27 Nov 1995 09:37:52 +0800

Raw message

From: Greg Rose <Greg_Rose@sydney.sterling.com>
Date: Mon, 27 Nov 1995 09:37:52 +0800
To: Carl Ellison <cme@clark.net>
Subject: Re: establishing trust
In-Reply-To: <199511240500.AAA07836@clark.net>
Message-ID: <pgpmoose.199511271220.42718@paganini.sydney.sterling.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Carl Ellison <cme@clark.net> wrote:
  Ed Carp wrote:
  >Subject: Re: crypto for porno users
  >To: khijol!clark.net!cme@uunet.uu.net (Carl Ellison)
  >Date: Thu, 23 Nov 1995 15:57:17 -0600 (CST)
  >Cc: khijol!got.net!edge@uunet.uu.net, khijol!toad.com!cypherpunks@uunet.uu.n
 et
  >

  >totally different from this "web of trust" I keep hearing about - and that i
 s
  >*it*.  Do you trust me any more now than before I started signing my posting
 s?

  Actually, in my view, signed postings are the first step.  With those (and
  the right S/W (not there yet)), I get to know that a bunch of postings came
  from the same person.  I even know who they came from:  the person who
  is capable of signing with key 0xXXXXXXXX.

I hate to point this out, but that isn't true.
Anyone can create a key with any chosen keyid and
attach the same publicly known name to it. (see,
eg., the key I signed this with, given below).
The only unforgeable things about a particular
key are:

1. The key itself (you know, the product of the
primes),
2. The key fingerprint (unless MD5 is compromised)
and 
3. The web of trust leading to that key.

So, in practice, you actually have to look at the
key fingerprint of the key used to sign a message,
if you want to be sure of the uniqueness of that
key.

Or you have to only trust keys that come
well-introduced. Back to the Web of Trust.

  Since the only way I have of getting to know the person is through those
  postings, I get to know that person and through that knowledge I decide
  whether or not to trust.

I've been trying to think of the possible
ramifications of spoofing people's names and
keyids on a large scale. And a large scale is
certainly possible -- it only took me about an
hour to create this key. I was originally
intending to use this key as part of a real
project, to gain attention to the project, but the
more I thought about it the more I worried about
the implications. This "coming out" invalidates
any chance of that happening.

There are two bad things I can think of.
Suppose I want to somehow attack Fred. I can
create a key with the same ascii text associated
with it very easily. With only a little more
effort, I can also duplicate the keyid. PGP adds
new keys at the front of the keyring, so if I
start distributing this new key widely, it will
appear in keyrings before the "real" Fred's.
Whenever this happens automatically, there is some
possibility that the wrong key will be used for
some operations. PGP doesn't help much, because it
is hard to specify the key unambiguously in this
case.

PGP uses more than just the visible part of the
keyID. So at least it will choose the right key to
verify signatures, right? Maybe not. I can apply
the same spoofing technique to the whole internal
keyID, and generated a key that even PGP can't
tell is the wrong one. I think that when PGP tried
to check the signature on a message from the "real"
Fred that it would notice that it had applied the
wrong key, but I'm not absolutely sure on this
point. Anyway, an inattentive or somewhat
automated user will merely notice that the
document signature fails to check out, essentially
slurring the "real" Fred's reputation.

Any other possible attacks?

Greg.

Greg Rose               INTERNET: greg_rose@sydney.sterling.com  
Sterling Software       VOICE:  +61-2-9975 4777    FAX:  +61-2-9975 2921
28 Rodborough Rd.       http://www.sydney.sterling.com:8080/~ggr/
French's Forest         35 0A 79 7D 5E 21 8D 47  E3 53 75 66 AC FB D9 45
NSW 2086 Australia.     co-mod sci.crypt.research, USENIX Director.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMLkSAqaauZzerb7vAQFpbgP+KpPj1SH746nmJca3VmEGU13t/enQL5GT
FmCGHqnqI757GRNOiHMXnNe8mMdwMn67UgxU/3a7R/UU7rspGH3P/IrmDH0NnDHG
z5QuhQcutgswz7ncNeuUxi6BRHP12SM/aNnLqCmT308zd1sL1BNL/CUgPdxNBnFT
kCe5dS0FVaI=
=mopc
-----END PGP SIGNATURE-----

-----BEGIN PGP MESSAGE-----
Version: 2.6.2i

lQHgAzBrI8cAAAEEANQqR/iaxVP8FZ5CKqI2hcYFFyWAsnNmsZsPi+nOehI1nMyi
PBzX1PPBh8pCAS+0mrUqKKUp2ArCS6n6Ph/R2VjHsqq8HFKOT14Md3C6/M15SKDV
ODcgKvfZf7gs6KEhPqcCS1P8OpGQWRczE1nTxYAw65bBRpDg7KaauZzerb7vAAUR
Adj6LAUodVxLA/4dxjQlaNqaJp5ElB0amAQ81/9Zah4Zf1j8CLVw08g5Kz4oK3hJ
dx61pjBJ2fag1/UUM6y9gIT5yL0ErK+KQ1sPdvZPe5p5JEhCV2tlqlT+d1iPdEiN
x7t986et7Zb91T+UsEyLLaTxQMKk4obDb2IvJvKgcvNm+wRW5rGNXitpRQIAGmTd
ypkNQIwWq07d+QNaFUYgTl8ZQfX078a6VMPl2DQni6uLmvUvgI3VHW8oTcpyqu5j
mJt0FTkeGMA0lKQa5AIA//fzyVUXGJEKkXIBkfCJ/F1V4dMsfZ/3z73RiNtKl46p
lMTztn/cCEUoE+GwonQhkJUnAXbBYtFifisyVf92ngH/u7YxY+z4T2SrhsYj+oGc
Ox/T2VlugUYPowQr3070OoHrrd7icwXNU69nHkle7/jnFjMTvDSZrPYZiXFa0yhV
0apCtBBQcmltZSBSaWIgTG92ZXJziQCVAwUQMLkLB6aauZzerb7vAQEHyAQApGgP
xyUR71jntGeir3yJpcBAEVkmqXLYZPb83dzVlWh7HHQmTiyE/rrcJT7NZRZGA8X7
TTPMZnITDETdwFVIkznvY8v7DWGXD8SD0LNlE61lzhmhNvsfUmQ/q4YHrCERb31P
56TPaveSwYlkPanOYLLJ7m47KICP0z3jzNgwqRo=
=DLC7
-----END PGP MESSAGE-----





Thread