Mailing List Archive

Key poisoning
If the keyserver implemented a signer blacklist, (which would scrub the
blacklisted signature from any current or incoming public keys), what
consequences am I missing?

In essence, shadowbanning a signing key. Keyservers without blacklist
support would still pass around the toxic keys, but only until they get
updated with the blacklist.

The notion of nothing getting deleted is a feature (as nice as it would be
to be able to nuke my keys from the 90s that never really got used to begin
with). Masking out signatures from bad actors seems like a valid solution.

It doesn't address all of the problems were seeing now (core infrastructure
not in a maintainable state for the project, using effectively voodoo to do
its job)

But could be a start.
Re: Key poisoning [ In reply to ]
> On 14 Aug 2019, at 23:38, Daniel Clery <dan@savevsgeek.com> wrote:
>
> If the keyserver implemented a signer blacklist, (which would scrub the blacklisted signature from any current or incoming public keys), what consequences am I missing?

This is known as “enumerating badness” and it doesn’t scale. You would only be able to identify a bad actor after its actions are noticed - by a human being. Also, if thousands of separate keys have signed another key, making it unusable, how do we decide which of those thousands of keys are legit and which the bad actors? Generating lots of keys on modern hardware is not difficult.

A
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Key poisoning [ In reply to ]
> If the keyserver implemented a signer blacklist, (which would scrub the
> blacklisted signature from any current or incoming public keys), what
> consequences am I missing?

Someone already chimed in about how this is "enumerating badness", which
runs counter to best practices in security.

Additionally, the bad guys can create new malicious certificates faster
than the keyserver network can blacklist.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Key poisoning [ In reply to ]
On 15/08/2019 08:50, Robert J. Hansen wrote:
> Additionally, the bad guys can create new malicious certificates faster
> than the keyserver network can blacklist.

Plus, the attacker could just create a signature that looks likely to be
real (self-sig or existing third-party sig seems a good candidate). Only
when actually doing the cryptographic verification will it turn out to
be fake anyway. By that time the amount of processing GnuPG has done is
already enough for the denial of service.

I think the attacker only used cryptographically valid signatures
because it was easier to use existing tooling. There is no reason for
the poison to be cryptographically valid. It just has to be slightly
expensive to verify. GnuPG doesn't even get to the bit where the
signature is validated, since the signing key isn't on the keyring, and
still, we have this DoS.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
Re: Key poisoning [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Thursday 15 August 2019 at 10:26:31 AM, in
<mid:b1133e78-032a-3465-7e03-8abf999f7696@digitalbrains.com>, Peter
Lebbing wrote:-


> Plus, the attacker could just create a signature that
> looks likely to be
> real (self-sig or existing third-party sig seems a
> good candidate).


Would the attack work by just concatenating lots of identical
signature packets onto a copy of the target key and sending the result
to the keyserver?

- --
Best regards

MFPA <mailto:2017-r3sgs86x8e-lists-groups@riseup.net>

An obstinate man does not hold opinions. They hold him.
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCXVW3MV8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+ncpAQDhG3HrT17ZNRCddaPh4Mz+PDmDzoYA8g5TgSsrP2UecQEAswc8FBOdRJku
sPjNfiQaWyQSPHLnWNDkccPTywm+vgCJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCXVW3MV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/1tfD/sFEf1QzMMnhDOZMt+RAhHMp3Va
TcM3O8g9453Hb1eFkkIa+7lZCox4S4uDAVa4eKwhmqnhv9HTDlRFrxYR1d+rXWn7
7XcwdgsBdMlJxZ0YIDSXdEXuNzcokQlIvLhcf4qhx9jY3v/+3hd1luNjzb/sYWr4
j5nErWrFywQD5BWh9kFa6hMisrfVNTSo0Tb2R3HwUej97iwcuwVdu/6dIW3uSUFt
MACQDmYNvWJqw/Rvjb+YKt7L5E/yY+47tO++Izm+cYvSYUM/DqDFLayvOVLtT/Wl
JGGwpxbdaBmk41t4wnpp8c0bpoZuAVgylAzk39Yal67yIOzcEipcyupqNlPupcVd
79h+1j48KweDrvHdHw2smaHsbSJOSPWpZBwpzeveMHKqiavmoFpY3BVzEwZYU7wq
dTTG55z3dnFkcUiWzNzzr/6HRPRMkgYSX+1YDdCeSdDrtTguOyDmK9nUJDoDyvvZ
r70sgftCF54j4jK2Xq/B2mj0bHbQvkPi9kEwXUU+VaPWyWtlki8V5vL4HFypTdrh
eWVrwdbvDSaaxnIrjlyrxMOpjvAQ/2tYFSJgOA2jjAFqDYDBtFqJwCLWMc0Ksohq
5S2KNxhOcxRfR32QgYDHj9k1AtYjDDCfz9MMemr8B13zgALLFSJYTVpOUf2cSo3X
cIlFh2czPTfUlsL3Nw==
=GjEU
-----END PGP SIGNATURE-----


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Key poisoning [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Thursday 15 August 2019 at 7:07:34 AM, in
<mid:9B2C2E8C-669E-4E0B-95F2-063AE03396A7@andrewg.com>, Andrew
Gallagher wrote:-

> Also, if thousands of
> separate keys have
> signed another key, making it unusable, how do we
> decide which of
> those thousands of keys are legit and which the bad
> actors?
> Generating lots of keys on modern hardware is not
> difficult.

Does the attacker even keep the same signing keys to use again? Each
key could be dumped after adding its signature to the target key. The
suggested blacklist could soon grow to be a crippling overhead for the
keyserver.

- --
Best regards

MFPA <mailto:2017-r3sgs86x8e-lists-groups@riseup.net>

Beware the deadly donkey falling slowly from the sky
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCXVW3jV8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+p0hAP41O5yaJ515MrR96zg9Q9I10Cuy54lSrIk+ZHZkvROcRwEAwO+sl8WbImDE
MWOPszYYgh55/IKsyL4CMCyVIPP44QaJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCXVW3jV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/xtjD/9CrOG0mu655f6EWK69mRlRcclj
J4dXznJ1HFy7WC3pV9/mEhBjgVIvsHGv/IMQzx7oQSm8Q6e+iY7OvK4gp1sRZ5Gt
q8GUVW2L3uzXaGO2XDWOP3JnMwg1VPGLfF6XbV9Kzr02Rg/kcAaeffefYWfSUSJr
P9oBfFut5BeBbEAJE6AZdgBnccRJWOOtd19haHEBnhS4wb2pCUA4J6h1760Tg2Nv
1IrjICnz2w20gLxbUKJkwZGpA5fg5rRVOAjPWGtBqzVCgW11/KhoNg9/5EOjdmau
bOo2PpXj5evSzF7HB715Ivf/Yp7AnJIe8QNvkFa7gHylt1R2WRZ4bmhehHE0UWFD
zs7ga3ynxquYWFe+IM4eOXmwVjdAU/IuxigztPSsyvdB9zg+oL/ADO4TzPd8+aDY
xURX8tTMPVuI8ETfxQFcrVyk5gGcPvqUaE/t/AfnbjbCqacqmUNxdRC9jF7ArNP3
+F6RNorFKaDQj/30pG4nqSX7uHfoq2rOZifSmhIXmHToIVUcKxXKamWeJ3V3xgLg
PVD0Igan1TbuU6L74fUYZAQq1diz3Ab4VaD2QjVfkVKW4Co02tbJDtTEPY5QMuPK
XD3e++TNJVXBsteEI7Vg0M/G3ZM4OSC4PvS953PrnngkQ4LOrHY3D6HiavD+tlbf
c9VUzHfbfULsmlVqpA==
=Gz3/
-----END PGP SIGNATURE-----


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Key poisoning [ In reply to ]
Hi MFPA,

> Would the attack work by just concatenating lots of identical
> signature packets onto a copy of the target key and sending the result
> to the keyserver?

I have no knowledge of the workings of the keyservers. But my guess is
that they would all be coalesced into the single signature that they are
(similarly to when a single new signature was uploaded to two different
SKS keyservers and these are coalesced on reconciliation).

It might be possible if you just change some bytes. I dunno.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
Re: Key poisoning [ In reply to ]
Thanks - I knew I was being naive.

Is it correct that the thesis that describes the fundamentals of the
current reconciliation algorithm is 'Spreading Rumors Cheaply, Quickly, and
Reliably'?