[ale] Ouch Damnit. I am a victim of a gpg security attack
Charles Shapiro
hooterpincher at gmail.com
Tue Nov 30 12:19:01 EST 2021
I've been preparing for a gpg key signing party at work. On checking
my personal gpg key on , I discovered that it had been Revoked:
pub unk(#0)0/a4a66548382d0f35f394881fefc2dfb41df36586
Hash=c191ea816aea760f17bb30226e67a5bf
sig revok efc2dfb41df36586 2016-08-16T05:12:19Z ____________________
____________________ [selfsig]
I had no memory of doing this, so I investigated further. I was
particularly intrigued by the "2016-08-16T05:12:19Z" timestamp. I
don't do things like revoke my keys at midnight or so local.
It turns out that someone had figured out a hash collision attack on
32-bit key fingerprints back in 2016, then published a list of all
the vulnerable fingerprints. The list is 89 MB long and is still
available (https://evil32.com/). I downloaded it and verified that,
alas, 1DF36586 was on that list. My wife's key (B4E4FC10) was not.
Someone _else_ then went ahead and Revoked every key on it, including
mine but not my wife's.
So now I need to generate a whole new key and get it signed by a bunch
of people. I'm going to use this tragedy//opportunity to update the
GPG Simple How To still available on the ALE site
(https://ale.org/static_pages/gpgstepbystep.html) (and still very
close to a Web Whack (or Hapax Legomenon) if you search for
"Millicent Arondofique"!)
Check your own keys and see if any of them were also Revoked without
your knowledge.
It's time for another ALE key signing party.
-- CHS
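The post's advice is to check your own keys. The script below is an added example, not code from the post or from the ALE how-to: it parses the machine-readable listing that `gpg --list-keys --with-colons` prints, derives the 64-bit and 32-bit key IDs from each 160-bit fingerprint, flags keys that are revoked or whose 32-bit ID sits on a list of known-colliding IDs, and computes why a 32-bit ID is too short to trust. The listing embedded in it is constructed (the first fingerprint is the one quoted above, the second is made up), and KNOWN_COLLIDING is a constructed stand-in for the evil32 list, which is not embedded.

```python
"""Check GnuPG keys for revocation and 32-bit key ID ambiguity (added example)."""
from dataclasses import dataclass

# Constructed sample of `gpg --list-keys --with-colons` output. The first key uses the
# fingerprint quoted in the post; the second key and both user IDs are made up.
SAMPLE_COLONS = """\
tru::1:1638291541:0:3:1:5
pub:r:4096:1:EFC2DFB41DF36586:1422201600:::-:::scESC::::::23::0:
fpr:::::::::A4A66548382D0F35F394881FEFC2DFB41DF36586:
uid:r::::1422201600::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>::::::::::0:
pub:u:4096:1:33221100FFEEDDCC:1500000000:::u:::scESC::::::23::0:
fpr:::::::::FFEEDDCCBBAA99887766554433221100FFEEDDCC:
uid:u::::1500000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Another User <other@example.org>::::::::::0:
"""

# Constructed stand-in for the published list of colliding 32-bit IDs.
# In practice this set would be loaded from the downloaded list.
KNOWN_COLLIDING = {"1df36586"}


@dataclass
class Key:
    fingerprint: str  # 40 hex chars: the SHA-1 fingerprint of a v4 key
    revoked: bool

    @property
    def long_id(self) -> str:
        # 64-bit key ID: the low-order 8 bytes of the fingerprint
        return self.fingerprint[-16:]

    @property
    def short_id(self) -> str:
        # 32-bit key ID: the low-order 4 bytes; only 2**32 possible values
        return self.fingerprint[-8:]


def parse_colons(text: str) -> list[Key]:
    """Parse pub/fpr record pairs from gpg --with-colons output."""
    keys = []
    pending_revoked = None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            # field 2 is the validity column; 'r' marks a revoked key
            pending_revoked = fields[1] == "r"
        elif fields[0] == "fpr" and pending_revoked is not None:
            # field 10 holds the fingerprint of the preceding pub record;
            # fpr lines that follow sub records are skipped
            keys.append(Key(fingerprint=fields[9].upper(), revoked=pending_revoked))
            pending_revoked = None
    return keys


def find_risky(keys: list[Key], known_colliding: set[str]) -> list[Key]:
    """Keys that are revoked or whose 32-bit ID is on the colliding list."""
    colliding = {k.upper() for k in known_colliding}
    return [k for k in keys if k.revoked or k.short_id in colliding]


def match_probability(generated: int, targets: int, bits: int = 32) -> float:
    """Probability that `generated` random keys hit at least one of `targets` IDs.

    With bits=32 and one target, about 2**32 key generations give a 63% chance
    of a match; with bits=64 the same effort is hopeless, which is why the
    full fingerprint (or at least the 64-bit ID) should be used.
    """
    space = 2 ** bits
    return 1.0 - (1.0 - targets / space) ** generated


if __name__ == "__main__":
    # Replace SAMPLE_COLONS with the real listing: gpg --list-keys --with-colons
    for key in find_risky(parse_colons(SAMPLE_COLONS), KNOWN_COLLIDING):
        state = "REVOKED" if key.revoked else "ok"
        print(f"{key.fingerprint}  long={key.long_id}  short={key.short_id}  {state}")
    print(f"P(match one target after 2**32 keys) = {match_probability(2 ** 32, 1):.3f}")
```

Only the `pub` validity column is consulted here; a key that was revoked on a keyserver but never refreshed locally will not show as revoked until `gpg --refresh-keys` pulls the revocation signature in.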