[ale] Ouch Damnit. I am a victim of a gpg security attack

Jeremy T. Bouse jeremy.bouse at undergrid.net
Tue Nov 30 13:08:26 EST 2021


Be sure to check by long key-id, not short key-id... I have this set as my
default in my gpg.conf. The dump of vulnerable fingerprints is a long-known
issue for those that ran SKS key servers. If you look closer you'll find
that the key that was revoked was actually not yours exactly but one made
to look like yours by short key-id collision.

At a minimum I highly recommend adding the following to your gpg.conf:
keyid-format 0xlong

On Tue, Nov 30, 2021 at 12:19 PM Charles Shapiro via Ale <ale at ale.org>
wrote:

> I've been preparing for a gpg key signing party at work.  On checking
> my personal gpg key on , I discovered that it had been Revoked:
>
> pub unk(#0)0/a4a66548382d0f35f394881fefc2dfb41df36586
> Hash=c191ea816aea760f17bb30226e67a5bf
> sig revok efc2dfb41df36586 2016-08-16T05:12:19Z ____________________
> ____________________ [selfsig]
>
> I had no memory of doing this, so I investigated further. I was
> particularly intrigued by the "2016-08-16T05:12:19Z" timestamp.  I
> don't do things like revoke my keys at midnight or so local.
>
> It turns out that someone had figured out a hash collision attack on
> 32-bit key fingerprints back in 2016,  then published a list of all
> the vulnerable fingerprints. The list is 89 mb long and is still
> available ( https://evil32.com/ ). I downloaded it and verified that,
> alas, 1DF36586 was on that list. My wife's key ( B4E4FC10) was not.
> Someone _else_ then went ahead and Revoked every key on it, including
> mine but not my wife's.
>
> So now I need to generate a whole new key and get it signed by a bunch
> of people.  I'm going to use this tragedy//opportunity to update the
> GPG Simple How To still available on the ALE site (
> https://ale.org/static_pages/gpgstepbystep.html ) (and still very
> close to a Web Whack ( or Hapax Legomenon ) if you search for
> "Millicent Arondofique" ! )
>
> Check your own keys and see if any of them were also Revoked without
> your knowledge.
>
> It's time for another ALE key signing party.
>
> -- CHS
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
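Added example, not code from this thread or from GnuPG: the script below shows where the 32-bit short key ID comes from (it is just the low 32 bits of the SHA-1 fingerprint), classifies how two fingerprints relate (identical, long-ID collision, short-ID collision, or different), and audits a `gpg --with-colons --list-keys` listing by full fingerprint so a revoked look-alike is reported as a look-alike rather than mistaken for your own key. The RSA key material, the look-alike fingerprint and the colon-format listing are constructed for illustration; the only value taken from the thread is the fingerprint quoted in the original post.

```python
"""Why `keyid-format 0xlong` (better: full fingerprints) matters when checking keys.

Added example, not code from the thread. All key material and listing output
here is constructed; the only value taken from the thread is PAGE_FPR.
"""
import hashlib
import struct

# Fingerprint quoted in the thread (uppercased); its last 8 hex digits are the short key ID.
PAGE_FPR = "A4A66548382D0F35F394881FEFC2DFB41DF36586"
# Constructed look-alike: same low 32 bits, everything else different.
LOOKALIKE_FPR = "DEADBEEF" + "0" * 20 + "CAFE1DF36586"


# --- 1. Where a key ID comes from --------------------------------------------

def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-octet bit count followed by the big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, modulus: int, exponent: int) -> bytes:
    """Body of a version-4 public-key packet for RSA (public-key algorithm 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(modulus) + mpi(exponent)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 s12.2: SHA-1 over 0x99, the 2-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_keyid(fpr: str) -> str:
    return fpr[-16:]  # low 64 bits of the fingerprint (what keyid-format 0xlong shows)


def short_keyid(fpr: str) -> str:
    return fpr[-8:]   # low 32 bits: the part the evil32 keys collided


# --- 2. Comparing two keys ---------------------------------------------------

def compare_keys(fpr_a: str, fpr_b: str) -> str:
    """Say how closely two fingerprints agree; only 'identical' means the same key."""
    a = fpr_a.replace(" ", "").upper()
    b = fpr_b.replace(" ", "").upper()
    if a == b:
        return "identical"
    if long_keyid(a) == long_keyid(b):
        return "long-keyid collision"
    if short_keyid(a) == short_keyid(b):
        return "short-keyid collision"
    return "different"


# --- 3. Auditing `gpg --with-colons --list-keys` output ----------------------

# Constructed listing: the thread's key next to a revoked look-alike. Only the record
# type (field 1), validity (field 2, 'r' = revoked), key ID (field 5) and the fpr
# record's fingerprint (field 10) are read; the remaining fields are filler.
SAMPLE_LISTING = f"""\
pub:-:4096:1:EFC2DFB41DF36586:1600000000:::-:::scESC::::::23::0:
fpr:::::::::{PAGE_FPR}:
uid:-::::1600000000::X::Constructed Owner <owner@example.invalid>::::::::::0:
pub:r:4096:1:0000CAFE1DF36586:1600000000:::-:::scESC::::::23::0:
fpr:::::::::{LOOKALIKE_FPR}:
uid:r::::1600000000::Y::Constructed Owner <owner@example.invalid>::::::::::0:
"""


def parse_colons(listing: str) -> list:
    """One dict per primary key: 64-bit key ID, revoked flag, full fingerprint."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "revoked": f[1] == "r", "fpr": None})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9].upper()  # first fpr after pub is the primary key's
    return keys


def check_key(listing: str, expected_fpr: str) -> dict:
    """Locate a key by its full fingerprint and list any short-ID look-alikes."""
    want = expected_fpr.replace(" ", "").upper()
    keys = parse_colons(listing)
    exact = [k for k in keys if k["fpr"] == want]
    lookalikes = [k["fpr"] for k in keys
                  if k["fpr"] and k["fpr"] != want and short_keyid(k["fpr"]) == short_keyid(want)]
    return {"found": bool(exact),
            "revoked": exact[0]["revoked"] if exact else None,
            "lookalikes": lookalikes}


if __name__ == "__main__":
    demo = v4_fingerprint(v4_rsa_public_key_body(1600000000, 0xC0FFEE1234567890ABCDEF, 65537))
    print(f"constructed key: fpr={demo} long={long_keyid(demo)} short={short_keyid(demo)}")
    report = check_key(SAMPLE_LISTING, PAGE_FPR)
    print(f"exact match found: {report['found']}, revoked: {report['revoked']}")
    for fpr in report["lookalikes"]:
        print(f"short-ID look-alike: {fpr} -> {compare_keys(PAGE_FPR, fpr)}")
```

To run the audit against a real keyring instead of the constructed sample, feed `check_key` the output of `gpg --with-colons --list-keys` and your own full fingerprint; `keyid-format 0xlong` and `with-fingerprint` in gpg.conf make the same distinction visible in the normal human-readable listing.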