[ale] Ouch Damnit. I am a victim of a gpg security attack

Charles Shapiro hooterpincher at gmail.com
Tue Nov 30 19:26:36 EST 2021


Ah, phew, I am Enlightened. So I don't need to actually revoke
7f1f c4c8 ba3e b464 49c2 42f2 b169 65b5 1df3 6586.  I just need to
make sure it's not confused with
a4a6 6548 382d 0f35 f394 881f efc2 dfb4 1df3 6586 (note that the
last 8 digits of these key ids are identical).

I'm still updating _Simple_How_To_ though.  It's _way_ out of date.

-- CHS

On Tue, Nov 30, 2021 at 4:29 PM Jeremy T. Bouse via Ale <ale at ale.org> wrote:
>
> To be more precise, your key is not vulnerable unless, of course, you lose control of the private key data itself. The vulnerability showed that a new key could be generated that would cause a 32-bit short key-id hash collision. It pointed out that an erroneous key could be returned by simply requesting keys via the 32-bit short key-id. If you look closely at your key and the key in the vulnerable list, the actual full fingerprint does not match; however, if you only request by the short key-id rather than the long key-id or the full fingerprint you could have the wrong key returned. Your key isn't affected other than the confusion caused by retrieving the key using the short key-id. This is a prime example of why you verify the complete fingerprint of the key before signing a key.
>
> On Tue, Nov 30, 2021 at 1:51 PM Steve Litt via Ale <ale at ale.org> wrote:
>>
>> Charles Shapiro via Ale said on Tue, 30 Nov 2021 12:19:01 -0500
>>
>>
>> >It turns out that someone had figured out a hash collision attack on
>> >32-bit key fingerprints back in 2016,  then published a list of all
>> >the vulnerable fingerprints.
>>
>> Is there anything I can do to make myself less vulnerable to a hash
>> collision attack?
>>
>> Thanks,
>>
>>
>> SteveT
>>
>> Steve Litt
>> Spring 2021 featured book: Troubleshooting Techniques of the Successful
>> Technologist http://www.troubleshooters.com/techniques
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> https://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>
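
The short key-id confusion discussed in this thread, as an added example that is not code from any of the posters: it takes the two fingerprints quoted above, shows that a lookup by the 32-bit short id matches both while the 64-bit long id and the full fingerprint match only one, and accepts a key only on a full fingerprint match. The function names and the in-memory "keyring" list are assumptions made for illustration; no gpg call is involved.

```python
import re
from collections import defaultdict

# The two v4 fingerprints quoted in the thread, spacing as posted.
FPR_A = "7f1f c4c8 ba3e b464 49c2 42f2 b169 65b5 1df3 6586"
FPR_B = "a4a6 6548 382d 0f35 f394 881f efc2 dfb4 1df3 6586"

# Identifier forms by hex length: a v4 key-id is the tail of the fingerprint.
KINDS = {8: "short-id", 16: "long-id", 40: "fingerprint"}


def normalize(ident):
    """Drop spaces, colons and a leading 0x; return upper-case hex."""
    s = re.sub(r"[\s:]", "", ident)
    s = s[2:] if s[:2].lower() == "0x" else s
    if not re.fullmatch(r"[0-9A-Fa-f]+", s):
        raise ValueError(f"not a hex identifier: {ident!r}")
    return s.upper()


def classify(ident):
    """Name the identifier form, rejecting lengths that are none of the three."""
    n = len(normalize(ident))
    if n not in KINDS:
        raise ValueError(f"unexpected length {n}: {ident!r}")
    return KINDS[n]


def lookup(keyring, ident):
    """Return every fingerprint whose tail matches ident, as a key-id search does."""
    classify(ident)
    want = normalize(ident)
    return [f for f in map(normalize, keyring) if f.endswith(want)]


def short_id_collisions(keyring):
    """Group fingerprints by 32-bit short id; keep ids shared by several keys."""
    groups = defaultdict(list)
    for f in map(normalize, keyring):
        groups[f[-8:]].append(f)
    return {sid: fprs for sid, fprs in groups.items() if len(fprs) > 1}


def verify(candidate, expected):
    """Accept a key only when the full 160-bit fingerprints are equal."""
    if classify(expected) != "fingerprint" or classify(candidate) != "fingerprint":
        raise ValueError("verification needs full fingerprints, not key-ids")
    return normalize(candidate) == normalize(expected)
```

Running `short_id_collisions` over the fingerprints of every key in a keyring flags any short id that more than one key shares, which is the case where a short-id lookup can hand back the wrong key.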

