Home page logo

bugtraq logo Bugtraq mailing list archives

Re: PGP Signatures security BUG!
From: Florian.Weimer () RUS UNI-STUTTGART DE (Florian Weimer)
Date: Fri, 10 Mar 2000 19:11:58 +0100

"Povl H. Pedersen" <pope () NETGUIDE DK> writes:

This was the first time he verified it.

The signature has Key ID: 0x6F620B65

So he had to look up the key using the keyservers, and surprisingly
enough, the server did NOT return the name of the sender, but of a
person called "Mike Evans".

Several answers in this thread have addressed quite a few problems
regarding faked user IDs and key IDs.  This kind of attack is a
significant threat only if you rely on this information to establish
the validity of a public key, but of course, this approach is
fundamentally flawed.

The problem that Povl observed was likely quite different.  According
to my own attempts, NAI's server simply returned the wrong key, which
didn't share any obvious characteristics with the one which was
requested (both key ID and user ID were different).  Currently, I'm
unable to reproduce the server behavior, though.

BTW: If you want to hide the name of your communication partners, it's
not very wise to reveal their PGP key ID, especially if it's
registered at public key servers.

Florian Weimer                    Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS Security Team                 +49-711-685-5973/fax +49-711-685-5898

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]