[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Some thoughts on a v5 key and why it shouldn't be a mess (fwd)



On Wednesday 21 September 2005 23:00, Daniel A. Nagy wrote:
> As before, I would like to express my concerns about allowing a choice of
> hash algorithms. Here's some detail:
>
> A complete break (feasible reversal) of ANY ONE of the supported hash
> algorithms would allow generating keys with arbitrary long key IDs,
> possibly colliding with an attacked key. This was a major problem with v3
> and v4 was a giant step in the right direction. This would be a small
> step backwards.

I don't see how this attack would work.

Let's say MDX is broken by some genius.

First the trivial case: 
Alices Key A uses MDX as its fingerprint algorithm. The fingerprint looks 
like: 99:AB 12 34 56 78 90 CD EF...
Mallory can now generate an arbitrary key M, that has the same algorithm and 
fingerprint.

Now the less trivial:
Bobs key B uses MDY (which was not broken). Fingerprint: A0:12 34 56 78...
Mallory could attempt to create a key M2 which has the same hash value using 
MDY as Bobs key using MDX, but the fingerprint would still be different: 
99:12 34 56 78...

I don't see any way for Mallory to compromise Bobs key without changing the 
first byte of the fingerprint. So allowing different algorithms AND 
including their ID in the fingerprint would in my opinion be a good measure 
to limit the damage (only Alices key becomes ambiguous, not Bobs) in case 
of a broken algorithm.



	Konrad

Attachment: pgpekhZP7OtDx.pgp
Description: PGP signature