​PGP security weakness exposed

If you're still using 32-bit PGP keys, you only think you have security. But you really don't. It would take a cracker about four seconds to forge your PGP signature.

How do you know someone is really who they say they are? In developer and security circles, you do it with Pretty Good Privacy (PGP) keys. Or, you used to anyway.

xkcd PGP

As Randall Munroe, creator of xkcd, pointed out, PGP is far more secure in theory than it is ever was in practice. (Image: Randall Munroe)

If someone signs and encrypts their code or email with their PGP digital signature, you could, in theory, be sure they are who they say they are and their words or code are indeed their words or code. If they use a short (32-bit or smaller) key, they have no real security. In that case, a hacker can now easily forge a fake PGP signature. And that's exactly what happened to Linus Torvalds, Greg Kroah-Hartman, and other leading Linux kernel developers.

On the Linux Kernel Mailing List (LKML), it was revealed that for the last two months, since about mid-June, "some developers found their fake keys with same name, email, and even 'same' fake signatures by more fake keys in the wild, on the keyservers".

This isn't a new attack. Linux programmers have known since December 2011 that short PGP keys were inherently insecure. It's just that no one bothered to break the PGP keys... until now.

In June, hackers Richard Klafter and Eric Swanson saw that GPG [a popular open-source implementation of PGP] usage had continued to grow, but people were still using short keys. On the site Evil 32, they state: "32-bit key ids were reasonable 15 years ago but are obsolete now. Using modern GPUs, we have found collisions for every 32-bit key id in the WOT's (Web of Trust) strong set. Although this does not break GPG's encryption, it further erodes the usability of GPG and increases the chance of human error."

How bad is it? It took them four seconds using the scallion program to generate a colliding 32-bit key id on a run-of-the-mill graphics processing unit (GPU), such as a Nvidia GeForce GTX.

This is not an attack aimed at Linux. Indeed, no damage seems to have been done. As Kroah-Hartman, Linux kernel maintainer for the stable branch of Linux, explained on Google+: "It wasn't just targeted at kernel developers, but at all 24,000 keys in the 'strong' ring of PGP trust, and yes something like this has been possible for a very long time now so it's not really that much news, and yes, GPG really is horrible to use and almost impossible to use correctly."

Linux developers, however, were the first to notice that something odd was going on with PGP signed code releases. Since then, Swanson explained on Ycomhinator News, "We wanted to bring awareness to the dangers of using short key IDs in the 21st century, since that ID is very easy to fake, and most of the contents of the key body are not covered by the signature, so they can be changed at will. However, we feel that the keys uploaded to the public keyserver are, on balance, more of harmful to the usability of the PGP ecosystem than they are helpful in highlighting security flaws."

Just because they didn't do any harm is no reason to relax about using PGP. Swanson continued, "It's important to realize that anyone could repeat our work pretty easily. While we did not release the scripts that automated cloning the web of trust, the whole process took me less than a week. Cloning a single key is even easier - it could be done with only a few minutes of effort by someone familiar with GPG. The GPG ecosystem needs to develop better defenses to this attack."

So, what can you do about this? Well, besides never using 32-bit keys again, I can recommend you follow Kroah-Hartman's advice: "Short answer, always use 'long' keys when using GPG, and never auto-refresh keys from the keyservers."

Related Stories: