[ale] Ouch Damnit. I am a victim of a gpg security attack

Jeremy T. Bouse jeremy.bouse at undergrid.net
Tue Nov 30 16:29:03 EST 2021


To be more precise, your key is not vulnerable unless, of course, you lose
control of the private key data itself. The vulnerability showed that a new
key could be generated that would cause a 32-bit short key-id hash
collision. It pointed out that an erroneous key could be returned by simply
requesting keys via the 32-bit short key-id. If you look closely at your
key and the key in the vulnerable list, the actual full fingerprint does
not match; however, if you only request by the short key-id rather than the
long key-id or the full fingerprint you could have the wrong key returned.
Your key isn't affected other than the confusion caused by retrieving the
key using the short key-id. This is a prime example of why you verify the
complete fingerprint of the key before signing a key.

On Tue, Nov 30, 2021 at 1:51 PM Steve Litt via Ale <ale at ale.org> wrote:

> Charles Shapiro via Ale said on Tue, 30 Nov 2021 12:19:01 -0500
>
>
> >It turns out that someone had figured out a hash collision attack on
> >32-bit key fingerprints back in 2016,  then published a list of all
> >the vulnerable fingerprints.
>
> Is there anything I can do to make myself less vulnerable to a hash
> collision attack?
>
> Thanks,
>
>
> SteveT
>
> Steve Litt
> Spring 2021 featured book: Troubleshooting Techniques of the Successful
> Technologist http://www.troubleshooters.com/techniques
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.ale.org/pipermail/ale/attachments/20211130/a472d55d/attachment.htm>


More information about the Ale mailing list