[Cryptography] [messaging] "Keybase Attack" on RSA signatures

Dennis E. Hamilton dennis.hamilton at acm.org
Tue Sep 9 23:43:25 EDT 2014


Comment below.

Original Message
----------------
From: cryptography [mailto:cryptography-bounces+dennis.hamilton=acm.org at metzdowd.com] On Behalf Of Tony Arcieri
Sent: Tuesday, September 9, 2014 15:07
To: Max Krohn
Cc: messaging; Crypto
Subject: Re: [Cryptography] [messaging] "Keybase Attack" on RSA signatures
 
On Tue, Sep 9, 2014 at 2:52 PM, Max Krohn <themax at gmail.com> wrote:
A Keybase “proof” is a signature of a JSON object that includes: [...] (3) the user’s PGP fingerprint
 
Sorry, I must've glossed over this. It would seem to provide an immediate defense to forging a keypair under which the signature would validate, however it seems in conjunction with a SHA1 collision that allows the replacement of the fingerprint in the original message, this could be potentially problematic.
 
-- 
Tony Arcieri
 
I am not certain how this can work.  
 
The fact that there is a fingerprint included in the message that keybase.io has been signed with my private key does not mean that it determines the public-key certificate that is used for verification of the signed message.  If someone else finds one of my claims, they should use my keybase.io ID to fetch the key to use in verifying the signed message for themselves.  I.e., if they want to check the message at http://orcmid.com/keybase.txt, they should go to keybase.io/orcmid to get my public-key certificate if they don’t have it already.
 
Now, if you could forge a message such that it verifies with an existing affixed signature, and the message is even intelligible, that would be a remarkable action against public-key technology.  It would mean a lot more than there being a defect in keybase.io protocols for association of identifiers with an entity having authority over a private key.  Not only would you have found an SHA1 collision, let’s say, but you are able to have the modified message still look like a JSON plaintext and be unnoticeable as a crafted collision.  There’s just no place to do that in these plaintext claim documents.
 
Since the readable plaintext in those posted claims is not the actual signed message, but a statement about what the signed message is, it is possible to be misleading.  But if the signed message block that is on that page is altered, keybase.io will detect that on periodic verification of the file at that URL.
 