Of GPG Collisions and UX Security

Researchers have found a way to generate GPG key collisions in just four seconds, and put out a call for GPG to harden its UX.

Attack and vulnerability details are often disclosed in order to prompt vendors and project maintainers into action. It happened recently with publication of attack code that mimicked the work of Karsten Nohl on BadUSB and tried to nudge Phison Electronics of Taiwan into looking at its USB firmware. It has happened before with Microsoft vulnerabilities where disclosures are made when there’s a perception the vendor is sitting on a vulnerability for too long.

Over the summer, two researchers presented research at DEFCON on GPG collision attacks that resulted in their own call to action: Stay away from 32-bit key IDs in GPG.

Using a tool they built called Scallion, Eric Swanson and Richard Klafter need just four seconds to generate colliding 32-bit key IDs on a GPU.

“Key servers do little verification of uploaded keys and allow keys with colliding 32bit ids,” they wrote in a blogpost in July. “Further, GPG uses 32bit key ids throughout its interface and does not warn you when an operation might apply to multiple keys.”

While this weakness has been known with GPG keys since at least 2011, a secondary call to action in this scenario is made to the handlers of GPG: Fix your UX, or user experience.

“The core of GPG’s crypto is 100 percent rock solid,” Swanson said. “However, like a lot of tools, GPG has fairly atrocious UX. When attacking security, it’s almost always best to attack the user. These short key id collisions are a way to do that.”

Swanson and Klafter concluded through their research that they can create a collision for every 32-bit key in the Web of Trust strong set, putting GPG’s longterm viability at risk.

“GPG’s interface has needed an update for a long time. The goal of our project was to further demonstrate this need,” Klafter said. “I am positive there is enough passion for privacy and the GPG project itself that it will get the update it needs.”

Simon Josefsson, a member of the GPG support team, said UX work is up to each application developer.

“I’m sure that all applications that use short keyids should have some kind of thinking happening due to the evil32 issue, but whether it happens or not depends on the authors of the respectively project,” he said.

GPG, short for Gnu Privacy Guard, is a free OpenPGP implementation, and it’s used to encrypt and sign data and communications. In their DEFCON presentation, Swanson and Klafter also disclosed some information on a vulnerability in GPG wherein the recv-key with full fingerprint feature does not verify the received key matches the fingerprint. GPG issued a patch Aug. 29 that mitigates potential man-in-the-middle attacks exploiting this situation. Swanson and Klafter hope the project continues on and addresses the collision issue.

“There are a variety of ways to address this, but most strongly, GPG should switch to using at least 64-bit key IDs by default, and warn you whenever it detects a collision in displayed key
ID (either 32-bit or 64-bit),” Swanson said.

Swanson urges organizations using GPG to be careful with receiving keys, and to use gpg—fingerprint to verify key exchanges. The availability of tools such as Scallion allows for the rapid computation of key IDs, which even on older hardware, can try around 400 million keys per second, he said.

“Despite its interface, GPG is still an excellent piece of software used everywhere from email encryption to software package verification,” Klafter said. “Its encryption is rock solid and I would still recommend GPG over other encryption tools, just make sure to check your full fingerprints.”

Suggested articles