A long-feared attack vector used against Pretty Good Privacy, the framework used to authenticate and keep email messages private, is being exploited for the first time. The attack, which takes aim at keyserver verification directories, makes it impossible for Pretty Good Privacy (PGP) to work properly for those targeted in attacks.
Unknown adversaries have singled out two recognized experts in the field of OpenPGP email encryption, Robert Hansen and Daniel Gillmor, in a series of targeted attacks. OpenPGP refers to the standard that uses the cryptographic privacy and authentication program PGP.
“In the last week of June 2019 unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community… This attack exploited a defect in the OpenPGP protocol itself in order to ‘poison’ [Hansen] and [Gillmor’s] OpenPGP certificates,” wrote Hansen in a technical description of the attacks.
The attack use undermines the complex mechanics used by OpenPGP. In a nutshell, the attack exploits Synchronizing Key Servers (SKS) that are used to help the discovery and distribution of public PGP digital certificates. Certificates are vital to how PGP works, in that they can be used to verify identity between two people. For added protection, people add signatures to certificates to further ensure a certificate is owned by the person who claims to own it.
What is exploited by attackers is the signature process. Within this framework, there are no limits to the number of signatures that a certificate can have. Generally, that’s not an issue. However, in one of the popular implementation packages of OpenPGP, called GnuPG, attackers are exploiting a known “defect” where GnuPG cannot handle extremely high numbers of signatures very well.
Researchers call these signature-heavy certificates “poisoned”.
“Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways,” the researcher wrote. “Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates.”
Gillmor wrote last week on his personal blog that he was attacked. “My public cryptographic identity has been spammed to the point where it is unusable in standard workflows,” he wrote.
Researchers believe now, given the ease and publicized success of the attacks, the number of poisoned certificates will escalate as copycat attacks spread.
“We’ve known for a decade this attack is possible. It’s now here and it’s devastating,” Hansen wrote.
There is skepticism that the OpenPGP Working Group, who are tasked with maintaining the platform, will fix this issue in a reasonable timeframe. “Future releases of OpenPGP software will likely have some sort of mitigation, but there is no time frame. The best mitigation that can be applied at present is simple: stop retrieving data from the SKS keyserver network,” Hansen wrote.
Researchers say the problem of certificate poisoning and subsequent flooding of those certificates to the SKS has been known for years. Gillmor points out in his blog there have been proof-of-concept attacks and dire warnings.
“You can see discussion about this problem from a year ago along with earlier proposals for how to mitigate it. But none of those proposals have quite come to fruition, and people are still reliant on the SKS network,” he wrote.
As for temporary mitigation, Hansen said recommends: “At present I (speaking only for myself) do not believe the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately.”