Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fake PGP Keys For Crypto Developers Found

Posted by timothy on from the who-you-say-you-are dept.

IamTheRealMike (537420) writes "In recent months fake PGP keys have been found for at least two developers on well known crypto projects: Erinn Clark, a Tor developer and Gavin Andresen, the maintainer of Bitcoin. In both cases, these PGP keys are used to sign the downloads for popular pieces of crypto software. PGP keys are supposed to be verified through the web of trust, but in practice it's very hard to find a trust path between two strangers on the internet: one reply to Erinn's mail stated that despite there being 30 signatures [attached to] her key, [the respondent] couldn't find any trust paths to her. It's also very unclear whether anyone would notice a key substitution attack like this. This leaves three questions: who is doing this, why, and what can be done about it? An obvious candidate would be intelligence agencies, who may be trying to serve certain people with backdoored binaries via their QUANTUMTHEORY man-in-the-middle system. As to what can be done about it, switching from PGP to X.509 code signing would be an obvious candidate. Both Mac and Windows support it, obtaining a forged certificate is much harder than simply uploading a fake PGP key, and whilst X.509 certs can be issued in secret until Google's Certificate Transparency system is fully deployed, finding one would be strong evidence that an issuing CA had been compromised: something that seems plausible but for which we currently lack any evidence. Additionally, bad certificates can be revoked when found whereas beyond making blog posts, not much can be done about the fake PGP keys."

5 of 110 comments (clear)

  1. Re:The chain of trust is broken. by sanvila · · Score: 4, Informative

    No "chain" here. This is not SSL, this is GPG, and the term used here is "web of trust". To consider the web of trust broken you would need to find that one of those fake GPG keys is signed by someone you trust.

  2. x.509 WTF? by maswan · · Score: 4, Insightful

    The CA model for X.509 certificates has been shown to be utterly broken for protection against intellengence agencies, they clearly have both access to some of the private keys of "trusted" CAs as well as the leverage to have "trusted" CAs issue arbitrary certificates in their home jurisdiction. There is no way in which this would get better by switching to X.509 compared to PGP.

    We have already have plenty of malware with valid signatures backed by trusted CAs using stolen keys etc, check stuxnet/duqu for instance.

    Now, I know it can be hard to bootstrap a PGP web of trust, and there is certainly plenty of work to be done there to make it easier and user friendlier. But chucking out the one piece of actually working low-level technology for real security in favour of one that is utterly broken, and has been shown to be broken for years, is just plain stupid.

    1. Re: x.509 WTF? by IamTheRealMike · · Score: 5, Interesting

      The thing is, you're wrong and your own post shows that.

      Firstly, we have no evidence of any CA being compromised by intelligence agencies despite the obvious appeal to them of doing so. This is remarkable. Despite the huge number of Snowden documents so far none of them have even hinted at compromise of the CA infrastructure. What we have seen a lot of discussion of is ways of circumventing it by stealing private keys directly from end users, and doing MITM on non-SSLd connections of which there are plenty.

      Nobody can rule out that some CA is in fact minting false certificates for intelligence agencies. But so far nobody has presented any evidence of it.

      Your Stuxnet example proves my point and disproves yours. They didn't use a false certificate there - they hacked the end user (a hardware manufacturer) to obtain their private key. Well guess what, you can steal PGP keys in the same way, nothing magical about that.

  3. Re:The chain of trust is broken. by Anonymous Coward · · Score: 5, Interesting

    Well; interestingly enough, the summary is proposing moving to X.509 which would rely on the chain of trust and which would be vulnerable. Exactly the problem of simple chains of trust is what meant that the Stuxnet virus had device drivers that only required a single signature from a company authorized by Microsoft in order to be automatically loaded by Windows.

    This is probably a false-flag operation trying to trick software developers into moving over to X.509 where a false certificate attack like this might never be detected.

  4. Transitivity of trust by tepples · · Score: 4, Insightful

    Just because you trust somebody doesn't mean you trust him or her to trust others.