I w̶a̶s̶ t̶a̶r̶g̶e̶t̶e̶d̶ got hit by an attack on GnuPG/PGP

Update: Might not actually be targeted. See Evil 32. Thanks to Ximin Luo for giving me more peace of mind!

Update: I’m not the only one hit by this. Here’s a conversation on GNU social with more people hit - though no one else reported yet having two keys faked and cross-signed.

Update: At the very least you should do this: echo keyid-format long >> ~/.gnupg/gpg.conf

On the 29th of August a colleague asked me “which key should I use to encrypt to you?” I was confused, because I only have one key for that email address. So he showed me the keys he saw:

$ gpg2 --list-keys --fingerprint arne.babenhauserheide
-------------------------------
pub   2048R/A70DA09E 2011-10-07 [expires: 2016-10-05]
uid                  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>
sub   2048R/39829E5F 2011-10-07 [expires: 2016-10-05]

pub   2048R/A70DA09E 2014-06-16 [revoked: 2016-08-16]
uid                  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>

What’s happening here?

At first I thought “did I accidentally create and upload a new key?”

Then I noticed the key IDs:

pub 2048R/A70DA09E 2011-10-07 [expires: 2016-10-05]
pub 2048R/A70DA09E 2014-06-16 [revoked: 2016-08-16]

They are the same. But with different creation date, and one of them revoked. Was that a bug? Did I really revoke my key? Did someone break into my computer and steal the private key? I felt a moment of panic.

Then I remembered an article about spoofing keys by brute forcing partially equal fingerprints. Note that what you see as IDs is only a small part of the real identifier, and that what every tutorial on GnuPG tells you to to verify is not the ID, but the fingerprint: The full identifier.

After taking a deep breath, that’s what we did. The results showed clearly that what we had seen is an actual attack on my key - though one that had just ended:

pub   2048R/A70DA09E 2011-10-07 [expires: 2016-10-05]\\
      Key fingerprint = DC44 49A9 A0C9 9632 9897  1842 5C83 F364 A70D A09E
uid                  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>\\
sub   2048R/39829E5F 2011-10-07 [expires: 2021-08-28]

pub   2048R/A70DA09E 2014-06-16 [revoked: 2016-08-16 ]\\
      Key fingerprint = FA7F DA53 89DC 30F0 385B  FC4A EA32 F8E6 A70D A09E
uid                  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>\\
     (also: expires: 2016-10-05)

Note the matching IDs and the matching two blocks of the fingerprint (which are just what’s shown in the ID), while the rest of the fingerprint is clearly different.

In a modern gpg setup, the key should have been shown with a 16 letter ID, so we would have seen the difference, but if the creation date is correct, these keys were made 2 years ago (though this could be faked easily by simply changing the date on the computer doing the computation). And my local gpg still shows the shorter 8 letter ID, just like the one from my colleague. If you request my key with gpg --recv-key A70DA09E, you could actually get the fake key!

Is this an attack?

Let’s relax for a moment. How do I know that this isn’t just someone experimenting with fake keys for fun?

I don’t strictly know, but there are strong indicators:

  1. The fake key has the same description as my main key.
  2. The expiration date is set to the expiration date of my main key (this is easy to do, since it can be adjusted without changing the fingerprint).
  3. My key for my other email address was targeted, too:
pub   1024R/FE96C404 2014-06-16 [revoked: 2016-08-16]
      Key fingerprint = A000 B099 C138 B7EE 4C19  1D8F 895D BE4E FE96 C404
uid                  Arne Babenhauserheide (Physikliebhaber, Hobbysänger und Ideenspringquell) <arne_bab@web.de>

pub   1024D/FE96C404 2002-02-04
      Key fingerprint = 6B05 41F0 94FF 2163 6FBA  2433 3307 469B FE96 C404
uid                  Arne Babenhauserheide (Physikliebhaber, Hobbysänger und Ideenspringquell) <arne_bab@web.de>
uid                  Arne Babenhauserheide (Rollenspieler, Spinner und freiberuflicher Weltenbastler) <arne_bab@yahoo.de>
uid                  Arne Babenhauserheide (Eine selbstbewusste Gesellschaft kann viele Narren ertragen) <arne_bab@web.de>
uid                  Arne Babenhauserheide (Rollenspieler, Spinner, Physikliebhaber, Gurpser und freiberuflicher Weltenbastler) <arne_bab@web.de>
sub   1024R/0BC10548 2010-07-29
sub   1024R/95806B33 2010-07-29
sub   1024g/0136732E 2002-02-04

With this it looks like this was a targeted attack, trying to trick people into encrypting to the attackers instead of me — or in addition to me (which could easily happen when they use a GUI which selects all matching keys by default).

How can I protect myself?

This isn’t actually attacking the crypto in GnuPG but rather uses the weakest link: human oversight. To protect yourself against this, always check the full fingerprint before you use a key.

And if you download a key from someone you did not meet yet, always check the signatures on the key, before you use it for the first time. For example like this:

gpg --check-sigs "<fingerprint or email>"
gpg --check-sigs "arne.babenhauserheide@kit.edu"
pub   2048R/A70DA09E 2011-10-07 [expires: 2021-08-28]
uid                  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>
sig!         FE96C404 2011-11-07  Arne Babenhauserheide (Physikliebhaber, Hobbysänger und Ideenspringquell) <arne_bab@web.de>
sig!3        A70DA09E 2016-08-29  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>
sig!3        A70DA09E 2011-10-07  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>
sub   2048R/39829E5F 2011-10-07 [expires: 2021-08-28]
sig!         A70DA09E 2016-08-29  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>

pub   1024R/FE96C404 2014-06-16 [revoked: 2016-08-16]
rev!         FE96C404 2016-08-16  Arne Babenhauserheide (Physikliebhaber, Hobbysänger und Ideenspringquell) <arne_bab@web.de>
uid                  Arne Babenhauserheide (Physikliebhaber, Hobbysänger und Ideenspringquell) <arne_bab@web.de>
sig!3        FE96C404 2014-08-04  Arne Babenhauserheide (Physikliebhaber, Hobbysänger und Ideenspringquell) <arne_bab@web.de>
sig!         A70DA09E 2014-08-05  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>

100 signatures not checked due to missing keys

You can see that my real key has signatures from people I know. The raw number of signatures also helps here, but it is easy to fake by just creating more fake keys, so do not rely on it for security. If you think “but they would not”, have a second hard look at the list above (and kudos if you spotted it right now!). The attacker actually signed the fake key for arne.babenhauserheide@kit.edu with the other fake key he or she created for arne_bab@web.de (and vice versa)!

You cannot distinguish these keys by just my keys alone!

However this is not perfect: it shows all those missing keys but not how to get them. I should file a bug for changing that.

And refer to the key by its fingerprint, so you don’t accidentally tell gpg to use the wrong key.

Summary

I was likely targeted by an attack which tried to trick people into encrypting to the wrong keys by creating new keys which looked exactly the same as my two main keys in the default key listing. These keys were revoked about a month ago, so it is likely that this attack just ended.

The attack used the keyservers as vector, combined with the UI and convenience policy of client programs. It did not break the encryption in gpg.

To protect yourself and others against being victim of attacks like this, always check the fingerprint, be vary of duplicated keys and, most importantly, sign the keys of people you know — after checking the fingerprints! And use the fingerprints for signing!

The fingerprints of my main keys:

$ gpg2 --list-keys --fingerprint arne
pub   2048R/A70DA09E 2011-10-07 [verfällt: 2021-08-28]
  Schl.-Fingerabdruck = DC44 49A9 A0C9 9632 9897  1842 5C83 F364 A70D A09E
uid       [ uneing.] Arne Babenhauserheide <arne.babenhauserheide@kit.edu>
sub   2048R/39829E5F 2011-10-07 [verfällt: 2021-08-28]

pub   1024D/FE96C404 2002-02-04
  Schl.-Fingerabdruck = 6B05 41F0 94FF 2163 6FBA  2433 3307 469B FE96 C404
uid       [ uneing.] Arne Babenhauserheide (Physikliebhaber, Hobbysänger und Ideenspringquell) <arne_bab@web.de>
uid       [ uneing.] Arne Babenhauserheide (Rollenspieler, Spinner und freiberuflicher Weltenbastler) <arne_bab@yahoo.de>
uid       [ uneing.] Arne Babenhauserheide (Eine selbstbewusste Gesellschaft kann viele Narren ertragen) <arne_bab@web.de>
uid       [ uneing.] Arne Babenhauserheide (Rollenspieler, Spinner, Physikliebhaber, Gurpser und freiberuflicher Weltenbastler) <arne_bab@web.de>
sub   1024R/0BC10548 2010-07-29
sub   1024R/95806B33 2010-07-29
sub   1024g/0136732E 2002-02-04

pub   1024D/2F6F2642 2004-10-28
  Schl.-Fingerabdruck = 7172 BE09 9661 8A67 0D70  E801 E8B2 C3EB 2F6F 2642
uid       [ vollst.] Arne Babenhauserheide (Dust: Dumb Unsuspecting STudent) <arne_bab@web.de>
sub   1024g/14FAA61F 2004-10-28

pub   4096R/FF8DA6F0 2016-03-16
  Schl.-Fingerabdruck = AFCE FDAA A09E 3014 367C  7384 7D0A B287 FF8D A6F0
uid       [ vollst.] "Arne Bab." <Arne_Bab@web.de>
sub   4096R/CE39F489 2016-03-16

pub   4096R/2403C3EB 2016-01-04
  Schl.-Fingerabdruck = F34D 6A12 35D0 4903 CD22  D5C0 13EF 8D45 2403 C3EB
uid       [ vollst.] Arne Babenhauserheide (Drak) <arne_bab@web.de>
sub   4096R/D0E0B44C 2016-01-04

pub   4096R/8A8AAA50 2016-08-29 [verfällt: 2021-08-28]
  Schl.-Fingerabdruck = B5B3 AC76 6695 D1E3 4E0B  9075 B598 1EEC 8A8A AA50
uid       [ uneing.] Arne Babenhauserheide (-) <arne.babenhauserheide@kit.edu>
sub   4096R/A017ECEC 2016-08-29 [verfällt: 2021-08-28]

For additional security you should check the copy of this article in Freenet1, where the fingerprints are protected by crypto which cannot be faked as easily as that from this site, because the keys stay on the local machine and cannot be changed by breaking into a remote machine.

Note that I extended the expiration date of my keys after I my colleague told me about the revoked keys, because my keys were short of expiring.

And if you see something like the following, you have every reason to increase your operational security:

pub   2048R/A70DA09E 2011-10-07 [expires: 2021-08-28]
      Key fingerprint = DC44 49A9 A0C9 9632 9897  1842 5C83 F364 A70D A09E
uid                  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>
sub   2048R/39829E5F 2011-10-07 [expires: 2021-08-28]

pub   2048R/A70DA09E 2014-06-16 [revoked: 2016-08-16]
      Key fingerprint = FA7F DA53 89DC 30F0 385B  FC4A EA32 F8E6 A70D A09E
uid                  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>

pub   1024D/FE96C404 2002-02-04
      Key fingerprint = 6B05 41F0 94FF 2163 6FBA  2433 3307 469B FE96 C404
uid                  Arne Babenhauserheide (Physikliebhaber, Hobbysänger und Ideenspringquell) <arne_bab@web.de>
uid                  Arne Babenhauserheide (Rollenspieler, Spinner und freiberuflicher Weltenbastler) <arne_bab@yahoo.de>
uid                  Arne Babenhauserheide (Eine selbstbewusste Gesellschaft kann viele Narren ertragen) <arne_bab@web.de>
uid                  Arne Babenhauserheide (Rollenspieler, Spinner, Physikliebhaber, Gurpser und freiberuflicher Weltenbastler) <arne_bab@web.de>
sub   1024R/0BC10548 2010-07-29
sub   1024R/95806B33 2010-07-29
sub   1024g/0136732E 2002-02-04

pub   1024R/FE96C404 2014-06-16 [revoked: 2016-08-16]
      Key fingerprint = A000 B099 C138 B7EE 4C19  1D8F 895D BE4E FE96 C404
uid                  Arne Babenhauserheide (Physikliebhaber, Hobbysänger und Ideenspringquell) <arne_bab@web.de>

  1. Once you have Freenet running, just open this link: USK@V~1bZXDO1YhvvyYoYVivW-GTwqCTqaBovBM2ad7vd2E,XnsG558vT1nDLezaPpN5TGXJqZ73~wb3funZeCLWyeo,AQACAAE/gnupg-attack/0/ (but if you cannot trust this website, better check my long-lived site in Freenet (you can find it in several indexes) for a link to that article. If you happen to get a different link here than what I link on random_babcom, please get in touch! 

Inhalt abgleichen
Willkommen im Weltenwald!
((λ()'Dr.ArneBab))



Beliebte Inhalte

sn.1w6.org news