[messaging] Keybase Proofs

Tony Arcieri bascule at gmail.com
Tue Nov 18 21:34:44 PST 2014

Moving the conversation here...

On Tue, Nov 18, 2014 at 5:44 PM, Max Krohn <themax at gmail.com> wrote:

> I don’t follow how Keybase proofs are particularly susceptible to SHA-1
> 2nd preimage attacks. Let’s say Bob has key k1 and has posted a proof on
> Github.  Let’s say Mallory generates her own k2 such that SHA1(k1) =
> SHA1(k2), and compromises the Keybase server to reply with k2 whenever
> someone asks for Bob’s key.  This still isn’t good enough.  Someone who
> gets k2 will still download Bob’s signature posted on Github. He’ll check
> that SHA1(k2) = SHA1(k1), but the posted signature will fail to verify with
> k2.

The specific attack that can be used here is called the dual-share
key-share attack, and it can be used to derive an RSA keypair such that the
signature will verify, even though we don't know the original private key.
If we can produce a key like that, a second preimage attack against the
hash function can be leveraged to produce and include the public
fingerprint of an attacker-controlled key. There was a pretty extensive
thread discussing this on various crypto mailing lists earlier (Google
"Keybase Attack").

The fundamental design flaw in the entire Keybase proof scheme is that it's
depending on security properties of a signature under an unknown key, when
the security of any cryptosystem typically rests in the key(s).

I am sure you can find one-off mitigations for attacks of this nature as
they arise, but I feel like what you are trying to do is conceptually

You should publish the public key fingerprints along with the proof. The
proof alone is not sufficient.

Tony Arcieri
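
An added example, not part of the original message and not Keybase's code: a verifier that accepts any key under which the posted signature verifies, next to one that also requires the key to match a fingerprint published in the signed proof. The toy unpadded RSA key, the SHA-256 fingerprint, the JSON statement layout and all function names are assumptions made for illustration.

```python
import hashlib, hmac, json

def fingerprint(pub):
    """Full SHA-256 fingerprint over a canonical encoding of the toy key (n, e)."""
    n, e = pub
    return hashlib.sha256(f"{n:x}:{e:x}".encode()).hexdigest()

def digest_int(statement):
    return int.from_bytes(hashlib.sha256(statement).digest(), "big")

def sig_ok(pub, statement, sig):
    """Textbook RSA, no padding: sig^e == H(statement) (mod n)."""
    n, e = pub
    return pow(sig, e, n) == digest_int(statement) % n

def verify_signature_only(pub, statement, sig):
    """Weak: trusts whichever key the server returned if the signature verifies."""
    return sig_ok(pub, statement, sig)

def verify_with_fingerprint(pub, statement, sig):
    """Strict: the key must also match the fingerprint published in the proof."""
    claimed = json.loads(statement).get("fingerprint", "")
    return hmac.compare_digest(claimed, fingerprint(pub)) and sig_ok(pub, statement, sig)

# Constructed toy key for Bob: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
BOB_PUB = (N, E)

# The proof Bob posts: a signed statement that carries his key fingerprint.
STATEMENT = json.dumps({"user": "bob", "service": "github",
                        "fingerprint": fingerprint(BOB_PUB)}, sort_keys=True).encode()
SIGNATURE = pow(digest_int(STATEMENT) % N, D, N)

# Constructed stand-in for "a different key under which the posted signature
# verifies": with e = 1 and n = |H - sig|, sig^1 == H (mod n). Real key parsers
# reject e = 1; it only models the property the message describes.
OTHER_PUB = (abs(digest_int(STATEMENT) - SIGNATURE), 1)

if __name__ == "__main__":
    for name, key in (("bob", BOB_PUB), ("other", OTHER_PUB)):
        print(name, verify_signature_only(key, STATEMENT, SIGNATURE),
              verify_with_fingerprint(key, STATEMENT, SIGNATURE))
```

The signature-only check accepts both keys, so the signature by itself does not tell the verifier which key it is looking at; the fingerprint comparison is what rejects the substituted key.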