Tim Bray tbray at textuality.com
Tue Nov 18 22:47:16 PST 2014

Are there any threads other than the one starting at
http://www.metzdowd.com/pipermail/cryptography/2014-September/022754.html ?

The conclusion there, via David Leon Gil, is instructive:

On Tue, Nov 18, 2014 at 9:34 PM, Tony Arcieri <bascule at gmail.com> wrote:

> Moving the conversation here...
>
> On Tue, Nov 18, 2014 at 5:44 PM, Max Krohn <themax at gmail.com> wrote:
>> I don’t follow how Keybase proofs are particularly susceptible to SHA-1
>> 2nd preimage attacks. Let’s say Bob has key k1 and has posted a proof on
>> Github. Let’s say Mallory generates her own k2 such that SHA1(k1) =
>> SHA1(k2), and compromises the Keybase server to reply with k2 whenever
>> someone asks for Bob’s key. This still isn’t good enough. Someone who
>> gets k2 will still download Bob’s signature posted on Github. He’ll check
>> that SHA1(k2) = SHA1(k1), but the posted signature will fail to verify with
>> k2.
>
> The specific attack that can be used here is called the dual-share
> key-share attack, and it can be used to derive an RSA keypair such that the
> signature will verify, even though we don't know the original private key.
> If we can produce a key like that, a second preimage attack against the
> hash function can be leveraged to produce and include the public
> fingerprint of an attacker-controlled key. There was a pretty extensive
> thread discussing this on various crypto mailing lists earlier (google
> "Keybase Attack").
>
> The fundamental design flaw in the entire Keybase proof scheme is that
> it's depending on security properties of a signature under an unknown key,
> when the security of any cryptosystem typically rests in the key(s).
>
> I am sure you can find one-off mitigations for attacks of this nature as
> they arise, but I feel like what you are trying to do is conceptually
> flawed.
>
> You should publish the public key fingerprints along with the proof. The
> proof alone is not sufficient.
>
> --
> Tony Arcieri

- Tim Bray (If you’d like to send me a private message, see
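As an added illustration of the mitigation Tony argues for (this is example code written for this page, not code from the thread, from Keybase, or from any of the participants): a proof verifier whose trust anchor is an independently published, full-length SHA-256 fingerprint of the user's key, so that a key served by the server is accepted only if it matches that pin, and the posted signature is then checked under the pinned key. The RSA keys are constructed from small Mersenne primes so the script runs with the standard library alone; they are toy keys, and textbook RSA over a bare hash is not a real signature scheme. The scenario only substitutes a different key with its own signature, which is enough to show why a signature under a server-supplied key proves nothing on its own; the key-share construction discussed in the thread is not reproduced.

```python
"""Toy Keybase-style proof verifier: the trust anchor is a published
full-length fingerprint of the user's key, not a signature under whatever
key the server happens to serve.

Added example, not code from this thread or from Keybase. The keys below are
constructed from small Mersenne primes (toy keys, not for real use).
"""
import hashlib
import hmac

E = 65537  # RSA public exponent


def toy_keygen(p: int, q: int):
    """Textbook RSA from two constructed primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def _digest_int(message: bytes, n: int) -> int:
    # SHA-224 of the message, reduced mod n so it is a valid RSA input for
    # the toy moduli used here (a real scheme would use PKCS#1 v1.5 or PSS).
    return int.from_bytes(hashlib.sha224(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(_digest_int(message, n), d, n)


def verify_signature(public_key, message: bytes, signature: int) -> bool:
    """Signature check ONLY: it says nothing about whose key this is."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)


def encode_public_key(public_key) -> bytes:
    n, e = public_key
    return f"rsa:{n}:{e}".encode()


def fingerprint(public_key) -> str:
    """Full SHA-256 over the encoded key, never a truncated or SHA-1 digest."""
    return hashlib.sha256(encode_public_key(public_key)).hexdigest()


def verify_proof(served_key, proof_message: bytes, proof_signature: int,
                 pinned_fingerprint: str):
    """Accept a proof only if the served key matches the independently
    published fingerprint AND the posted signature verifies under that key.
    Returns (ok, reason)."""
    if len(pinned_fingerprint) != 64:
        return False, "pinned fingerprint must be a full SHA-256 hex digest"
    if not hmac.compare_digest(fingerprint(served_key), pinned_fingerprint):
        return False, "served key does not match the published fingerprint"
    if not verify_signature(served_key, proof_message, proof_signature):
        return False, "proof signature does not verify under the pinned key"
    return True, "ok"


# --- constructed scenario ---------------------------------------------------
# Bob's toy key. He publishes BOB_FINGERPRINT alongside the proof (and anywhere
# else he controls) and posts the signed proof statement.
BOB_PUBLIC, BOB_PRIVATE = toy_keygen(2**127 - 1, 2**107 - 1)
BOB_FINGERPRINT = fingerprint(BOB_PUBLIC)
PROOF_MESSAGE = b"I am bob on github and bob on keybase"
BOB_SIGNATURE = sign(BOB_PRIVATE, PROOF_MESSAGE)

# A different toy key served by a compromised server, with a signature that
# verifies under *that* key. A verifier that only asks "does the signature
# verify under the key I was given?" would accept it.
OTHER_PUBLIC, OTHER_PRIVATE = toy_keygen(2**89 - 1, 2**61 - 1)
OTHER_SIGNATURE = sign(OTHER_PRIVATE, PROOF_MESSAGE)


def demo():
    """Verdicts for the honest key, the substituted key, and a truncated pin."""
    return {
        "honest": verify_proof(BOB_PUBLIC, PROOF_MESSAGE, BOB_SIGNATURE,
                               BOB_FINGERPRINT),
        "signature_only_on_substituted_key": verify_signature(
            OTHER_PUBLIC, PROOF_MESSAGE, OTHER_SIGNATURE),
        "substituted": verify_proof(OTHER_PUBLIC, PROOF_MESSAGE,
                                    OTHER_SIGNATURE, BOB_FINGERPRINT),
        "truncated_pin": verify_proof(BOB_PUBLIC, PROOF_MESSAGE, BOB_SIGNATURE,
                                      BOB_FINGERPRINT[:40]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The ordering in `verify_proof` is deliberate: the fingerprint comparison runs first, against a pin the verifier obtained independently of the server, so the signature check is only ever performed under a key the verifier already trusts. The length check refuses short pins outright, since a truncated fingerprint is exactly what makes a preimage search cheap.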
