Are there any threads other than the one starting at http://www.metzdowd.com/pipermail/cryptography/2014-September/022754.html ?
The conclusion there, via David Leon Gil, is instructive: http://www.metzdowd.com/pipermail/cryptography/2014-September/022758.html

On Tue, Nov 18, 2014 at 9:34 PM, Tony Arcieri <[email protected]> wrote:

> Moving the conversation here...
>
> On Tue, Nov 18, 2014 at 5:44 PM, Max Krohn <[email protected]> wrote:
>
>> I don’t follow how Keybase proofs are particularly susceptible to SHA-1
>> 2nd preimage attacks. Let’s say Bob has key k1 and has posted a proof on
>> Github. Let’s say Mallory generates her own k2 such that SHA1(k1) =
>> SHA1(k2), and compromises the Keybase server to reply with k2 whenever
>> someone asks for Bob’s key. This still isn’t good enough. Someone who
>> gets k2 will still download Bob’s signature posted on Github. He’ll check
>> that SHA1(k2) = SHA1(k1), but the posted signature will fail to verify with
>> k2.
>
>
> The specific attack that can be used here is called the dual-share
> key-share attack, and it can be used to derive an RSA keypair such that the
> signature will verify, even though we don't know the original private key.
> If we can produce a key like that, a second preimage attack against the
> hash function can be leveraged to produce and include the public
> fingerprint of an attacker-controlled key. There was a pretty extensive
> thread discussing this on various crypto mailing lists earlier (google
> "Keybase Attack")
>
> The fundamental design flaw in the entire Keybase proof scheme is that
> it's depending on security properties of a signature under an unknown key,
> when the security of any cryptosystem typically rests in the key(s).
>
> I am sure you can find one-off mitigations for attacks of this nature as
> they arise, but I feel like what you are trying to do is conceptually
> flawed.
>
> You should publish the public key fingerprints along with the proof. The
> proof alone is not sufficient.
>
> --
> Tony Arcieri
>

--
- Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
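Added example (not part of the thread, and not Keybase's code): a toy verifier showing why a signature that verifies does not by itself identify the key, and how a full-length fingerprint published next to the proof closes that gap. It assumes textbook RSA without padding, a made-up `n:e` key encoding and SHA-256 fingerprints; all names are hypothetical, and the substitute key is a deliberately degenerate stand-in (e = 1, which real verifiers reject) for the key substitution the thread describes.

```python
import hashlib

def h_int(msg: bytes) -> int:
    """SHA-256 of the proof text as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def fingerprint(key: tuple) -> str:
    """Full-length SHA-256 fingerprint over a toy (n, e) key encoding."""
    n, e = key
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

def sig_ok(key: tuple, msg: bytes, sig: int) -> bool:
    """Textbook RSA verification without padding (toy only)."""
    n, e = key
    return pow(sig, e, n) == h_int(msg) % n

def verify_proof_only(served_key, msg, sig) -> bool:
    # Accepts whatever key the server returns if the signature checks out.
    return sig_ok(served_key, msg, sig)

def verify_with_fingerprint(served_key, msg, sig, published_fp) -> bool:
    # The fingerprint posted beside the proof pins the key first;
    # only then does the signature count.
    return fingerprint(served_key) == published_fp and sig_ok(served_key, msg, sig)

# Constructed toy key for Bob: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
BOB_KEY = (N, E)
PROOF = b"I am bob on GitHub and bob on Keybase (constructed proof text)"
SIG = pow(h_int(PROOF) % N, D, N)   # Bob's signature, posted with the proof
PUBLISHED_FP = fingerprint(BOB_KEY)  # posted alongside it

# Degenerate substitute: with e = 1 and n = H(proof) - sig, the same
# signature verifies although this key has nothing to do with Bob's.
SUBSTITUTE_KEY = (h_int(PROOF) - SIG, 1)

if __name__ == "__main__":
    for name, key in (("bob", BOB_KEY), ("substitute", SUBSTITUTE_KEY)):
        print(name,
              verify_proof_only(key, PROOF, SIG),
              verify_with_fingerprint(key, PROOF, SIG, PUBLISHED_FP))
```
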
