COMMAND

    PGP

SYSTEMS AFFECTED

    NAI PGP

PROBLEM

    Povl H. Pedersen found the following. A friend of his received a
    mail from a colleague in the UK by the name John Smith (name
    invented), which was PGP signed. So of course my friend tried to
    verify the signature. This was the first time he verified it.
    The signature has Key ID: 0x6F620B65

    So  he  had  to  look  up  the  key  using  the  keyservers,   and
    surprisingly enough,  the server  did NOT  return the  name of the
    sender, but of a person called "Mike Evans".

    Povl then did a lookup on John Smith's e-mail, and he only got the
    signature of Mike Evans back. I did not get 2 addresses, or any
    other indication that told me something strange is going on.
    Adding Mike Evans' public key to the keyring still results in the
    signature verification being OK, but the username is listed as
    unknown.

    The problem is that the PGP servers expect all key IDs to be
    unique numbers, and do not expect 2 users to have the same
    key ID. And with the current number of users, we are starting to
    get multiple users with the same key ID.

    It is possible to generate false signatures, and John Smith can
    send new e-mails in the name of Mike Evans to users who do not
    have Mike Evans' key in their keyring, and when they do a lookup,
    they will find Mike Evans' key.

    It will take a long time to generate a new key with a specific
    fingerprint, but nonetheless, this 'overwriting' and hiding of
    other users' IDs in the public PGP servers is bad.

    Minor nit: there's a big difference between a "fingerprint" --
    which is the result of a cryptographic hash on the key, and should
    *never* collide (and if it does, you can get lots of attention by
    showing that the hash function isn't strong enough) -- and a
    "key id", which is much shorter.

SOLUTION

    32-bit Key ID collisions have been known about for quite some
    time, although they are still very rare. 64-bit Key IDs have been
    in use for years and, of course, if Fingerprints (160-bit) and key
    signing are used properly there are no problems in the areas you
    describe.

    This problem is called the  'deadbeef attack'.  It's discussed  in
    the PGP FAQ:

        http://www.pgp.net/pgpnet/pgp-faq/faq-04.html

    RFC2440 clearly states that  a conforming implementation MUST  not
    assume that key IDs are unique.  However, NAI does not claim  that
    their PGP is OpenPGP compatible.
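
    The fingerprint / key ID distinction above, as an added example
    (not code from NAI PGP or any keyserver): it assumes V4 keys, where
    the key ID is the low-order 64 bits of the SHA-1 fingerprint, and
    treats a key ID lookup as returning a list of candidates that only
    a full fingerprint can narrow to one. The keyring entries and
    function names are constructed for illustration.

```python
import hashlib

def v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 2440 V4 fingerprint: SHA-1 over 0x99, 2-octet length, key packet body."""
    framed = b"\x99" + len(pubkey_body).to_bytes(2, "big") + pubkey_body
    return hashlib.sha1(framed).hexdigest().upper()

def key_id(fingerprint: str, bits: int = 32) -> str:
    """V4 key ID: the low-order 64 bits of the fingerprint (32 for the short form)."""
    return fingerprint[-(bits // 4):]

class AmbiguousKeyID(Exception):
    """Raised when a key ID does not identify exactly one key."""

def candidates(keyring, kid):
    """Return every key whose fingerprint ends in kid; never stop at the first hit."""
    kid = kid.upper()
    if kid.startswith("0X"):
        kid = kid[2:]
    return [k for k in keyring if k["fpr"].endswith(kid)]

def select_key(keyring, kid, pinned_fpr=None):
    """Choose a verification key: the key ID is a hint, the fingerprint decides."""
    found = candidates(keyring, kid)
    if pinned_fpr is not None:
        found = [k for k in found if k["fpr"] == pinned_fpr.upper()]
    if len(found) != 1:
        raise AmbiguousKeyID(f"{len(found)} keys match {kid}")
    return found[0]

# Constructed fingerprints (not real keys) that share the short key ID from the report.
JOHN_FPR = "0123456789ABCDEF0123456789ABCDEF6F620B65"
MIKE_FPR = "FEDCBA9876543210FEDCBA9876543210" + "6F620B65"
KEYRING = [
    {"uid": "John Smith", "fpr": JOHN_FPR},
    {"uid": "Mike Evans", "fpr": MIKE_FPR},
]

if __name__ == "__main__":
    for k in candidates(KEYRING, "0x6F620B65"):
        print(k["uid"], key_id(k["fpr"], 64), k["fpr"])
    try:
        select_key(KEYRING, "0x6F620B65")
    except AmbiguousKeyID as exc:
        print("refusing to verify:", exc)
    print(select_key(KEYRING, "0x6F620B65", pinned_fpr=JOHN_FPR)["uid"])
```

    In this constructed keyring the two keys differ in their 64-bit
    key IDs, so the long form happens to separate them, but only the
    fingerprint comparison is relied on to pick the key.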