There’s an interesting and troubling attack happening to some people involved in the OpenPGP community that makes their certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates.
The attack is quite simple and doesn’t exploit any technical vulnerabilities in the OpenPGP software, but instead takes advantage of one of the inherent properties of the keyserver network that’s used to distribute certificates. Keyservers are designed to allow people to discover the public certificates of other people with whom they want to communicate over a secure channel. One of the properties of the network is that anyone who has looked at a certificate and verified that it belongs to another specific person can add a signature, or attestation, to the certificate. That signature basically serves as the public stamp of approval from one user to another.
In general, people add signatures to someone’s certificate in order to give other users more confidence that the certificate is actually owned and controlled by the person who claims to own it. However, the OpenPGP specification doesn’t have any upper limit on the number of signatures that a certificate can have, so any user or group of users can add signatures to a given certificate ad infinitum. That wouldn’t necessarily be a problem, except for the fact that GnuPG, one of the more popular packages that implements the OpenPGP specification, doesn’t handle certificates with extremely large numbers of signatures very well. In fact, GnuPG will essentially stop working when it attempts to import one of those certificates.
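A pre-import check for the condition described above, as an added example that is not from the article or from GnuPG: it walks the RFC 4880 packet framing of a binary (dearmored) certificate and counts Signature packets without parsing their bodies. The function names and the 1,000-signature threshold are assumptions chosen for illustration, and the sample certificate is constructed with dummy packet bodies.

```python
SIGNATURE_TAG = 2       # RFC 4880 packet tag for Signature packets
MAX_SIGNATURES = 1000   # assumed local policy threshold, not a GnuPG constant

def iter_packets(data: bytes):
    """Yield (tag, body_length) per packet; a body is skipped, never parsed."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated packet")
        chunk = data[pos:pos + n]
        pos += n
        return chunk
    while pos < len(data):
        first = take(1)[0]
        if not first & 0x80:
            raise ValueError("not binary OpenPGP data (dearmor the input first)")
        if first & 0x40:                          # new-format header
            tag, o1 = first & 0x3F, take(1)[0]
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length = ((o1 - 192) << 8) + take(1)[0] + 192
            elif o1 == 255:
                length = int.from_bytes(take(4), "big")
            else:
                raise ValueError("partial body length is not valid in a certificate")
        else:                                     # old-format header
            tag, size = (first >> 2) & 0x0F, (1, 2, 4, 0)[first & 0x03]
            if size == 0:
                raise ValueError("indeterminate length is not expected in a certificate")
            length = int.from_bytes(take(size), "big")
        take(length)                              # skip the body
        yield tag, length

def count_signatures(data: bytes) -> int:
    return sum(1 for tag, _ in iter_packets(data) if tag == SIGNATURE_TAG)

def safe_to_import(data: bytes, limit: int = MAX_SIGNATURES) -> bool:
    return count_signatures(data) <= limit

def constructed_cert(n_sigs: int) -> bytes:
    """Constructed sample: framing only, dummy bodies, not a valid certificate."""
    key = bytes([0x99, 0x00, 0x04]) + b"\x04KEY"  # old format, tag 6 (public key)
    uid = bytes([0xCD, 0x05]) + b"alice"          # new format, tag 13 (user ID)
    sig = bytes([0xC2, 0x03]) + b"sig"            # new format, tag 2 (signature)
    return key + uid + sig * n_sigs
```

Running a check like this on a fetched certificate before it reaches the keyring lets an oversized one be set aside instead of imported.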
Last week, two people involved in the OpenPGP community discovered that their public certificates had been spammed with tens of thousands of signatures--one has nearly 150,000--in an apparent effort to render them useless. The attack targeted Robert J. Hansen and Daniel Kahn Gillmor, but the root problem may end up affecting many other people, too.
“This attack exploited a defect in the OpenPGP protocol itself in order to ‘poison’ rjh and dkg's OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned,” Hansen wrote in a post explaining the incident.
“This attack cannot be mitigated by the SKS keyserver network in any reasonable time period. It is unlikely to be mitigated by the OpenPGP Working Group in any reasonable time period. Future releases of OpenPGP software will likely have some sort of mitigation, but there is no time frame. The best mitigation that can be applied at present is simple: stop retrieving data from the SKS keyserver network.”
SKS, or synchronizing key server, is the software used to run keyservers, and the keyserver network itself is a distributed network with no central authority. The system was designed that way on purpose as it allows for synchronization of certificates among the various servers and provides resistance against an attack on one server. However, the architecture also allows the certificate spamming or flooding attack that affected Hansen and Gillmor, something that has been known for many years. There have been other such attacks in the past, but Gillmor said this incident looks different.
“SKS is known to be vulnerable to this kind of Certificate Flooding, and is difficult to address due to the synchronization mechanism of the SKS pool. (SKS's synchronization assumes that all keyservers have the same set of filters),” Gillmor, a contributor to free software projects and a senior staff technologist at the American Civil Liberties Union, wrote in a post.
“So none of this is a novel or surprising problem. However, the scale of spam attached to certificates recently appears to be unprecedented.”
GnuPG is used in a variety of applications, including some encrypted email and chat programs. But it’s also used extensively in signing software packages, something that a certificate flooding attack could wreak havoc with.
“The number one use of OpenPGP today is to verify downloaded packages for Linux-based operating systems, usually using a software tool called GnuPG. If someone were to poison a vendor's public certificate and upload it to the keyserver network, the next time a system administrator refreshed their keyring from the keyserver network the vendor's now-poisoned certificate would be downloaded. At that point upgrades become impossible because the authenticity of downloaded packages cannot be verified,” Hansen said.
Matthew Green, a cryptographer and associate professor at Johns Hopkins University, said that the attack points out some of the weaknesses in the entire OpenPGP infrastructure.
"PGP is old and kind of falling apart. There's not enough people maintaining it and it's full of legacy code. There are some people doing the lord's work in keeping it up, but it's not enough," Green said. "Think about it like an old hospital that's crumbling and all of the doctors have left but there's still some people keeping the emergency room open and helping patients. At some point you have to ask whether it's better just to let it close and let something better come along.
“I think PGP is preventing the development of better stuff and the person who did this is clearly demonstrating this problem.”
The certificate flooding attack on Hansen and Gillmor already has had some consequences for other people. Gillmor said that several people he knows have had serious issues because they had his certificate in their keyrings and refreshed them, which resulted in the spammed certificate being imported. Though the certificate spamming issue was known, it was never addressed because of a variety of barriers, including the fact that the keyserver system generally worked. But Gillmor said the attacks illustrate both the fragility and necessity of projects such as OpenPGP.
“One of the points I've been driving at for years is that the goals of much of the work I care about (confidentiality; privacy; information security and data sovereignty; healthy communications systems) are not individual goods. They are interdependent, communally-constructed and communally-defended social properties,” he said.
“As an engineering community, we failed -- and as an engineer, I contributed to that failure -- at protecting these folks in this instance because we left things sloppy and broken and supposedly ‘good enough’.”
Green said that while OpenPGP and the tools that depend on it still have value, they shouldn't be the best option for people in high-risk situations.
“People make a big deal out of why it's so important but in practice if people's lives are being put at risk because of this, it can't be that important. This tool can't be what's protecting activists if it can be broken like this.”