Wave of Spoofed Encryption Keys Shows Weakness in PGP Implementation

"No security is ever 'absolute.'"

Don't always trust an encryption key.

Someone has generated a host of dodgy PGP keys, and by abusing the inherent weakness in the short identifying code attached to each, has made the keys appear to belong to a series of high profile individuals in the security community.

This means that someone trying to communicate with these people, which include developers of the Tor anonymity software, may accidentally use the wrong key, leaving messages potentially open to snooping. Or, at best, recipients will simply not be able to decrypt some of the messages they receive. Many of the keys appear to relate to a 2014 research project, but their reemergence highlights a lingering security concern with PGP, which stands for "pretty good privacy".

On Monday, a post on the unofficial Linux Kernel Mailing List claimed that encryption keys purportedly belonging to Linus Torvalds, the creator of Linux, and Greg Kroah-Hartman, a Linux kernel developer, were instead fake. The post pointed to keys stored on the MIT server, a popular repository where people upload their keys for others to more easily find.

The issue revolved around each key's "short ID," a numerical code that is supposed to uniquely identify every key. In Torvald's case, the short ID of his real key was 00411886. But someone had created a key with exactly the same 8 digit code.

"The 32-bit short ID's of pgp are completely useless. They may be 'convenient', but they also entirely bypass the whole point of having a nice secure key," Torvalds told Motherboard in an email. Kroah-Hartman also confirmed to Motherboard that one of the keys apparently belonging to him was fake.

Plenty of people list their short ID on their social media profiles, so anyone wanting to get in touch has a relatively easy way to check that whatever key they find is legitimate: If the short ID on the MIT key server is the same as the one on the person's Twitter profile, then you'd think there was a pretty good chance that they were in fact the same key. But, as this case shows, you would be wrong.

"This is not trivial to pull off, but it's exactly the scenario PGP is supposed to prevent"

Isis Lovecruft, a Tor developer, also reported on Tuesday that someone had created a fake key for her, as well as others from the Tor Project. And although it doesn't seem to be part of this more recent wave of spoofed keys, journalist Glenn Greenwald tweeted a similar experience back in 2014.

All of this is possible because generating a key with the same 8 digit code as another is pretty simple. Using a tool called Scallion, a user can quickly cycle through different PGP keys until they create one that they're happy with.

This is not a new problem: Back in 2014, German journalist Hanno Boeck covered the issue from DEF CON 22 (Boeck also reported spotting a fake key for himself earlier today).

At least some of the reported fake keys were part of the 2014 Evil 32 project which highlighted the dangers of short IDs, explained Eric Swanson, the co-creator of that project, in a comment on Y Combinator on Tuesday. Swanson added that he has generated revocation certificates for each key, meaning they can be marked as "revoked" on the key server.

The potential issue here is that if an attacker created a fake key, people started using it, and this attacker had the potential to intercept emails or otherwise access the target's email account, they might be able to read incoming encrypted messages. Of course, that would need to be a highly resourceful attacker.

But, as Boeck pointed out to Motherboard in an email, that is the whole point of PGP and end-to-end encryption: to stop someone who has the ability of interception from reading messages.

"So yes, this is not trivial to pull off, but it's exactly the scenario PGP is supposed to prevent," he wrote.

However, perhaps the more likely situation is that someone will use the wrong key when trying to send a message, and the recipient won't be able to read it.

Even if someone is pretty vigilant and closely reads the longer, 40 character key fingerprint, another issue is that some PGP programs rely on short IDs for importing keys.

"The really bad thing is that the short ID is what you end up often using even with the tools, and there have even been bugs where the tools themselves used the short ID internally despite it not being secure," Torvalds continued.

"No security is ever 'absolute'. PGP has some very real technical strengths, but I have to say, it has a lot of weaknesses too. The weaknesses tend to be about the UI and usage, not about core algorithms, but with security, that's a big deal," Torvalds added.