[tor-talk] Choosing a name for a .onion
asheesh at asheesh.org
Fri Mar 30 04:44:08 UTC 2012
Excerpts from Robert Ransom's message of Thu Mar 29 23:28:39 -0400 2012:
> On 2012-03-29, Seth David Schoen <schoen at eff.org> wrote:
> > There's a nice description of the possibility of creating a public key
> > with a chosen set of bits at the beginning or end at
> > http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
> > although note that the Tor hidden service identifiers are 80 bits, while
> > PGP short key IDs are only 32 bits, so it's 2⁴⁸ times as hard to fake a
> > hidden service as it is to make a colliding PGP short key ID. (Full PGP
> > fingerprints are 160 bits.)
>
> In the old-style (PGP 2.x) key ID format, a portion of the public RSA
> modulus was directly used as the key ID. The most
> difficult-to-implement algorithm that you could possibly want to use
> to attack that involves a lattice computation, and succeeds far faster
> than brute-force.
>
> New-style (OpenPGP) key IDs are hashes of the public key; the only
> attack that can produce a desired key ID is brute-force search.
> (That's not hard though -- for RSA, generate a keypair in the usual
> manner, then change the public exponent (as Shallot does); for DSA or
> ElGamal, generate a keypair and then search for powers of the group
> generator and of the public key which lead to the desired hash. Both
> attacks allow the brute-force search to be performed on computers
> which cannot be trusted to know the private key.)
>
> So yes, short PGP key IDs are very bad news. Avoid them if you can
> (but I doubt that you can).

As the author of that asheesh.org note, I suggest you read it carefully.
In particular, pay attention to how key timestamps are used in OpenPGP!
It's interesting and was surprising to me at first, too.
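
Added example, not part of the original message or of the asheesh.org note: a sketch of how an OpenPGP v4 fingerprint is derived for an RSA key (RFC 4880, section 12.2), showing that the creation timestamp is hashed along with the key material and that the long and short key IDs are just the low 64 and 32 bits of the fingerprint. The modulus, timestamps and helper names are constructed for illustration; the modulus is not a usable RSA key.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian value."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def v4_fingerprint(n: int, e: int, created: int) -> str:
    """SHA-1 over 0x99, a 2-byte length, and the public-key packet body."""
    body = (bytes([4])                    # key packet version 4
            + struct.pack(">I", created)  # creation time is part of the hash input
            + bytes([1])                  # public-key algorithm 1 = RSA
            + mpi(n) + mpi(e))
    header = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(header + body).hexdigest().upper()

def key_ids(fpr: str) -> dict:
    """Long and short key IDs are truncations of the 160-bit fingerprint."""
    return {"fingerprint": fpr, "long": fpr[-16:], "short": fpr[-8:]}

def normalize(fpr: str) -> str:
    """Accept only a full 40-hex-digit fingerprint; reject key IDs."""
    fpr = fpr.replace(" ", "").upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("need a full 160-bit fingerprint, not a key ID")
    return fpr

def same_key(a: str, b: str) -> bool:
    """Compare keys by full fingerprint, never by short key ID."""
    return normalize(a) == normalize(b)

# Constructed sample values (assumptions, not from the thread).
N = (1 << 2047) | 0xC0FFEE01   # 2048-bit odd number standing in for a modulus
E = 65537
T0 = 1332979200                # constructed creation timestamp

if __name__ == "__main__":
    for created in (T0, T0 + 1):
        ids = key_ids(v4_fingerprint(N, E, created))
        print(created, ids["fingerprint"], ids["long"], ids["short"])
    # Same key material, exponent changed: the fingerprint changes as well.
    print(key_ids(v4_fingerprint(N, 3, T0))["short"])
```

Identical key material with two different creation times yields two unrelated fingerprints, so a verification step has to compare the full 40-digit value; `same_key` refuses anything shorter.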