View Issue Details

IDProjectCategoryView StatusLast Update
0001473Main CAcert WebsiteGPG/PGPpublic2022-09-22 20:07
Reportergleurent Assigned ToTed  
PriorityhighSeveritymajorReproducibilityhave not tried
Status ready to deployResolutionopen 
PlatformDefaultOSanyOS Versionany
Summary0001473: PGP keys are signed with SHA1
DescriptionYou seem to be using SHA-1 to certify PGP keys of users.
I didn't try to get a signature myself, but there are many such signatures on public keyservers.
This is an important security risk because weaknesses of SHA-1 can be abused to create keys with different identities and colliding signatures.
I strongly advise that you move to a more recent hash function, such as SHA-2!
Additional InformationWe tried to contact you by email at support@cacert.org but got no answer.

We are two researchers working in cryptography, and we have recently
obtained important cryptanalysis results on SHA-1. We have noticed that
your CA is still signing PGP keys with SHA-1 signatures, and we believe
this an important security risk.

A few months ago we published a paper with a theoretical chosen-prefix
collision attack against SHA-1 (at Eurocrypt 2019). In the last months,
we managed to improve the attack and to run it in practice, and we have
obtained the first chosen-prefix collision against SHA-1. This work is
currently under embargo, and will be announced at the Real World Crypto
conference in early January. We are attaching the abstract of the talk
to this report.

Concretely, a chosen-prefix collision attack against SHA-1 means that we
can do the same type of attacks that have been possible against MD5
since 2009. In particular, we can abuse SHA-1 signatures and create
forgeries.

More precisely, the chosen-prefix collision that we have built is
targeted at PGP key-certification forgeries: we have created a pair of
PGP keys with different identities so that their key-certification
signatures collide with SHA-1. This means that if one of the keys is
signed with SHA-1, the signature can be transferred to the second key
(assigned CVE is CVE-2019-14855).

Apparently, CAcert is still using SHA-1 when signing user keys. For
instance the signature that you issued on key 6634000791E1DA76 on Nov 29
uses the SHA-1 hash function.

Our attack can probably not be directly applied to CAcert because we
abuse the image attribute of PGP keys, which is apparently not signed by
CAcert. However, we strongly advise you to update your system to use a
stronger hash function!
TagsGPG
Reviewed byTed
Test Instructions

Relationships

related to 0001496 needs review & testingTed CAcert signed GPG key reports Invalid Digest Algorithm 
related to 0001500 new Issues in mail template for gpg signing response 

Activities

gleurent

2019-12-18 19:29

reporter  

SHA1_CPC.pdf (303,025 bytes)

Ted

2020-01-06 11:39

administrator   ~0005858

This has to be addressed. Priority is up to discussion.

gleurent

2020-04-12 14:38

reporter   ~0005875

If there any news on this issue? Are you still signing PGP keys with SHA-1?
Our paper has been public for several months, so the issue doesn't need to be private anymore, but it should be fixed rapidly!

gleurent

2020-05-13 13:34

reporter   ~0005884

I'm sure the COVID pandemedic is making everybody's work harder, but this is an important security issue, and it have been almost six months now!
Is someone working on it?

jandd

2020-05-16 22:19

administrator   ~0005886

The attached patch for the release branch fixes this issue by defining the cert-digest-algo as SHA256. I tested the command line used by the patch on a very old (1.4.10) and a recent (2.2.12) gpg version in Debian Squeeze (6.0.10) and Debian Buster (10.4) Docker containers because I do not know the exact version of gpg running on the signer.
0001-Set-GPG-digest-algorithm-to-SHA256.patch (1,364 bytes)   
From fcd88cae43ef981a6c2ddfa28a62543f0d671d3c Mon Sep 17 00:00:00 2001
From: Jan Dittberner <jandd@cacert.org>
Date: Sun, 17 May 2020 00:07:48 +0200
Subject: [PATCH] Set GPG digest algorithm to SHA256

This commit fixes https://bugs.cacert.org/view.php?id=1473 by setting
the cert-digest-algo parameter of gpg to SHA256.
---
 CommModule/server.pl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/CommModule/server.pl b/CommModule/server.pl
index 3fd77e6..7e0e1e8 100755
--- a/CommModule/server.pl
+++ b/CommModule/server.pl
@@ -26,6 +26,8 @@ my $serialport="/dev/ttyUSB0";
 
 my $CPSUrl="http://www.cacert.org/cps.php";
 
+my $GPGCertDigestAlgo="SHA256";
+
 my $OCSPUrl="http://ocsp.cacert.org/";
 
 my $gpgbin="/usr/bin/gpg";
@@ -688,7 +690,7 @@ sub SignOpenPGP
 
     $ENV{'LANG'}="";
 
-    my $line="$gpgbin --no-tty --default-key $gpgID --homedir $homedir --default-cert-expire $days"."d --ask-cert-expire --cert-policy-url $CPSUrl --command-fd 0 --status-fd 1 --logger-fd 2 --sign-key $keyid ";
+    my $line="$gpgbin --no-tty --default-key $gpgID --homedir $homedir --default-cert-expire $days"."d --ask-cert-expire --cert-policy-url $CPSUrl --command-fd 0 --cert-digest-algo $GPGCertDigestAlgo --status-fd 1 --logger-fd 2 --sign-key $keyid ";
     SysLog($line."\n");
 
     my $pid = open3($stdin,$stdout,$stderr,$line);
-- 
2.17.1

egal

2020-05-17 10:21

administrator   ~0005887

Patch installed on test.cacert.org (our test-server).

Please run your tests there and give us a feedback of your tests.

1st review done successfully, 2nd review needed

jandd

2020-12-26 17:02

administrator   ~0005935

This has been successfully tested in 0001496

Ted

2021-08-07 19:33

administrator   ~0006065

Created new branch bug-1473 (on github) and merged in @jandd's pull request.

Ted

2021-08-07 20:04

administrator   ~0006068

Last edited: 2021-08-07 20:05

I did a review of the code changes, and according to https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html (under "Doing things one usually doesn’t want to do") the code change should change the digest algorithm to SHA256 if the GPG version does support SHA256 at all.

Since another visit to the signer is needed for other reasons anyway, I asked @egal to check the GPG version on the server.

Assuming the GPG version does support SHA256, the review is PASSED

Ted

2021-08-08 12:28

administrator   ~0006072

According to @egal, the signer has GPG 1.4.9 installed, and reports SHA256 (as well as SHA512) as supported algorythm.

Ted

2021-08-08 15:05

administrator   ~0006073

The proposed change is now installed on <https://test.cacert.org>.

Please test it and report your results here or on <cacert-devel@lists.cacert.org>

Ted

2021-08-08 15:43

administrator   ~0006074

I made a test run myself:
- Create a new key with GPG, with data matching my testserver account
- Let the testserver sign the new key
- Import the signature into GPG
- Using "gpg -a --export | gpg --list-packets --verbose" to show the details of the signature.

The relevant signature packet is shown as:
:signature packet: algo 17, keyid 4BE7348177F751AC
        version 4, created 1628431932, md5len 0, sigclass 0x10
        digest algo 8, begin of digest 74 fe
        hashed subpkt 2 len 4 (sig created 2021-08-08)
        critical hashed subpkt 3 len 4 (sig expires after 1y1d0h0m)
        hashed subpkt 26 len 29 (policy: http://www.cacert.org/cps.php)
        subpkt 16 len 8 (issuer key ID 4BE7348177F751AC)
        data: 0ACD98E61F728EDC70E03D59A4401C824C8BC30C
        data: 6BB54FAA8D31E218A12A760CCBA4D42F5170237C


According to <https://datatracker.ietf.org/doc/html/rfc4880#section-9.4> "digest algo 8" stands for SHA256, which is the expected result.

Note that there are two more signature packets in the output, using SHA1 (or "digest algo 2"). IMHO these are the self signatures of the testserver's key. If anyone knows anything other please let me know!

alkas

2022-09-21 12:00

manager   ~0006132

Last edited: 2022-09-21 12:13

The user Chris Jacobs (his Email address replaced with u@org.nl) reports: PGP certification: The cacert signature still gives an invalid digest-algorithm in Kleopatra.

> This is the info about the signatures:
>
> {quote}
>
> PS C:\Users\chris> gpg --list-sigs
> C:/Users/chris/AppData/Roaming/gnupg/pubring.kbx
> ------------------------------------------------
> pub dsa1024 2003-07-11 [SCA] [expires: 2033-07-03]
> A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58
> uid [ full ] CA Cert Signing Authority (Root CA)
> <gpg@cacert.org>
> sig 3 D2BB0D0165D0FD58 2003-07-11 CA Cert Signing Authority
> (Root CA) <gpg@cacert.org>
> sig N 0A8DCE0E49E78923 2021-09-16 Christiaan Theodoor Maria
> Jacobs <u@org.nl>
> sub elg2048 2003-07-11 [E] [expires: 2033-07-03]
> sig D2BB0D0165D0FD58 2003-07-11 CA Cert Signing Authority
> (Root CA) <gpg@cacert.org>
>
> pub rsa2048 2019-11-18 [SC]
> 77F2139E41FE00A28ABB9FF70A8DCE0E49E78923
> uid [ultimate] Christiaan Theodoor Maria Jacobs
> <u@org.nl>
> sig 3 0A8DCE0E49E78923 2021-09-02 Christiaan Theodoor Maria
> Jacobs <u@org.nl>
> sig P D2BB0D0165D0FD58 2022-09-20 CA Cert Signing Authority
> (Root CA) <gpg@cacert.org>
> sub rsa2048 2019-11-18 [E]
> sig 0A8DCE0E49E78923 2021-09-02 Christiaan Theodoor Maria
> Jacobs <u@org.nl>

> check-sigs gives better info than list-sigs:
>
> {quote}
>
> PS C:\Users\chris> gpg --check-sigs
> C:/Users/chris/AppData/Roaming/gnupg/pubring.kbx
> ------------------------------------------------
> pub dsa1024 2003-07-11 [SCA] [expires: 2033-07-03]
> A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58
> uid [ full ] CA Cert Signing Authority (Root CA)
> <gpg@cacert.org>
> sig!3 D2BB0D0165D0FD58 2003-07-11 CA Cert Signing Authority
> (Root CA) <gpg@cacert.org>
> sig! N 0A8DCE0E49E78923 2021-09-16 Christiaan Theodoor Maria
> Jacobs <u@org.nl>
> sub elg2048 2003-07-11 [E] [expires: 2033-07-03]
> sig! D2BB0D0165D0FD58 2003-07-11 CA Cert Signing Authority
> (Root CA) <gpg@cacert.org>
>
> pub rsa2048 2019-11-18 [SC]
> 77F2139E41FE00A28ABB9FF70A8DCE0E49E78923
> uid [ultimate] Christiaan Theodoor Maria Jacobs
> <u@org.nl>
> sig!3 0A8DCE0E49E78923 2021-09-02 Christiaan Theodoor Maria
> Jacobs <u@org.nl>
> gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
> sig% P D2BB0D0165D0FD58 2022-09-20 [Ongeldig digest-algoritme]
> sub rsa2048 2019-11-18 [E]
> sig! 0A8DCE0E49E78923 2021-09-02 Christiaan Theodoor Maria
> Jacobs <u@org.nl>

Ted

2022-09-21 19:44

administrator   ~0006133

No need to keep this private since 0001496 is a duplicate (and public) case...

Ted

2022-09-21 19:57

administrator   ~0006135

Any other test reports?

Ted

2022-09-22 20:07

administrator   ~0006136

I'll take 0001496:0005934 from 0001496 as a test report, though it is not fully clear to me exactly what code change has been tested there...

Nevertheless, concerning the very minor code changes, I'll hand this over to critical for installation.

Issue History

Date Modified Username Field Change
2019-12-18 19:29 gleurent New Issue
2019-12-18 19:29 gleurent Tag Attached: GPG
2019-12-18 19:29 gleurent File Added: SHA1_CPC.pdf
2020-01-06 11:39 Ted Assigned To => Ted
2020-01-06 11:39 Ted Status new => confirmed
2020-01-06 11:39 Ted Note Added: 0005858
2020-04-12 14:38 gleurent Note Added: 0005875
2020-05-13 13:34 gleurent Note Added: 0005884
2020-05-16 22:19 jandd Note Added: 0005886
2020-05-16 22:20 jandd File Added: 0001-Set-GPG-digest-algorithm-to-SHA256.patch
2020-05-16 22:20 jandd Assigned To Ted => egal
2020-05-16 22:20 jandd Status confirmed => needs review & testing
2020-05-17 10:21 egal Note Added: 0005887
2020-05-17 10:22 egal Assigned To egal => Ted
2020-12-15 13:38 gleurent Relationship added related to 0001496
2020-12-26 17:02 jandd Note Added: 0005935
2021-08-07 19:33 Ted Note Added: 0006065
2021-08-07 20:04 Ted Note Added: 0006068
2021-08-07 20:05 Ted Note Edited: 0006068
2021-08-08 12:28 Ted Note Added: 0006072
2021-08-08 12:28 Ted Reviewed by => Ted
2021-08-08 15:05 Ted Note Added: 0006073
2021-08-08 15:43 Ted Note Added: 0006074
2022-09-21 12:00 alkas Note Added: 0006132
2022-09-21 12:13 alkas Note Edited: 0006132
2022-09-21 19:44 Ted View Status private => public
2022-09-21 19:44 Ted Reviewed by Ted => Ted
2022-09-21 19:44 Ted Note Added: 0006133
2022-09-21 19:45 Ted Relationship added related to 0001500
2022-09-21 19:57 Ted Note Added: 0006135
2022-09-22 20:07 Ted Status needs review & testing => ready to deploy
2022-09-22 20:07 Ted Note Added: 0006136