View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001473 | Main CAcert Website | GPG/PGP | public | 2019-12-18 19:29 | 2024-10-05 07:37 |
| Reporter | gleurent | Assigned To | Ted | ||
| Priority | high | Severity | major | Reproducibility | have not tried |
| Status | ready to deploy | Resolution | open | ||
| Platform | Default | OS | any | OS Version | any |
| Summary | 0001473: PGP keys are signed with SHA1 | ||||
| Description | You seem to be using SHA-1 to certify PGP keys of users. I didn't try to get a signature myself, but there are many such signatures on public keyservers. This is an important security risk because weaknesses of SHA-1 can be abused to create keys with different identities and colliding signatures. I strongly advise that you move to a more recent hash function, such as SHA-2! | ||||
| Additional Information | We tried to contact you by email at support@cacert.org but got no answer. We are two researchers working in cryptography, and we have recently obtained important cryptanalysis results on SHA-1. We have noticed that your CA is still signing PGP keys with SHA-1 signatures, and we believe this an important security risk. A few months ago we published a paper with a theoretical chosen-prefix collision attack against SHA-1 (at Eurocrypt 2019). In the last months, we managed to improve the attack and to run it in practice, and we have obtained the first chosen-prefix collision against SHA-1. This work is currently under embargo, and will be announced at the Real World Crypto conference in early January. We are attaching the abstract of the talk to this report. Concretely, a chosen-prefix collision attack against SHA-1 means that we can do the same type of attacks that have been possible against MD5 since 2009. In particular, we can abuse SHA-1 signatures and create forgeries. More precisely, the chosen-prefix collision that we have built is targeted at PGP key-certification forgeries: we have created a pair of PGP keys with different identities so that their key-certification signatures collide with SHA-1. This means that if one of the keys is signed with SHA-1, the signature can be transferred to the second key (assigned CVE is CVE-2019-14855). Apparently, CAcert is still using SHA-1 when signing user keys. For instance the signature that you issued on key 6634000791E1DA76 on Nov 29 uses the SHA-1 hash function. Our attack can probably not be directly applied to CAcert because we abuse the image attribute of PGP keys, which is apparently not signed by CAcert. However, we strongly advise you to update your system to use a stronger hash function! | ||||
| Tags | GPG | ||||
| Attached Files | |||||
| Reviewed by | Ted | ||||
| Test Instructions | |||||
|
|
This has to be addressed. Priority is up to discussion. |
|
|
If there any news on this issue? Are you still signing PGP keys with SHA-1? Our paper has been public for several months, so the issue doesn't need to be private anymore, but it should be fixed rapidly! |
|
|
I'm sure the COVID pandemedic is making everybody's work harder, but this is an important security issue, and it have been almost six months now! Is someone working on it? |
|
|
The attached patch for the release branch fixes this issue by defining the cert-digest-algo as SHA256. I tested the command line used by the patch on a very old (1.4.10) and a recent (2.2.12) gpg version in Debian Squeeze (6.0.10) and Debian Buster (10.4) Docker containers because I do not know the exact version of gpg running on the signer. 0001-Set-GPG-digest-algorithm-to-SHA256.patch (1,364 bytes)
From fcd88cae43ef981a6c2ddfa28a62543f0d671d3c Mon Sep 17 00:00:00 2001
From: Jan Dittberner <jandd@cacert.org>
Date: Sun, 17 May 2020 00:07:48 +0200
Subject: [PATCH] Set GPG digest algorithm to SHA256
This commit fixes https://bugs.cacert.org/view.php?id=1473 by setting
the cert-digest-algo parameter of gpg to SHA256.
---
CommModule/server.pl | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/CommModule/server.pl b/CommModule/server.pl
index 3fd77e6..7e0e1e8 100755
--- a/CommModule/server.pl
+++ b/CommModule/server.pl
@@ -26,6 +26,8 @@ my $serialport="/dev/ttyUSB0";
my $CPSUrl="http://www.cacert.org/cps.php";
+my $GPGCertDigestAlgo="SHA256";
+
my $OCSPUrl="http://ocsp.cacert.org/";
my $gpgbin="/usr/bin/gpg";
@@ -688,7 +690,7 @@ sub SignOpenPGP
$ENV{'LANG'}="";
- my $line="$gpgbin --no-tty --default-key $gpgID --homedir $homedir --default-cert-expire $days"."d --ask-cert-expire --cert-policy-url $CPSUrl --command-fd 0 --status-fd 1 --logger-fd 2 --sign-key $keyid ";
+ my $line="$gpgbin --no-tty --default-key $gpgID --homedir $homedir --default-cert-expire $days"."d --ask-cert-expire --cert-policy-url $CPSUrl --command-fd 0 --cert-digest-algo $GPGCertDigestAlgo --status-fd 1 --logger-fd 2 --sign-key $keyid ";
SysLog($line."\n");
my $pid = open3($stdin,$stdout,$stderr,$line);
--
2.17.1
|
|
|
Patch installed on test.cacert.org (our test-server). Please run your tests there and give us a feedback of your tests. 1st review done successfully, 2nd review needed |
|
|
This has been successfully tested in 0001496 |
|
|
Created new branch bug-1473 (on github) and merged in @jandd's pull request. |
|
|
I did a review of the code changes, and according to https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html (under "Doing things one usually doesn’t want to do") the code change should change the digest algorithm to SHA256 if the GPG version does support SHA256 at all. Since another visit to the signer is needed for other reasons anyway, I asked @egal to check the GPG version on the server. Assuming the GPG version does support SHA256, the review is PASSED |
|
|
According to @egal, the signer has GPG 1.4.9 installed, and reports SHA256 (as well as SHA512) as supported algorythm. |
|
|
The proposed change is now installed on <https://test.cacert.org>. Please test it and report your results here or on <cacert-devel@lists.cacert.org> |
|
|
I made a test run myself: - Create a new key with GPG, with data matching my testserver account - Let the testserver sign the new key - Import the signature into GPG - Using "gpg -a --export | gpg --list-packets --verbose" to show the details of the signature. The relevant signature packet is shown as: :signature packet: algo 17, keyid 4BE7348177F751AC version 4, created 1628431932, md5len 0, sigclass 0x10 digest algo 8, begin of digest 74 fe hashed subpkt 2 len 4 (sig created 2021-08-08) critical hashed subpkt 3 len 4 (sig expires after 1y1d0h0m) hashed subpkt 26 len 29 (policy: http://www.cacert.org/cps.php) subpkt 16 len 8 (issuer key ID 4BE7348177F751AC) data: 0ACD98E61F728EDC70E03D59A4401C824C8BC30C data: 6BB54FAA8D31E218A12A760CCBA4D42F5170237C According to <https://datatracker.ietf.org/doc/html/rfc4880#section-9.4> "digest algo 8" stands for SHA256, which is the expected result. Note that there are two more signature packets in the output, using SHA1 (or "digest algo 2"). IMHO these are the self signatures of the testserver's key. If anyone knows anything other please let me know! |
|
|
The user Chris Jacobs (his Email address replaced with u@org.nl) reports: PGP certification: The cacert signature still gives an invalid digest-algorithm in Kleopatra. > This is the info about the signatures: > > {quote} > > PS C:\Users\chris> gpg --list-sigs > C:/Users/chris/AppData/Roaming/gnupg/pubring.kbx > ------------------------------------------------ > pub dsa1024 2003-07-11 [SCA] [expires: 2033-07-03] > A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58 > uid [ full ] CA Cert Signing Authority (Root CA) > <gpg@cacert.org> > sig 3 D2BB0D0165D0FD58 2003-07-11 CA Cert Signing Authority > (Root CA) <gpg@cacert.org> > sig N 0A8DCE0E49E78923 2021-09-16 Christiaan Theodoor Maria > Jacobs <u@org.nl> > sub elg2048 2003-07-11 [E] [expires: 2033-07-03] > sig D2BB0D0165D0FD58 2003-07-11 CA Cert Signing Authority > (Root CA) <gpg@cacert.org> > > pub rsa2048 2019-11-18 [SC] > 77F2139E41FE00A28ABB9FF70A8DCE0E49E78923 > uid [ultimate] Christiaan Theodoor Maria Jacobs > <u@org.nl> > sig 3 0A8DCE0E49E78923 2021-09-02 Christiaan Theodoor Maria > Jacobs <u@org.nl> > sig P D2BB0D0165D0FD58 2022-09-20 CA Cert Signing Authority > (Root CA) <gpg@cacert.org> > sub rsa2048 2019-11-18 [E] > sig 0A8DCE0E49E78923 2021-09-02 Christiaan Theodoor Maria > Jacobs <u@org.nl> > check-sigs gives better info than list-sigs: > > {quote} > > PS C:\Users\chris> gpg --check-sigs > C:/Users/chris/AppData/Roaming/gnupg/pubring.kbx > ------------------------------------------------ > pub dsa1024 2003-07-11 [SCA] [expires: 2033-07-03] > A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58 > uid [ full ] CA Cert Signing Authority (Root CA) > <gpg@cacert.org> > sig!3 D2BB0D0165D0FD58 2003-07-11 CA Cert Signing Authority > (Root CA) <gpg@cacert.org> > sig! N 0A8DCE0E49E78923 2021-09-16 Christiaan Theodoor Maria > Jacobs <u@org.nl> > sub elg2048 2003-07-11 [E] [expires: 2033-07-03] > sig! D2BB0D0165D0FD58 2003-07-11 CA Cert Signing Authority > (Root CA) <gpg@cacert.org> > > pub rsa2048 2019-11-18 [SC] > 77F2139E41FE00A28ABB9FF70A8DCE0E49E78923 > uid [ultimate] Christiaan Theodoor Maria Jacobs > <u@org.nl> > sig!3 0A8DCE0E49E78923 2021-09-02 Christiaan Theodoor Maria > Jacobs <u@org.nl> > gpg: Note: third-party key signatures using the SHA1 algorithm are rejected > sig% P D2BB0D0165D0FD58 2022-09-20 [Ongeldig digest-algoritme] > sub rsa2048 2019-11-18 [E] > sig! 0A8DCE0E49E78923 2021-09-02 Christiaan Theodoor Maria > Jacobs <u@org.nl> |
|
|
No need to keep this private since 0001496 is a duplicate (and public) case... |
|
|
Any other test reports? |
|
|
I'll take 0001496:0005934 from 0001496 as a test report, though it is not fully clear to me exactly what code change has been tested there... Nevertheless, concerning the very minor code changes, I'll hand this over to critical for installation. |
|
|
Since nobody has commented here or in https://bugs.cacert.org/view.php?id=1496 since 2022-09-21, I am assuming there has been no progress. In the meantime, it seems the gpg signer has completely broken down. Or has it been silently disabled? gpg key signature requests are now only queued, and never completed. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2019-12-18 19:29 | gleurent | New Issue | |
| 2019-12-18 19:29 | gleurent | Tag Attached: GPG | |
| 2019-12-18 19:29 | gleurent | File Added: SHA1_CPC.pdf | |
| 2020-01-06 11:39 | Ted | Assigned To | => Ted |
| 2020-01-06 11:39 | Ted | Status | new => confirmed |
| 2020-01-06 11:39 | Ted | Note Added: 0005858 | |
| 2020-04-12 14:38 | gleurent | Note Added: 0005875 | |
| 2020-05-13 13:34 | gleurent | Note Added: 0005884 | |
| 2020-05-16 22:19 | jandd | Note Added: 0005886 | |
| 2020-05-16 22:20 | jandd | File Added: 0001-Set-GPG-digest-algorithm-to-SHA256.patch | |
| 2020-05-16 22:20 | jandd | Assigned To | Ted => egal |
| 2020-05-16 22:20 | jandd | Status | confirmed => needs review & testing |
| 2020-05-17 10:21 | egal | Note Added: 0005887 | |
| 2020-05-17 10:22 | egal | Assigned To | egal => Ted |
| 2020-12-15 13:38 | gleurent | Relationship added | related to 0001496 |
| 2020-12-26 17:02 | jandd | Note Added: 0005935 | |
| 2021-08-07 19:33 | Ted | Note Added: 0006065 | |
| 2021-08-07 20:04 | Ted | Note Added: 0006068 | |
| 2021-08-07 20:05 | Ted | Note Edited: 0006068 | |
| 2021-08-08 12:28 | Ted | Note Added: 0006072 | |
| 2021-08-08 12:28 | Ted | Reviewed by | => Ted |
| 2021-08-08 15:05 | Ted | Note Added: 0006073 | |
| 2021-08-08 15:43 | Ted | Note Added: 0006074 | |
| 2022-09-21 12:00 | alkas | Note Added: 0006132 | |
| 2022-09-21 12:13 | alkas | Note Edited: 0006132 | |
| 2022-09-21 19:44 | Ted | View Status | private => public |
| 2022-09-21 19:44 | Ted | Reviewed by | Ted => Ted |
| 2022-09-21 19:44 | Ted | Note Added: 0006133 | |
| 2022-09-21 19:45 | Ted | Relationship added | related to 0001500 |
| 2022-09-21 19:57 | Ted | Note Added: 0006135 | |
| 2022-09-22 20:07 | Ted | Status | needs review & testing => ready to deploy |
| 2022-09-22 20:07 | Ted | Note Added: 0006136 | |
| 2024-10-05 07:37 | NoSubstitute | Note Added: 0006276 |
