Long-feared attack blows apart fragile system of trust

A certificate spamming attack against two high-profile contributors to the OpenPGP community has exposed the fragile foundations of trust that underpin the key encryption technology.

The attack exploited security shortcomings in the OpenPGP protocol itself in order to ‘poison’ OpenPGP certificates maintained by two high profile members, Robert Hansen and Daniel Kahn Gillmor.

As-yet unidentified attackers are spamming targeted GnuPG contributors – specifically Hansen and Gillmor – with huge numbers of extra signature attestations, throwing a spanner in the works of the whole system in the process.

Byzantine architectures

GnuPG is used for digitally signing software packages, as well as encryption.

The attack has resulted in persistent denial of service (DoS) against local GnuPG installations when processing a poisoned key. Users who attempt to import a poisoned certificate into a vulnerable OpenPGP/GnuPG installation will break their installation.

Poisoned certificates, currently at only a few, are already on the SKS keyserver network. The attack is alarmingly straightforward, heightening fears that the attacker, or even copycats, might easily launch more widespread follow-up DoS assaults.

The security issues exposed by the attack are not easy to fix. In a post on GitHub, Hansen notes that the keyserver software at risk is both complex (or “byzantine” as he puts it) and unmaintained.

Look me up

Keyserver software was developed in the 1990s as a means to facilitate the discovery and distribution of public certificates, acting as a telephone directory – albeit one that offers no assurance about the accuracy of the data it contains.

The SKS keyserver network is a decentralized index. Poisoned certificates cannot be deleted from the keyserver network – a design feature initially added to guard against the possibility that governments might attempt to force keyserver operators to replace certificates with different ones of their choosing.

Hansen, a GnuPG contributor, expressed doubts whether the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately, he advised.

“This attack cannot be mitigated by the SKS keyserver network in any reasonable time period,” Hansen writes. “It is unlikely to be mitigated by the OpenPGP Working Group in any reasonable time period.

“Future releases of OpenPGP software will likely have some sort of mitigation, but there is no time frame. The best mitigation that can be applied at present is simple: stop retrieving data from the SKS keyserver network,” he concludes.

Cryptographer Matthew Green acknowledges the seriousness of the situation while expressing the hope that Hansen stays on board.

“There’s been a debate in the crypto community about whether the OpenPGP infrastructure is worth carrying on or whether it should be thrown out and replaced,” Green commented in the course of a Twitter thread on the attack. “This attack is obviously a very powerful argument for the latter. But it’s also a crappy thing to do to people.”

“I’d propose that making [Gillmor] think about walking away from the ecosystem is maybe part of the attacker’s goal. I hope he doesn’t,” Green added.

Years and years

Hansen admits that the inherent flaws of the keyserver system – exposed by the latest attack – come as little surprise to contributors, who have known about them for years.

Hansen explained: “In the early 1990s this design seemed sound. It is not sound in 2019. We’ve known it has problems for well over a decade.”

Gillmor, the second target of the attack, notes that certificate flooding attacks have been recorded before including spam on Werner Koch’s key back in January 2018. It’s only the “scale of spam attached to certificates recently appears to be unprecedented”.

As a result of the attack, Gillmor’s Enigmail has become unusable and GnuPG can’t import his certificate from the keyservers, among other problems. Gillmor laments that his “public cryptographic identity has been spammed to the point where it is unusable in standard workflows”.

“This is a mess, and it’s a mess a long time coming,” Gillmor said. “The parts of the OpenPGP ecosystem that rely on the naive assumptions of the SKS keyserver can no longer be relied on, because people are deliberately abusing those keyservers.

“We need significantly more defensive programming, and a better set of protocols for thinking about how and when to retrieve OpenPGP certificates,” he added.

In a blog post, Gillmor goes on to suggest various workarounds and mitigations, including using abuse-resistant keystores to refresh certificates.

Trust no one

Professor Alan Woodward, a computer scientist at the University of Surrey, described the attack as a serious blow on trust in the network.

“The whole network is based upon trust essentially, so it’s about how do you rebuild trust after it was found that the servers contained poisoned certificates,” Prof. Woodward told The Daily Swig.

“I suspect it’s not salvageable if only because some of the prime movers behind its continued existence appear to have lost faith in the system.”

Weaknesses in the current system have been know about for years. Mitigations to defend against the current attack are tricky, and a better approach might be rebuild systems from the ground up, according to Prof. Woodward.

“I’m not sure how many people will be confident of altering their GnuPG config files, so some of the mitigations against this attack are likely to be beyond most general users,” Prof. Woodward explained.

“I suspect we’ll see alternative networks begin and those who start them will do so outside of the existing network and try to build trust in these new key servers. Hopefully the new keyservers can be shown to be more robust, apart from the network that was attacked, and hence that will help build trust anew,” he added.

RELATED More than half of popular email clients are vulnerable to signature spoofing