Cleaning a broken GnuPG (gpg) key
I've long said that the main tools in the Open Source security space, OpenSSL and GnuPG (gpg), are broken and only a complete re-write will solve this. And that is still pending as nobody came forward with the funding. It's not a sexy topic, so it has to get really bad before it'll get better.
Gpg has a UI that is close to useless. That won't substantially change with more bolted-on improvements.
Now Robert J. Hansen and Daniel Kahn Gillmor had somebody add ~50k signatures (read 1, 2, 3, 4 for the g{l}ory details) to their keys and - oops - they say that breaks gpg.
But does it?
I downloaded Robert J. Hansen's key off the SKS-Keyserver network.
It's a nice 45MB file when de-ascii-armored (gpg --dearmor broken_key.asc ; mv broken_key.asc.gpg broken_key.gpg
).
Now a friendly:
pub rsa3072/0x1DCBDC01B44427C7
erzeugt: 2015-07-16 verfällt: niemals Nutzung: SC
Vertrauen: unbekannt Gültigkeit: unbekannt
sub ed25519/0xA83CAE94D3DC3873
erzeugt: 2017-04-05 verfällt: niemals Nutzung: S
sub cv25519/0xAA24CC81B8AED08B
erzeugt: 2017-04-05 verfällt: niemals Nutzung: E
sub rsa3072/0xDC0F82625FA6AADE
erzeugt: 2015-07-16 verfällt: niemals Nutzung: E
[ unbekannt ] (1). Robert J. Hansen <rjh@sixdemonbag.org>
[ unbekannt ] (2) Robert J. Hansen <rob@enigmail.net>
[ unbekannt ] (3) Robert J. Hansen <rob@hansen.engineering>
User-ID "Robert J. Hansen <rjh@sixdemonbag.org>": 49705 Signaturen entfernt
User-ID "Robert J. Hansen <rob@enigmail.net>": 49704 Signaturen entfernt
User-ID "Robert J. Hansen <rob@hansen.engineering>": 49701 Signaturen entfernt
pub rsa3072/0x1DCBDC01B44427C7
erzeugt: 2015-07-16 verfällt: niemals Nutzung: SC
Vertrauen: unbekannt Gültigkeit: unbekannt
sub ed25519/0xA83CAE94D3DC3873
erzeugt: 2017-04-05 verfällt: niemals Nutzung: S
sub cv25519/0xAA24CC81B8AED08B
erzeugt: 2017-04-05 verfällt: niemals Nutzung: E
sub rsa3072/0xDC0F82625FA6AADE
erzeugt: 2015-07-16 verfällt: niemals Nutzung: E
[ unbekannt ] (1). Robert J. Hansen <rjh@sixdemonbag.org>
[ unbekannt ] (2) Robert J. Hansen <rob@enigmail.net>
[ unbekannt ] (3) Robert J. Hansen <rob@hansen.engineering>
Command being timed: "gpg --no-default-keyring --keyring ./broken_key.gpg --batch --quiet --edit-key 0x1DCBDC01B44427C7 clean save quit"
User time (seconds): 3911.14
System time (seconds): 2442.87
Percent of CPU this job got: 99%
Elapsed (wall clock) time (h:mm:ss or m:ss): 1:45:56
Average shared text size (kbytes): 0
Average unshared data size (kbytes): 0
Average stack size (kbytes): 0
Average total size (kbytes): 0
Maximum resident set size (kbytes): 107660
Average resident set size (kbytes): 0
Major (requiring I/O) page faults: 1
Minor (reclaiming a frame) page faults: 26630
Voluntary context switches: 43
Involuntary context switches: 59439
Swaps: 0
File system inputs: 112
File system outputs: 48
Socket messages sent: 0
Socket messages received: 0
Signals delivered: 0
Page size (bytes): 4096
Exit status: 0
And the result is a nicely useable 3835 byte file of the clean public key.
If you supply a keyring instead of --no-default-keyring
it will also keep the non-self signatures that are useful for you (as you apparently know the signing party).
So it does not break gpg. It does break things that call gpg at runtime and not asynchronously. I heard Enigmail is affected, quelle surprise.
Now the main problem here is the runtime. 1h45min is just ridiculous. As Filippo Valsorda puts it:
Someone added a few thousand entries to a list that lets anyone append to it. GnuPG, software supposed to defeat state actors, suddenly takes minutes to process entries. How big is that list you ask? 17 MiB. Not GiB, 17 MiB. Like a large picture. https://dev.gnupg.org/T4592
If I were a gpg / SKS keyserver developer, I'd
- speed this up so the edit-key run above completes in less than 10 s (just getting rid of the lseek/read dance and deferring all time-based decisions should get close)
- (ideally) make the drop-sig import-filter syntax useful (date-ranges, non-reciprocal signatures, ...)
- clean affected keys on the SKS keyservers (needs coordination of sysops, drop servers from unreachable people)
- (ideally) use the opportunity to clean all keyserver filesystem and the message board over pgp key servers keys, too
- only accept new keys and new signatures on keys extending the strong set (rather small change to the existing codebase)
That way another key can only be added to the keyserver network if it contains at least one signature from a previously known strong-set key. Attacking the keyserver network would become at least non-trivial. And the web-of-trust thing may make sense again.
Updates
09.07.2019
GnuPG 2.2.17 has been released with another set of quickly bolted together fixes:
* gpg: Ignore all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures. The old behaviour can be achieved by adding keyserver-options no-self-sigs-only,no-import-clean to your gpg.conf. [#4607] * gpg: If an imported keyblocks is too large to be stored in the keybox (pubring.kbx) do not error out but fallback to an import using the options "self-sigs-only,import-clean". [#4591] * gpg: New command --locate-external-key which can be used to refresh keys from the Web Key Directory or via other methods configured with --auto-key-locate. * gpg: New import option "self-sigs-only". * gpg: In --auto-key-retrieve prefer WKD over keyservers. [#4595] * dirmngr: Support the "openpgpkey" subdomain feature from draft-koch-openpgp-webkey-service-07. [#4590]. * dirmngr: Add an exception for the "openpgpkey" subdomain to the CSRF protection. [#4603] * dirmngr: Fix endless loop due to http errors 503 and 504. [#4600] * dirmngr: Fix TLS bug during redirection of HKP requests. [#4566] * gpgconf: Fix a race condition when killing components. [#4577]
Bug T4607 shows that these changes are all but well thought-out. They introduce artificial limits, like 64kB for WKD-distributed keys or 5MB for local signature imports (Bug T4591) which weaken the web-of-trust further.
I recommend to not run gpg 2.2.17 in production environments without extensive testing as these limits and the unverified network traffic may bite you. Do validate your upgrade with valid and broken keys that have segments (packet groups) surpassing the above mentioned limits. You may be surprised what gpg does. On the upside: you can now refresh keys (sans signatures) via WKD. So if your buddies still believe in limiting their subkey validities, you can more easily update them bypassing the SKS keyserver network. NB: I have not tested that functionality. So test before deploying.
10.08.2019
Christopher Wellons (skeeto) has released his pgp-poisoner tool. It is a go program that can add thousands of malicious signatures to a GNUpg key per second. He comments "[pgp-poisoner is] proof that such attacks are very easy to pull off. It doesn't take a nation-state actor to break the PGP ecosystem, just one person and couple evenings studying RFC 4880. This system is not robust." He also hints at the next likely attack vector, public subkeys can be bound to a primary key of choice.
Comments
Display comments as Linear | Threaded
Alfonso Perrez on :
The gnupg dev just added a flag to import-self-sigs-only. https://dev.gnupg.org/T4591
That is probably what qualifies as another "bolted-on improvement".
dkg is not happy either: "Adding a new option to an already-crowded space is not the right solution. [T]he right solution is for gpg to be more defensive about the OpenPGP packets it receives, regardless of who[m] it receives them from."
@gnomon@mastodon.social on :
Wrote a brief note about this post over at https://mastodon.social/users/gnomon/statuses/102372680467099148
Neal on :
You might want to check out Sequoia, which is a complete rewrite being developed by three former GnuPG devs, and is being funded by pep.
Daniel Lange on :
I'm following what Kai, Justus and you are doing.
There's lots of other activity in the space, too, which I'm following the same:
Saltpack, opmsg, minisign, signify etc.
From a strategic point of view I'm not convinced of any approach that got seeded so far.
In the Sequoia case the choice of license (GPLv3), implementation language (Rust) and technical approach are all - let's say - "strongly opinionated" (that's deliberate, the team has social goals in addition to technical ones). That may prevail but it makes your life much harder than solving the technical and UI problems in a more focussed approach.
You did a clever move with Hagrid and keys.openpgp.org. Excellent timing. Again, I'd have chosen a different approach as I find the identity attestation part of pgp the most valuable and you basically break that (cf. my item list of todos in the article). You reduce pgp to a "key for email" thing. Which has failed in easycrypt and many approaches before that. I'd consider changing the approach when the same thing has failed thrice in a row. Heck, people are implementing WKD only now as keyservers crumble. Not because anybody thought it was a good specification or a significant use case.
My suspicion is that with the attestation element of pgp keys gone, the remainder is so unattractive both from technical (lots of historic baggage ("technical debt", "conceptual debt")) and marketing perspectives ("brand", "experience") that people will move to minisign, signify etc. in the only real use case gpg currently owns. And then there is no existing user base anymore and no growth story either. Forget the 59ct email encryption app, nobody buys that. And when that has become common knowledge the venture capital will go elsewhere. And we'd be back to square one.
So in a a way you may likely be adding more nails to pgp's coffin.
But you currently ride the wave and have good momentum. I hope Sequoia will survive the ride in good shape. And if things turn out the way I anticipate, I hope the team will try a less opinionated approach next time.
Paul Boddie on :
Please consider writing a separate article instead of updating the same ones over and over again (which I end up seeing in Planet Debian). It was by reading John Goerzen's rather considered article on the general topic of PGP (https://changelog.complete.org/archives/10010-alas-poor-pgp) that I discovered Sequoia, and its existence immediately contradicts your opening claim about nobody attempting to rewrite the tools. Such inconsistencies undermine your message.
However, I do appreciate that unlike "The PGP Problem" (referenced by Goerzen and in an update to another of your articles) your observations have an empirical element and refrain from "witty" 1990s popular culture references. I think that commentators on these topics should dial back the ridicule and focus more on constructive remedies if they really wish to get their message across.
In any case, thank you for writing about these topics.
Paul Battany on :
Just to let you know, John Coggeshall has published an article on Sequoia for LWN this week at https://lwn.net/SubscriberLink/830902/b751810a99460a39/
The TL;DR is: it is a rust library aimed at developers. No real world use yet.
Vera Orlova on :
PSA: If anyone's email is broken because their GnuPG keyring automatically fetched a poisoned key (ie: Tor Browser key) following the certificate flooding attacks last month (CVE-2019-13050), here's a guide on how you can fix your gpg client. Thanks!