About the supposed factoring of a 4096 bit RSA key(blog.hboeck.de) |
The RSA subkey that was factored has an invalid self-signature in hpa's public key[1], which means that it wasn't really hpa who added the subkey. Since the sks-keyserver pool doesn't verify signatures[2], anyone could have inserted that subkey. So anyone could have purposefully picked an exploitable RSA subkey, added a fake signature to it, and uploaded it to the sks-keyserver pool.
Luckily, GPG will drop the subkey when retrieving hpa's public key since it doesn't have a valid self-signature. But for anyone scanning all the public keys without verifying signatures (for research, etc.), this key might get recognized and cause a shitstorm. Which is exactly what has happened.
So far, there's no evidence that there is a conspiracy to weaken RSA keys. There is only evidence that someone inserted a bogus subkey into hpa's public key. There will be evidence of a conspiracy if we find a weak RSA key in the strongset that has a valid self-signature.
[1]: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-...
[2]: https://lists.gnupg.org/pipermail/gnupg-devel/2015-March/029...
"The only case where this could matter would be a broken implementation of the OpenPGP key protocol that does not check if subkeys really belong to a master key."
I'd be curious to explore that further.
This kernel developer has been targeted in the past:
http://arstechnica.com/security/2013/09/who-rooted-kernel-or...
"During that time, attackers were able to monitor the activities of anyone using the kernel.org servers known as Hera and Odin1, as well as personal computers belonging to senior Linux developer H. Peter Anvin. The self-injecting rootkit known as Phalanx had access to a wealth of sensitive data, possibly including private keys used to sign and decrypt e-mails and remotely log in to servers. A follow-up advisory a few weeks later opened the possibility that still other developers may have fallen prey to the attackers."
Edit: The key in question was created the day before this post by HPA regarding the compromise:
Relevant GPG thread: https://lists.gnupg.org/pipermail/gnupg-users/2015-May/05354...
Relevant SKS thread: https://lists.nongnu.org/archive/html/sks-devel/2015-05/msg0...
913ff626efddfb f8ae8f1d40da8d13 a90138686884bad1
9db776bb4812f7e3 b2
c37b8cca2eb4ac 1e889d1027bc1ed6 664f3877cd7052c6
db5567a3365cf7e2 c6
starting from the 162nd byte if I counted correctly, which means the first 5 * 32+1 (or 2 * 80+1) bytes are the same, then 32 bytes differ. (The "easily factorable" number has two bytes which are represented as "bad1" in hex).
But thinking about the 256 bits, that's exactly the size of a block on which a typical symmetric cipher can operate, which suggests some kind of a bug, although the offset of 161 bytes is a bit strange.
The human would probably just change a few bits to achieve the same effect, not 256, unless he wanted to encode some message, and it doesn't look so. But see also the post of lawnchair_larry here.
But: Mail clients should use 78 chars per text line, and GPG encodes base64 in lines of 64 chars length, so ignore my theory ;-).
But if they come from some other key unmodified it would be possible to scan for the match, and it's a fast operation, as soon as we have the keys in which we'd like to search.
Edit: further contributing to the discussion, more anonymous downvotes. Great.
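The byte-offset comparison discussed above (first 161 bytes shared, then a 32-byte run that differs) and the follow-up idea of scanning other keys for that same run, as an added Python example that is not from the thread or the original blog post. Only the two 32-byte hex runs quoted above are taken from the page; the shared prefix and tail of the 512-byte moduli are constructed filler, and all function names are assumptions.

```python
import hashlib

# The two 32-byte runs quoted in the thread, whitespace removed.
RUN_A = bytes.fromhex("913ff626efddfbf8ae8f1d40da8d13a90138686884bad19db776bb4812f7e3b2")
RUN_B = bytes.fromhex("c37b8cca2eb4ac1e889d1027bc1ed6664f3877cd7052c6db5567a3365cf7e2c6")


def diff_span(a: bytes, b: bytes):
    """Compare two equal-length byte strings (e.g. raw RSA moduli).

    Returns (first_differing_offset, run_length, trailing_equal_bytes), where
    offset is 0-based (161 means "the 162nd byte") and run_length counts bytes
    from the first to the last difference inclusive. Returns None if identical.
    """
    if len(a) != len(b):
        raise ValueError("moduli differ in length")
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if not diffs:
        return None
    first, last = diffs[0], diffs[-1]
    return first, last - first + 1, len(a) - last - 1


def constructed_moduli():
    """Build two constructed 512-byte (4096-bit) moduli that share 161 leading
    bytes and 319 trailing bytes and differ only in the 32-byte run between.
    Deterministic SHA-256 output stands in for the real key bytes."""
    filler = b"".join(hashlib.sha256(b"filler%d" % i).digest() for i in range(16))
    head, tail = filler[:161], filler[161 + 32:]
    return head + RUN_A + tail, head + RUN_B + tail


def find_run(run: bytes, moduli):
    """Scan a list of raw moduli for a literal occurrence of `run`.

    This is the "scan for the match" idea: if the differing bytes were copied
    unmodified from another key, bytes.find() locates them in one pass per key.
    Returns a list of (modulus_index, byte_offset) hits."""
    hits = []
    for idx, m in enumerate(moduli):
        off = m.find(run)
        if off != -1:
            hits.append((idx, off))
    return hits
```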
> "Update II : Amusingly enough, it seems Hacker News hand-diddled their story list to remove this discussion. Way to go Ydumbinator crew!" [0]
[0]: http://trilema.com/2015/full-disclosure-4096-rsa-key-in-the-...
http://www.righto.com/2013/11/how-hacker-news-ranking-really...
Compare the gradual slide from the peak of other articles from the same time as the one in question:
http://hnrankings.info/9560839,9561606,9561693,9561599,95619...
Moderated forums aren't censored, but they do get... moderated. What else did you expect?
[1] He's been scraping the profiles of young women (specifically) and posting links, names, and hometowns on his blog. Yes, as technologists, we know that this kind of indexing is trivial. That's no reason, as a decent human being, to terrorize innocent people.
Most of the publicly known early adopters don't spend as much (or any) time trolling about (and getting trolled) on IRC.
The most you can do, after having been educated/raped, is picking the what and the how for other, later, virgins.
http://trilema.com/2014/patriarchy-is-a-thing-because-nobody...
Or they have read his Guide To Beating Women blog post:
http://trilema.com/2011/cum-se-bate-femeia/
Or perhaps they have read how his site for betting with bitcoin screwed someone over for about $7,000 in bitcoin:
If you're skeptical of numbers on webpages (cf. "EmptyGox"), MPEx's trivially traceable addresses[2] currently contain around five thousand coins; tracking down the rest is left as an exercise for the skeptical sleuth.
CL-USER> (* 1/2 (expt 10 9)
(parse-float "0.00029087" :type 'rational))
145435