Practical Collision Attack Against Long Key IDs in PGP
4 months ago
- #Cryptography
- #PGP
- #Security
- A Hacker News user claimed, based on empirical evidence, that 64-bit PGP key fingerprints do not have collisions.
- A proof of concept demonstrated a collision attack on 64-bit 'Long Key IDs' used by OpenPGP and GnuPG.
- The attack exploited the birthday bound, requiring about 2^32 attempts for a 50% collision probability.
- The full attack took approximately 3 days on a laptop, with key steps including generating keypairs, computing Key IDs, and sorting results.
- Colliding Key IDs could allow an attacker to substitute malicious keys, leading to potential security breaches and plausible deniability.
- The article emphasizes the importance of not making empirical claims about cryptographic security without proper understanding.
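
The birthday bound above can be checked at a reduced width. The following is an added example, not code from the article: it hashes constructed counter inputs (not real key material), treats the low bits of SHA-1 as the Key ID the way OpenPGP v4 does with the low 64 bits of the fingerprint, and shows how to flag Key IDs in a keyring that map to more than one full fingerprint. All function names are assumptions made for this illustration.

```python
import hashlib
import math

def attempts_for_probability(bits, p=0.5):
    """Birthday approximation: random `bits`-wide values needed for collision probability p."""
    return math.sqrt(2 * (2 ** bits) * math.log(1 / (1 - p)))

def key_id(fingerprint_hex, bits=64):
    """OpenPGP v4 takes the Key ID from the low-order bits of the SHA-1 fingerprint."""
    return fingerprint_hex[-(bits // 4):].upper()

def find_truncated_collision(bits, seed=b"constructed-sample"):
    """Hash constructed inputs until two digests share the same low `bits`.

    Returns (first_fingerprint, second_fingerprint, attempts).
    """
    seen = {}
    attempts = 0
    while True:
        fp = hashlib.sha1(seed + attempts.to_bytes(8, "big")).hexdigest()
        attempts += 1
        kid = key_id(fp, bits)
        if kid in seen:
            return seen[kid], fp, attempts
        seen[kid] = fp

def ambiguous_key_ids(fingerprints, bits=64):
    """Defensive check: Key IDs that resolve to more than one full fingerprint."""
    by_id = {}
    for fp in fingerprints:
        by_id.setdefault(key_id(fp, bits), set()).add(fp.upper())
    return {kid: sorted(fps) for kid, fps in by_id.items() if len(fps) > 1}

if __name__ == "__main__":
    # Predicted work for a 50% chance at the real 64-bit width (about 1.18 * 2^32).
    print(f"64-bit Key ID, p=0.5: {attempts_for_probability(64):.3e} attempts")
    # Scaled-down run: a 24-bit "Key ID" collides after a few thousand hashes.
    a, b, n = find_truncated_collision(24)
    print(f"24-bit: predicted ~{attempts_for_probability(24):.0f}, observed {n}")
    print(a, b, sep="\n")
    # A keyring indexed by truncated ID cannot tell these two entries apart.
    print(ambiguous_key_ids([a, b], bits=24))
```

Comparing full fingerprints instead of Key IDs, as `ambiguous_key_ids` does when it groups entries, is what removes the ambiguity.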