The web of trust has grown steadily over the last 20 years, and yet the tooling that supports it has remained stagnant despite staggering hardware advancement. Choices that seemed reasonable 20 years ago (32-bit key IDs, or even 64-bit key IDs) are obsolete. Using modern GPUs, we have found collisions for every 32-bit key ID in the strong set, with matching signatures and key sizes (e.g. RSA 2048). Although this does not break the encryption the web of trust is built on, it further erodes the usability of the web of trust and increases the chance of human error. We will be releasing the tool we developed to find fingerprint collisions. Vanity GPG key, anyone?
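To make concrete why a 32-bit key ID is such a weak identifier, here is an added example that is not part of the talk or the authors' tool. It derives an OpenPGP v4 fingerprint and its 64-bit and 32-bit key IDs the way RFC 4880 defines them (SHA-1 over `0x99`, a two-octet length and the public-key packet body; the key IDs are the trailing octets of that fingerprint), then shows that a keyring lookup by short ID can return several keys while a full-fingerprint comparison cannot, and quantifies the birthday bound for a keyring of a given size. The toy RSA parameters, the key names and the two fingerprints ending in `deadbeef` are all constructed for illustration, not real keys.

```python
"""Added example: OpenPGP v4 fingerprints, key IDs and why short IDs collide.

Everything here is constructed for illustration; the toy modulus is not a usable
RSA key and the keyring entries are made-up fingerprints.
"""
import hashlib
import hmac
import math
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer (RFC 4880 s3.2): 2-byte bit count, then big-endian magnitude."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def v4_rsa_public_key_body(creation_time: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 s5.5.2):
    version(1) || creation time(4) || algorithm(1, 1 = RSA) || MPI(n) || MPI(e)."""
    return bytes([4]) + struct.pack(">I", creation_time) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over 0x99 || 2-octet body length || body (RFC 4880 s12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_key_id(fingerprint: bytes) -> bytes:
    """The 64-bit key ID is the low-order 8 octets of the v4 fingerprint."""
    return fingerprint[-8:]


def short_key_id(fingerprint: bytes) -> bytes:
    """The 32-bit 'short' key ID is just the last 4 octets: 32 bits of identity."""
    return fingerprint[-4:]


def lookup(keyring: dict, identifier: str) -> list:
    """Names of every key whose fingerprint ends with `identifier` (hex of 8, 16 or 40 digits).

    This mirrors how ID-based key lookup behaves: anything shorter than the full
    fingerprint is a suffix match and can return more than one key.
    """
    ident_hex = identifier.strip().lower()
    if ident_hex.startswith("0x"):
        ident_hex = ident_hex[2:]
    ident = bytes.fromhex(ident_hex)
    if len(ident) not in (4, 8, 20):
        raise ValueError("identifier must be a short ID, long ID or full fingerprint")
    return [name for name, fpr in keyring.items() if fpr.endswith(ident)]


def fingerprint_matches(expected_hex: str, fingerprint: bytes) -> bool:
    """The only safe check: the full 160-bit fingerprint, compared in constant time.
    A short or long key ID is rejected outright rather than suffix-matched."""
    expected = bytes.fromhex(expected_hex.replace(" ", "").lower())
    return len(expected) == 20 and hmac.compare_digest(expected, fingerprint)


def collision_probability(num_keys: int, id_bits: int) -> float:
    """Birthday bound: probability that at least two of `num_keys` uniformly random
    `id_bits`-bit IDs coincide, using the 1 - exp(-pairs / 2^bits) approximation."""
    pairs = num_keys * (num_keys - 1) / 2
    return 1.0 - math.exp(-pairs / 2 ** id_bits)


# Constructed toy key: a 64-bit modulus so the example runs offline (not a real RSA key).
TOY_BODY = v4_rsa_public_key_body(creation_time=1_400_000_000, n=0xC2A5F3C3E6D91F63, e=65537)
TOY_FPR = v4_fingerprint(TOY_BODY)

# Constructed keyring: two unrelated fingerprints that happen to share their last 32 bits.
KEYRING = {
    "Toy key (constructed)": TOY_FPR,
    "Alice (constructed fingerprint)": bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6d7e8f9deadbeef"),
    "Mallory (constructed fingerprint)": bytes.fromhex("f9e8d7c6b5a49382716f5e4d3c2b1a0bdeadbeef"),
}


if __name__ == "__main__":
    print("toy fingerprint:", TOY_FPR.hex())
    print("long key ID:    ", long_key_id(TOY_FPR).hex())
    print("short key ID:   ", short_key_id(TOY_FPR).hex())
    print("lookup DEADBEEF ->", lookup(KEYRING, "DEADBEEF"))
    for n_keys in (1_000, 100_000):
        print(f"{n_keys} keys: P(32-bit collision) = {collision_probability(n_keys, 32):.3f}, "
              f"P(64-bit collision) = {collision_probability(n_keys, 64):.2e}")
```

The lookup shows the usability problem the abstract describes: a short ID resolves to every key whose fingerprint shares those four trailing octets, so a human who compares only the 8-hex-digit ID has no way to tell the two `deadbeef` entries apart. The defender-side fix is in `fingerprint_matches`: verify the whole 40-hex-digit fingerprint and refuse to accept anything shorter as proof of identity.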
Richard Klafter is a senior software engineer at Optimizely specializing in web security. In his free time you’ll find him writing new software or breaking existing software. He coauthored scallion (https://github.com/lachesis/scallion), a vanity address generator for Tor’s hidden services.
Eric Swanson is a freelance software developer with a passion for netsec. He coauthored scallion, a vanity address generator for Tor’s hidden services.