Poison certs imperils GnuPG checking of Linux software

An attack has been unleashed against the global synchronising keyserver (SKS) network used by the popular OpenPGP encryption standard, with developers saying there is currently no mitigations available and that the problem is likely to get worse.

By adding large amounts of undeletable signatures to certificates on keyservers, it is possible to cause OpenPGP implementations to stop working.

The attack threatents to make the GnuPG implementation of OpenPGP unusuable, which would have devastating consequences for open source users.

GnuPG is used to verify downloaded software packages for Linux-based operating systems, and attackers could attempt to poison a vendor's public certificate and upload it to the keyserver network.

Doing so would make GnuPG choke, making it impossible to verify the authenticity of downloaded packages.

Robert Hansen (rjh) who maintains the GnuPG frequently asked questions list and is the unofficial crisis communicator for the project said that unknown attackers had exploited a defect in the OpenPG protocol in order to poison his and high-profile contributor Daniel Kahn Gillmor's (dkg) certificates.

Anyone who imports rjh and dkg's poisoned OpenPGP certificates are very likely to break their installations, Hansen said.

The flaw stems from a design decision taken in the early 1990s to make the keyserver network censorship resistant, in case repressive regimes were to force operators to replace certificates on servers with ones of a government's choosing.

For that reason, the SKS network was designed so that information could be added to certificates, but not deleted ever. Certificates can't be deleted either from the SKS network of servers.

Hansen said the keyserver network handles digital certificates with up to about 150,000 signatures.

The GnuPG open source implementation of OpenPGP cannot handle cerificates with that many signatures however.

"Any time GnuPG has to deal with such a spammed certificate, GnuPG grinds to a halt. It doesn't stop, per se, but it gets wedged for so long it is for all intents and purposes completely unusable.

My public certificate as found on the keyserver network now has just short of 150,000 signatures on it," Hansen said.,

He warned that the verifying signatures could make GnuPG attempt to deal with spammed certificates, even though they are not imported, causing people's installations to break.

Things will get worse; no fix on the horizon

While the notion of immutable certificate storage seemed sound at the time, in 2019 it threatens OpenPGP's future as there is no way to fix the problem, bar a redesign of the software.

Due to the decision to make data on the keyserver network immutable, spammed certificates cannot be deleted from it.

Hansen expects more certificates to become poisoned over time, with the problem being compounded by booby-trapped credentials being difficult to detect until someone tries to import them.

The problem has been known for a decade but it hasn't been fixed due to what Hansen say are powerful technical and social factors inhibiting further keyserver development.

SKS keyserver software was developed in an idiosyncratic dialect of an unusual programming language called OCaml by Yaron Minsky as part of a PhD thesis. 

The software is unmaintained with nobody in the keyserver community feeling qualified to do a serious overhaul of the code base written in an obscure programming language with strange customs.

Furthermore, the issue isn't due to a bug as such, but a design goal that needs to be changed. Doing so would mean ripping out a large chunk of the current code base and replacing it with software that behaves very diffierently.

Likewise, the keyserver network is designed not to have a centralised authority, again to make it resistant to government control. This makes changing design goals even harder than they normally are, Hansen said.

Currenty, the only mitigation for users is not to retrieve data from the SKS keyserver network, Hansen said.

The attack has angered the OpenPGP community, which suspects it was done as an experiment.

Gillmor called the attack "a pretty shitty thing to do" and said it had caused him to consider leaving the project.

Hansen using stronger language in a message to the attacker:

"I do not hate you and I do not wish any harm to befall you.

But if you get hit by a bus while crossing the street, I'll tell the driver everyone deserves a mulligan once in a while.

You fool. You absolute, unmitigated, unadulterated, complete and utter, fool.

Peace to everyone — including you, you son of a bitch." he wrote.