Decade-old flaw in PGP is finally being exploited
It's the Snowden-approved industry standard for secure communications, but hackers have stumbled upon a hugely significant flaw


The developers of Pretty Good Privacy (PGP), also known as asymmetric cryptography - the industry standard for secure communications - have revealed that a core feature of the technology is 'devastatingly' and 'irreversibly' under attack from unknown hackers.
More specifically, hackers are exploiting an issue with OpenPGP, the rules that govern PGP certificates in much the same way HTML specifies how to write a web page. This protocol applies to a user's public keys stored on Synchronising Key Servers (SKS), which act like a telephone directory for PGP public keys. The issue has been known to the developers for over a decade.
Hackers are poisoning public keys, otherwise known as certificates, with large numbers of signatures (alterations to the certificate's content), which breaks the GnuPG software used by individuals to store their own and others' certificates.
The OpenPGP protocol allows unlimited alterations to public certificates which make the keys easier to use. Certificates "have a list of attestations: statements from other people, represented by their own public certificates, that this certificate really belongs to the individual in question", explained PGP developer Robert J. Hansen.
"These attestations - what we call certificate signatures - can be made by anyone for any purpose," Hansen added according to his run-down of the discovery. "And once made, they never go away. Ever. Even when a certificate signature gets revoked the original remains on the certificate: all that happens is a second signature is affixed saying 'don't trust the previous one I made'."
OpenPGP allows unlimited signatures and SKS allows up to 150,000, but the GnuPG software doesn't support nearly that many. When the software loads a certificate poisoned with an unruly number of signatures, the app grinds to a halt, essentially breaking it.
SKS is used by many users around the world, primarily developers working on Linux-based operating systems, so they can easily verify that a downloaded package comes from a legitimate developer. Hansen's own key, at the time of writing, has been under attack and now features just under 150,000 signatures, meaning anyone who tries to load his certificate in GnuPG will face the same demise.
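A defensive pre-import check for the signature flooding described above, as an added example that is not from Hansen's post or from GnuPG: it walks the packet headers of a binary (non-armored) OpenPGP certificate, counts signature packets, and stops as soon as a limit is exceeded. The 1,000-signature limit, the function names and the sample data are assumptions made for illustration.

```python
SIGNATURE_TAG = 2       # OpenPGP signature packet tag (RFC 4880)
MAX_SIGNATURES = 1000   # assumed local policy limit, not a GnuPG or SKS value

def iter_packets(data):
    """Yield (tag, body_length) for each packet in a binary OpenPGP stream."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated OpenPGP packet")
        chunk = data[pos:pos + n]
        pos += n
        return chunk
    while pos < len(data):
        first = take(1)[0]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                        # new-format header
            tag = first & 0x3F
            o1 = take(1)[0]
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length = ((o1 - 192) << 8) + take(1)[0] + 192
            elif o1 == 255:
                length = int.from_bytes(take(4), "big")
            else:                               # partial lengths: data packets only
                raise ValueError("partial body length in a certificate")
        else:                                   # old-format header
            tag = (first >> 2) & 0x0F
            if first & 0x03 == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(take(1 << (first & 0x03)), "big")
        take(length)                            # skip the body without parsing it
        yield tag, length

def check_certificate(data, limit=MAX_SIGNATURES):
    """Return (ok, count); stops reading once the limit is exceeded."""
    count = 0
    for tag, _ in iter_packets(data):
        if tag == SIGNATURE_TAG:
            count += 1
            if count > limit:
                return False, count
    return True, count

def build_sample(n_sigs):
    """Constructed sample: key packet, user ID, then n_sigs dummy signatures."""
    pkt = lambda tag, body: bytes([0xC0 | tag, len(body)]) + body
    return pkt(6, b"\x00" * 8) + pkt(13, b"alice@example.org") + pkt(2, b"\x00" * 10) * n_sigs
```

Because only headers are read and bodies are skipped, the cost of the check is bounded by the limit rather than by the size of the flooded certificate.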
"We've known for a decade this attack is possible. It's now here and it's devastating," said Hansen. "There are a few major takeaways and all of them are bad."
Hansen said these include:
- If you fetch a poisoned certificate from the keyserver network, you will break your GnuPG installation.
- Poisoned certificates cannot be deleted from the keyserver network.
- The number of deliberately poisoned certificates, currently at only a few, will only rise over time.
- We do not know whether the attackers are intent on poisoning other certificates.
- We do not even know the scope of the damage.
Hansen pointed out that upgrades to Linux systems have become impossible because developers cannot verify the authenticity of download packages without choking on the new certificate import. "It is not hard to imagine how motivated adversaries could employ this against a Linux-based computer network," he added.
Hansen said the global keyserver network is 'unsalvageable' and high-risk users should stop using it immediately. He does offer some possible solutions such as deleting and reloading certificates but says this may not work and users may have to completely wipe their keychain and rebuild from scratch.
The post becomes increasingly emotive as it goes on. Hansen cites a misery-fuelled blog post from Daniel Kahn Gillmor, another lead developer of PGP, the sentiments of which Hansen shared.
"This is a mess, and it's a mess a long time coming," said Gillmor. "The parts of the OpenPGP ecosystem that rely on the naive assumptions of the SKS keyserver can no longer be relied on, because people are deliberately abusing those keyservers. We need significantly more defensive programming, and a better set of protocols for thinking about how and when to retrieve OpenPGP certificates.
"To have my own certificate directly spammed in this way felt surprisingly personal, as though someone was trying to attack or punish me, specifically. I can't know whether that's actually the case, of course, nor do I really want to.
"If you're reading this, and you set this off, and you selected me specifically because of my role in the OpenPGP ecosystem, or because I wrote the abuse-resistant-keystore draft, or because I'm part of the Autocrypt project, then you should know that I care about making this stuff work for people."
SKS is being abused, and because the algorithm that powers it was written by a PhD student for his thesis in a highly complex language, Hansen said no one in the community has the confidence to tackle and change it.
Readers shouldn't confuse this issue with a vulnerability in PGP itself: the core encryption technology is still working as normal and is as secure as before.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.