Fake keys of Linus Torvalds and other Linux developers discovered

by sigismund » 2016-08-17 18:02:56


The incident confirms the need to use the full 256-bit key fingerprints.


The problem of short PGP key IDs is back on the agenda after the detection of fake keys of Linus Torvalds, Greg Kroah-Hartman and other developers of the Linux kernel.

"It is well known that PGP is vulnerable to attacks through the identification of conflicts of interest, and many experiments confirm this. However, the real attack began in June. Some developers have discovered on the key server fakes of their keys with the same names, email addresses and even "the same" signatures to generate an even larger number of fake keys," it was reported on the mailing list for developers of the Linux kernel.

So that downloaded archives of Linux kernel releases can be verified, each kernel release receives a PGP signature from the developer responsible for the release (usually Torvalds or Kroah-Hartman). The short 8-character identifiers of the detected fake keys coincide with those of the real Torvalds and Kroah-Hartman keys, so for verification it is better to check the full 256-bit key fingerprints, not the short IDs.

The fake Torvalds key is as follows: 0F6A 1465 32D8 69AE E438 F74B 6211 AA3B [0041 1886]. The real key: ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 [0041 1886]. The fake Kroah-Hartman key: 497C 48CE 16B9 26E9 3F49 2736 6301 5DEA [6092 693E]. The real key: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 [6092 693E].
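
An added example, not part of the original post: a check that pins the genuine fingerprints quoted above and flags any signing key that matches a pinned key only on its short 8-character ID. The function names and the `PINNED` table are assumptions made for this example; the fingerprint values are the ones given in the post.

```python
import re

# Genuine fingerprints exactly as quoted in the post above; the table name
# and owner labels are assumptions made for this example.
PINNED = {
    "Linus Torvalds": "ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 0041 1886",
    "Greg Kroah-Hartman": "647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E",
}

def normalize(fpr):
    """Strip spaces, colons and brackets; require exactly 40 hex digits."""
    hexonly = re.sub(r"[\s:\[\]]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexonly):
        raise ValueError("not a full 40-hex-digit fingerprint: %r" % fpr)
    return hexonly

def short_id(fpr):
    """The 8-character key ID is simply the last 8 hex digits."""
    return normalize(fpr)[-8:]

def classify(candidate, pinned=PINNED):
    """Return (verdict, owner) for a signing key's fingerprint.

    'trusted'   - the full fingerprint equals a pinned one
    'collision' - only the short ID matches a pinned key: reject the key
    'unknown'   - no relation to any pinned key
    """
    cand = normalize(candidate)
    for owner, fpr in pinned.items():
        if cand == normalize(fpr):
            return ("trusted", owner)
    for owner, fpr in pinned.items():
        if cand[-8:] == short_id(fpr):
            return ("collision", owner)
    return ("unknown", None)

if __name__ == "__main__":
    # The two fake fingerprints quoted in the post, then one genuine one.
    for fpr in (
        "0F6A 1465 32D8 69AE E438 F74B 6211 AA3B [0041 1886]",
        "497C 48CE 16B9 26E9 3F49 2736 6301 5DEA [6092 693E]",
        "ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 [0041 1886]",
    ):
        print(short_id(fpr), classify(fpr))
```

A bare short ID such as `00411886` is rejected by `normalize`, so a caller cannot pass it where a full fingerprint is required.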