Global SKS network facing "devastating attack"

The global synchronising keyserver (SKS) network used by the OpenPGP protocol is under a “devastating” attack that threatens to make Gnu Privacy Guard (GnuPG) implementations of the protocol unusable.

That’s according to Robert J Hansen, who disclosed in a security advisory that the attack — which commenced in the last week of June — involved exploiting a defect in the OpenPGP protocol to poison certificates from Hansen and another high-profile contributor to the OpenPGP community, Daniel Kahn Gillmor.

Anyone attempting to import a poisoned certificate into a vulnerable OpenPGP installation, involving the GnuPG open source implementation, will likely break the installation in hard-to-debug ways, Hansen said.

The vulnerability is traced to the decision made in the early 1990s to ensure that keyservers would never delete information in order to prevent repressive regimes to force keyserver operators to replace certificates with ones of the government’s choosing.

This decision means that attestations appended to public certificates can never be deleted, Hansen said. The OpenPGP specification puts no limitation on how many signatures can be attached to a certificate — and while keyserver networks can handle certificates with up to about 150,000 signatures, GnuPG grinds to a halt when processing a spammed certificate.

Hansen’s poisoned public certificate as found on the keyserver network now has just under 150,000 signatures on it, and poisoned certificates cannot be deleted and will only rise over time.

While the OpenPGP community has known about the vulnerability for over a decade, the complex nature of the issue and the challenges involved with solving it have prevented a fix from being developed. Doing so would require the wholesale replacement of large sections of the current code base and fundamentally changing the way OpenPGP operates.

“The number one use of OpenPGP today is to verify downloaded packages for Linux-based operating systems, usually using a software tool called GnuPG. If someone were to poison a vendor’s public certificate and upload it to the keyserver network, the next time a system administrator refreshed their keyring from the keyserver network the vendor’s now-poisoned certificate would be downloaded,” Hansen said.

“At that point upgrades become impossible because the authenticity of downloaded packages cannot be verified. Even downloading the vendor’s certificate and re-importing it would be of no use, because GnuPG would choke trying to import the new certificate. It is not hard to imagine how motivated adversaries could employ this against a Linux-based computer network.”

Hansen said he personally does not believe the global keyserver network is salvageable, and urged high-risk users to stop using the keyserver network immediately. He also had harsh words for the person or people responsible for the attack.

“I have never in my adult life wished violence on any human being. I have witnessed too much of it and its barbaric effects, stood by the graves of too many people cut down too young. I do not hate you and I do not wish any harm to befall you,” he said.

“But if you get hit by a bus while crossing the street, I'll tell the driver everyone deserves a mulligan once in a while. You fool. You absolute, unmitigated, unadulterated, complete and utter, fool. Peace to everyone — including you, you son of a bitch.”

Image credit: ©stock.adobe.com/au/Parris Cope