keys hosted on keyserver are subject to flooding attack #85

Open
dkg opened this issue Apr 3, 2019 · 2 comments

Comments

@dkg

dkg commented Apr 3, 2019

It's possible to attach arbitrary third-party certifications to an already-validated OpenPGP certificate that is published on hkps://keys.mailvelope.com simply by uploading the augmented certificate to the "Manage Keys" web form. Some OpenPGP keyserver clients will reject too-large certificates when fetched from a keyserver.

This means that an anonymous user can attach garbage to an OpenPGP certificate, potentially bloating it in size beyond what clients will accept. If there is a limit to the quantity of third party certifications attachable to any given certificate, then the anonymous user can fill that limit, obstructing anyone else from attaching certifications.

This is a similar attack to one of the attacks that have been mounted against certificates hosted by the SKS keyserver network.

To fix the problem robustly, you'll either need to stop accepting third-party certifications entirely, or figure out some authorization scheme about which third-party certifications are acceptable for any given certificate. I'm happy to demonstrate the attack for any of the Mailvelope developers privately, and to talk over the options for mitigation of the issue.

sorry to be the bearer of bad news!

@dkg
Author

dkg commented Apr 4, 2019

One possible mitigation is to only accept first-party attested third-party certifications. (I wrote the linked draft after some discussion with other interested folks earlier today -- feel free to suggest improvements if you think it's off-base)

(2019-04-15: edited to update the link to the latest draft)

@toberndo
Member

Flooding attack mitigation is now implemented with e419922

Added the following section to the README:

Abuse resistant key server

The key server implements mechanisms described in the draft Abuse-Resistant OpenPGP Keystores to mitigate various attacks related to flooding the key server with bogus keys or certificates. The filtering of keys can be customized with environment variables.

In detail the following key components are filtered out:

  • user attribute packets
  • third-party certificates
  • certificates exceeding 8383 bytes
  • certificates that cannot be verified with primary key
  • unhashed subpackets except: issuer, issuerFingerprint, embeddedSignature
  • unhashed subpackets of embedded signatures
  • user IDs without email address
  • user IDs exceeding 1024 bytes
  • user IDs that have no self certificate or revocation signature
  • subkeys exceeding 8383 bytes
  • above 5 revocation signatures. Hardest, earliest revocations are kept.
  • superseded certificates. Newest 5 are kept.

A key is rejected if one of the following is detected:

  • primary key packet exceeding 8383 bytes
  • primary key packet is not version 4
  • key without user ID
  • key with more than 20 email addresses
  • key with more than 20 subkeys
  • key size exceeding 32768 bytes
  • new uploaded key is not valid 24h in the future
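As an added illustration of the hard-reject rules above (not Mailvelope's own code, which lives in the commit referenced earlier), the following Python walks the OpenPGP packet stream of a binary key and reports which of the README's size and count limits it trips. It assumes a key that starts with its primary key packet, and it leaves out the rules that need signature parsing (the 24h validity check and the filtering list); the sample keys are constructed dummies, not real keys.

```python
import re
TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 6, 13, 14   # RFC 4880 section 4.3 packet tags

def parse_packets(data):
    """Split an OpenPGP packet stream into (tag, body) pairs; old- and new-format headers."""
    i, pkts = 0, []
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0xC0 == 0xC0:                        # new-format header (RFC 4880 4.2.2)
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                ln = first
            elif first < 224:                         # two-octet form; its largest value is 8383
                ln, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                ln, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        elif ctb & 0xC0 == 0x80 and ctb & 3 != 3:     # old-format header with a definite length
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 3)
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        else:
            raise ValueError("malformed or indeterminate-length packet header")
        pkts.append((tag, data[i:i + ln])); i += ln
    return pkts

def rejection_reasons(data):
    """Apply the README's hard-reject rules to a binary key; an empty list means the key is accepted."""
    pkts = parse_packets(data)
    primary = pkts[0][1] if pkts and pkts[0][0] == TAG_PUBLIC_KEY else b""   # missing primary fails below
    uids = [b.decode("utf-8", "replace") for t, b in pkts if t == TAG_USER_ID]
    emails = {m.group(1).lower() for u in uids for m in re.finditer(r"<([^<>@\s]+@[^<>\s]+)>", u)}
    checks = [
        (len(data) > 32768, "key size exceeding 32768 bytes"),
        (len(primary) > 8383, "primary key packet exceeding 8383 bytes"),
        (primary[:1] != b"\x04", "primary key packet is not version 4"),
        (not uids, "key without user ID"),
        (len(emails) > 20, "key with more than 20 email addresses"),
        (sum(1 for t, _ in pkts if t == TAG_PUBLIC_SUBKEY) > 20, "key with more than 20 subkeys"),
    ]
    return [reason for failed, reason in checks if failed]

def packet(tag, body):   # new-format encoding for bodies under 8384 bytes; only used for the constructed samples
    n = len(body)
    hdr = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + hdr + body

# Constructed samples, not real keys: a dummy v4 primary key with one user ID, then 21 subkeys piled on top
GOOD_KEY = packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 50) + packet(TAG_USER_ID, b"Alice <alice@example.org>")
FLOODED_KEY = GOOD_KEY + b"".join(packet(TAG_PUBLIC_SUBKEY, b"\x04" + b"\x00" * 40) for _ in range(21))
```

The 8383 limit in the README matches the largest length a two-octet new-format packet header can express, so anything above it needs the five-octet form.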
