SKS Keyserver Network Under Attack

Robert J. Hansen, maintainer of the GnuPG FAQ, announced that in the last week of June 2019, unknown attackers launched a certificate-spamming attack against the SKS Keyserver Network. More specifically, it targeted two main contributors to the OpenPGP community, according to a post on GitHub Gist. Hansen himself (also known as "rjh") was one of the victims, while the second was Daniel Kahn Gillmor (also known as "dkg").

The attack exploited a deficiency in the OpenPGP protocol to "poison" Hansen and Gillmor's OpenPGP certificates.

According to Hansen's statement on the matter:

Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned. 

Unfortunately for PGP users, this attack cannot be alleviated by the SKS keyserver network within the foreseeable future; nor is it likely to be solved by the OpenPGP Working Group in any acceptable period of time. While there might be a solution to the problem included with future releases of OpenPGP software, there is no guaranteed timespan in which this will happen. The only conclusion at present is that users will have to stop retrieving data from the SKS keyserver network, lest they risk having their keys stolen (or worse). More details about this attack can be found at CVE-2019-13050: Certificate spamming attack against SKS key servers and GnuPG.

Given that many onion sites rely on PGP for authentication and encryption, this could potentially create huge risk factors for those who use it regularly (especially as a method of communicating confidential information). For the time being, until the flaws are corrected, it seems that PGP users will have to find some other workaround.

According to Hansen, on the official GitHub Gist:

At present I (speaking only for myself) do not believe the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately.

Users who are confident editing their GnuPG configuration files should follow the following process:

  1. Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
  2. Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.
  3. Add keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion so Tor gets used whenever it’s available.
  4. Run killall -HUP dirmngr so the change comes into force if dirmngr was already running.

keys.openpgp.org is a new experimental keyserver which is not part of the keyserver network and has some features which make it resistant to this sort of attack. It is not a drop-in replacement: it has some limitations (for instance, its search functionality is sharply constrained). However, once you make this change you will be able to run gpg --refresh-keys with confidence.
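
Steps 1 and 2 of the procedure above can be checked and applied by script. The following is an added example, not code from Hansen's gist or from GnuPG; the function names are hypothetical, and it assumes the GnuPG home directory is passed as the first argument (default ~/.gnupg) and that step 1 refers to the keyserver option itself, not keyserver-options.

```shell
# Added example: audit/apply steps 1 and 2 for one GnuPG home directory.
# Assumptions: function names are hypothetical; directory defaults to ~/.gnupg.
NEW_KS='hkps://keys.openpgp.org'

# True if FILE has a "keyserver <url>" option line (keyserver-options and
# commented-out lines do not count). With a second argument, only a line
# naming exactly that URL counts. A missing file counts as "no such line".
has_keyserver() {
    awk -v want="$2" '$1 == "keyserver" && (want == "" || $2 == want) { hit = 1 }
                      END { exit !hit }' "$1" 2>/dev/null
}

# Return 0 when the directory already matches steps 1 and 2, else 1.
audit_keyserver_config() {
    local home="${1:-$HOME/.gnupg}" rc=0
    if has_keyserver "$home/gpg.conf"; then
        echo "FAIL: keyserver line still present in $home/gpg.conf"; rc=1
    fi
    if ! has_keyserver "$home/dirmngr.conf" "$NEW_KS"; then
        echo "FAIL: keyserver $NEW_KS missing from $home/dirmngr.conf"; rc=1
    fi
    return "$rc"
}

# Apply steps 1 and 2, keeping a .bak copy of gpg.conf if it is changed.
apply_keyserver_config() {
    local home="${1:-$HOME/.gnupg}"
    mkdir -p -m 700 "$home"
    if has_keyserver "$home/gpg.conf"; then
        cp -p "$home/gpg.conf" "$home/gpg.conf.bak"
        awk '$1 != "keyserver"' "$home/gpg.conf.bak" > "$home/gpg.conf"
    fi
    if ! has_keyserver "$home/dirmngr.conf" "$NEW_KS"; then
        # Make sure the appended option starts on its own line.
        if [ -s "$home/dirmngr.conf" ] && [ -n "$(tail -c 1 "$home/dirmngr.conf")" ]; then
            echo >> "$home/dirmngr.conf"
        fi
        printf 'keyserver %s\n' "$NEW_KS" >> "$home/dirmngr.conf"
    fi
}
```

Source the file, then run audit_keyserver_config to see what is still outstanding and apply_keyserver_config to make the change. The script leaves steps 3 and 4 to the user, so killall -HUP dirmngr still has to be run afterwards.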

Hansen also suggests that if you know which certificate is poisoned, you can try to delete it. Following that, if your OpenPGP installation works, then the problem is solved (in your individual case at least). Subsequently, you should get hold of an unpoisoned copy of the certificate and import it. On the other hand, if you don't know which one has been poisoned, it's best to get a list of all your certificate IDs, delete the keyrings entirely, and rebuild using verified legitimate copies of the certificates.

Gillmor addressed this attack on his official blog, saying:

I've spent a significant amount of time over the years trying to push the ecosystem into a more responsible posture with respect to OpenPGP certificates, and have clearly not been as successful at it or as fast as I wanted to be. Complex ecosystems can take time to move.

To have my own certificate directly spammed in this way felt surprisingly personal, as though someone was trying to attack or punish me, specifically. I can't know whether that's actually the case, of course, nor do I really want to. And the fact that Robert J. Hansen's certificate was also spammed makes me feel a little less like a singular or unique target, but I also don't feel particularly proud of feeling relieved that someone else is also being "punished" in addition to me.

In the meantime, PGP users should tread with caution and follow the advice of the experts. Lamentably, it seems that there is no perfect resolution at the present time, and the consequences of this attack are likely to be catastrophic.