From: christopher@nescio.zerberus.de (Christopher Creutzig)

I think I have realized a serious flaw in PGPs key-handling. This may lead to people using and signing bogus keys despite the usual security measures.

The problem is that PGP fails to differentiate between two keys sharing the same 64-bit-Key-ID. It is not a real problem to generate a key with a given key-ID (just take a prime, invert the desired key-ID modulo this prime and look for another prime whose lower bits are the same as in the number you just calculated), so the following attack would be possible:

PGP checks specifically for the case of keys whose IDs match but the keys themselves differ. It has always been obvious that keys can easily be synthesized with given IDs. I added this warning in version 2.0 about four years ago, in the keyadd code: "\n\007Warning: Key ID %s matches key ID of key already on key ring '%s', but the keys themselves differ. This is highly suspicious. This key will not be added to ring. Acknowledge by pressing return: "

If the owner of the correct key does not give a fingerprint, but rather a disk with the correct key to the person you are trying to fool, his or her pgp won't ring alarm bells when reading the key (apart from possibly a failed signature), but rather will tell him the key is already there.

As you can see, it does in fact literally ring an alarm bell - the "\007" above is the ASCII bell character. Disclaimer: I have not worked on PGP since version 2.0 so possibly my code has been changed or eliminated, but I think that is unlikely. Hal Finney