Hacker News new | past | comments | ask | show | jobs | submit login

So how do I know if my key ID is 32 bit?



It's not a property of the key itself, it's about how we communicate about keys.

For example, consider the key of Ryan Lackey, who posts here on HN. Some people (and software) might refer to that key as D2E0301F, which is its 32-bit key ID. A more secure way to refer to the same key is

B8B8 3D95 F940 9760 C64B DE90 07AD BE07 D2E0 301F

which is called the fingerprint of the key. Both of these forms exist for every PGP key. Notice that the 32-bit key ID is the rightmost 32 bits of the fingerprint (D2E0 301F → D2E0301F. The problem with this is that it is easy (according to the linked article, now takes only four seconds) to make some other key that will also have 32-bit key ID D2E0301F, so if you tried to find or verify Ryan's key using only that ID, someone could trick you into using a fake one.

Another form sometimes used today is the 64-bit key ID, which is the rightmost 64 bits of the fingerprint (in Ryan's case, 07AD BE07 D2E0 301F → 07ADBE07D2E0301F).

Key IDs and key fingerprints have always both been part of PGP, but the idea was that you might use the key ID to download or talk about the key, and then use the fingerprint to verify that you had the right one. Some people have been skipping the second step, or might not even know it was ever there.


By its length, obviously. If something it 8 hex digits, it's 32-bit.

Key IDs are just a part of the fingerprint, last 8 hex digits of the full 160-bit one. That is, the 32-bit ID is "2A8E4C02" while the full hash is "67819B343B2AB70DED9320872C6464AF2A8E4C02". The problem is, as article shows, finding another SHA-1 hash that ends with the same digits is relatively easy.

Fortunately, as I've heard, there are no known (at least, no publicly known) second preimage attacks on SHA-1, so comparing whole hashes should be fine for a time being. But as I'M NOT A CRYPTOGRAPHER, please consult a cryptographer on this and take my words with a grain of salt.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: