sks-devel

Analyzing dumps (Was: 6 million)


From: Kiss Gabor (Bitman)
Subject: Analyzing dumps (Was: 6 million)
Date: Sun, 3 May 2020 11:15:56 +0200 (CEST)
User-agent: Alpine 2.11 (DEB 23 2013-08-11)

On Sat, 2 May 2020, Wiktor Kwapisiewicz wrote:

> On 02.05.2020 07:55, Gabor Kiss wrote:
> > I would create such programs from scratch but I cannot
> > find even the format description of the dump file. :-(
> 
> Last time I checked dumps were just packet piles so any OpenPGP tool
> could read it.

Thanks again for the hint.

I wrote a small Perl script to see what is in dump files
at http://keys.niif.hu/keydump/. (Server is managed by me.)

I found broken dumps. Certain RFC-4880 packets are truncated. For example
let's see signatures of key 0x7cec0e7c93115f7e:

00483ad0     89 01 22 04 10 01 02  00 0c 05 02 44 cf db 85  |..."........D...|
00483ae0  05 03 00 93 89 01 22 04  10 01 02 00 0c 05 02 4d  |......"........M|

We can see a signature packet starting at 00483ad1.
(89 01 22 is a typical old style packet header.) Its length should be
0x122 octets, however it breaks in the middle of the second subpacket starting
at 00483ae0. A new packet starts at 00483ae4 but my simple parser cannot
detect this and gets confused.
(Unfortunately such a truncated packet may block the import procedure
also on a newly set up key server, I guess.)

I cannot imagine how this dump could be created.
Could the attacker upload broken packets or is it "sks dump"
that garbled the dump file? Or did the file become bad during
compression/decompression?

Another observation: some keys have an enormous amount of signatures.
"Yegor Timoshenko <address@hidden>" may be a recorder
with 174612 sigs. This is one of the poisoned keys, isn't it?

Gabor
-- 
No smoke, no drugs, no vindoze.
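
An added example, not part of the original message and not Gabor's Perl script: a Python sketch of a dump walker that notices when a packet's declared length does not land on another plausible header and resynchronizes on the next offset where a whole packet fits. The function names, the set of expected tags and the zero filler in the sample are assumptions of this example; only the leading octets of each sample packet come from the hex excerpt above.

```python
KEY_TAGS = {2, 6, 13, 14, 17}  # RFC 4880 tags expected in a public key dump (assumption)

def read_header(data, pos):
    """Return (tag, header_len, body_len) at pos, or None if no plausible header."""
    if pos >= len(data) or not data[pos] & 0x80:
        return None
    first, rest = data[pos], data[pos + 1:pos + 6]
    if first & 0x40:                                   # new-format header
        tag = first & 0x3F
        if rest and rest[0] < 192:
            hlen, blen = 2, rest[0]
        elif len(rest) >= 2 and rest[0] < 224:
            hlen, blen = 3, ((rest[0] - 192) << 8) + rest[1] + 192
        elif len(rest) >= 5 and rest[0] == 255:
            hlen, blen = 6, int.from_bytes(rest[1:5], "big")
        else:
            return None                                # partial body lengths not handled
    else:                                              # old-format header, e.g. 89 01 22
        tag = (first >> 2) & 0x0F
        nlen = (1, 2, 4, 0)[first & 3]                 # 0 marks indeterminate length
        if nlen == 0 or len(rest) < nlen:
            return None
        hlen, blen = 1 + nlen, int.from_bytes(rest[:nlen], "big")
    return (tag, hlen, blen) if tag in KEY_TAGS else None

def fits(data, pos):
    """True if a packet at pos ends exactly at EOF or at another plausible header."""
    hdr = read_header(data, pos)
    end = pos + hdr[1] + hdr[2] if hdr else -1
    return hdr is not None and (end == len(data) or read_header(data, end) is not None)

def walk(data):
    """List (offset, tag, declared_body_len, body_octets_present) per packet."""
    out, pos = [], 0
    while pos < len(data):
        tag, hlen, blen = read_header(data, pos) or (None, 0, 0)
        if fits(data, pos):
            nxt = pos + hlen + blen
        else:  # heuristic resync: first later offset where a whole packet fits
            nxt = next((q for q in range(pos + 1, len(data)) if fits(data, q)), len(data))
        out.append((pos, tag, blen, max(0, nxt - pos - hlen)))
        pos = nxt
    return out

# Constructed sample: the truncated signature from the excerpt (19 octets), then a second
# signature packet that starts with the excerpt's octets and is padded with zero filler.
SAMPLE = bytes.fromhex("89012204100102000c050244cfdb8505030093" "89012204100102000c05024d") + bytes(281)

if __name__ == "__main__":
    for off, tag, want, got in walk(SAMPLE):
        print(f"{off:#06x} tag={tag} declared={want} present={got}", "" if want == got else "<-- damaged")
```

The resync is a one-packet lookahead heuristic, so two damaged packets in a row are reported as a single damaged span.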


