GnuPG Smartcard and Authentication Key
volker at ixolution.de
Fri Jun 2 23:13:10 CEST 2006
* On Sun, 28 May 2006 23:12:34 +0200,
* Volker Dormeyer <volker at ixolution.de> wrote:
* On Sun, 28 May 2006 16:30:55 -0400,
* David Shaw <dshaw at jabberwocky.com> wrote:
> On Sun, May 28, 2006 at 08:24:14PM +0200, Volker Dormeyer wrote:
>> Hello all,
>> recently I received a message which is encrypted with my public
>> authentication key instead of my encryption key.
>> I wonder how this can happen, because I thought GnuPG does not use the
>> authentication key as encryption key. Am I wrong?
>> Further, I am not able to decrypt the message. I tried it manually with
>> "--try-all-secrets", but it doesn't seem to work. Basically it should
>> work. I mean, I have the authentication private key.
> This is unfortunately turning into a FAQ. Basically, you've run into
> an old PGP bug. It was recently fixed (I don't recall exactly in what
> version), but there are countless installations of PGP that predate
> the fix.
> This is what I read in the gnupg-users archive before I send the
> question. I have to admit, I do not understand exactly, because I know
> that the user who sent me the message is using GnuPG. It shows
> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
Just thought a bit about it...
Is it possible, that GnuPG prior to version 1.4 was not able to
interpret those "key flags"? I didn't use an authentication with
versions prior to 1.4 for myself.
> in the ASCII armored cipher text.
> OpenPGP keys have "key flags" that indicate what a key is to be used
> for (encryption, signing, or authentication). GnuPG honors these
> flags and will not encrypt to any key that isn't marked for
> encryption. The bug is that PGP is not properly looking at the key
> and will happily encrypt to a signing or authentication key.
> I am aware of the different "key flags". This was the reason why I
> wondered how this could be happen.
> As to what you can do about it, your best bet is to contact the sender
> and ask for a retransmission encrypted to the proper key. It might be
> possible to write a program that can essentially trick the smartcard
> into decrypting the message by pretending it is a signature that needs
> to be verified but it depends on how exactly the card handles
> signatures. In any event, no such program exists today.
Volker Dormeyer <volker at ixolution.de>
Join the Fellowship and protect your Freedom! (http://www.fsfe.org)
More information about the Gnupg-users