Problems with private keyring?

Florian Weimer fw@deneb.enyo.de
Thu Mar 22 20:34:21 2001


Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE> writes:


> If you're paranoid, you can apply the following patch (for RSA keys,
> DSA keys have to wait until tomorrow). It should fix the problem (if
> a problem exists at all).

Additional information has become available:

http://www.i.cz/pdf/pgp/OpenPGP_attack_CZ.pdf

Even in English:

http://www.i.cz/en/pdf/openPGP_attack_ENGvktr.pdf

The first attack is targeted at the unprotected public key contained in the secret key packet. The public key is changed by the attacker, and when the victim computes a (broken) signature using the broken public and secret (protected by the passphrase) key combination, the attacker can recover the secret portion of the signature. A very interesting attack, which is primarily targeted at DSA keys (GnuPG is vulnerable to this with DSA keys, but not with RSA keys).

The paper describes two additional attacks against RSA keys which affect GnuPG as well. I missed these attacks browsing the Czech version of the paper, and my previous claim that an unpatched GnuPG version was not vulnerable is *false*. Sorry about that.

The additional checks introduced by my patch are very similar to the checks Klima and Rosa propose. A slightly updated and signed version is available at:

http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff
http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff.asc

Unfortunately, the situation with DSA signatures is much, much worse. IMHO, the protected data is probably not sufficient to validate the unprotected data, so the way the secret key is stored has to be changed completely. This is going to introduce incompatibilities, and I don't think I'm in a position to do this, so no further patches from me, sorry. :-/
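An added illustration, not part of the original post and not the contents of the patch linked above: one way to check that the unprotected RSA public fields still match the passphrase-protected secret fields before a signature is released. The function names and the toy key are constructed for this example; the field layout (n, e public; d, p, q, u secret, with u = p^-1 mod q) is the OpenPGP RSA key format.

```python
from math import gcd

# Constructed toy key (far too small for real use): p=61, q=53.
TOY_KEY = dict(n=3233, e=17, d=413, p=61, q=53, u=20)


def rsa_key_consistent(n, e, d, p, q, u):
    """True only if the unprotected public fields (n, e) agree with the
    protected secret fields (d, p, q, u)."""
    if p <= 1 or q <= 1 or p == q:
        return False
    if n != p * q:                      # modulus swapped or altered
        return False
    if (u * p) % q != 1:                # u must be p^-1 mod q
        return False
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return e > 1 and (e * d) % lam == 1  # exponent swapped or altered


def sign_checked(m, n, e, d, p, q, u):
    """Raw RSA signature on the integer m (0 <= m < n). The value is
    returned only if the key is consistent and the signature verifies
    under the same (n, e) that will be published with it."""
    if not rsa_key_consistent(n, e, d, p, q, u):
        raise ValueError("public and secret key fields do not match")
    s = pow(m, d, n)
    if pow(s, e, n) != m:               # verify-after-sign
        raise ValueError("signature failed self-verification")
    return s


if __name__ == "__main__":
    print("intact key:", rsa_key_consistent(**TOY_KEY))
    tampered = dict(TOY_KEY, n=TOY_KEY["n"] + 2)   # constructed tampering
    print("tampered modulus:", rsa_key_consistent(**tampered))
    print("signature on 65:", sign_checked(65, **TOY_KEY))
```

For RSA the secret fields determine the public ones, which is what makes this check possible; the post's point about DSA is that the protected data may not offer the same leverage.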