PGP Bug Solution?

Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
Mon Mar 26 14:28:11 2001


Arno Wagner <wagner@tik.ee.ethz.ch> writes:

> > If that is the case, could not GPG attempt to validate a signature
> > when created, and ring alarm bells if the signature does not verify?
>
> The problem here is that somebody that can write the private key can
> most likely also write the public key. As far as I understand it,
> the public key might require more than the change of the modulus
> (does it? not sure), but it should be computationally feasible
> to create a public key that will check out.

It is possible that such an attack against OpenPGP DSA keys exists.

> So signatures will only fail at sites that have the correct public key.
> I am not sure such a check would add to the security.

However, with RSA keys, it's possible to reconstruct the public key
from the encrypted secret key and to perform some integrity checks
which detect tampered encrypted secret keys.

With RSA keys, the verification of computed signatures is a must
because computation errors can easily lead to a factorization of the
modulus.

-- 
Florian Weimer                    Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
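
The two RSA safeguards mentioned in the message above, as an added example that is not part of the original post and not GnuPG's code: a consistency check between the public and secret key fields, and verification of a CRT-computed signature before it is released. The function names, the toy key and the `fault` parameter are assumptions constructed for the illustration; padding and hashing are left out.

```python
from math import gcd

# Constructed toy key (far too small for real use): n = p*q, e*d = 1 mod lcm(p-1, q-1)
P, Q, N, E, D = 61, 53, 3233, 17, 2753


class SignatureCheckFailed(Exception):
    """Raised instead of returning a signature that must not leave the signer."""


def check_rsa_key(n, e, d, p, q):
    """Check that decrypted secret fields (d, p, q) match the public fields (n, e)."""
    if p <= 1 or q <= 1 or p * q != n:
        return False  # modulus does not match the stored primes
    lam = (p - 1) // gcd(p - 1, q - 1) * (q - 1)
    return (e * d) % lam == 1  # exponents must be inverses of each other


def sign_crt(m, d, p, q, fault=0):
    """Textbook RSA-CRT signature of integer m.

    `fault` is XORed into the mod-p half to simulate a computation
    error (hypothetical parameter, only for this demonstration).
    """
    sp = pow(m, d % (p - 1), p) ^ fault
    sq = pow(m, d % (q - 1), q)
    h = (pow(q, -1, p) * (sp - sq)) % p  # Garner recombination
    return sq + q * h


def sign_checked(m, n, e, d, p, q, fault=0):
    """Sign m, but release the result only if key and signature both check out."""
    if not check_rsa_key(n, e, d, p, q):
        raise SignatureCheckFailed("secret key fields inconsistent with public key")
    s = sign_crt(m, d, p, q, fault)
    if pow(s, e, n) != m % n:
        raise SignatureCheckFailed("computed signature does not verify; withheld")
    return s


if __name__ == "__main__":
    print("good signature:", sign_checked(65, N, E, D, P, Q))
    for label, kwargs in (("faulty computation", {"fault": 1}), ("tampered prime", {"p": 59})):
        args = {"n": N, "e": E, "d": D, "p": P, "q": Q, **kwargs}
        try:
            sign_checked(65, **args)
        except SignatureCheckFailed as exc:
            print(label, "->", exc)
```
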