Problems with private keyring?

Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE
Wed Mar 21 23:54:04 CET 2001


"Pawe³ Brodacki" <p_brodacki at gask.pl> writes:

>         I did not find any post about it here, so I would like to ask about 
> what I've found here: http://www.i.cz/en/onas/tisk4.html. Two Czechs
> claim they can extract private keys from GPG (and PGP) rings.       

If you're paranoid, you can apply the following patch (for RSA keys,
DSA keys have to wait until tomorrow).  It should fix the problem (if
a problem exists at all).

In general, GnuPG should stop operation if public and secret keys do
not match (currently, only a warning is printed), and generated
signatures should be checked using the public key (this protects
against bugs in the MPI implementation as well).


Index: rsa.c
===================================================================
RCS file: /var/cvs/rus-cert/gnupg/cipher/rsa.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 rsa.c
--- rsa.c	2000/11/22 13:19:35	1.1.1.1
+++ rsa.c	2001/03/21 22:29:42
@@ -165,18 +165,50 @@
 
 /****************
  * Test wether the secret key is valid.
- * Returns: true if this is a valid key.
+ * Returns: zero if this is a valid key.
  */
 static int
 check_secret_key( RSA_secret_key *sk )
 {
-    int rc;
-    MPI temp = mpi_alloc( mpi_get_nlimbs(sk->p)*2 );
+    int rc = 1;
+    MPI temp    = mpi_alloc_secure ( mpi_get_nlimbs(sk->p) + mpi_get_nlimbs(sk->q) );
+    MPI p_1     = mpi_copy (sk->p); /* (p-1) */
+    MPI q_1     = mpi_copy (sk->p); /* (q-1) */
+    MPI p_1_q_1 = mpi_alloc_secure ( mpi_get_nlimbs(sk->p) + mpi_get_nlimbs(sk->q) ); /* (p-1)(q-1) */
 
+    /* Calculate (p-1)(q-1) */
+    mpi_sub_ui(p_1, p_1, 1);
+    mpi_sub_ui(q_1, q_1, 1);
+    mpi_mul(p_1_q_1, p_1, q_1);
+
+    /* Check pq = n. */
     mpi_mul(temp, sk->p, sk->q );
-    rc = mpi_cmp( temp, sk->n );
+    if( 0 != mpi_cmp(temp, sk->n ) )
+	goto end;
+	
+    /* Check gcd(e, (p-1)(q-1)) = 1. */
+    if( ! mpi_gcd(temp, sk->e, p_1_q_1) )
+	goto end;
+
+    /* Check de == 1 (mod (p-1)(q-1)), i.e. d = e^-1. */
+    mpi_mulm(temp, sk->d, sk->e, p_1_q_1);
+    if( 0 != mpi_cmp_ui(temp, 1))
+	goto end;
+
+    /* Check up == 1 (mod q). */
+    mpi_mulm(temp, sk->u, sk->p, sk->q);
+    if( 0 != mpi_cmp_ui(temp, 1))
+	goto end;
+
+    /* Success.  Fall through to deallocation code. */
+    rc = 0;
+
+ end:
     mpi_free(temp);
-    return !rc;
+    mpi_free(p_1);
+    mpi_free(q_1);
+    mpi_free(p_1_q_1);
+    return rc;
 }
 
 

-- 
Florian Weimer 	                  Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898



More information about the Gnupg-devel mailing list