PGP Bug Solution?

Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE
Mon Mar 26 15:28:11 CEST 2001

Arno Wagner <wagner at> writes:
> > If that is the case, could not GPG attempt to validate a signature
> > when created, and ring alarm bells if the signature does not verify?
> The problem here is that somebody that can write the private key can 
> most likely also write the public key. As far as I understand it, 
> the public key might require more than the change of the modulus 
> (does it? not sure), but it should be computationally feasible 
> to create a public key that will check out. 

It is possible that such an attack against OpenPGP DSA keys exists.

> So signatures will only fail at sites that have the correct public key. 
> I am not sure such a check would add to the security. 

However, with RSA keys, it's possible to reconstruct the public key
from the encrypted secret key and to perform some integrity checks
which detect tampered encrypted secret keys.

With RSA keys, the verification of computed signatures is a must
because computation errors can easily lead to a factorization of the

Florian Weimer 	                  Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart 
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

More information about the Gnupg-devel mailing list