ROCA detection in GnuPG

Kristian Fiskerstrand kristian.fiskerstrand at
Tue Oct 17 13:52:50 CEST 2017

On 10/17/2017 09:01 AM, Werner Koch wrote:
> I wondered on how to best implement this in GnuPG: We have no central
> place to test _public_ keys and thus a check needs to be implemented in
> gpgsm, and gpg.  I expect that OpenSSH will provide a tool to check ssh
> public keys, thus there is no need for us to do that in gpg-agent.

I'm somewhat ambivalent on this issue as well. On one side, we likely
want to implement all kinds of protection methods we're aware of and can
possibly fathom, even if it increases import time and complexity; on
the other side, at least from the details I've seen, this attack is
very specific to the bias of the implementation of the Infineon
library, whereby the remainder from division on small primes can be
reasonably identified. This means any protection for the overall
user base would be marginal, as it isn't a generic class or a new attack
on RSA. For that reason alone, a stand-alone tool for testing is better
than a test that always happens in gnupg.

But the greater concern is, given users' apparent behavior, will they
consider this a proof of good entropy of the key as long as it is not
rejected? And we're entering into territory with even more technical /
algorithmic focus, whereby the real improvements to security likely
relate to proper definition of threat models and operational security
considerations to begin with.

Kristian Fiskerstrand
Twitter: @krifisk
Public OpenPGP keyblock at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
"Whatever you do in life, surround yourself with smart people who'll
argue with you."
John Wooden
