ROCA detection in GnuPG
Werner Koch
wk at gnupg.org
Tue Oct 17 21:19:38 CEST 2017
On Tue, 17 Oct 2017 16:33, fgrieu at gmail.com said:
> The ROCA test can have false positives, with probability 1/238878720
> that a perfectly fine RSA key raises an alarm. See details at
Indeed. Thus we should not reject such a key but at best print a
warning.
What I did today is a new option --with-key-screening, which can be used
to detect such keys by doing a keylisting in gpg and gpgsm. It is in
master and allows for fast scanning:
$ gpg -k --with-key-screening --with-colons | gawk -F: \
'$1~/pub|sub|sec|ssb|crt/ && $18~/\<6001\>/ {found=1;next};
$1=="fpr" && found {print $10}; {found=0}'
The same works for gpgsm. Note that we need gawk due to the "\<" in the
r.e. This adds a framework which should make it easy to add such scans
in the future. Note that this does not only work with "-k" but also
with "--import-options show-only --import" to avoid the need for
importing a key.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
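The gawk pipeline in the mail, reimplemented here as an added Python example (not code from the post or from GnuPG) so the per-record logic is visible: a key record (pub/sub/sec/ssb/crt) whose compliance field (field 18 of the --with-colons format) contains the token 6001 marks the immediately following fpr record (fingerprint in field 10) as a ROCA screening hit. The listing it parses is constructed sample data with made-up key IDs and fingerprints, not real keys; the field positions are the ones the pipeline in the mail uses.

```python
"""Report keys flagged by gpg's --with-key-screening in --with-colons output.

Added example, not code from the gnupg-devel post or from GnuPG itself.
Field numbers follow the gawk pipeline in the mail: field 18 carries the
compliance flags (6001 = ROCA screening hit), field 10 of an "fpr" record
carries the fingerprint. SAMPLE_LISTING is constructed test data.
"""

KEY_RECORDS = {"pub", "sub", "sec", "ssb", "crt"}
ROCA_FLAG = "6001"  # compliance flag value gpg uses for a ROCA screening hit

# Constructed listing: two flagged keys (a primary and a subkey) and one
# clean primary key. Key IDs and fingerprints are placeholders.
SAMPLE_LISTING = """\
tru::1:1508267000:0:3:1:5
pub:u:2048:1:AAAAAAAAAAAAAAAA:1508260000:::u:::scESC::::::23 6001::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1508260000::HASH1::Constructed Test One <one@example.invalid>::::::::::0:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1508260000::::::e::::::23 6001::0:
fpr:::::::::0000000000000000000000000000000000000002:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1508261000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:u::::1508261000::HASH2::Constructed Test Two <two@example.invalid>::::::::::0:
"""


def compliance_flags(fields):
    """Return the space-separated compliance tokens of field 18 as a set.

    Whole-token matching mirrors the \\<6001\\> word boundaries in the gawk
    regex, so a flag such as '16001' would not be mistaken for 6001.
    """
    if len(fields) > 17:
        return set(fields[17].split())
    return set()


def roca_hits(listing):
    """Return (record type, key id, fingerprint) for every key carrying 6001.

    Like the gawk script, the flag seen on a key record only applies to the
    very next record; any other intervening record clears it.
    """
    hits = []
    pending = None  # (record type, key id) of a flagged key awaiting its fpr
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype in KEY_RECORDS:
            if ROCA_FLAG in compliance_flags(fields):
                pending = (rtype, fields[4])
            else:
                pending = None
            continue  # the gawk 'next': skip the reset below
        if rtype == "fpr" and pending is not None:
            fingerprint = fields[9] if len(fields) > 9 else ""
            hits.append((pending[0], pending[1], fingerprint))
        pending = None
    return hits


def flagged_fingerprints(listing):
    """The same output the gawk pipeline prints: one fingerprint per hit."""
    return [fingerprint for _, _, fingerprint in roca_hits(listing)]


if __name__ == "__main__":
    # Replace SAMPLE_LISTING with sys.stdin.read() to scan real
    # 'gpg -k --with-key-screening --with-colons' output.
    for rtype, keyid, fpr in roca_hits(SAMPLE_LISTING):
        print(f"warning: ROCA screening hit on {rtype} {keyid} ({fpr})")
```

Because the test has a small false-positive rate, the script only prints a warning for each hit, matching the mail's advice not to reject such keys outright.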