Relax :-) [was: Re: openpgp bug]

Nils Ellmenreich Nils@infosun.fmi.uni-passau.de
Thu Mar 22 18:33:02 2001 


>>>"FW" == Florian Weimer <fw@deneb.enyo.de> writes:


 FW> GnuPG is *not*
 FW> vulnerable to the described attack if you use RSA keys.  At the
 FW> moment, I'm not sure if the attack works against DSA keys; GnuPG

I don't quite understand your point. The document describes attacks
against RSA signature keys in format v3 and v4 and DSA signature keys
v4. The last one is being used in GnuPG by default, RSA v3 keys could be
imported from PGP. The attack was performed using PGP 7.0.3 and seems to
work because of insufficient integrity checking - PGP did not notice
that the private key was tampered with.

However, the authors describe simple integrity checks that can prevent
this attack. OpenPGP does not specify any of them, so the standard might
have to be revised. PGP 7.0.3 does some, but apparently not
enough. After having had a brief look at the GnuPG source, it seems to
me that GnuPG does some basic integrity checking. More detailed
inspection will show whether or not it's enough, and therefore, whether
GnuPG is vulnerable at all. I expect Werner will do this after he has
returned.

To sum it all up (at least, from my view ;-):

1. So far, it is unclear whether GnuPG is affected at all.

   We'll know in a few days.

2. An attack would probably be noticed.

   The attack requires the modification of the private key ring and the
   subsequent capture of a signed message. It may then lead to to
   compromise of the signature key. The attack will not go unnoticed
   because signatures with the modified key won't verify.

3. You have to protect your private key anyway. Then you're safe from
   this. 

   It is crucial to the security of an public key cryptosystem that you
   guard your secret key. If you prevent the attacker from accessing
   your private key, this attack won't work. However: as stated in other
   mails, if the attacker has access to your system in order to modify
   your key, has has other, possibly simpler ways of comprimising your key.

Therefore, the attack, if possible on GnuPG at all, has minor
impact. You do guard your private key, right? :-) I perfectly know that
people are using GnuPG on multiuser systems where they can't really
protect their private key. That's ok, but they have to know that they're
risking a compromise anyway, regardless of this attack.

So, the bottom line is that on a multiuser system, the use of GnuPG/PGP
has already not been very secure (and probably will never be). This
attack has made it even a little bit less secure, but didn't change the
situation fundamentally.

I expect for the future that OpenPGP implementations will improve their
integrity checks for key data (and maybe even change the packet format)
to prevent attacks like this one.

Besides, it would have been nice of the authors if they had contacted
OpenPGP developers ahead of time - and not making a press conference
right at the start of CeBIT, only to present details of their attack a
few days later.

Cheers, Nils
-- 
Nils Ellmenreich, Lst. f. Programmierung, Universitaet Passau, Germany