Relax :-) [was: Re: openpgp bug]

Nils Ellmenreich
Thu Mar 22 18:33:02 2001

>>>"FW" == Florian Weimer <> writes:
FW> GnuPG is *not* FW> vulnerable to the described attack if you use RSA keys. At the FW> moment, I'm not sure if the attack works against DSA keys; GnuPG I don't quite understand your point. The document describes attacks against RSA signature keys in format v3 and v4 and DSA signature keys v4. The last one is being used in GnuPG by default, RSA v3 keys could be imported from PGP. The attack was performed using PGP 7.0.3 and seems to work because of insufficient integrity checking - PGP did not notice that the private key was tampered with. However, the authors describe simple integrity checks that can prevent this attack. OpenPGP does not specify any of them, so the standard might have to be revised. PGP 7.0.3 does some, but apparently not enough. After having had a brief look at the GnuPG source, it seems to me that GnuPG does some basic integrity checking. More detailed inspection will show whether or not it's enough, and therefore, whether GnuPG is vulnerable at all. I expect Werner will do this after he has returned. To sum it all up (at least, from my view ;-): 1. So far, it is unclear whether GnuPG is affected at all. We'll know in a few days. 2. An attack would probably be noticed. The attack requires the modification of the private key ring and the subsequent capture of a signed message. It may then lead to to compromise of the signature key. The attack will not go unnoticed because signatures with the modified key won't verify. 3. You have to protect your private key anyway. Then you're safe from this. It is crucial to the security of an public key cryptosystem that you guard your secret key. If you prevent the attacker from accessing your private key, this attack won't work. However: as stated in other mails, if the attacker has access to your system in order to modify your key, has has other, possibly simpler ways of comprimising your key. Therefore, the attack, if possible on GnuPG at all, has minor impact. You do guard your private key, right? :-) I perfectly know that people are using GnuPG on multiuser systems where they can't really protect their private key. That's ok, but they have to know that they're risking a compromise anyway, regardless of this attack. So, the bottom line is that on a multiuser system, the use of GnuPG/PGP has already not been very secure (and probably will never be). This attack has made it even a little bit less secure, but didn't change the situation fundamentally. I expect for the future that OpenPGP implementations will improve their integrity checks for key data (and maybe even change the packet format) to prevent attacks like this one. Besides, it would have been nice of the authors if they had contacted OpenPGP developers ahead of time - and not making a press conference right at the start of CeBIT, only to present details of their attack a few days later. Cheers, Nils -- Nils Ellmenreich, Lst. f. Programmierung, Universitaet Passau, Germany