Relax :-) [was: Re: openpgp bug]

Florian Weimer fw@deneb.enyo.de
Thu Mar 22 21:10:01 2001


Nils@infosun.fmi.uni-passau.de (Nils Ellmenreich) writes:


> FW> GnuPG is *not*
> FW> vulnerable to the described attack if you use RSA keys. At the
> FW> moment, I'm not sure if the attack works against DSA keys; GnuPG
>
> I don't quite understand your point. The document describes attacks
> against RSA signature keys in format v3 and v4 and DSA signature keys
> v4. The last one is being used in GnuPG by default, RSA v3 keys could be
> imported from PGP. The attack was performed using PGP 7.0.3 and seems to
> work because of insufficient integrity checking - PGP did not notice
> that the private key was tampered with.

Sorry. I missed the second and third attack, and my claim that GnuPG is not vulnerable is indeed *false*.

> 1. So far, it is unclear whether GnuPG is affected at all.

It is affected by all attacks. The following patch should address the problem with RSA keys:

http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff
http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff.asc

The additional checks should make an attack considerably more complicated. (This patch is quite similar to yesterday's wild guess.)

However, the situation with DSA is quite hopeless.

A short German summary of the situation is available at:

http://cert.uni-stuttgart.de/ticker/article.php?mid=293

> 2. An attack would probably be noticed.

Software failures are so common that they are ignored. :-/

> Besides, it would have been nice of the authors if they had contacted
> OpenPGP developers ahead of time - and not making a press conference
> right at the start of CeBIT, only to present details of their attack a
> few days later.

Perhaps the attack was presented at the Minneapolis IETF meeting. There was some discussion about this attack, but I don't know if the attendees had access to the paper.
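
Added example, not part of the original message and not the contents of the linked patch: one way a signer can check RSA secret-key fields for mutual consistency and verify its own signature before releasing it, the kind of integrity checking whose absence is discussed above. The function names and the toy key are constructed for illustration; the field `u` is assumed to follow the OpenPGP convention u = p^-1 mod q.

```python
# Added example: consistency checks for RSA secret-key fields (toy key, constructed).
from math import gcd


def rsa_secret_key_problems(n, e, d, p, q, u):
    """Return the consistency checks that the secret-key fields fail."""
    if p <= 1 or q <= 1 or p * q != n:
        return ["n != p*q"]  # later checks are meaningless without this
    problems = []
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    if (e * d) % lam != 1:
        problems.append("e*d != 1 mod lcm(p-1, q-1)")
    if not 0 < u < q or (u * p) % q != 1:
        problems.append("u != p^-1 mod q")
    return problems


def sign_checked(m, n, e, d, p, q, u):
    """Raw RSA-CRT signature on integer m; refuses to release a bad result."""
    problems = rsa_secret_key_problems(n, e, d, p, q, u)
    if problems:
        raise ValueError("inconsistent secret key: " + ", ".join(problems))
    sp = pow(m, d % (p - 1), p)
    sq = pow(m, d % (q - 1), q)
    s = sp + p * ((u * (sq - sp)) % q)  # recombine using u = p^-1 mod q
    if pow(s, e, n) != m % n:
        raise ValueError("signature failed self-verification")
    return s


# Constructed toy key (far too small for real use).
P, Q, E, D = 61, 53, 17, 2753
N, U = P * Q, pow(P, -1, Q)

if __name__ == "__main__":
    print(rsa_secret_key_problems(N, E, D, P, Q, U))      # consistent key
    print(rsa_secret_key_problems(N, E, D, P, Q, U + 1))  # modified field
    print(sign_checked(65, N, E, D, P, Q, U))
```

Checks like these only detect inconsistency among the fields; they do not replace an integrity check over the stored secret key as a whole.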