Translation: Key Management - BSI had send private key instead of public key

Keine Eile keine-eile at
Thu Nov 18 08:58:05 CET 2021

**Translated by Google**

BSI sends private PGP keys
Public and private keys apparently also confused the BSI. That sent a private key, but with password protection.

An exclusive message from Hanno Böck will be published on November 15, 2021, 2:30 p.m.

Is it a public key or a private key? Public key encryption is confusing.
The use of mail encryption by means of the OpenPGP standard is often considered to be complicated, which is one of the reasons why it has so far not been able to gain broad acceptance. This was apparently also confusing for the Federal Office for Information Security (BSI): It accidentally sent a private PGP key.

Someone had asked the BSI's contact e-mail address for product approval to send them a PGP key in order to be able to communicate with the authorities in encrypted form. In response, however, the person received a private PGP key rather than a public PGP key, as expected.

The BSI confirmed the incident to "In fact, a file was sent that contained a corresponding private key."

Luck in misfortune: a hopefully secure password
PGP-based encryption works with so-called public key cryptography. Different keys are used for encryption and decryption. The public key can be sent to communication partners who can use it to encrypt. You have to keep the private key to yourself, it is used for decryption.

Bad luck for the BSI: The private key sent was password-protected. The severity of the incident therefore depends on how secure the password is. Password-protected private keys can sometimes be cracked with a brute force attack, but this is only practicable with rather weak passwords.

The BSI informed "that the mentioned password protection fulfills a very high level. In addition, attachments requiring protection are also encrypted with chiasmus. The BSI is therefore currently assuming that there is no specific risk to information security."

BSI was still using keys months after the incident
At first, the incident was not taken seriously at the BSI. The person to whom the key was sent immediately informed the authorities. But the BSI continued to use the key for several months.

It was only after a request from to the BSI's press office that the key was replaced. "A new PGP key was immediately generated for the mailbox mentioned," replied the BSI. "The associated public key and a revocation certificate for the old PGP key will now be successively distributed to the respective contact person."

More information about the Gnupg-users mailing list