Bugtraq mailing list archives
Yes, they have found a serious PGP vulnerability...sort of
From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Tue, 20 Mar 2001 21:16:08 +0100
ICZ has published some real information about their new attack against (Open)PGP. Their announcement, in the English language, can be found at http://www.i.cz/en/onas/tisk4.html. They say they will make a research paper available at http://www.i.cz/ soon.

They stress how bad the problem is but there is an important detail you should not miss: in order to exploit the vulnerability, you must be able to modify a file containing your victim's encrypted private key in a special way (and get one message signed with that "bugged" key). Well, it is true such a thing can often be "performed without knowledge of the user's passphrase" ("behind the user's back" is a more colourful phrase used in the Czech version of the press release) but if anyone can modify your files without your consent, he can *probably* steal your private key and other sensitive data in 42 different ways.

The vulnerability is said to be inherent to the OpenPGP format. It seems that the integrity of OpenPGP encrypted private ("secret" in somewhat confusing RFC 2440 lingo) key blocks is protected by a rather lame 16-bit checksum only (see RFC 2440, section 5.5.3, Secret Key Packet Formats), and I guess the problem lies here. Perhaps their attack is something like a combination of the attack against Chinese remainder theorem-based implementations of RSA in the presence of computational errors and the SSH1 CRC compensation attack.

Anyway, there is *probably* a rather simple defence: make your software check generated digital signatures against corresponding public keys automatically. It is unlikely an attacker could find a (feasible) way to modify both an unencrypted public key and a private key encrypted using an unknown passphrase to pass such a check. As a free bonus, you will make your software more resistant to fault cryptanalysis in general.

--Pavel Kankovsky aka Peak
[ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."