Bugtraq mailing list archives
Re: Have they found a serious PGP vulnerability?!
From: Peter Hanecak <hanecak () MEGALOMAN COM>
Date: Wed, 21 Mar 2001 10:36:01 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, On Tue, 20 Mar 2001, Pavel Kankovsky wrote:
No details are available right now and the data included in the article seems to be partially self-contradicting (on the other hand, it can be just a result of standard journalistic post-production). They say there will be a press conference today (March 20) at 15:00 MET where ICZ people will shed more light on this issue.
ICZ's press statement can be found here: http://www.icz.cz/onas/tisk4.html It is in czech.
Personally, I think they have found some new obscure attack (perhaps some side-channel attack) that can be used when some bizzare conditions are met, or maybe they have reinvented the wheel, and have discovered a Trojan horse can steal private keys when PGP decrypts them in order to be able to use them.
If I'm correct, I can summarize information found at http://www.icz.cz/onas/tisk4.html as follows: They found a way how to calculate victims private key from victims encrypted private key file and at least one signad message (signed by that private key). It takes small modification of private key file and about half a second of calculation on commom PC. So to succesfully perform attack their way, you have to: 1) obtain victims private key file 2) obtain at least one message signed by above key 3) have knowleddge and tools those ICZ folks have 4) apply 3 on 1 and 2 Attack takes advantage of missues of crypto algorithms when encrytping private key. They claim OpenPGP spec is responsible for that missuse. If you are intrerested in more information, please contact directly ICZ while I'm not cryptography expert nor profesional translator. Or look for other sources. Sincerely Peter Hanecak - -- =================================================================== Peter Hanecak <hanecak () megaloman com> GPG pub.key: http://www.megaloman.com/gpg/hanecak-megaloman.txt =================================================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6uHYF1rzDsblwlA8RAlGtAJ4lqqhr17UnfZgn5zqrVqfHXivYwwCfWzkg aSMFFEBe1vkGm/3leID++/8= =gQcT -----END PGP SIGNATURE-----
Current thread:
- Have they found a serious PGP vulnerability?! Pavel Kankovsky (Mar 20)
- Re: Have they found a serious PGP vulnerability?! Peter Hanecak (Mar 21)