Bugtraq mailing list archives

Re: Have they found a serious PGP vulnerability?!


From: Peter Hanecak <hanecak () MEGALOMAN COM>
Date: Wed, 21 Mar 2001 10:36:01 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

On Tue, 20 Mar 2001, Pavel Kankovsky wrote:

> No details are available right now and the data included in the article
> seems to be partially self-contradicting (on the other hand, it can be
> just a result of standard journalistic post-production). They say there
> will be a press conference today (March 20) at 15:00 MET where ICZ people
> will shed more light on this issue.

ICZ's press statement can be found here:

        http://www.icz.cz/onas/tisk4.html

It is in Czech.

> Personally, I think they have found some new obscure attack (perhaps some
> side-channel attack) that can be used when some bizarre conditions are
> met, or maybe they have reinvented the wheel, and have discovered a Trojan
> horse can steal private keys when PGP decrypts them in order to be able to
> use them.

If I'm correct, I can summarize information found at
http://www.icz.cz/onas/tisk4.html as follows:

They found a way to calculate the victim's private key from the victim's
encrypted private key file and at least one signed message (signed by that
private key). It takes a small modification of the private key file and
about half a second of calculation on a common PC.

So to successfully perform the attack their way, you have to:
1) obtain the victim's private key file
2) obtain at least one message signed by the above key
3) have the knowledge and tools those ICZ folks have
4) apply 3 to 1 and 2

The attack takes advantage of misuse of crypto algorithms when encrypting
the private key. They claim the OpenPGP spec is responsible for that misuse.


If you are interested in more information, please contact ICZ directly,
as I'm neither a cryptography expert nor a professional translator. Or look
for other sources.


Sincerely

Peter Hanecak

- --
===================================================================
  Peter Hanecak <hanecak () megaloman com>
  GPG pub.key: http://www.megaloman.com/gpg/hanecak-megaloman.txt
===================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6uHYF1rzDsblwlA8RAlGtAJ4lqqhr17UnfZgn5zqrVqfHXivYwwCfWzkg
aSMFFEBe1vkGm/3leID++/8=
=gQcT
-----END PGP SIGNATURE-----

