Bugtraq mailing list archives

Re: Yes, they have found a serious PGP vulnerability...sort of


From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Thu, 22 Mar 2001 19:50:52 +0100

On 22 Mar 2001, Florian Weimer wrote:

> There's now a Czech paper with technical background:

And an English version at

        http://www.icz.cz/en/pdf/openPGP_attack_ENGvktr.pdf

(From what I have heard, they--meaning ICZ management/marketing rather
than the authors, Mr. Klima and Mr. Rosa, themselves--did not intend
to publish the paper before Friday. Apparently, they figured out that
approach was not good for their reputation.)

> Although I cannot read Czech, their attack seems to be targeted against
> the public key stored in a secret key packet.  This data is not
> cryptographically protected and can therefore be modified by an
> attacker who has write access to the key ring.  If a signature is
> generated based on the modified public key data, the secret key will
> be exposed.

Yes...for DSA keys, the modification of unencrypted public parameters is
sufficient to carry out the attack (and this means the simple defence I
proposed would not work). For RSA keys, esp. for version 4 of the format,
they have to modify the encrypted information as well, exploiting
weaknesses in the encryption to localize the effect of their changes.
It is not as trivial as the DSA case but some implementations of RSA
signatures (those not checking the keys thoroughly enough) may be
vulnerable as well.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
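
The key check the message above alludes to can be sketched as follows. This is an added example, not code from the post, the ICZ paper, or any PGP implementation: before signing, confirm that the unprotected public values still match the decrypted secret values. Function names are hypothetical and the toy keys are constructed, far too small for real use.

```python
import random

def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dsa_key_consistent(p, q, g, y, x):
    """True only if the public parameters (p, q, g, y) fit the secret x."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0                   # q divides p-1
            and 1 < g < p and pow(g, q, p) == 1    # g has order q
            and 0 < x < q and pow(g, x, p) == y)   # y matches the secret x

def rsa_key_consistent(n, e, d, p, q):
    """True only if the secret values (d, p, q) fit the public (n, e)."""
    if not (is_probable_prime(p) and is_probable_prime(q)) or p * q != n:
        return False
    # e*d must be 1 modulo both p-1 and q-1 for signatures to verify
    return (e * d) % (p - 1) == 1 and (e * d) % (q - 1) == 1

# Constructed toy keys for illustration only
DSA_TOY = dict(p=23, q=11, g=4, y=pow(4, 7, 23), x=7)
RSA_TOY = dict(n=3233, e=17, d=2753, p=61, q=53)
```

A signer that refuses to use a key failing these checks does not produce a signature from altered parameters; verifying each freshly made signature against the public key before releasing it is a complementary check.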

