Bugtraq mailing list archives

Re: Yes, they have found a serious PGP vulnerability...sort of


From: Florian Weimer <Florian.Weimer () RUS UNI-STUTTGART DE>
Date: Thu, 22 Mar 2001 20:24:51 +0100

Pavel Kankovsky <peak () argo troja mff cuni cz> writes:

> Yes...for DSA keys, the modification of unencrypted public parameters is
> sufficient to carry out the attack (and this means the simple defence I
> proposed would not work). For RSA keys, esp. for version 4 of the format,
> they have to modify the encrypted information as well, exploiting
> weaknesses in the encryption to localize the effect of their changes.
> It is not as trivial as the DSA case but some implementations of RSA
> signatures (those not checking the keys thoroughly enough) may be
> vulnerable as well.

Yes, that's right.  Unfortunately I missed these attacks, and an
unpatched GnuPG is vulnerable to them.  Sorry about the confusion.

I've written a patch which addresses the problem:

        http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff
        http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff.asc

It introduces additional consistency checks, as suggested by the
authors of the paper.  The checks are slightly different, but they
make the two additional attacks infeasible, I think.  In the future,
it might be a good idea to add a check of the generated signature for
validity; this will detect bugs in the MPI implementation which could
result in a revealed secret key, too.

(BTW: Werner Koch, the GnuPG maintainer, is currently not very
well-connected to the Net, so please do not bombard him with e-mail.)

--
Florian Weimer                    Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
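An added illustration (not Florian's patch and not GnuPG code) of the two defences the message describes, written in Python with constructed toy DSA parameters: a consistency check of the stored public parameters p, q, g, y against the secret exponent x, and verification of the freshly generated signature before it is released. Names such as check_key_consistency and hardened_sign are assumptions made for this example.

```python
"""Toy DSA with the two defensive checks discussed in the thread.
Parameters are tiny (p=23, q=11) and constructed for readability only;
they offer no security and exist purely to show where the checks sit."""
import hashlib
import secrets

def is_prime(n: int) -> bool:
    # Trial division is enough for the toy sizes used here.
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def check_key_consistency(p, q, g, y, x):
    """Reject a key whose unencrypted public parameters (the fields an
    attacker can rewrite in a stored secret key) do not fit the secret x."""
    if not (is_prime(p) and is_prime(q) and (p - 1) % q == 0):
        raise ValueError("p/q do not form a valid DSA group")
    if not (1 < g < p and pow(g, q, p) == 1):
        raise ValueError("g does not have order q")
    if not (0 < x < q and pow(g, x, p) == y):
        raise ValueError("public key y does not match secret exponent x")

def h(msg: bytes, q: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def verify(p, q, g, y, msg, sig) -> bool:
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(g, h(msg, q) * w % q, p) * pow(y, r * w % q, p)) % p % q
    return v == r

def hardened_sign(p, q, g, y, x, msg):
    check_key_consistency(p, q, g, y, x)       # first layer: key sanity
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h(msg, q) + x * r) % q
        if r and s:
            break
    # Second layer: verify our own output before releasing it, which also
    # catches arithmetic (MPI) bugs that would otherwise leak x.
    if not verify(p, q, g, y, msg, (r, s)):
        raise RuntimeError("self-check failed: refusing to emit signature")
    return r, s

def rejects(p, q, g, y, x, msg=b"test") -> bool:
    """True if the hardened signer refuses the given key material."""
    try:
        hardened_sign(p, q, g, y, x, msg)
        return False
    except ValueError:
        return True

P, Q, G, X = 23, 11, 4, 7        # constructed toy key
Y = pow(G, X, P)                 # = 8
```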
