oss-sec mailing list archives
Libgcrypt and GnuPG 1.4 RNG output prediction
From: Solar Designer <solar () openwall com>
Date: Wed, 17 Aug 2016 19:58:19 +0300
Hi,

This was just announced on gnupg-announce and Twitter @gnupg, and I think it should also be in here:

https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions.

Impact
======

All Libgcrypt and GnuPG versions released before 2016-08-17 are affected on all platforms.

A first analysis on the impact of this bug in GnuPG shows that existing RSA keys are not weakened. For DSA and Elgamal keys it is also unlikely that the private key can be predicted from other public information. This needs more research and I would suggest _not to_ overhastily revoke keys.
Also off Twitter:

<@rgacogne> @gnupg @solardiz The CVE number (CVE-2016-6316) seems to have been used to track another security issue rubygem-actionview, is that correct?

There does in fact appear to be a CVE ID clash, with:

http://www.openwall.com/lists/oss-security/2016/08/11/6

Alexander
Current thread:
- Libgcrypt and GnuPG 1.4 RNG output prediction Solar Designer (Aug 17)
- Re: Libgcrypt and GnuPG 1.4 RNG output prediction Remi Gacogne (Aug 17)
- Re: Libgcrypt and GnuPG 1.4 RNG output prediction Werner Koch (Aug 17)
- Re: Re: Libgcrypt and GnuPG 1.4 RNG output prediction Andrew Gallagher (Aug 18)
- Re: Libgcrypt and GnuPG 1.4 RNG output prediction Solar Designer (Aug 18)
- Re: Re: Libgcrypt and GnuPG 1.4 RNG output prediction Andrew Gallagher (Aug 18)