[19801] in bugtraq


Re: Yes, they have found a serious PGP vulnerability...sort of

daemon@ATHENA.MIT.EDU (Florian Weimer)
Fri Mar 23 06:06:51 2001

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <tgu24la9oc.fsf@mercury.rus.uni-stuttgart.de>
Date:         Thu, 22 Mar 2001 20:24:51 +0100
Reply-To: Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
From: Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
X-To:         Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
To: BUGTRAQ@SECURITYFOCUS.COM

Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> writes:

> Yes...for DSA keys, the modification of unencrypted public parameters is
> sufficient to carry out the attack (and this means the simple defence I
> proposed would not work). For RSA keys, esp. for version 4 of the format,
> they have to modify the encrypted information as well, exploiting
> weaknesses in the encryption to localize the effect of their changes.
> It is not as trivial as the DSA case but some implementations of RSA
> signatures (those not checking the keys thoroughly enough) may be
> vulnerable as well.

Yes, that's right.  Unfortunately I missed these attacks, and an
unpatched GnuPG is vulnerable to them.  Sorry about the confusion.

I've written a patch which addresses the problem:

        http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff
        http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff.asc

It introduces additional consistency checks, as suggested by the
authors of the paper.  The checks are slightly different, but they
make the two additional attacks infeasible, I think.  In the future,
it might be a good idea to add a check of the generated signature for
validity; this will detect bugs in the MPI implementation which could
result in a revealed secret key, too.

(BTW: Werner Koch, the GnuPG maintainer, is currently not very
well-connected to the Net, so please do not bombard him with e-mail.)

--
Florian Weimer 	                  Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
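The two countermeasures the message names, consistency checks on the stored key parameters before they are used and verification of the freshly generated signature before it is released, as an added toy example in Python. This is not code from the e-mail, from the linked patch or from GnuPG; the tiny DSA parameters (p = 23, q = 11, g = 4, x = 7, y = 8), the class and function names, and the injectable `modexp` hook used to simulate a faulty MPI routine are all constructed for illustration.

```python
"""Toy DSA signer illustrating two defensive checks against key-file
tampering and faulty big-integer (MPI) arithmetic:

  1. consistency checks on the key parameters before they are used, and
  2. verify-after-sign: the freshly produced signature is verified with
     the same key before it is released.

Parameters are deliberately tiny (p = 23, q = 11) so the arithmetic can be
followed by hand; this is illustrative code, not GnuPG's implementation.
Requires Python 3.8+ (pow with exponent -1 for modular inverses).
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


class KeyConsistencyError(ValueError):
    """Raised when the stored key parameters do not fit together."""


class SignatureSelfCheckError(RuntimeError):
    """Raised when a freshly generated signature fails to verify."""


@dataclass(frozen=True)
class DsaKey:
    p: int                    # prime modulus
    q: int                    # prime order of the subgroup generated by g
    g: int                    # generator
    y: int                    # public key, g^x mod p
    x: Optional[int] = None   # private exponent, None for a public key


def check_key(key: DsaKey) -> bool:
    """Reject keys whose (possibly unencrypted) public parameters have been
    altered or no longer match the secret exponent."""
    if not (1 < key.g < key.p):
        raise KeyConsistencyError("g out of range")
    if (key.p - 1) % key.q != 0:
        raise KeyConsistencyError("q does not divide p-1")
    if pow(key.g, key.q, key.p) != 1:
        raise KeyConsistencyError("g does not have order q")
    if not (1 < key.y < key.p):
        raise KeyConsistencyError("y out of range")
    if key.x is not None:
        if not (0 < key.x < key.q):
            raise KeyConsistencyError("x out of range")
        if pow(key.g, key.x, key.p) != key.y:   # y must equal g^x mod p
            raise KeyConsistencyError("y does not match g^x mod p")
    return True


def _hash_mod_q(msg: bytes, q: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def verify(key: DsaKey, msg: bytes, sig: Tuple[int, int]) -> bool:
    """Standard DSA verification using only the public parameters."""
    r, s = sig
    if not (0 < r < key.q and 0 < s < key.q):
        return False
    w = pow(s, -1, key.q)
    u1 = _hash_mod_q(msg, key.q) * w % key.q
    u2 = r * w % key.q
    v = (pow(key.g, u1, key.p) * pow(key.y, u2, key.p) % key.p) % key.q
    return v == r


def sign(key: DsaKey, msg: bytes,
         k_source: Optional[Callable[[], int]] = None,
         modexp: Callable[[int, int, int], int] = pow) -> Tuple[int, int]:
    """DSA signing with both checks applied.

    `k_source` returns candidate nonces in [1, q-1] (defaults to a CSPRNG;
    tests may pass a deterministic source).  `modexp` computes g^k mod p
    and is a parameter only so that a buggy MPI routine can be simulated
    (hypothetical hook; real signing code would not expose this).
    """
    check_key(key)                      # check 1: parameters fit together
    if key.x is None:
        raise ValueError("signing requires the private exponent")
    if k_source is None:
        k_source = lambda: secrets.randbelow(key.q - 1) + 1
    h = _hash_mod_q(msg, key.q)
    while True:
        k = k_source()
        r = modexp(key.g, k, key.p) % key.q
        s = pow(k, -1, key.q) * (h + key.x * r) % key.q
        if r != 0 and s != 0:           # DSA requires r, s nonzero; retry otherwise
            break
    if not verify(key, msg, (r, s)):    # check 2: verify-after-sign
        raise SignatureSelfCheckError("generated signature does not verify")
    return (r, s)


# Constructed toy key: p = 23, q = 11 divides p-1, g = 4 has order 11,
# x = 7 and y = 4^7 mod 23 = 8.
GOOD_KEY = DsaKey(p=23, q=11, g=4, y=8, x=7)
```

Check 1 catches a key file whose public parameters (g, y, p, q) no longer agree with the secret exponent, so no signature is ever computed with inconsistent values; check 2 catches an arithmetic fault inside the signing operation itself, the case the message points at for MPI bugs, because a signature produced from a wrong intermediate value will not verify against the same key and is then withheld instead of being released.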
