Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Pavel Kankovsky (peakARGO.TROJA.MFF.CUNI.CZ)
Date: Tue Mar 20 2001 - 14:16:08 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ICZ has published some real information about their new attack against
    (Open)PGP. Their annoucement, in the English language, can be found at
    http://www.i.cz/en/onas/tisk4.html. They say they will make a research
    paper available at http://www.i.cz/ soon.

    They stress how bad the problem is but there is an important detail you
    should not miss: in order to exploit the vulnerability, you must be able
    to modify a file containing your victim's encrypted private key in a
    special way (and get one message signed with that "bugged" key). Well,
    it is true such a thing can often be "performed without knowledge of the
    user's passphrase" ("behind the user's back" is a more colourful phrase
    used in the Czech version of the press release) but if anyone can modify
    your files without your consent, he can *probably* steal your private key
    and other sensitive data in 42 different ways.

    The vulnerability is said to be inherent to the OpenPGP format. It seems
    that the integrity of OpenPGP encrypted private ("secret" in somewhat
    confusing RFC 2440 lingo) key blocks is protected by a rather lame 16-bit
    checksum only (see RFC 2440, section 5.5.3. Secret Key Packet Formats),
    and I guess the problem lies here. Perhaps their attack is something like
    a combination of the attack against Chinese remainder theorem-based
    implementations of RSA in the presence of computational errors and the
    SSH1 CRC compensation attack.

    Anyway, there is *probably* a rather simple defence: make your software
    check generated digital signatures against corresponding public keys
    automatically. It is unlikely an attacker could find a (feasible) way to
    modify both an unencrypted public key and a private key encrypted using an
    unknown passphrase to pass such a check. As a free bonus, you will make
    your software more resistant to the fault cryptanalysis in general.

    --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."