Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Pavel Kankovsky (peakARGO.TROJA.MFF.CUNI.CZ)
Date: Tue Mar 20 2001 - 14:16:08 CST
ICZ has published some real information about their new attack against
(Open)PGP. Their annoucement, in the English language, can be found at
http://www.i.cz/en/onas/tisk4.html. They say they will make a research
paper available at http://www.i.cz/ soon.
They stress how bad the problem is but there is an important detail you
should not miss: in order to exploit the vulnerability, you must be able
to modify a file containing your victim's encrypted private key in a
special way (and get one message signed with that "bugged" key). Well,
it is true such a thing can often be "performed without knowledge of the
user's passphrase" ("behind the user's back" is a more colourful phrase
used in the Czech version of the press release) but if anyone can modify
your files without your consent, he can *probably* steal your private key
and other sensitive data in 42 different ways.
The vulnerability is said to be inherent to the OpenPGP format. It seems
that the integrity of OpenPGP encrypted private ("secret" in somewhat
confusing RFC 2440 lingo) key blocks is protected by a rather lame 16-bit
checksum only (see RFC 2440, section 5.5.3. Secret Key Packet Formats),
and I guess the problem lies here. Perhaps their attack is something like
a combination of the attack against Chinese remainder theorem-based
implementations of RSA in the presence of computational errors and the
SSH1 CRC compensation attack.
Anyway, there is *probably* a rather simple defence: make your software
check generated digital signatures against corresponding public keys
automatically. It is unlikely an attacker could find a (feasible) way to
modify both an unencrypted public key and a private key encrypted using an
unknown passphrase to pass such a check. As a free bonus, you will make
your software more resistant to the fault cryptanalysis in general.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."