From: Pavel Kankovsky (peakARGO.TROJA.MFF.CUNI.CZ)
Date: Thu Mar 22 2001 - 12:50:52 CST


On 22 Mar 2001, Florian Weimer wrote:

> There's now a Czech paper with technical background:

And an English version at


(From what I have heard, they--meaning ICZ management/marketing rather
than the authors, Mr. Klima and Mr. Rosa, themselves--did not intend
to publish the paper before Friday. Apparently, they figured out that
approach was not good for their reputation.)

> Although I cannot read Czech, their attack seems to be targeted against
> the public key stored in a secret key packet. This data is not
> cryptographically protected and can therefore be modified by an
> attacker who has write access to the key ring. If a signature is
> generated based on the modified public key data, the secret key will
> be exposed.

Yes...for DSA keys, the modification of unencrypted public parameters is
sufficient to carry out the attack (and this means the simple defence I
proposed would not work). For RSA keys, esp. for version 4 of the format,
they have to modify the encrypted information as well, exploiting
weaknesses in the encryption to localize the effect of their changes.
It is not as trivial as the DSA case but some implementations of RSA
signatures (those not checking the keys thoroughly enough) may be
vulnerable as well.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
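The "checking the keys thoroughly" mentioned above, as an added example that is not from the list thread or from any OpenPGP implementation: before signing, a DSA implementation can recompute y from the encrypted secret exponent x and refuse to sign if the unencrypted public parameters (p, q, g, y) in the secret key packet no longer agree with it. The parameters are constructed toy values (p = 2039, q = 1019, g = 4), not real key material, and `toy_key`/`tamper_generator` are hypothetical helpers standing in for key loading and for a write to the unprotected fields.

```python
"""Pre-signing consistency check for a DSA secret key packet (toy params)."""
from dataclasses import dataclass, replace
import hashlib
import secrets

@dataclass(frozen=True)
class DsaSecretKey:
    p: int  # p, q, g, y: public parameters, stored unencrypted in the packet
    q: int
    g: int
    y: int
    x: int  # secret exponent, the only encrypted field

def toy_key(x: int = 123) -> DsaSecretKey:
    """Constructed demo key: p=2039, q=1019, g=4 has order q; y derived from x."""
    p, q, g = 2039, 1019, 4
    return DsaSecretKey(p, q, g, pow(g, x, p), x)

def tamper_generator(key: DsaSecretKey, new_g: int) -> DsaSecretKey:
    """Model a write to the unprotected public fields of the packet."""
    return replace(key, g=new_g)

def public_params_consistent(key: DsaSecretKey) -> bool:
    """True only if (p, q, g, y) still agree with the secret exponent x."""
    if not (1 < key.g < key.p and 0 < key.x < key.q):
        return False
    if (key.p - 1) % key.q or pow(key.g, key.q, key.p) != 1:
        return False  # g is not in the order-q subgroup
    return pow(key.g, key.x, key.p) == key.y  # recompute y from x

def _hash_mod_q(message: bytes, q: int) -> int:
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q

def dsa_sign(key: DsaSecretKey, message: bytes, k=None):
    """Refuse to sign when the public parameters no longer match x."""
    if not public_params_consistent(key):
        raise ValueError("secret key packet inconsistent; refusing to sign")
    k = k if k is not None else secrets.randbelow(key.q - 1) + 1
    r = pow(key.g, k, key.p) % key.q
    s = pow(k, -1, key.q) * (_hash_mod_q(message, key.q) + key.x * r) % key.q
    if r == 0 or s == 0:  # DSA requires a fresh nonce in this (rare) case
        return dsa_sign(key, message)
    return r, s

def dsa_verify(key: DsaSecretKey, message: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < key.q and 0 < s < key.q):
        return False
    w = pow(s, -1, key.q)
    u1, u2 = _hash_mod_q(message, key.q) * w % key.q, r * w % key.q
    return pow(key.g, u1, key.p) * pow(key.y, u2, key.p) % key.p % key.q == r
```

Replacing g with another element of the subgroup passes the order check but fails the recomputed-y comparison, so the signer rejects the key instead of producing a signature under altered parameters.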