From: Florian Weimer (Florian.WeimerRUS.UNI-STUTTGART.DE)
Date: Thu Mar 22 2001 - 13:24:51 CST
Pavel Kankovsky <peakargo.troja.mff.cuni.cz> writes:
> Yes...for DSA keys, the modification of unencrypted public parameters is
> sufficient to carry out the attack (and this means the simple defence I
> proposed would not work). For RSA keys, esp. for version 4 of the format,
> they have to modify the encrypted information as well, exploiting
> weaknesses in the encryption to localize the effect of their changes.
> It is not as trivial as the DSA case but some implementations of RSA
> signatures (those not checking the keys thoroughly enough) may be
> vulnerable as well.
Yes, that's right. Unfortunately I missed these attacks, and an
unpatched GnuPG is vulnerable to them. Sorry about the confusion.
I've written a patch which addresses the problem:
It introduces additional consistency checks, as suggested by the
authors of the paper. The checks are slightly different, but they
make the two additional attacks infeasible, I think. In the future,
it might be a good idea to add a check of the generated signature for
validity; this will detect bugs in the MPI implementation which could
result in a revealed secret key, too.
(BTW: Werner Koch, the GnuPG maintainer, is currently not very
well-connected to the Net, so please do not bombard him with e-mail.)
--
Florian Weimer 	        Florian.WeimerRUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
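The two defences discussed in this thread, consistency checks on the key material before signing and a validity check of the freshly generated signature, as an added Python illustration that is not part of the thread and not GnuPG's patch. It assumes constructed toy DSA parameters (far too small for real use) and a dictionary key layout of my own; a key whose unencrypted public parameters no longer fit the secret x is refused, and every signature is verified before it is released.

```python
import hashlib
import secrets

# Constructed toy DSA parameters (far too small for real use): P is a safe prime,
# Q = (P - 1) / 2 is prime and G = 4 is a quadratic residue mod P, so G has order Q.
P, Q, G = 2039, 1019, 4

def is_prime(n):  # trial division suffices at toy sizes; real code uses Miller-Rabin
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def check_key(key):
    """Consistency checks on the unencrypted public parameters stored next to
    the secret x; a failure means that part of the key ring was altered."""
    p, q, g, y, x = (key[n] for n in "pqgyx")
    if not (is_prime(p) and is_prime(q) and (p - 1) % q == 0):
        raise ValueError("p/q inconsistent")
    if not (1 < g < p - 1 and pow(g, q, p) == 1):
        raise ValueError("g does not generate the order-q subgroup")
    if not (0 < x < q and pow(g, x, p) == y):
        raise ValueError("public y does not match secret x")

def h(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def keygen():
    x = 1 + secrets.randbelow(Q - 1)
    return {"p": P, "q": Q, "g": G, "x": x, "y": pow(G, x, P)}

def verify(key, msg, sig):
    p, q, g, y = key["p"], key["q"], key["g"], key["y"]
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, h(msg, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r

def sign(key, msg):
    """Refuse an inconsistent key, then verify the fresh signature before
    releasing it, so a faulty signature computation cannot leak x either."""
    check_key(key)
    p, q, g, x = key["p"], key["q"], key["g"], key["x"]
    r = s = 0
    while r == 0 or s == 0:
        k = 1 + secrets.randbelow(q - 1)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h(msg, q) + x * r) % q
    if not verify(key, msg, (r, s)):
        raise RuntimeError("self-check of generated signature failed")
    return r, s
```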