Re: Algorithm Specific Fields for DSA secret keys
lutz@xxxxxxxxxxx (Lutz Donnerhacke) writes:
> * Florian Weimer wrote:
> >Okay, I missed this one. I thought the public key components were also
> >cryptographically protected. May I assume that the i.cz attack is target
> >against the unprotected public key part of the secret key packet? Such an
> >attack seems feasible.
>
> If they do so, the attack will be /very/ interesting.
They seem to, see http://www.i.cz/pdf/pgp/OpenPGP_attack_CZ.pdf. It's
informative even if you cannot read Czech (there's one diagram showing
the secret key packet modification, which is quite instructive). Was
this information available to the Minneapolis meeting? What were
their conclusions?
The attack is rather obvious, I have to say. Before I read Hal's
reply, I assumed that all data needed for signature generation was
protected by the passphrase. I was really surprised when I discovered
that it wasn't (at least in the DSA case; if you do RSA using the
Chinese Remainder Theorem, however, it is), and I was far less surprised
when I finally found the paper and confirmed that the attack is
mounted against the unprotected portion of the secret key.
I'm still working on a fix. The basic question is: Is it possible to
create a set of public DSA parameters which are consistent with the
secret one, without knowing the latter? If the answer is yes, we have
to modify the OpenPGP format, otherwise, a consistency check is
sufficient to protect against this attack. (The consistency check
performed by GnuPG is probably not sufficient.)
--
Florian Weimer Florian.Weimer@xxxxxxxxxxxxxxxxxxxx
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
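Editor's note, added to this archived message and not part of it: the following toy model illustrates the two points the message makes, that the DSA secret-key packet protects only x while p, q, g and y sit in the clear, and that a "consistency check" has to validate the parameters themselves rather than only their relation to x. It is constructed example code, not code from the thread, from GnuPG or from the i.cz paper, and the tampering it performs (replacing q with a tiny prime so that the signing nonce becomes guessable, then combining several such runs with the CRT) is one constructed instance of the general idea, not a reproduction of the paper's steps. All numbers, hash values and names are made up and far too small for anything but illustration.

```python
"""Toy model of the DSA secret-key packet: only x is passphrase-protected.
Added illustration, not code from the thread, GnuPG or the i.cz paper; the
tampering is a constructed instance of the general idea, not the paper's
steps.  All numbers are tiny and constructed (real keys: 1024-bit p)."""
from dataclasses import dataclass


@dataclass
class DsaSecretKey:
    p: int  # stored in the clear in the secret-key packet
    q: int  # stored in the clear
    g: int  # stored in the clear
    y: int  # stored in the clear
    x: int  # the only field the passphrase protects


# Honest toy key: p = 2q + 1, q prime, g = 4 generates the order-q subgroup.
HONEST = DsaSecretKey(p=2039, q=1019, g=4, y=pow(4, 777, 2039), x=777)
# Constructed "hash values" of three messages the victim will sign.
HASHES = [101, 203, 303]


def sign(key, h, k):
    """Textbook DSA; None where a real signer would retry with a new k."""
    r = pow(key.g, k, key.p) % key.q
    if r == 0:
        return None
    s = pow(k, -1, key.q) * (h + key.x * r) % key.q
    return (r, s) if s else None


def tamper(key, q2, p2, g2):
    """Attacker rewrites the clear fields without the passphrase.  y is left
    as is: without x the attacker cannot compute the matching g2^x mod p2."""
    return DsaSecretKey(p=p2, q=q2, g=g2, y=key.y, x=key.x)


def victim_signs(key, hashes):
    """Victim signs with the modified key.  Toy: nonces are 1, 2, 3, ... in
    order (a real signer draws k from [1, q-1]; a tiny q makes k guessable)."""
    sigs, nonces = [], iter(range(1, key.q))
    for h in hashes:
        sig = None
        while sig is None:
            sig = sign(key, h, next(nonces))
        sigs.append((h, sig))
    return sigs


def recover_x_mod_q(tampered, observed):
    """Brute-force k for each observed (h, (r, s)); every k with the right r
    gives one candidate for x mod q.  Intersecting the sets leaves the truth."""
    p, q, g = tampered.p, tampered.q, tampered.g
    cands = None
    for h, (r, s) in observed:
        this = {(s * k - h) * pow(r, -1, q) % q
                for k in range(1, q) if pow(g, k, p) % q == r}
        cands = this if cands is None else cands & this
    if len(cands) != 1:
        raise ValueError(f"ambiguous, need more signatures: {cands}")
    return cands.pop()


def crt(residues):
    """Combine (x mod q_i, q_i) for pairwise coprime q_i into x mod prod(q_i)."""
    x, m = 0, 1
    for r, q in residues:
        x += m * ((r - x) * pow(m, -1, q) % q)
        m *= q
    return x % m


# Attacker's replacement sets (q2, p2 = 2*q2 + 1, g2 = 4 of order q2);
# 5 * 11 * 23 = 1265 > 1019, so the CRT recovers x itself, not just x mod q.
SMALL_PARAMS = [(5, 11, 4), (11, 23, 4), (23, 47, 4)]


def run_attack(key=HONEST):
    residues = []
    for q2, p2, g2 in SMALL_PARAMS:
        t = tamper(key, q2, p2, g2)
        residues.append((recover_x_mod_q(t, victim_signs(t, HASHES)), q2))
    return crt(residues)


def is_prime(n):
    """Trial division; fine for toy sizes (real code uses Miller-Rabin)."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def naive_check(key):
    """'Public part matches secret part' and nothing more: y == g^x mod p.
    Degenerate parameters such as g = y = 1 satisfy it for every x."""
    return pow(key.g, key.x, key.p) == key.y


def strict_check(key, min_q_bits=10):
    """Validate the parameters themselves, then their relation to x.
    min_q_bits is 10 for this toy; real DSA needs at least 160."""
    p, q, g, y, x = key.p, key.q, key.g, key.y, key.x
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and q.bit_length() >= min_q_bits
            and 1 < g < p and pow(g, q, p) == 1
            and 0 < x < q and pow(g, x, p) == y)


# Parameters an attacker can write without knowing x that still pass naive_check.
DEGENERATE = DsaSecretKey(p=2039, q=5, g=1, y=1, x=777)

if __name__ == "__main__":
    print("recovered x:", run_attack())  # 777
    print("naive accepts degenerate:", naive_check(DEGENERATE))  # True
    print("strict accepts degenerate:", strict_check(DEGENERATE))  # False
```

The point of the two checks is the question the message asks: g = 1, y = 1 is a set of "public" values consistent with any x, so a check that only compares y against g^x mod p is passable without knowing the secret, whereas validating p, q, g (primality, q | p-1, order of g, size of q) before touching x rejects both that degenerate set and the small-q replacement used by run_attack.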