Cryptologists from Czech company ICZ detected serious security
vulnerability of an international magnitude

http://www.i.cz/en/onas/tisk4.html

>>A bug has been found in worldwide used security format OpenPGP. The
>>bug can lead to discovery of user's private keys used in digital
>>signature systems. OpenPGP format is widely used in many
>>applications used worldwide, including extremely popular programs
>>like PGP(TM), GNU Privacy Guard, and others. The bug detection
>>comes on the right time, as Philip Zimmermann, the creator of PGP
>>program, has left Network Associates, Inc. and aims to boost
>>OpenPGP format in other products for privacy security on Internet.
>>From the scientific point of view, the discovery goes far beyond
>>actual programs - it has wider theoretical and practical impact.<<

>>A slight modification of the private key file followed by capturing
>>a signed message is enough to break the private key. These tasks
>>can be performed without knowledge of the user's passphrase. After
>>that, a special program can be run on any office PC. Based on the
>>captured message, the program is able to calculate the user's
>>private key in half a second. The attacker can then sign any
>>messages instead of the attacked user. Despite of very quick
>>calculation, the program is based on a special cryptographic
>>know-how. <<

>>similar vulnerabilities can be expected in other asymmetrical
>>cryptographic systems, including systems based on elliptic curves.
>><<

DSA and RSA keys are reportedly equally vulnerable.

DMK Comment: A detailed report was supposed to be "released shortly" but has not appeared so far. The press release does not specify whether diddling the private key results in any error messages. I hope this does not spawn another round of "PGP is cracked/cracking/crackable" media hysteria.

The importance of key management has always been critical and this would seem to only add to the reasons why. There are viruses that try to steal PGP's secret key, there are trojans that make it possible to steal PGP's secret key. Storing keys on shared/networked workstations has always been recognized as a problem with PGP. The comp.security.pgp FAQ includes:

Can I put PGP on a multi-user system like a network or a mainframe?
<http://www.uk.pgp.net/pgpnet/pgp-faq/faq-03.html#3.18>

Still...if it's a slow news week..?

--
Regards,
David Kennedy CISSP
Director of Research Services, TruSecure Corp.
http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.

* * NOTE: In accordance with Title 17 <U.S.C.> Section 107, this material
* is distributed without profit or payment to those who have expressed a
* prior interest in receiving this information for non-profit research and
* educational purposes only. Provided by G2-Forward.
(ai) Another Instance of the Importance of Safeguarding Private Crypto Keys
David Kennedy CISSP (by way of David Kennedy CISSP <[EMAIL PROTECTED]>) Wed, 21 Mar 2001 13:18:52 -0800