Pavel Kankovsky <[EMAIL PROTECTED]> writes:
> Yes...for DSA keys, the modification of unencrypted public parameters is
> sufficient to carry out the attack (and this means the simple defence I
> proposed would not work). For RSA keys, esp. for version 4 of the format,
> they have to modify the encrypted information as well, exploiting
> weaknesses in the encryption to localize the effect of their changes.
> It is not as trivial as the DSA case but some implementations of RSA
> signatures (those not checking the keys thoroughly enough) may be
> vulnerable as well.
Yes, that's right. Unfortunately I missed these attacks, and an
unpatched GnuPG is vulnerable to them. Sorry about the confusion.
I've written a patch which addresses the problem:
http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff
http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff.asc
It introduces additional consistency checks, as suggested by the
authors of the paper. The checks are slightly different, but they
make the two additional attacks infeasible, I think. In the future,
it might be a good idea to add a check of the generated signature for
validity; this will detect bugs in the MPI implementation which could
result in a revealed secret key, too.
(BTW: Werner Koch, the GnuPG maintainer, is currently not very
well-connected to the Net, so please do not bombard him with e-mail.)
--
Florian Weimer [EMAIL PROTECTED]
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
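The two defences the message describes, consistency checks on the key before signing and verification of every freshly generated signature, as an added example that is not part of the original thread, not GnuPG's code and not the linked patch. It is a toy DSA signer in pure Python: the parameters (q = 2^61-1, p and g searched at runtime), the key, the message and the `tamper_public_g` helper are all constructed here for illustration; the checks themselves mirror the ones a signer should make before using a key whose public parameters sit unencrypted in a key file.

```python
"""Toy DSA signer with two defences: key consistency checks before every
signature, and verification of each generated signature before release.
Constructed example; not GnuPG's code and not the patch from the thread."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DsaKey:
    p: int  # modulus (public, stored unencrypted in a key file)
    q: int  # subgroup order (public)
    g: int  # generator of the order-q subgroup (public)
    y: int  # public key, y = g^x mod p
    x: int  # private exponent (the only value a key file encrypts)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; sufficient for a demonstration."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        v = pow(a, d, n)
        if v in (1, n - 1):
            continue
        for _ in range(s - 1):
            v = pow(v, 2, n)
            if v == n - 1:
                break
        else:
            return False
    return True


def generate_key() -> DsaKey:
    """Toy parameters (far too small for real use): q = 2^61-1, p the
    first prime k*q+1 with k even, g the first h^k != 1 (order q)."""
    q = 2**61 - 1
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    h = 2
    while pow(h, k, p) == 1:
        h += 1
    g = pow(h, k, p)
    x = secrets.randbelow(q - 1) + 1
    return DsaKey(p, q, g, pow(g, x, p), x)


def key_consistency_problems(key: DsaKey) -> list[str]:
    """Public parameters must agree with each other and with x. A key
    file whose unencrypted p, q, g or y was altered fails at least one."""
    problems = []
    if not is_probable_prime(key.p):
        problems.append("p is not prime")
    if not is_probable_prime(key.q):
        problems.append("q is not prime")
    if (key.p - 1) % key.q != 0:
        problems.append("q does not divide p-1")
    if not (1 < key.g < key.p) or pow(key.g, key.q, key.p) != 1:
        problems.append("g does not have order q modulo p")
    if not (0 < key.x < key.q):
        problems.append("x is out of range")
    if pow(key.g, key.x, key.p) != key.y:
        problems.append("y does not equal g^x mod p")
    return problems


def _hash_to_int(msg: bytes, q: int) -> int:
    # Real DSA truncates the digest to the bit length of q; mod q suffices here.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def verify(key: DsaKey, msg: bytes, sig: tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < key.q and 0 < s < key.q):
        return False
    w = pow(s, -1, key.q)
    u1 = (_hash_to_int(msg, key.q) * w) % key.q
    u2 = (r * w) % key.q
    v = (pow(key.g, u1, key.p) * pow(key.y, u2, key.p)) % key.p % key.q
    return v == r


def sign(key: DsaKey, msg: bytes) -> tuple[int, int]:
    problems = key_consistency_problems(key)
    if problems:  # first defence: never sign with a tampered key
        raise ValueError("refusing to sign with inconsistent key: " + "; ".join(problems))
    h = _hash_to_int(msg, key.q)
    while True:
        k = secrets.randbelow(key.q - 1) + 1
        r = pow(key.g, k, key.p) % key.q
        s = (pow(k, -1, key.q) * (h + key.x * r)) % key.q
        if r != 0 and s != 0:
            break
    # Second defence: a signature that does not verify (faulty arithmetic,
    # corrupted key) must not leave the process, since it may leak x.
    if not verify(key, msg, (r, s)):
        raise RuntimeError("generated signature failed verification; withheld")
    return r, s


def tamper_public_g(key: DsaKey) -> DsaKey:
    """Simulates an edit to the unencrypted g in a key file (set to p-1,
    an element of order 2) while the encrypted x is left untouched."""
    return replace(key, g=key.p - 1)


if __name__ == "__main__":
    key = generate_key()
    sig = sign(key, b"release announcement")
    print("good key signs and verifies:", verify(key, b"release announcement", sig))
    try:
        sign(tamper_public_g(key), b"release announcement")
    except ValueError as err:
        print("tampered key rejected:", err)
```

The order of the two defences matters: the consistency check runs before any secret-dependent arithmetic, so a key whose public parameters were altered never produces a signature at all, and the post-signing verification covers failures the checks cannot anticipate, such as a bug in the big-integer code.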