Thought I'd pass this along. Not sure if it applies to anyone.
- Critical flaw in GnuPG -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, November 28, 2003 - A critical security flaw has been found in the
GnuPG encryption software which could compromise a user's private key in
seconds.
This flaw affects versions 1.0.2 and later of GnuPG which use ElGamal keys
for encryption and signing (type 20). ElGamal keys used for encryption only
(type 16) are not affected by this flaw.
Although use of sign+encrypt keys is not considered good cryptographic
practice, the OpenPGP standard allows them to be used and GnuPG supports
creation and handling of them. Fortunately, these keys are not used very
often nor are they created by default in GnuPG, since -compared to RSA or
DSA keys - they have significant disadvantages with regard to security and
performance. Actually, users must create ElGamal sign+encrypt keys through
specific options in GnuPG.
To avoid being affected by this vulnerability, it is advisable not to
generate ElGamal keys for encryption and signing (type 20), revoke the keys
that are already in use and take into account that all the material signed
and encrypted with them could have been compromised. GnuPG has already
announced that future versions of the program will not allow these keys to
be created.
More information at:
http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html
--
Regards
Chris
A 100% Microsoft free computer
Registered Linux User 283774 http://counter.li.org
7:22pm up 10:18, 2 users, load average: 0.02, 0.09, 0.04
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
