Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

2017-07-13 Thread Werner Koch
On Wed,  5 Jul 2017 21:39, gnupg-users@gnupg.org said:

>>   libgcrypt v<=?
>
> Probably all versions up to 1.7.7, starting from at least 1.2.0 (which
> is the oldest I could find).

Actually starting at 1.6.0 which introduced the sliding window method to
catch up performance losses due to other side channel attack
mitigations.  Earlier versions than 1.6 may be affected by other side
channel attacks.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

2017-07-06 Thread Bernhard Reiter
Am Mittwoch 05 Juli 2017 21:39:26 schrieb Marcus Brinkmann via Gnupg-users:
> Caveat: I have only looked at the code of the oldest and newest
> versions.  Remember that old versions may not even have 64-bit support,
> so they run on different CPU architectures.  But the code is essentially
> the same as the vulnerable code in libgcrypt 1.7.7 for these:

> Probably all versions up to 1.7.7, starting from at least 1.2.0 (which
> is the oldest I could find).

Thanks for your useful examinations.

> >   GnuPG v1.?
> Probably all versions from 1.0.4 up to 1.4.21.  (I could not find 1.0.3,
> which according to the NEWS file is the first version with RSA support).
>
> I made a backport of the patch for GPG 1.4.21 here:
> https://dev.gnupg.org/D438

Yes good, though Werner's comment there shows that there will be more things
to consider.

Like:

> I have also found a paper that indicates that the exponent blinding
> defense is not as solid as one might think naively,

> Preprint available at https://eprint.iacr.org/2014/869.pdf

My conclusion for users so far is:
The side-channel attack from CVE-2017-7526 and related side-channel attacks
and implementation fixes are under active examination by the GnuPG-Dev team.

My current understanding:
To prevent exploitation for GnuPG 1.4: prevent other users on the machine.
To be extra sure: Do not share a machine by VMs (unless they are well 
separated.)
For GnuPG 2.1: Update to a version using libgcrypt 1.7.8 or later
(or alternatively apply the same measures as for GnuPG 1.4).

We should take in depth discussions to gnupg-devel@ I guess.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

2017-07-05 Thread Marcus Brinkmann via Gnupg-users
On 07/05/2017 04:13 PM, Bernhard Reiter wrote:
> Am Dienstag 04 Juli 2017 18:30:28 schrieb Werner Koch:
>> On Tue,  4 Jul 2017 12:05, joh...@vulcan.xs4all.nl said:
>>> Is 1.4 vulnerable to this attack as well? I know it does not use
>>> libgcrypt but I'm not sure about the vulnerability.
>>
>> Maybe.  And probably also to a lot of other local side channel attacks.
>
> In general I think it would be useful to have information available that
> shows which versions of GnuPG and libgcrypt are exposed to this or other
> weaknesses and what the consequences are.
>
> People now know that there are versions
> with this vulnerability and without it.
>
> My concept so far:
> not vulnerable:
>   libgcrypt 1.7.8
>   libgcrypt 1.8 -beta since commit
> Thu, 29 Jun 2017 04:11:37 +0200 (11:11 +0900)
> 8725c99ffa41778f382ca97233183bcd687bb0ce
>
> vulnerable

Caveat: I have only looked at the code of the oldest and newest
versions.  Remember that old versions may not even have 64-bit support,
so they run on different CPU architectures.  But the code is essentially
the same as the vulnerable code in libgcrypt 1.7.7 for these:

>   libgcrypt v<=?

Probably all versions up to 1.7.7, starting from at least 1.2.0 (which
is the oldest I could find).

>   GnuPG v1.?

Probably all versions from 1.0.4 up to 1.4.21.  (I could not find 1.0.3,
which according to the NEWS file is the first version with RSA support).

I made a backport of the patch for GPG 1.4.21 here:

https://dev.gnupg.org/D438

I have also found a paper that indicates that the exponent blinding
defense is not as solid as one might think naively, and in which the
author indicates that OpenSSL defended against these kind of attacks
conclusively in 0.9.8f (Oct 2007). I have only glanced over the claims,
but it's certainly intriguing:

Schindler, W.: Exclusive Exponent Blinding May Not Suffice
to Prevent Timing Attacks on RSA (2015), Bundesamt für Sicherheit in der
Informationstechnik

Preprint available at https://eprint.iacr.org/2014/869.pdf








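The exponent blinding that Marcus's message and the Schindler paper discuss is easiest to see on a toy key. The following is an added example, not code from libgcrypt or from anyone in this thread; the RSA parameters are constructed and far too small for real use, and it uses plain square-and-multiply with a recorded operation trace instead of libgcrypt's sliding-window code, because the leakage principle (the sequence of squarings and multiplications follows the exponent bits) is the same. It shows that blinding leaves the decryption result unchanged while making the processed exponent, and hence the operation trace, differ on every call.

```python
import secrets

# Constructed toy RSA parameters (far too small for real use; chosen only so
# the arithmetic is easy to follow).
P, Q = 61, 53
N = P * Q                 # 3233
PHI = (P - 1) * (Q - 1)   # 3120
E = 17
D = pow(E, -1, PHI)       # 2753, the private exponent


def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation that records the operations it
    performs: 'S' for a squaring, 'M' for a multiplication by the base.

    The recorded string mirrors the bit pattern of exp, which is the kind of
    key-dependent control flow a cache side channel such as flush+reload can
    observe.  (libgcrypt uses a sliding-window variant; the leakage principle
    is the same.)"""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":
            result = (result * base) % mod
            trace.append("M")
    return result, "".join(trace)


def blind_exponent(d, phi, rng=secrets.randbits, rbits=32):
    """Exponent blinding: d' = d + r*phi for a fresh random r >= 1.

    m**(d + r*phi) == m**d (mod n) for every m (Euler's theorem, extended by
    a CRT argument to m not coprime to n), so the result is unchanged while
    the exponent bits actually processed differ on every call."""
    r = rng(rbits) | 1            # force r odd, hence non-zero
    return d + r * phi


def rsa_private_unblinded(c):
    """Secret-key operation with the raw exponent: same trace every time."""
    return square_and_multiply(c, D, N)


def rsa_private_blinded(c, rng=secrets.randbits):
    """Secret-key operation with a freshly blinded exponent."""
    return square_and_multiply(c, blind_exponent(D, PHI, rng), N)


if __name__ == "__main__":
    c = pow(65, E, N)          # encrypt the message 65 -> 2790
    m1, t1 = rsa_private_unblinded(c)
    m2, t2 = rsa_private_blinded(c)
    m3, t3 = rsa_private_blinded(c)
    print(m1, m2, m3)          # all 65
    print(t1)                  # fixed, mirrors the bits of D
    print(t2 == t3)            # almost always False: trace changes per call
```

The `rng` parameter exists so the blinding can be made deterministic for a test; in real use it must be a cryptographic source of randomness, and as the paper Marcus cites argues, blinding the exponent alone is not a complete answer to timing attacks.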

Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

2017-07-05 Thread Bernhard Reiter
Am Dienstag 04 Juli 2017 18:30:28 schrieb Werner Koch:
> On Tue,  4 Jul 2017 12:05, joh...@vulcan.xs4all.nl said:
> > Is 1.4 vulnerable to this attack as well? I know it does not use
> > libgcrypt but I'm not sure about the vulnerability.
>
> Maybe.  And probably also to a lot of other local side channel attacks.

In general I think it would be useful to have information available that 
shows which versions of GnuPG and libgcrypt are exposed to this or other 
weaknesses and what the consequences are.

People now know that there are versions
with this vulnerability and without it.

My concept so far:
not vulnerable:
  libgcrypt 1.7.8
  libgcrypt 1.8 -beta since commit
Thu, 29 Jun 2017 04:11:37 +0200 (11:11 +0900)
8725c99ffa41778f382ca97233183bcd687bb0ce

vulnerable 
  libgcrypt v<=?
  GnuPG v1.?

Best regards,
Bernhard
-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

2017-07-04 Thread Peter Lebbing
On 04/07/17 21:03, Johan Wevers wrote:
> Is that going to be fixed, or is 1.4 now really considered EOL?

I think you need to see it in the context of this part of the announcement:

> Allowing execute access to a box with private keys should be considered
> as a game over condition, anyway.  Thus in practice there are easier
> ways to access the private keys than to mount this side-channel attack.

If you're worried about cross-VM crypto attacks, perhaps host your essential
crypto on a box that doesn't host potentially hostile VMs. Security has its
cost, or: there's no such thing as a free lunch.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

2017-07-04 Thread Johan Wevers
On 04-07-2017 18:30, Werner Koch wrote:

>> Is 1.4 vulnerable to this attack as well? I know it does not use
>> libgcrypt but I'm not sure about the vulnerability.
> 
> Maybe.  And probably also to a lot of other local side channel attacks.

Is that going to be fixed, or is 1.4 now really considered EOL?

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

2017-07-04 Thread Werner Koch
On Tue,  4 Jul 2017 12:05, joh...@vulcan.xs4all.nl said:

> Is 1.4 vulnerable to this attack as well? I know it does not use
> libgcrypt but I'm not sure about the vulnerability.

Maybe.  And probably also to a lot of other local side channel attacks.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

2017-07-04 Thread Johan Wevers
On 29-06-2017 9:28, Werner Koch wrote:

> The GnuPG Project is pleased to announce the availability of Libgcrypt
> version 1.7.8.  This release fixes a local side-channel attack.

Is 1.4 vulnerable to this attack as well? I know it does not use
libgcrypt but I'm not sure about the vulnerability.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




[Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

2017-06-29 Thread Werner Koch
Hi!

The GnuPG Project is pleased to announce the availability of Libgcrypt
version 1.7.8.  This release fixes a local side-channel attack.

Libgcrypt is a general purpose library of cryptographic building blocks.
It is originally based on code used by GnuPG.  It does not provide any
implementation of OpenPGP or other protocols.  Thorough understanding of
applied cryptography is required to use Libgcrypt.


Noteworthy changes in version 1.7.8 (2017-06-29)  [C21/A1/R8]
=============================================================

 * Bug fixes:

   - Mitigate a flush+reload side-channel attack on RSA secret keys
     dubbed "Sliding right into disaster".  For details see
     .  [CVE-2017-7526]


Note that this side-channel attack requires that the attacker can run
arbitrary software on the hardware where the private RSA key is used.
Allowing execute access to a box with private keys should be considered
as a game over condition, anyway.  Thus in practice there are easier
ways to access the private keys than to mount this side-channel attack.
However, on boxes with virtual machines this attack may be used by one
VM to steal private keys from another VM.



Download
========

Source code is hosted at the GnuPG FTP server and its mirrors as listed
at .  On the primary server
the source tarball and its digital signature are:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.7.8.tar.bz2 (2830k)
 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.7.8.tar.bz2.sig

That file is bzip2 compressed.  A gzip compressed version is here:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.7.8.tar.gz (3398k)
 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.7.8.tar.gz.sig

The same files are also available via HTTP:

 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.7.8.tar.bz2 
 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.7.8.tar.bz2.sig
 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.7.8.tar.gz 
 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.7.8.tar.gz.sig

In order to check that the version of Libgcrypt you downloaded is an
original and unmodified file please follow the instructions found at
.  In short, you may
use one of the following methods:

 - Check the supplied OpenPGP signature.  For example to check the
   signature of the file libgcrypt-1.7.8.tar.bz2 you would use this
   command:

 gpg --verify libgcrypt-1.7.8.tar.bz2.sig libgcrypt-1.7.8.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 - If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file libgcrypt-1.7.8.tar.bz2, you run the command like this:

 sha1sum libgcrypt-1.7.8.tar.bz2

   and check that the output matches the first line of this list:

65a4a495aa858483e66868199eaa8238572ca6cd  libgcrypt-1.7.8.tar.bz2
b1290e278170c638955de430699a425c2121750b  libgcrypt-1.7.8.tar.gz

   You should also verify that the checksums above are authentic by
   matching them with copies of this announcement.  Those copies can be
   found at other mailing lists, web sites, and search engines.
   

Copying
=======

Libgcrypt is distributed under the terms of the GNU Lesser General
Public License (LGPLv2.1+).  The helper programs as well as the
documentation are distributed under the terms of the GNU General Public
License (GPLv2+).  The file LICENSES has notices about contributions
that require that these additional notices are distributed.


Support
=======

For help on developing with Libgcrypt you should read the included
manual and optionally ask on the gcrypt-devel mailing list [1].  A
listing with commercial support offers for Libgcrypt and related
software is available at the GnuPG web site [2].

If you are a developer and you may need a certain feature for your
project, please do not hesitate to bring it to the gcrypt-devel
mailing list for discussion.

Maintenance and development of Libgcrypt is mostly financed by
donations; see .  We currently employ
4 full-time developers, one part-timer, and one contractor to work on
GnuPG and closely related software like Libgcrypt.


Thanks
======

We like to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, and answering questions on the mailing
lists.  Also many thanks to all our donors [3].

H