ietf-openpgp

Re: Algorithm Specific Fields for DSA secret keys

2001-03-22 04:49:33
lutz(_at_)iks-jena(_dot_)de (Lutz Donnerhacke) writes:

> * Florian Weimer wrote:
>> Okay, I missed this one.  I thought the public key components were also
>> cryptographically protected.  May I assume that the i.cz attack is targeted
>> against the unprotected public key part of the secret key packet?  Such an
>> attack seems feasible.
>
> If they do so, the attack will be /very/ interesting.

They seem to, see http://www.i.cz/pdf/pgp/OpenPGP_attack_CZ.pdf.  It's
informative even if you cannot read Czech (there's one diagram showing
the secret key packet modification, which is quite instructive).  Was
this information available to the Minneapolis meeting?  What were
their conclusions?

The attack is rather obvious, I have to say.  Before I read Hal's
reply, I assumed that all data needed for signature generation was
protected by the passphrase.  I was really surprised when I discovered
that it wasn't (at least in the DSA case; however, if you do RSA using
the Chinese Remainder Theorem, it is), and I was far less surprised
when I finally found the paper and confirmed that the attack is
mounted against the unprotected portion of the secret key.

I'm still working on a fix.  The basic question is: Is it possible to
create a set of public DSA parameters which are consistent with the
secret one, without knowing the latter?  If the answer is yes, we have
to modify the OpenPGP format, otherwise, a consistency check is
sufficient to protect against this attack.  (The consistency check
performed by GnuPG is probably not sufficient.)

-- 
Florian Weimer                    Florian(_dot_)Weimer(_at_)RUS(_dot_)Uni-Stuttgart(_dot_)DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
