ietf-openpgp

Re: Czech attack to PGP

2001-03-22 05:22:39
[This message has also been posted.]
* Florian Weimer wrote:
> They seem to, see http://www.i.cz/pdf/pgp/OpenPGP_attack_CZ.pdf.  It's

Great work.

> informative even if you cannot read Czech (there's one diagram showing
> the secret key packet modification, which is quite instructive).  Was

Yes, it is.

> The attack is rather obvious, I have to say.

Of course, every good idea is obvious afterwards.

I'm still working on a fix.

Assuming a Bellcore attack, I suggested to check it against the public key,
but there is a problem: If the major modulus of the public key is shrunk
and access to the files is assumed, there is no real reason to modify the
public key accordingly in order to fool even all the certificate checks on
my own keys. So this solution does not work.

For RSA we can fix it by regenerating the public part from the encrypted
private ones and stop working if this check fails. Afterwards we should
check the signature by the verified public key. I'll do so for PGP2.6.3(i)n.

The basic question is: Is it possible to create a set of public DSA
parameters which are consistent with the secret one, without knowing the
latter?

We could check if y = g**x mod p. If p and g are not trivial (check this!)
and x is assumed to be not published before this signing attempt, there
might be a chance to prevent a format modification.

OTOH, we do not rely on a modification anyway, the programs are free to
choose any secret key storage format they like.
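
The consistency checks proposed in the message above, written out as an added example that is not part of the original post or of any PGP code base. The function names, the Miller-Rabin helper and the toy numbers are assumptions constructed for illustration; `u` is taken to be the inverse of p mod q as in the OpenPGP secret key format.

```python
# Added illustration; the toy numbers below are constructed, not real key material.
from math import gcd

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (hypothetical helper)."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_secret_matches_public(n, e, d, p, q, u):
    """Regenerate the public part from the decrypted secret values."""
    if not (is_probable_prime(p) and is_probable_prime(q)) or p == q:
        return False
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return p * q == n and (e * d) % lam == 1 and (u * p) % q == 1

def dsa_secret_matches_public(p, q, g, y, x):
    """Reject trivial p and g first, then test y = g**x mod p."""
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False
    if (p - 1) % q != 0 or not 1 < g < p - 1 or pow(g, q, p) != 1:
        return False
    return 0 < x < q and pow(g, x, p) == y

def may_sign(algo, **key):
    """Stop working (refuse to sign) if the stored key is inconsistent."""
    check = {"rsa": rsa_secret_matches_public, "dsa": dsa_secret_matches_public}[algo]
    return check(**key)

RSA_TOY = dict(n=3233, e=17, d=2753, p=53, q=61, u=38)   # constructed
DSA_TOY = dict(p=23, q=11, g=4, y=8, x=7)                # constructed
```

A stored DSA packet with g = 1 and y = 1 satisfies y = g**x mod p for every x, which is why the triviality test runs before the equation is evaluated.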