Lutz Donnerhacke <lutz(_at_)iks-jena(_dot_)de> writes:
PGP2.6.3(i)n is fixed against all those types of attacks (and I had
a look on buffer overflows).
you should mention that on the ietf open pgp list.
I posted the announcement some minutes ago to the usenet.
OK. CC: ML
ftp://ftp.iks-jena.de/mitarb/lutz/crypt/software/pgp/pgp263in/
I've just decided that I won't implement a similar check for the DSA
case (actually, I've implemented it already, but I won't recommend its
use). The situation is much too murky. Maybe a relative proof of
security can be obtained, but I very much doubt it. (Peter Gutmann
told me about a different attack against unprotected DSA parameters,
the whole situation doesn't look very promising at all.) IMHO, the
problem can only be addressed in a safe way if the format is changed.
Implementations can already do this on their own, of course, but
there's still the problem that the standard is really misleading in
this area.
Unfortunately, this is not the first problem due to the attempt to
minimize the amount of data which is cryptographically protected, a
rather questionable design goal. It's not hard to spot the pattern in
the list of past problems with OpenPGP and OpenPGP-derived
protocols. :-(
BTW: With RSA keys, GnuPG is not as reliable as it could be (it
doesn't check the computed signatures and performs only a simple
consistency check), but it's not vulnerable to the described attack.
The situation is much better with RSA keys anyway because the secret
key packet contains all necessary information in the encrypted area.
I whish it were true for DSA as well. :-/
--
Florian Weimer
Florian(_dot_)Weimer(_at_)RUS(_dot_)Uni-Stuttgart(_dot_)DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898