[Top] [All Lists]

Re: paper of interest to be presented at EuroCrypt

2004-03-09 14:43:27

Mike Markowitz wrote:

Since Hal just pointed to an RSA Conference paper, I thought I'd bring attention
to an OpenPGP-related paper to be presented by Phong Nguyen at EuroCrypt in May.

A goodly post, although the paper worries
me somewhat on two points, the second of
which may be germane to OpenPGP, further

The abstract sounds like old news, but perhaps list subscribers will be 

    Abstract: More and more software use cryptography. But how can one know if
    what is implemented is good cryptography? For proprietary software, one
    cannot say much unless one proceeds to reverse-engineering, and history
    tends to show that bad cryptography is much more frequent than good
    cryptography there. Open source software thus sounds like a good solution,
    but the fact that a source code can be read does not imply that it is
    actually read, especially by cryptography experts. In this paper, we
    illustrate this point by

Having read the paper here:

(at least the non heavy-crypto parts), I
think the above half-abstract is unsupported,
and probably disproven by the existence of
the paper itself.

As the paper presents no information on
anything about "good/bad cryptography"
and/or "open source" and/or "proprietary
software" and/or "reverse engineering",
it seems an out of place comment?

(As is the first paragraph of the paper

In essence, the existence of GPG as an
open source crypto system has permitted
the author to examine the software and
find some potentially useful flaws.  That
would seem to be evidence to the contrary
of the point claimed above?

>     examining the case of a basic Internet application
    of cryptography: secure email. We analyze parts of the source code of the
    latest version of GNU Privacy Guard (GnuPG or GPG), a free open source
    alternative to the famous PGP software, compliant with the OpenPGP standard,
    and included in most GNU/Linux distributions such as Debian, MandrakeSoft,
    Red Hat and SuSE. We observe several cryptographic flaws in GPG v1.2.3. The
    most serious flaw has been present in GPG for almost four years: we show
    that as soon as one (GPG-generated) ElGamal signature of an arbitrary
    message is released, one can recover the signer's private key in less than a
    second on a PC. As a consequence, ElGamal signatures and the so-called
    ElGamal sign+encrypt keys have recently been removed from GPG. Fortunately,
    ElGamal was not GPG's default option for signing keys.

This part and the paper proper looks useful!
I recall the ElGamal signing keys are already

The paper also makes some comments concerning
OpenPGP weaknesses (sans exploits) of PKCS#1 v1.5
RSA encryption and signatures (section 4.2, 4.3).

   4.2 Encryption

   As already mentioned in Section 2, GPG implements
   RSA encryption as defined by PKCS#1 v1.5.  This is
   not state-of-the-art cryptography: like with
   ElGamel, Bleichenbacker's chosen-ciphertext [4]
   can decrypt any ciphertext.  But, as mentioned
   in 3.3, the relevance of such attacks to the email
   world is debatable, in part because of the high
   number of oracle calls.  We hope that future
   versions of the OpenPGP standard, will recommend
   better RSA encryption standards (see for instance
   PKCS#1 v2.1 [20] or NESSIE [8]).

Any comments?

Presumably it is way too late in the piece to
change these methods.  My question here would be
more along the lines of whether a warning comment
should be placed in the draft document?

(Apologies for not proposing the text for that!)


PS: definately worth posting though.

[4] D. Bleichenbacker.  Generating ElGamal signatures
without knowing the secret key. In _Proc. of Eurocrypt
'96_, volume 1070 of LNCS, pages 10-18.  IACR, Springer-
Verlag, 1996.