ietf-openpgp

Re: private key language

2005-12-28 10:48:40

On Wed, Dec 28, 2005 at 04:17:40PM +0100, Daniel A. Nagy wrote:
> On Wed, Dec 28, 2005 at 09:12:44AM -0500, David Shaw wrote:
> > What weakness in the private key format are you referring to?
>
> The Klima-Rosa attack: the private material is not bound cryptographically
> to the public material, thus by changing the public material, the attacker
> can reconstruct the private material from just one (corrupted) signature,
> and forge that signature to cover up the attack.
>
> Please read the Klima-Rosa paper (poor English, but good content), for more
> details.

Sure, I know about the Klima-Rosa attack, but I was under the
impression that the SHA-1 protected secret key format (S2K 254)
prevents the attack.  The text in 5.5.3. Secret Key Packet Formats
certainly says so:

  The reason for this is that there are some attacks on the private
  key that can undetectably modify the secret key. Using a SHA-1
  hash prevents this.

David
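
Added example, not part of the original message and not taken from any OpenPGP implementation: a pre-signing check for a DSA key that tests both the SHA-1 trailer over the secret MPIs (as in S2K usage 254) and the binding between the secret value and the public fields stored beside it. The toy parameters, the dictionary layout and the function names are constructed for illustration; real key sizes and primality tests are omitted.

```python
import hashlib

def mpi(n: int) -> bytes:
    """OpenPGP MPI encoding: 16-bit big-endian bit count, then the magnitude."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def secret_hash(secret_mpis) -> bytes:
    """SHA-1 over the plaintext secret MPIs only; public fields are not input."""
    return hashlib.sha1(b"".join(mpi(v) for v in secret_mpis)).digest()

def hash_ok(key) -> bool:
    """Integrity of the secret portion: detects changes to x, nothing else."""
    return secret_hash([key["x"]]) == key["sha1"]

def dsa_binding_ok(key) -> bool:
    """Check that secret x really belongs to the stored public (p, q, g, y)."""
    p, q, g, y, x = (key[k] for k in "pqgyx")
    return (
        (p - 1) % q == 0          # q divides p - 1
        and 1 < g < p
        and pow(g, q, p) == 1     # g generates the order-q subgroup
        and 0 < x < q
        and pow(g, x, p) == y     # public value matches the secret one
    )

def safe_to_sign(key) -> bool:
    """Refuse to sign unless both checks pass."""
    return hash_ok(key) and dsa_binding_ok(key)

# Constructed toy key (far too small for real use): y = g^x mod p.
KEY = {"p": 23, "q": 11, "g": 4, "y": 8, "x": 7}
KEY["sha1"] = secret_hash([KEY["x"]])

# The same stored key with one public field altered; secret part untouched.
TAMPERED = dict(KEY, g=5)

if __name__ == "__main__":
    for name, k in (("original", KEY), ("tampered", TAMPERED)):
        print(name, "hash_ok:", hash_ok(k), "binding_ok:", dsa_binding_ok(k))
```
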