On Wed, Dec 28, 2005 at 06:33:18PM +0100, Daniel A. Nagy wrote:
> On Wed, Dec 28, 2005 at 12:11:23PM -0500, David Shaw wrote:
> > Sure, I know about the Klima-Rosa attack, but I was under the
> > impression that the SHA-1 protected secret key format (S2K 254)
> > prevents the attack. The text in 5.5.3. Secret Key Packet Formats
> > certainly says so:
> >    The reason for this is that there are some attacks on the private
> >    key that can undetectably modify the secret key. Using a SHA-1
> >    hash prevents this.
> > David
> No, this is, unfortunately, not the case, as only the secret material is
> hashed. In the Klima-Rosa attack, the secret material is not touched; it is
> the public material that is altered.
There is certainly some K-R exposure in modifying the secret key, as
that is what prompted the SHA-1 protected secret key format in the
first place.
It's a shame that the hash only covers the secret material and not the
copy of the public material in the secret key.
David
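
The coverage gap discussed in this thread, as an added example that is not part of the original messages: a SHA-1 check computed over the secret MPIs alone still passes after the stored copy of the public MPIs is changed, while a check that also covers the public copy fails. The dictionary layout, function names and toy DSA-style numbers are constructed for illustration, and the secret-key encryption step is left out (the check is shown on the already decrypted fields).

```python
import hashlib
import hmac

def mpi(n: int) -> bytes:
    """OpenPGP MPI encoding: two-octet bit count, then big-endian magnitude."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def build_key(public, secret):
    """Simplified secret key record (constructed layout, not a real packet parser)."""
    secret_bytes = b"".join(mpi(n) for n in secret)
    return {
        "public": b"".join(mpi(n) for n in public),   # copy of the public MPIs
        "secret": secret_bytes,                       # secret MPIs (decrypted form)
        "sha1": hashlib.sha1(secret_bytes).digest(),  # hash covers the secret MPIs only
    }

def check_secret_only(key) -> bool:
    """Integrity check as described in the thread: only the secret material is hashed."""
    return hmac.compare_digest(hashlib.sha1(key["secret"]).digest(), key["sha1"])

def digest_with_public(key) -> bytes:
    """Hypothetical wider check value: hash of public copy followed by secret MPIs."""
    return hashlib.sha1(key["public"] + key["secret"]).digest()

def check_with_public(key, expected: bytes) -> bool:
    return hmac.compare_digest(digest_with_public(key), expected)

# Constructed toy DSA-style values: p, q, g, y public; x secret.
P, Q, G, X = 23, 11, 4, 7
Y = pow(G, X, P)

ORIGINAL = build_key([P, Q, G, Y], [X])
FULL_DIGEST = digest_with_public(ORIGINAL)  # recorded while the key is known good

# Stored key whose public copy has been changed (g replaced), secret part untouched.
TAMPERED = dict(ORIGINAL, public=b"".join(mpi(n) for n in [P, Q, 5, Y]))

if __name__ == "__main__":
    print("secret-only check, original :", check_secret_only(ORIGINAL))
    print("secret-only check, tampered :", check_secret_only(TAMPERED))
    print("wider check, original       :", check_with_public(ORIGINAL, FULL_DIGEST))
    print("wider check, tampered       :", check_with_public(TAMPERED, FULL_DIGEST))
```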