Date: 2000-05-27

PGP: 5.x generates insecure keys


-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-

Anyone who generated their PGP key with a 5.x version would
do well to get a new one, since these versions apparently fall
short on randomness. It is just one of the many paradoxes of
these networked times that good old chance is what is
responsible for security in encryption.

-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
relayed by Michael "Secure" Sicher <sicher@sicher.at>
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
---------- Forwarded message ----------
Date: Sat, 27 May 2000 12:27:13 +0200
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Key Generation Security Flaw in PGP 5.0

The following security advisory is sent to the securiteam
mailing list, and can be found at the SecuriTeam web site:
http://www.securiteam.com


Key Generation Security Flaw in PGP 5.0
---------------------------------------


SUMMARY

A flaw has been found in the randomness gathering code of
PGP 5. PGP 5 will, under certain well-defined
circumstances, generate public/private key pairs with a small
amount of randomness, or none at all. Such keys are very
insecure.

DETAILS

Vulnerable systems: The flaw has been found in the PGP
5.0i code base. It is specific to Unix systems such as Linux
or various BSD dialects with a /dev/random device.

Immune systems: Versions 2.x and 6.5 of PGP do not share
this problem. PGP versions ported to other platforms do not
share this problem. The problem does not manifest itself
under the following circumstances:

- You typed in a lot of data while generating your key,
  including long user ID and pass phrase strings.
- A random seed file PGP 5 could use existed on your system
  before you generated the key.


However, the problem affects you in the worst possible
manner if you started from scratch with PGP 5 on a Unix
system with a /dev/random device, and created your key pair
non-interactively with a command line like this one:

pgpk -g <DSS or RSA> <key-length> <user-id> <timeout> <pass-phrase>

What to do? If you have generated your key non-interactively,
you may wish to revoke it, and create a new key using a
version of PGP that works correctly.

Details: In order to generate secure cryptographic keys, PGP
needs to gather random numbers from reliable sources, so
keys can't be predicted by attackers.

Randomness sources PGP generally uses include:

- A seed file with random data from previous sessions
- User input and input timing

Additionally, certain Unix systems such as OpenBSD, Linux,
and others, offer a stream of random data over a central
service typically called /dev/random or the like. If present,
this service is used by PGP as a source of random data.

PGP 5.0i's reading of these random numbers does not work.
Instead of random numbers, a stream of bytes with the value
"1" is read.

In practice, this implies two things:

1. PGP5 will generally overestimate the amount of
randomness available. It seems that the amount of
randomness gathered from input data, timing information, and
old random data will be sufficient for most applications. (See
below for a detailed estimate.)

2. In situations in which no other randomness sources are
available, PGP relies on the /dev/random service, and thus
uses predictable instead of random numbers. This is not a
flaw of the random service, but of the PGP5 implementation.


One particular example of such a situation is non-interactive
key generation with a virgin PGP 5 installation, as described
above.

Example:

$ mkdir /tmp/pgp5test
$ PGPPATH=/tmp/pgp5test
$ pgpk -g RSA 1024 foo@bar.com 0 "passphrase string"

In fact, RSA keys generated this way are entirely predictable,
which can easily be verified by comparing key IDs and
fingerprints.

When using DSA/ElGamal keys, the DSA signature key is
predictable, while the ElGamal encryption subkey will vary.
Note that fingerprints and key IDs of the predictable DSA
keys depend on a time stamp, and are themselves not
predictable.

Proof of concept key rings generated with PGP 5.0i are
available from http://olymp.org/~caronni/pgpbug-keyrings.tgz.
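
The advisory states that a stream of bytes with the value "1" is read in place of random data. The following is an added example, not code from the advisory or from PGP: it shows one way a gatherer can produce exactly that stream, next to a checked reader. The function names, the read() misuse shown and the sample bytes are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical flawed gatherer (not PGP source): stores read()'s return
 * value, the byte count 1, over the byte that was just read. */
static int gather_flawed(int fd, unsigned char *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)read(fd, &out[i], 1);   /* BUG */
    return 0;                       /* reports success regardless */
}

/* Corrected: keeps the data, retries EINTR, loops over short reads, and
 * fails closed on error or EOF rather than using a partial buffer. */
static int gather_checked(int fd, unsigned char *out, size_t n) {
    for (size_t got = 0; got < n; ) {
        ssize_t r = read(fd, out + got, n - got);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return 0;
}

/* Sanity check before seeding: 1 if every byte in buf is identical. */
static int all_same_byte(const unsigned char *buf, size_t n) {
    for (size_t i = 1; i < n; i++)
        if (buf[i] != buf[0]) return 0;
    return 1;
}

/* Runs one gatherer on a pipe of 8 constructed bytes (stand-in device). */
static int demo(int flawed, unsigned char out[8]) {
    static const unsigned char sample[8] = {0x9c,0x41,0xe7,0x03,0xb8,0x5a,0xd2,0x6f};
    int p[2], rc = -1;
    if (pipe(p) != 0) return -1;
    if (write(p[1], sample, sizeof sample) == (ssize_t)sizeof sample)
        rc = flawed ? gather_flawed(p[0], out, 8) : gather_checked(p[0], out, 8);
    close(p[0]);
    close(p[1]);
    return rc;
}

int main(void) {
    unsigned char a[8], b[8];
    if (demo(1, a) || demo(0, b)) return 2;
    printf("flawed same=%d checked same=%d\n", all_same_byte(a, 8), all_same_byte(b, 8));
    return 0;
}
```

The flawed reader reports success while handing back a constant buffer, which is why a seeding path should check both the return value of the read and the data it received.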

-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-

published on: 2000-05-27
comments to office@quintessenz.at