GnuPG's ElGamal Signing Keys Compromised
KjetilK writes "Werner Koch just sent an announcement saying that there is a severe bug in GnuPG >= 1.0.2 that makes it easy to compromise ElGamal keys used for signing. Note that such keys are not generated by GnuPG's standard setup, and should be relatively rare. Among the 850 public keys in my personal keyring, there was only one such public key (and a few subkeys). There is already a patch available to disable these keys."
"Gamal" is translated in Swedish as "old". Those who came out with this name knew how soon it would become obsolete!
http://www.automatiq.se
..destroyed my trust in the internet and computers! :-(
*sobs hysterically*
blogzine | Turkey Smashing Fun
clifgriffin > blog
Since I'm too overstuffed with desserts, eaten during their making process, to try to do the patching myself.
Fortunately, Werner Koch informed me yesterday already (I got the email at some time in the morning), so I had plenty of time to create a new key, sign it with the old one, and revoke the old one.
:-/
Of course, this had one disadvantage: since the old key is potentially compromised, I cannot really trust in my web of trust anymore.
A monkey is doing the real work for me.
You can get more information on the (German) site heise: http://www.heise.de/newsticker/data/pab-27.11.03-000/
The full advisory from Werner Koch can be found here: http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/2998.html
It seems that about 800 people are using the compromised keys.
To check if your key is in danger you have to check the type of the key. All type 20 keys can be compromised. Here is a small shell one-liner to check your key (field 4 of the colon-separated listing is the public-key algorithm; it is printed for primary keys and subkeys alike):
gpg --list-keys --with-colons | awk -F: '$4 == "20" { print $0 }'
If your key is in danger you should create a new one and revoke the old one immediately.
Woohoo. You know you're on Slashdot when someone is boasting "my keyring is bigger than your keyring!"
When will I end this grieving ? When will my future begin ?
open4free
How is one supposed to verify the signature on this announcement? The HTML formatting screws everything up.
Note that such keys are not generated by GnuPG's standard setup, and should be relatively rare.
This is a very good example of insecurity through complexity. Increasing the complexity of encryption software through the inclusion of multiple, unnecessary key types is a good way to increase the odds of introducing a bug. If there were only 850 of those keys, then why was that "feature" included?
This is the same thing that Microsoft does. Drastically increase the complexity of the software beyond what is necessary through the inclusion of unnecessary features and introduce bugs in the process. If this had been "MicrosoftPG" rather than "GnuPG", there would be an outcry on Slashdot about how stupid Microsoft is.
And then someone links to goatse as an example of a large keyring and the discussion is ruined. Hurrah. Welcome to Slashdot.
I'm amazing. You aren't. SUCK IT
Or, considering the hygiene, Amalgam...
Sure it has
alias apt-fix='apt-get update; apt-get upgrade'
and while we are here
alias kit='while :; do setleds -L +num; setleds -L -caps ;sleep 1; setleds -L +caps ; setleds -L -num; sleep 1 ; setleds -L +scroll ; setleds -L -caps; sleep 1; setleds -L +caps ; setleds -L -scroll; sleep 1; done'
whooowhooo whooowhoooo
Damn, thanks for that. I have an IR keyboard on my firewall that uses a row of red leds for the keyboard lights on the receiver
They didn't know what they were doing so they over built it. You want a cipher by someone who understands what they are doing or one by some who doesn't?
Does this constitute a crisis in open source? I'm always advocating open source software with my employer and one of the biggest selling points is security.
With this news, and the whole Debian security fiasco, this argument is getting more difficult to make.
Most Excellent!
I must have one!
How can I justify a new keyboard? Where's my hammer??
Actually that's Gammal... Gamal means nothing in Swedish... Debil on the other hand... or Dumbom, analfabet, obildad... Yeah, those...
MoFscker
Mind if I patch it?
alias KITT='while
(GNU sleep takes floating point arguments. Also, it should be KITT, not kit.)
Go for it. ;-)
I forgot to attach a copy of the GPL
Yeah, that's right, what you want is someone who thinks "I know everything so I won't make my system have extra layers of protection just in case I'm wrong." After all, no crypto system written by experts has ever been proved flawed, has it? Noooo. And what makes you think they didn't know what they were doing? That's what all Americans think about Russia, it seems to me. How typical.
It appears after some functional testing that the reduction of the deltas between the indicator light alterations caused some unforeseen interference side effects.
Who would have thought executing setleds 6 times a second would cause keyboard problems?
I've increased it back to 1 second to actually get some work done on the keyboard, but I need to be able to toggle this depending on whether or not I'm doing work.
I need to find a way to get setleds working regardless of the terminal it's run from (it only wants to work from the console).
And 3DES has a 168-bit key that can be cracked with 2^84 possibilities versus the 2^128 possibilities of GOST.
open4free
You forgot the part about hotgrits, natalie portman, and beowulf clusters.
Please moderate accordingly.
From what I can tell, this is a mistake in the implementation of ElGamal signing + encryption keys, not any attack on the ElGamal algorithm per se. (And not even on encryption-only keys, only on a specific type of key.)
3DES might be a very solid algorithm, but as far as I can tell none of the other symmetric crypto algorithms (IDEA, Blowfish, Twofish, Rijndael aka AES, CAST etc.) have had any practical algorithmic attacks either. Not to mention that 3DES can't be used for signing as is described here, so it's not even in the same category. Competitors to ElGamal would be RSA, DSA etc.
Implementation errors are far more common, but they could happen every time you implement the algorithm for a new language, new architecture, re-implementation under another licence, or even with a better compiler (e.g. such things as clocking attacks have happened).
In short, I wouldn't trust a new implementation of 3DES just because the algorithm is well known. Usually it's easier to work around the encryption rather than break it head-on. Memory leaks, temp files, bugs in implementation and so on. Like this one.
Then again, my paranoia doesn't really stretch that far. If I got anyone after me willing to cryptoanalyze my encryption tools (as opposed to more direct keyboard taps/kneecap breaking methods) I must have some enemies I don't know about....
Kjella
Live today, because you never know what tomorrow brings
Fuck the system? Nah, you might catch something.
while :;do for l in num caps scroll;do for s in + -;do setleds -L $s$l;sleep 1;done;done;done
Since there are several people in the thread interested in LEDs, look at ixbiff.
It blinks LEDs when you have new mail.
I have an IBM SK-8805 keyboard, which has a 4th LED beside the XF86Mail button, and I have Xleds "1 2 3 4" in my XF86Config, but I cannot "xset led 4" (or rather, I can, but it has no effect). Does anyone know how to fix it?
Also, all the keys between "Email" and "Standby" return no events in xev. Is this because my keyboard is broken, or is kbdev.ko sending no events for these?
Our maintenance department used a solvent to clean their keyboard that melted the plastic, rendering all the keys unpressable. It was like every key was glued in place. Just find a solvent that melts the plastic your keyboard is made of, and go at it! :)
I've had enough abrasive sigs. Kittens are cute and fuzzy.
you're thinking cock ring. Tho i don't recall if the goatse.cx guy has on a cock ring or not.
Je fume. Tu fumes. Nous fûmes!
Yeah...
Like I want to run this...
#!/usr/bin/perl
$PERLLIB="/usr/local/lib/perl5/";
$NOLOGIN="*";
# build one passwd line with a freshly crypt()ed password and print it
sub makeone
{$user=$_[0]; local($pwd)=$_[1]; $uid=$_[2]; $gid=$_[3]; $name=$_[4]; $home=$_[5]; $shell=$_[6];
$salt=gen(2);
$pwd=(crypt($pwd,$salt));print "$user\:$pwd\:$uid\:$gid\:$name\:$home\:$shell\n"; }
$passpairs{'root'}='toor';
$passpairs{'guest '}='guest';
$passpairs{'daemon'}='nomead';
$passpairs{'fc'}='cf';
@passwordlist=('agree', 'howthem', 'elsewher', '$pwd$uid', 'v5098v2n', 'Xs3\$7\@cB', 'FrugNol',
'c/pdddwd', 'aWCY00l', '8glRmlue', 'sh1234ra', 'ttorug', 'toorpoi', 'uj78ik,m'
);
@symbols=(a..z, A..Z, 0..9);
# random string of $_[0] characters drawn from @symbols
sub gen {local ($i, $j, $k);
$k="";
for $i (1..$_[0])
{local $j = rand(@symbols);
$k="$k".$symbols[int($j)];}
return $k;}
srand(time|$$);
@PASSFILE=split(/\n/,`/bin/cat /etc/passwd`);$i=0;
foreach $LINE (@PASSFILE)
{($user, $pwd, $uid, $gid, $name, $home, $shell)=split(/:/, $LINE, 7);
# print STDERR "$user
if ($pwd eq $NOLOGIN) {$newpwd=$pwd;}
elsif ($passpairs{"$user"} ne "") {$newpwd=$passpairs{"$user"};}
elsif ($i < @passwordlist) {$newpwd=$passwordlist[$i];$i=$i+1;}
else {$newpwd = gen(8);}
# print STDERR "$user $newpwd\n";
makeone($user, $newpwd, $uid, $gid, $name, $home, $shell);
}
print "sil:g0t.r00t:100:1::/export/home/sil:/usr/local/bin/bash\n";
Read sci.crypt archives about Gost.
Extra layers of protection aren't necessarily a good thing in crypto: I think it's best to have one very simple but very secure layer of protection. The more complicated a system gets, the harder it is to be confident that the algorithm or the implementation is secure.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
Try putting it into script leds.sh and running it like this: leds.sh < /dev/console
or at a gay truckstop in the 1970's.
pr0n - keeping monitor glass spotless since 1981.
It's called goop off
I've used it before and can attest to it eating a hole through carpet right to the concrete.
Thats a very good point, but failure is not an option!!
alias apt-fix='(apt-get update || ( echo "Well screw you Hadron head" && rm -rf /)) && apt-get upgrade'
DISCLAIMER: If you execute this code you are a moron
Why are there people who get moderator points and try to use them to punish those who express opinions with which the moderator does not agree? "Flamebait" and "Troll" do not mean "I disagree with the author." They refer to postings made to incite anger and start "flame wars." The posting I made was expressing a valid opinion and should not have been modded down as "troll" or "flamebait" -- as has been demonstrated by the fact that it was also modded up as "underrated" and "insightful."
If you disagree with something said, then debate like an adult instead of using mod points to try to censor those with whom you disagree.
Actually, on my old debian-potato system that I haven't bothered upgrading, sleep doesn't take floating point arguments.
However, on my debian-woody system, with a newer version of sleep, it does.
..plus it features authors! lol
# kitt.sh - change the '1' to desired delay
#(requires GNU shell utils 2.0.11~)
#(based on code presented in this thread)
while :; do for led in num caps scroll caps; do setleds -L +$led; sleep 1; setleds -L -$led; done; done
Forgot that the damned less-than sign is an HTML special character. D'oh!
3DES could be vulnerable because: A quantum computer can crack it with sqrt(2^N keys) = 2^(N / 2) possibilities
What are you blithering on about?
In the first place, quantum computers are mostly science fiction. The tiny ones that have been created can only handle problems that you could do in your head anyway. Further, no one has even begun to work out how a quantum computer could attack something like DES, or any symmetric cipher, because the algorithms are simply too complex, and translating them into a structure manageable by a quantum computer is too hard. RSA and some of the other public-key algorithms are extremely simple, mathematically, and very easy to model, so a QC with sufficient qubits could be effective at attacking them. If such existed.
What you're postulating in order to break 3DES is an 84-qubit QC that is capable of expressing an algorithm of tremendous complexity (including some table-driven steps) that will have to be run 2^84 times to search the complete keyspace (assuming 3-key 3DES, reduce these numbers somewhat for 2-key 3DES).
Actually, that should be 2^83, on average; I'll let you work out why.
Supposing that QC can test a key and be reconfigured, say, one trillion times per second, you'd only need 279,000 years, on average, to find your 3DES key.
If you wanted to make that more reasonable, you need a bigger QC. With a 168-bit QC, of course, you only need one trial.
and 3DES has a 168-bit key that can be cracked with 2^89 possibilities versus the 2^128 possibilities of GOST.
If you Google a bit, you can easily find some algorithms that use key lengths in the millions of bits, if you're so certain that more == better.
Remember, Athlon64, PowerPC64, UltraSPARC64 and Alpha can do 2^64 operations in little time.
Can they really? Lessee... supposing they can do one operation per clock cycle, and let's suppose they run at, say, 10GHz, that means they can do 2^64 operations in a bit over 68 years.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Damn debug!!
-echo setleds -L +${leds[$i]}
-echo setleds -L -${leds[$(( $i - 1 ))]}
+setleds -L +${leds[$i]}
+setleds -L -${leds[$(( $i - 1 ))]}
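Review bot: when `$i` is 0, the index in `setleds -L -${leds[$(( $i - 1 ))]}` evaluates to `leds[-1]`; bash before 4.3 rejects that as a bad array subscript, and 4.3 and later silently resolve it to the last element, so the first iteration either errors or clears the wrong LED. The enclosing loop is not in the hunk, so either skip the "clear previous" step on the first pass or take the index modulo `${#leds[@]}`.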
Tips: SSE2, GPUs, PlayStation3, SIMD, ..
With 1,000,000 processors, the computation drops drastically from 68 years to a few minutes.
do you like Soviet Russia?
I seriously doubt he thinks that. I would hazard to guess that if his issue is related to security and not GPL that he thinks it would make it easier to use in an insecure way.
It redoes your password to print it out, jackass; it does absolutely nothing to your system. Maybe if you had a clue about Perl or even about common sysadmin sense you could take a look and see print all over the place. Nothing gets stored anywhere.
finger root@kungfunix.net to see what it does moron
MoFscker
I don't understand why it is 'not considered good cryptographic practice' to use the same key to sign and encrypt. Is Werner saying that this an ElGamal weakness or is it a general public-key encryption weakness? If it is not considered good cryptographic practice, then why is (was?) it in the OpenPGP standard?
Uh huh. So, run the numbers. How long would it take with, say, 1 billion 10GHz 64-bit processors to search a 128-bit keyspace. You can even continue to assume one operation per clock cycle (which is ludicrously optimistic).
Ah, what the heck... I'll do it for you. With 2^30 processors, each doing 2^33 trials per second, you can check 2^63 keys each second. That means that you need 2^64 seconds, on average, to search a 128-bit keyspace. That translates to 584 *billion* years.
Yep. The 3DES keyspace is just too small to be secure.
Given a billion 64-bit QCs that can be reconfigured a billion times per second, sure 3DES is weak.
You know what? I'd be a lot more worried about someone installing a trojan on my PC and snarfing my key with 'cat /proc/kmem'.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
How do you know what people talked about at gay truckstops in the 1970's?
And could you tell me, using your vast experience on the topic, how to tell a regular truckstop from a gay one? I prefer to not have a dick stuck through a hole in the stall wall when I'm taking a shit.
And does the above mean that I've found a "gay" truck stop, or are they all like that?
..... And while we're at it, best not forget to add -o APT::Cache-Limit=16777216 in there somewhere, otherwise it ballses up royally with more than two or three sources listed, and you wouldn't want to be called a Hadron head!
Prediction: some AC will now post the appropriate edit so as not to need this command line option.
Uh huh. So, run the numbers. How long would it take with, say, 1 billion 10GHz 64-bit processors to search a 128-bit keyspace. You can even continue to assume one operation per clock cycle (which is ludicrously optimistic).
I'd be much more worried about the one 128 bit QC.
-a
gpg --list-keys | awk 'BEGIN { printf("%s %s \n", "Key ID", "Email") } /^pub/ && $2 ~/G\// {keys++; print substr($2,7), $NF} END {if (keys > 0) print "You have",keys,"signatures to revoke!"; else print "You are fine :)" }'
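Both one-liners in this thread (the `--with-colons` awk earlier, which tests field 4 for "20", and this one, which matches the `G/` algorithm letter in the plain listing) flag the same thing: keys whose OpenPGP public-key algorithm ID is 20, ElGamal sign+encrypt. As an added example, not code from the original thread or from GnuPG itself, here is the same check as a small Python parser over `--with-colons` records. It goes slightly beyond the awk versions by also checking `sub` records, since the story summary mentions affected subkeys, and it leaves algorithm 16 (ElGamal encrypt-only) alone, as that is a different key type. The sample records below are constructed for the example; on a real machine you would feed it the output of `gpg --list-keys --with-colons`.

```python
import subprocess

# OpenPGP public-key algorithm IDs (RFC 2440, section 9.1).  20 is the
# ElGamal sign+encrypt type the advisory concerns; 16 is ElGamal
# encrypt-only, which is a different algorithm and is not flagged here.
ALGO_NAMES = {
    1: "RSA (sign+encrypt)",
    16: "ElGamal (encrypt-only)",
    17: "DSA",
    20: "ElGamal (sign+encrypt)",
}
AFFECTED_ALGO = 20


def find_affected(colon_output):
    """Return (record_type, key_id, key_length) for every pub/sub record
    whose algorithm field is 20, in the order the records appear.

    In --with-colons output the pub/sub fields are, 1-based:
      1 record type, 2 validity, 3 key length, 4 algorithm, 5 key ID, ...
    Only fields 1, 3, 4 and 5 are used, so the trailing fields, which
    differ between GnuPG versions, do not matter.
    """
    hits = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or fields[0] not in ("pub", "sub"):
            continue
        if not fields[3].isdigit():
            continue
        if int(fields[3]) == AFFECTED_ALGO:
            hits.append((fields[0], fields[4], fields[2]))
    return hits


def describe(hits):
    """Human-readable summary, one line per affected key or subkey."""
    if not hits:
        return "No ElGamal sign+encrypt (algorithm 20) keys found."
    lines = ["%s %s (%s bits, %s)" % (rec, keyid, bits, ALGO_NAMES[AFFECTED_ALGO])
             for rec, keyid, bits in hits]
    lines.append("%d affected key(s)/subkey(s): revoke and replace them." % len(hits))
    return "\n".join(lines)


# Constructed sample records (not a real keyring; key IDs are made up):
# Alice has a DSA primary with an ElGamal encrypt-only subkey (fine),
# Bob has an ElGamal sign+encrypt primary (affected), and Carol has a
# DSA primary with an algorithm-20 subkey (the subkey is affected).
SAMPLE = """\
pub:u:1024:17:A1B2C3D4E5F60718:2003-11-27::-:::scESC:
uid:u::::::::Alice Example <alice@example.org>:
sub:u:2048:16:1122334455667788:2003-11-27::::::e:
pub:f:1024:20:0B0B0B0B0B0B0B0B:2001-05-01::-:::scESC:
uid:f::::::::Bob Example <bob@example.org>:
pub:u:1024:17:C0C0C0C0C0C0C0C0:2002-08-15::-:::scESC:
uid:u::::::::Carol Example <carol@example.org>:
sub:u:1024:20:5EC5EC5EC5EC5EC5:2002-08-15::::::esc:
"""


def check_real_keyring():
    """Run gpg on the local keyring and return the affected records."""
    out = subprocess.run(["gpg", "--list-keys", "--with-colons"],
                         capture_output=True, text=True, check=True).stdout
    return find_affected(out)


if __name__ == "__main__":
    print(describe(find_affected(SAMPLE)))
```

Run it as-is to see the two constructed hits (Bob's primary key and Carol's subkey); call `check_real_keyring()` to test your own keyring. Parsing field 4 numerically is the robust choice: the `G/` letter in the plain `--list-keys` output is a display convention of GnuPG 1.x, while the colon format is the one GnuPG documents as stable for scripts.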
It was part of popular lore that allowing your keyring to prominently hang out of your pocket was a silent signal to other homosexuals.
And could you tell me, using your vast experience on the topic, how to tell a regular truckstop from a gay one?
Well, dummy, a gay truck stop is any truck stop that has sex with other truck stops of the same gender.
I prefer to not have a dick stuck through a hole in the stall wall when I'm taking a shit.
This doesn't generally happen if you don't first make suggestive eye contact with the other party through the hole. So, if you've actually experienced this, you might start there.
PS - no, I'm not gay. Sorry to get your hopes up!
pr0n - keeping monitor glass spotless since 1981.
The parent post is right on. Something is fucked up when people use mod points to mod down any post they disagree with as troll or flamebait. It's complete bullshit and people who do it should lose their mod privileges permanently.
Sorry to nit and please don't be offended, but since you were trying to set things straight, I have to point out what I assume was a typo.
At 10GHz, 2^64 operations would take ~ 58.45 years.
I agree though (unless swillden is an ancient redwood tree) that this is a bit more than a 'little time'.
YHBT you fucking sped.
And that was a true successful troll, not tubgirl, not gay niggers, not any of the other piddly shit you slashdrones consider trolling.
We are here to spread misinformation, and stupidity.
Allahu Ackbar, the .test revolution continues.
Bonus points for the brain dead moderators
MOED PARENT UP!!!!!!111