Slashdot Mirror
GnuPG's ElGamal Signing Keys Compromised
KjetilK writes "Werner Koch just sent an announcement saying that there is a severe bug in GnuPG >= 1.0.2 that makes it easy to compromise ElGamal keys used for signing. Note that such keys are not generated by GnuPG's standard setup, and should be relatively rare. Among the 850 public keys in my personal keyring, there were only one such public key (and a few subkeys). There is already a patch available to disable these keys."
You can get more information on the (german) site heise:0 00/
s ure/2003-q4/2998.html
http://www.heise.de/newsticker/data/pab-27.11.03-
The full advisory from Werner Koch can be found here:
http://archives.neohapsis.com/archives/fulldisclo
It seems that about 800 people are using the compromised keys.
To check if your key is in danger you have to check the type of the key. All type 20 keys can be compromised. Here is a small shell script to check our key:
gpg --list-keys --with-colon | awk -F: '($4 == "20") {print $0;}
If your key is in danger you should create a new one and revoke the old one immediately.
The fact that it was there in the first place was a workaround for stupid legal issues - at the time GnuPG development started, the author wasn't sure whether DSA signatures were patented, so he allowed El Gamal keys to be used for signatures as well as encryption. It turned out DSA signatures were OK, and the default for all recent versions is to use DSA signatures with El Gamal for encryption.
The other available key types (RSA+RSA, DSA+El Gamal) are there for interoperability; I think the consensus seems to be that DSA+El Gamal is probably better, but RSA+RSA needs to be there because that's what the original PGP used.
On the other hand, I agree that it sounds from the announcement as though the optimizations that caused the flaw were unwise.
There are historical reasons. Basically, when GnuPG was first written there were still questions about the patent status of DSA, so using Elgamal signatures was allowed. This is not against the OpenPGP standard, by the way, which does allow Elgamal signatures.
Once the patent issued with DSA were worked out (if I recall, the US government bought it and made it free for any use without royalties), then GnuPG started using DSA like PGP. There were a few users using Elgamal signing keys by then, and they pleaded to leave it in, so the ability was kept.
Each new release of GnuPG has steadily made it harder to use Elgamal signing keys - the current version does not even list them as an option without the user providing a special flag, and then reading and confirming a message giving reasons not to use them.
The old PGP used RSA sign-and-encrypt keys. The same key was used for both encryption and signatures. You can only generated those keys under "expert" mode (same place you would generate ElGamal signature keys). Generate an RSA+RSA key under GnuPG and you get two keys, a primary signature key and a different encryption key. Both will be RSA. But the RSA+RSA was NOT what the old PGP used. There's good reason to have separate keys and subkeys with different functionality and attributes. But that wasn't in the original PGP.
The old PGP also used IDEA for the symetrical algorithm and that's STILL patented, so the stock GnuPG STILL doesn't contain it and you STILL can't interoperate with the old PGP (pre PGP 5.0).
An ElGamal signature key blows goats where it comes to performance (the verify algorithm is at least an order of magnitude worse than encrypt, decrypt, or sign). Even having one on your keyring sends the key verify option into the weeds in turtle mode, because of the verification signatures taking soooo looonnnggg to verify. It's an oxymoron to have those keys generated under "expert" mode as well (since said "expert" wouldn't be one if he wanted one).