Slashdot Mirror

← Back to Stories (view on slashdot.org)

GnuPG's ElGamal Signing Keys Compromised

Posted by michael on from the oopsie dept.

KjetilK writes "Werner Koch just sent an announcement saying that there is a severe bug in GnuPG >= 1.0.2 that makes it easy to compromise ElGamal keys used for signing. Note that such keys are not generated by GnuPG's standard setup, and should be relatively rare. Among the 850 public keys in my personal keyring, there were only one such public key (and a few subkeys). There is already a patch available to disable these keys."

4 of 144 comments (clear)

  1. Re:Conspiracy theory by adrianbaugh · · Score: 4, Insightful

    "Old" in cryptography is generally good. It takes time for crypto systems to prove themselves in the wild (regardless of how wonderful they might be in practice). Witness the continued popularity of 3DES. I'd much rather use a well-understood 30-year-old algorithm than some young upstart algorithm that may well still have vulnerabilities.

    --
    "'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
    - JRR Tolkien.
  2. Open v. Closed by sanctimonius+hypocrt · · Score: 5, Insightful
    Here's an important point. At the end of the email, Werner Koch writes:
    Thanks ====== Phong Nguyen [4] analyzed the implementation of GnuPG's cryptographic parts and found this vulnerability. He also developed actual code to mount the attack and was so kind to give me enough time to have a look at his paper and to gather a list of known type 20 keys owners. I am really sorry for this, Werner
    Open source isn't bug-free, but we thank the guy who finds the problem, take responsibility, and fix it.
    1. Re:Open v. Closed by Anonymous Coward · · Score: 5, Insightful

      Subtitle: Instead of suing him for being smart and violating the DMCA

  3. Re:open source in crisis? by ajs318 · · Score: 4, Insightful

    Well, it depends on how you look at it. Sure ..... open source stuffs up occasionally. When we have a problem, everybody knows about it and it gets fixed. Whereas with closed source, the vendor can live in denial, pretending nothing has hapened, until the problem becomes serious enough to warrant attention.

    For some reason, things get invented in different places at roughly the same time. Vide the telephone {Alexander Graham Bell, SCO and Elisha Gray, USA}; the electric light bulb {Joseph Swan, ENG and Thomas Edison, USA} and the gramophone / phonograph {Emil Berliner, DBR and Thomas Edison, USA}. There are other examples, and I'm sure other countries have their own versions of who invented what.

    Also realise that, despite what the mass media are fond of telling you, good guys actually outnumber bad guys by one hell of a margin.

    Now, if both these principles - parallel invention and criminals in the minority - are true, then not only would the probability of a particular open source software vulnerability being discovered by a good guy be greater than the probability of it being discovered by a bad guy, but it is quite likely that if a bad guy were to discover a vulnerability, then a good guy also would discover it around the same time. Well, parallel invention has been proven throughout history, and good guys really do outnumber bad.

    Never judge someone on the basis of corrected mistakes. Most people don't get things right first time, and it's better to admit to a mistake and show how you fixed it than to pretend you never make mistakes.

    --
    Je fume. Tu fumes. Nous fûmes!