Slashdot Mirror


GnuPG's ElGamal Signing Keys Compromised

KjetilK writes "Werner Koch just sent an announcement saying that there is a severe bug in GnuPG >= 1.0.2 that makes it easy to compromise ElGamal keys used for signing. Note that such keys are not generated by GnuPG's standard setup, and should be relatively rare. Among the 850 public keys in my personal keyring, there was only one such public key (and a few subkeys). There is already a patch available to disable these keys."


  1. Open v. Closed by sanctimonius+hypocrt · · Score: 5, Insightful
    Here's an important point. At the end of the email, Werner Koch writes:
    Thanks
    ======
    Phong Nguyen [4] analyzed the implementation of GnuPG's cryptographic parts and found this vulnerability. He also developed actual code to mount the attack and was so kind to give me enough time to have a look at his paper and to gather a list of known type 20 keys owners.
    I am really sorry for this,
    Werner
    Open source isn't bug-free, but we thank the guy who finds the problem, take responsibility, and fix it.
    1. Re:Open v. Closed by Anonymous Coward · · Score: 5, Insightful

      Subtitle: Instead of suing him for being smart and violating the DMCA