GnuPG's ElGamal Signing Keys Compromised

KjetilK writes "Werner Koch just sent an announcement saying that there is a severe bug in GnuPG >= 1.0.2 that makes it easy to compromise ElGamal keys used for signing. Note that such keys are not generated by GnuPG's standard setup, and should be relatively rare. Among the 850 public keys in my personal keyring, there were only one such public key (and a few subkeys). There is already a patch available to disable these keys."

Re:Conspiracy theory

[Chainsaw]

Actually, the correct word would be "vanvardat kolli pa aldreboende" if you are to believe recent news.

My key was one of the 850 keys

[quigonn]

Fortunately, Werner Koch informed me yesterday already (I got the email at some time in the morning), so I had plenty of time to create a new key, sign it with the old one, and revoke the old one.

Of course, this had one disadvantage: since the old key is potentially compromised, I cannot really trust in my web of trust anymore. :-/

Re:My key was one of the 850 keys

[Jon_MrJR]

from the annoucement:

"According to the keyserver statistics, there are 848 primary ElGamal signing keys which are affected. These are a mere 0.04 percent of all primary keys on the keyservers"

percentage of slashdot readers among those ? you'd need to specifically want ElGamal (thus know what it is) to prefer it to other algos..

Re:My key was one of the 850 keys

[quigonn]

Well, I didn't exactly know what it is, I simply chose it because I founded the name pretty cool (don't laugh).

Re:Conspiracy theory

[adrianbaugh]

"Old" in cryptography is generally good. It takes time for crypto systems to prove themselves in the wild (regardless of how wonderful they might be in practice). Witness the continued popularity of 3DES. I'd much rather use a well-understood 30-year-old algorithm than some young upstart algorithm that may well still have vulnerabilities.

More information

[Vario]

You can get more information on the (german) site heise:
http://www.heise.de/newsticker/data/pab-27.11.03-0 00/

The full advisory from Werner Koch can be found here:
http://archives.neohapsis.com/archives/fulldisclos ure/2003-q4/2998.html

It seems that about 800 people are using the compromised keys.

To check if your key is in danger you have to check the type of the key. All type 20 keys can be compromised. Here is a small shell script to check our key:

gpg --list-keys --with-colon | awk -F: '($4 == "20") {print $0;}

If your key is in danger you should create a new one and revoke the old one immediately.

Among the 850 public keys in my personal keyring..

[selderrr]

woohoo. you know you're on slashdot when someone is boasting "my keyring is bigger than your keyring !"

Open v. Closed

[sanctimonius+hypocrt]

Here's an important point. At the end of the email, Werner Koch writes:

Thanks ====== Phong Nguyen [4] analyzed the implementation of GnuPG's cryptographic parts and found this vulnerability. He also developed actual code to mount the attack and was so kind to give me enough time to have a look at his paper and to gather a list of known type 20 keys owners. I am really sorry for this, Werner

Open source isn't bug-free, but we thank the guy who finds the problem, take responsibility, and fix it.

Re:Open v. Closed

Subtitle: Instead of suing him for being smart and violating the DMCA

Re:Security and Complexity

[smcv]

The fact that it was there in the first place was a workaround for stupid legal issues - at the time GnuPG development started, the author wasn't sure whether DSA signatures were patented, so he allowed El Gamal keys to be used for signatures as well as encryption. It turned out DSA signatures were OK, and the default for all recent versions is to use DSA signatures with El Gamal for encryption.

The other available key types (RSA+RSA, DSA+El Gamal) are there for interoperability; I think the consensus seems to be that DSA+El Gamal is probably better, but RSA+RSA needs to be there because that's what the original PGP used.

On the other hand, I agree that it sounds from the announcement as though the optimizations that caused the flaw were unwise.

Re:Security and Complexity

[Gemini]

There are historical reasons. Basically, when GnuPG was first written there were still questions about the patent status of DSA, so using Elgamal signatures was allowed. This is not against the OpenPGP standard, by the way, which does allow Elgamal signatures.

Once the patent issued with DSA were worked out (if I recall, the US government bought it and made it free for any use without royalties), then GnuPG started using DSA like PGP. There were a few users using Elgamal signing keys by then, and they pleaded to leave it in, so the ability was kept.

Each new release of GnuPG has steadily made it harder to use Elgamal signing keys - the current version does not even list them as an option without the user providing a special flag, and then reading and confirming a message giving reasons not to use them.

Re:open source in crisis?

[ajs318]

Well, it depends on how you look at it. Sure ..... open source stuffs up occasionally. When we have a problem, everybody knows about it and it gets fixed. Whereas with closed source, the vendor can live in denial, pretending nothing has hapened, until the problem becomes serious enough to warrant attention.

For some reason, things get invented in different places at roughly the same time. Vide the telephone {Alexander Graham Bell, SCO and Elisha Gray, USA}; the electric light bulb {Joseph Swan, ENG and Thomas Edison, USA} and the gramophone / phonograph {Emil Berliner, DBR and Thomas Edison, USA}. There are other examples, and I'm sure other countries have their own versions of who invented what.

Also realise that, despite what the mass media are fond of telling you, good guys actually outnumber bad guys by one hell of a margin.

Now, if both these principles - parallel invention and criminals in the minority - are true, then not only would the probability of a particular open source software vulnerability being discovered by a good guy be greater than the probability of it being discovered by a bad guy, but it is quite likely that if a bad guy were to discover a vulnerability, then a good guy also would discover it around the same time. Well, parallel invention has been proven throughout history, and good guys really do outnumber bad.

Never judge someone on the basis of corrected mistakes. Most people don't get things right first time, and it's better to admit to a mistake and show how you fixed it than to pretend you never make mistakes.

Re:Security and Complexity

[Olmy's+Jart]

It's more complex than that.

The old PGP used RSA sign-and-encrypt keys. The same key was used for both encryption and signatures. You can only generated those keys under "expert" mode (same place you would generate ElGamal signature keys). Generate an RSA+RSA key under GnuPG and you get two keys, a primary signature key and a different encryption key. Both will be RSA. But the RSA+RSA was NOT what the old PGP used. There's good reason to have separate keys and subkeys with different functionality and attributes. But that wasn't in the original PGP.

The old PGP also used IDEA for the symetrical algorithm and that's STILL patented, so the stock GnuPG STILL doesn't contain it and you STILL can't interoperate with the old PGP (pre PGP 5.0).

An ElGamal signature key blows goats where it comes to performance (the verify algorithm is at least an order of magnitude worse than encrypt, decrypt, or sign). Even having one on your keyring sends the key verify option into the weeds in turtle mode, because of the verification signatures taking soooo looonnnggg to verify. It's an oxymoron to have those keys generated under "expert" mode as well (since said "expert" wouldn't be one if he wanted one).

Re:Security and Complexity

[Gemini]

This wasn't so much experimental code as it was an experimental feature. The code worked fine. It was the algorithm itself which was exploited.

It's the other way around. The Elgamal algorithm is fine. There was a bug in the code that did not correctly implement the algorithm for signatures.

Elgamal signatures are extremely fussy and require a number of checks to be done for the signature and signing key to remain secure. Elgamal encryption, on the other hand, is simpler.

Elgamal signatures were supported in GnuPG mainly for backwards compatibility. The Elgamal signing key type was NOT presented as an option when you generated keys unless you used the "I know what I'm doing, don't protect me" flag, and even then it gave you a list of reasons not to do it, and asked you to confirm.

Re:Conspiracy theory of Standard Organization

[swillden]

3DES could be vulnerable because: A quantum computer can crack it with sqrt(2^N keys) = 2^(N / 2) possibilities

What are you blithering on about?

In the first place, quantum computers are mostly science fiction. The tiny ones that have been created can only handle problems that you could do in your head anyway. Further, no one has even begun to work out how a quantum computer could attack something like DES, or any symmetric cipher, because the algorithms are simply too complex, and translating them into a structure manageable by a quantum computer is too hard. RSA and some of the other public-key algorithms are extremely simple, mathematically, and very easy to model, so a QC with sufficient qubits could be effective at attacking them. If such existed.

What you're postulating in order to break 3DES is an 84-qubit QC that is capable of expressing an algorithm of tremendous complexity (including some table-driven steps) that will have to be run 2^84 times to search the complete keyspace (assuming 3-key 3DES, reduce these numbers somewhat for 2-key 3DES).

Actually, that should be 2^83, on average; I'll let you work out why.

Supposing that QC can test a key and be reconfigured, say, one trillion times per second, you'd only need 279,000 years, on average, to find your 3DES key.

If you wanted to make that more reasonable, you need a bigger QC. With a 168-bit QC, of course, you only need one trial.

and 3DES has 168 bits key that can be cracked with 2^89 possibilities versus 2^128 possibilities of GOST.

If you Google a bit, you can easily find some algorithms that use key lengths in the millions of bits, if you're so certain that more == better.

Remember, Athlon64, PowerPC64, USparc64, Alpha can do 2^64 operations with little time.

Can they really? Lessee... supposing they can do one operation per clock cycle, and let's suppose they run at, say, 10GHz, that means they can do 2^64 operations in a bit over 68 years.

Re:Sign and encrypt keys

[Gemini]

I don't understand why it is 'not considered good cryptographic practice' to use the same key to sign and encrypt. Is Werner saying that this an ElGamal weakness or is it a general public-key encryption weakness? If it is not considered good cryptographic practice, then why is (was?) it in the OpenPGP standard?

This is a general public key cryptography thing. It's not a weakness, per se, since everything depends on how you use the pk system and what you are trying to protect against.

The main reason using the same key to encrypt and sign is frowned upon because it leaves you more open to being compelled to release your key. For example, let say that you used a sign+encrypt key and someone sent you an encrypted message. The government demands your key so they can decrypt the message. Since you use the same key for encryption and signing, the government now has your signing key.

Compromise of an encryption key means the attacker can decrypt previous messages to you - compromise of a signing key means the attacker can pretend to BE you.

Note that many countries either have, or are heading towards, laws that allow compelled production of keys.

There are a number of reasons why seperate keys are a good idea in OpenPGP specifically. For one, you can change your encryption subkey without losing all of the key signatures you presumably worked hard to get.