Gyre
2003-11-27 06:20:58 UTC
-----Original Message-----
From: Werner Koch <wk-84+***@public.gmane.org>
To: gyre-***@public.gmane.org
Date: Wed, 26 Nov 2003 21:33:03 +0100
Subject: GnuPG ElGamal keys compromised [update]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Short update on the GnuPG's ElGamal signing key problem
=========================================================
It has been suggested to explain better how to check whether a key is
actually compromised.
How to figure out ElGamal type20 keys:
======================================
We have to distinguish between two cases: primary key is ElGamal and a
subkey is an ElGamal sign+encrypt key.
The first case requires immediate attention, like this one:
$ gpg --list-keys xxxxxxxx
pub 2048G/xxxxxxxx 2001-xx-xx Mallory <mallory-***@public.gmane.org>
such a key might be followed with additional "uid", "sig" or "sub"
lines. Here an Elgamal sign+encrypt key is used and very likely
created with GnuPG >= 1.0.2. REVOKE such a key immediately.
The second case is about subkeys. Here is an example:
$ gpg --list-keys 621CC013
pub 1024D/621CC013 1998-07-07 Werner Koch <wk-***@public.gmane.org>
uid Werner Koch <werner.koch-***@public.gmane.org>
uid Werner Koch <wk-***@public.gmane.org>
sub 1536g/ADF6A6E1 1999-02-20 [expires: 2002-11-01]
sub 1536G/B5A18FF4 1998-07-07 [expires: 2002-07-06]
sub 1536R/23D2A63D 2002-07-30 [expires: 2003-12-31]
This my usual working key, which is a standard GnuPG key with some
additional subkeys added ober the time. It is a good example because
one subkey was created as type 20 signing and encrypt ElGamal key.
It is the second subkey:
sub 1536G/B5A18FF4 1998-07-07 [expires: 2002-07-06]
The capital G denotes such an possible comprimised subkey whereas the
first subkey:
sub 1536g/ADF6A6E1 1999-02-20 [expires: 2002-11-01]
is a standard encryption-only subkey as indicated by the small g.
That key is not affected.
The keys denoted with this capital G should be REVOKED if they have
not yet expired or you are sure this subkey was never sued to create a
signature with GnuPG >= 1.0.2:
To revoke a subkey, use gpg's edit command like this:
$ gpg --edit-key xyzxyzxy
The key listing is shown. Now select the subkey you want to revoke,
using the command "key 2" (or whatever) and then enter the command
"revkey" and follow the prompts.
How many keys are affected?
===========================
I can't tell for sure. According to the keyserver statistics, there
are 848 primary ElGamal signing keys which are affected. This are a
mere 0.04 percent of all primary keys on the keyservers. There are
324 vulnerable subkeys on the keyservers, too. While sending the
advisory to those keys, I got several hundred bounces - thus not all of
the keys are anymore activley used.
Some of the subkey might have never been used for signing (e.g. mine
one above) because for some time in the past GnuPG created the
encryption key as type 20 but didn't used it for signing because the
DSA primary key was used instead. It is better to revoke such keys
nevertheless.
Note, that the standard configuration of GnuPG does not allow to
create such vulnerable sign+encrypt ElGamal keys and that neither DSA
(type 17), RSA (type 1) nor ElGamal encgrypt keys (type 16)
The public advisory
===================
It seems that one of the mail addresses I sent the advisory to is a
small mailing list and as such the information spreaded faster than
expected. I have to publicly disclose this problem tomorrow and not
in a 3 days as orginally planned.
Thanks and my apologies again.
Werner
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/xQzCaLeriVdUjc0RAuWUAJ92+Lsbx/mEcekGfuiR637XxtGDWgCfQPqy
imBfa/0HKPphA+yIqQeHndE=
=QQeY
-----END PGP SIGNATURE-----
------------------------ Yahoo! Groups Sponsor ---------------------~-->
Buy Ink Cartridges or Refill Kits for your HP, Epson, Canon or Lexmark
Printer at MyInks.com. Free s/h on orders $50 or more to the US & Canada.
http://www.c1tracking.com/l.asp?cid=5511
http://us.click.yahoo.com/mOAaAA/3exGAA/qnsNAA/MFQulB/TM
---------------------------------------------------------------------~->
----------------- COMMUNITY ADDRESSES -------------------------~->
Post message: PGP-n-GPG-***@public.gmane.org
Moderators: PGP-n-GPG-owner-***@public.gmane.org
News: news://news.gmane.org/gmane.comp.security.pgp-n-gpg
Off-Topic List: PGP-n-GPG-Off-Topic-subscribe-***@public.gmane.org
Unsubscribe: PGP-n-GPG-unsubscribe-***@public.gmane.org
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
From: Werner Koch <wk-84+***@public.gmane.org>
To: gyre-***@public.gmane.org
Date: Wed, 26 Nov 2003 21:33:03 +0100
Subject: GnuPG ElGamal keys compromised [update]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Short update on the GnuPG's ElGamal signing key problem
=========================================================
It has been suggested to explain better how to check whether a key is
actually compromised.
How to figure out ElGamal type20 keys:
======================================
We have to distinguish between two cases: primary key is ElGamal and a
subkey is an ElGamal sign+encrypt key.
The first case requires immediate attention, like this one:
$ gpg --list-keys xxxxxxxx
pub 2048G/xxxxxxxx 2001-xx-xx Mallory <mallory-***@public.gmane.org>
such a key might be followed with additional "uid", "sig" or "sub"
lines. Here an Elgamal sign+encrypt key is used and very likely
created with GnuPG >= 1.0.2. REVOKE such a key immediately.
The second case is about subkeys. Here is an example:
$ gpg --list-keys 621CC013
pub 1024D/621CC013 1998-07-07 Werner Koch <wk-***@public.gmane.org>
uid Werner Koch <werner.koch-***@public.gmane.org>
uid Werner Koch <wk-***@public.gmane.org>
sub 1536g/ADF6A6E1 1999-02-20 [expires: 2002-11-01]
sub 1536G/B5A18FF4 1998-07-07 [expires: 2002-07-06]
sub 1536R/23D2A63D 2002-07-30 [expires: 2003-12-31]
This my usual working key, which is a standard GnuPG key with some
additional subkeys added ober the time. It is a good example because
one subkey was created as type 20 signing and encrypt ElGamal key.
It is the second subkey:
sub 1536G/B5A18FF4 1998-07-07 [expires: 2002-07-06]
The capital G denotes such an possible comprimised subkey whereas the
first subkey:
sub 1536g/ADF6A6E1 1999-02-20 [expires: 2002-11-01]
is a standard encryption-only subkey as indicated by the small g.
That key is not affected.
The keys denoted with this capital G should be REVOKED if they have
not yet expired or you are sure this subkey was never sued to create a
signature with GnuPG >= 1.0.2:
To revoke a subkey, use gpg's edit command like this:
$ gpg --edit-key xyzxyzxy
The key listing is shown. Now select the subkey you want to revoke,
using the command "key 2" (or whatever) and then enter the command
"revkey" and follow the prompts.
How many keys are affected?
===========================
I can't tell for sure. According to the keyserver statistics, there
are 848 primary ElGamal signing keys which are affected. This are a
mere 0.04 percent of all primary keys on the keyservers. There are
324 vulnerable subkeys on the keyservers, too. While sending the
advisory to those keys, I got several hundred bounces - thus not all of
the keys are anymore activley used.
Some of the subkey might have never been used for signing (e.g. mine
one above) because for some time in the past GnuPG created the
encryption key as type 20 but didn't used it for signing because the
DSA primary key was used instead. It is better to revoke such keys
nevertheless.
Note, that the standard configuration of GnuPG does not allow to
create such vulnerable sign+encrypt ElGamal keys and that neither DSA
(type 17), RSA (type 1) nor ElGamal encgrypt keys (type 16)
The public advisory
===================
It seems that one of the mail addresses I sent the advisory to is a
small mailing list and as such the information spreaded faster than
expected. I have to publicly disclose this problem tomorrow and not
in a 3 days as orginally planned.
Thanks and my apologies again.
Werner
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/xQzCaLeriVdUjc0RAuWUAJ92+Lsbx/mEcekGfuiR637XxtGDWgCfQPqy
imBfa/0HKPphA+yIqQeHndE=
=QQeY
-----END PGP SIGNATURE-----
------------------------ Yahoo! Groups Sponsor ---------------------~-->
Buy Ink Cartridges or Refill Kits for your HP, Epson, Canon or Lexmark
Printer at MyInks.com. Free s/h on orders $50 or more to the US & Canada.
http://www.c1tracking.com/l.asp?cid=5511
http://us.click.yahoo.com/mOAaAA/3exGAA/qnsNAA/MFQulB/TM
---------------------------------------------------------------------~->
----------------- COMMUNITY ADDRESSES -------------------------~->
Post message: PGP-n-GPG-***@public.gmane.org
Moderators: PGP-n-GPG-owner-***@public.gmane.org
News: news://news.gmane.org/gmane.comp.security.pgp-n-gpg
Off-Topic List: PGP-n-GPG-Off-Topic-subscribe-***@public.gmane.org
Unsubscribe: PGP-n-GPG-unsubscribe-***@public.gmane.org
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/