In article <99b89r$lgd$1@abraham.cs.berkeley.edu>, Ian Goldberg wrote:

If p is wrong, the result S' will be correct mod q but incorrect mod p. so S' ^ e mod q = M mod q, but S' ^ e mod p != M mod p.

Therefore GCD(S' ^ e mod n, M) = q, and we're done.

I think you meant GCD((S'^e mod n)-M, n) = q. I don't think what you said is true, since q does not necessarily divide M. - Nikita

In article <20010321133551.B2386@cluebot.com>, Declan McCullagh wrote:

Pretty Good Privacy that permits digital signatures to be forged in some situations.

Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said on Wednesday that he and a Network Associates (NETA) engineer verified that the vulnerability exists.

ICZ, a Prague company with 450 employees, said that two of its cryptologists unearthed a bug in the OpenPGP format that allows an adversary who breaks into your computer to forge your e-mail signature.

A "vulnerability" that requires the opponent to have write access to your private key in order to exploit? Okay. What was PGP's threat model again? I'd have sworn that this was squarely outside it. As far as I can tell, *NOBODY* offers security tools that offer real protection in the event your opponent has physical access to the machine. Bear

"...As far as I can tell, *NOBODY* offers security tools that offer real protection in the event your opponent has physical access to the machine... Bear" I completely agree. Even if they didn't have access to the machine, losing the private key is a huge problem. I should point out a similar problem exists with microsoft's crypto api (capi). by replacing rsaenh.dll (and one other i could name later...details are on my research laptop and not on this machine) one could dummy down encryption or eliminate encryption control across all crypto api-compliant applications (like ms outlook, explorer, etc.) in fact this 'crack' is simiar to the 'upgrade' ms offers users to go from 56 to 128 bit encryption. interestingly, in order to gain export assurance for a crypto product, it's usually enough to state that your product's crypto relies on the MS crypto api. this is because the ms crypto api architecture has already received an "ok" for export (with caveats re: 128 bit encryption.) i've been through this process so I know the 'crack' and the export license information is correct (as of one year ago anyway). the most significant problem with pki, imho, is the fact one can't verify the publisher of the key. the public key could have been stolen/modified, or the issuer of the key may not have verified the true identity of the requestor. i could, right now, buy for $14.95, a digital cert from verisign claiming I'm napoleon bonaparte. and it would be published in their digital cert. directory as true. ya know, i'm going to do that right now. anyway, as many have already echoed here, gaining access to an adversary's machine provides more interesting possibilities than simply modifying a user's secret key. i would hope the cnsa would try to be more creative than that. phillip In article <20010321133551.B2386@cluebot.com>, Declan McCullagh wrote:

Pretty Good Privacy that permits digital signatures to be forged in some situations.

Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said on Wednesday that he and a Network Associates (NETA) engineer verified that the vulnerability exists.

ICZ, a Prague company with 450 employees, said that two of its cryptologists unearthed a bug in the OpenPGP format that allows an adversary who breaks into your computer to forge your e-mail signature.

A "vulnerability" that requires the opponent to have write access to your private key in order to exploit? Okay. What was PGP's threat model again? I'd have sworn that this was squarely outside it. As far as I can tell, *NOBODY* offers security tools that offer real protection in the event your opponent has physical access to the machine. Bear