In article <20010321133551.B2386@cluebot.com>, Declan McCullagh wrote:

http://www.wired.com/news/politics/0,1283,42553,00.html

Your E-Hancock Can Be Forged by Declan McCullagh (declan@wired.com) 10:20 a.m. Mar. 21, 2001 PST

WASHINGTON -- A Czech information security firm has found a flaw in Pretty Good Privacy that permits digital signatures to be forged in some situations.

Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said on Wednesday that he and a Network Associates (NETA) engineer verified that the vulnerability exists.

ICZ, a Prague company with 450 employees, said that two of its cryptologists unearthed a bug in the OpenPGP format that allows an adversary who breaks into your computer to forge your e-mail signature.

Of course, if someone can modify your private keyring, I'd suspect your TCB is toast. (Unless you're in the habit of shipping your private keyring around the Internet.) For the interested, this is my guess at the attack. Modify the encrypted value of p, somewhere near the middle. When decrypted, depending on the chaining mode, it's possible that only a couple of blocks of p will be mangled, and the remainder of the private key file will decrypt successfully. Here's where PGP fails to do a MAC to verify integrity of the data. Then, it behaves just like DFA (Differential Fault Analysis). The idea is that to calculate a signature M^d mod n, we calculate M^d mod p and M^d mod q, and use the CRT to combine them to S = M^d mod n. If p is wrong, the result S' will be correct mod q but incorrect mod p. so S' ^ e mod q = M mod q, but S' ^ e mod p != M mod p. Therefore GCD(S' ^ e mod n, M) = q, and we're done. - Ian