PGP flaw found by Czech firm allows dig sig to be forged

Ian Goldberg iang at cs.berkeley.edu
Wed Mar 21 14:45:03 PST 2001


In article <20010321133551.B2386 at cluebot.com>,
Declan McCullagh  <declan at well.com> wrote:
>
>
>http://www.wired.com/news/politics/0,1283,42553,00.html
>   
>   Your E-Hancock Can Be Forged
>   by Declan McCullagh (declan at wired.com)
>   10:20 a.m. Mar. 21, 2001 PST
>   
>   WASHINGTON -- A Czech information security firm has found a flaw in
>   Pretty Good Privacy that permits digital signatures to be forged in
>   some situations.
>   
>   Phil Zimmermann, the PGP inventor who's now the director of the
>   OpenPGP Consortium, said on Wednesday that he and a Network Associates
>   (NETA) engineer verified that the vulnerability exists.
>   
>   ICZ, a Prague company with 450 employees, said that two of its
>   cryptologists unearthed a bug in the OpenPGP format that allows an
>   adversary who breaks into your computer to forge your e-mail
>   signature.

Of course, if someone can modify your private keyring, I'd suspect your
TCB is toast.  (Unless you're in the habit of shipping your private keyring
around the Internet.)

For the interested, this is my guess at the attack.

Modify the encrypted value of p, somewhere near the middle.
When decrypted, depending on the chaining mode, it's possible that
only a couple of blocks of p will be mangled, and the remainder
of the private key file will decrypt successfully.  Here's where
PGP fails to do a MAC to verify integrity of the data.

Then, it behaves just like DFA (Differential Fault Analysis).
The idea is that to calculate a signature M^d mod n, we calculate
M^d mod p and M^d mod q, and use the CRT to combine them to S = M^d mod n.

If p is wrong, the result S' will be correct mod q but incorrect mod p,
so S' ^ e mod q = M mod q, but S' ^ e mod p != M mod p.

Therefore GCD(S' ^ e mod n, M) = q, and we're done.

   - Ian
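Ian's sketch above, carried through on a toy key as an added example (this is not code from the post, from PGP or from ICZ): RSA-CRT signing as the post describes it, a signature computed with a bit-flipped p standing in for the mangled decrypted key, the GCD step that identifies q, and the check a signer can apply (verify the fresh signature with the public key before releasing it) that keeps a faulted signature from ever leaving the machine. The primes, exponent, message value and bit mask are all constructed, and the key is far too small to be secure.

```python
from math import gcd


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


# Constructed toy key: the first two primes above 10**6, found at run time.
P = next_prime(10**6)
Q = next_prime(P + 1)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def crt_sign(m, p, q, d, n):
    """S = m^d mod n computed mod p and mod q and recombined with the CRT,
    the structure the post describes.  p and q are parameters so that a
    corrupted p can be substituted while n (public, stored in the clear)
    and q stay intact."""
    sp = pow(m, d % (p - 1), p)
    sq = pow(m, d % (q - 1), q)
    qinv = pow(q, -1, p)               # Garner recombination
    h = (qinv * (sp - sq)) % p
    return (sq + q * h) % n


def corrupt(p, mask=0x5A5A):
    """Stand-in for 'a couple of blocks of p mangled': flip some bits."""
    return p ^ mask


def factor_from_faulty_signature(m, s_faulty, e, n):
    """The GCD step: S'^e agrees with m modulo q but not modulo p, so
    gcd(S'^e - m, n) is q.  Returns None if the fault did not bite."""
    g = gcd((pow(s_faulty, e, n) - m) % n, n)
    return g if 1 < g < n else None


def sign_with_release_check(m, p, q, d, e, n):
    """Mitigation: verify with the public exponent before releasing the
    signature.  A faulted S' fails this check and is never emitted."""
    s = crt_sign(m, p, q, d, n)
    if pow(s, e, n) != m:
        raise ValueError("signature failed self-check; key material may be corrupt")
    return s


def fault_is_blocked(m, p_bad, q, d, e, n):
    """True when the release check refuses to emit a faulted signature."""
    try:
        sign_with_release_check(m, p_bad, q, d, e, n)
        return False
    except ValueError:
        return True


def demo(m=0xC0FFEE):
    """Constructed message representative m (< n).  Returns the good
    signature, the faulted one, and the factor the GCD step exposes."""
    s_ok = crt_sign(m, P, Q, D, N)
    s_bad = crt_sign(m, corrupt(P), Q, D, N)
    return s_ok, s_bad, factor_from_faulty_signature(m, s_bad, E, N)


if __name__ == "__main__":
    s_ok, s_bad, found = demo()
    print("good signature verifies:", pow(s_ok, E, N) == 0xC0FFEE)
    print("faulted signature verifies:", pow(s_bad, E, N) == 0xC0FFEE)
    print("factor exposed by faulted signature == Q:", found == Q)
    print("release check blocks the fault:",
          fault_is_blocked(0xC0FFEE, corrupt(P), Q, D, E, N))
```

The release check is the cheap half of the defence; the other half is the one Ian points at, a MAC over the encrypted private key so that a modified ciphertext is rejected before any signing operation sees it.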
More information about the cypherpunks-legacy mailing list