PGP flaw found by Czech firm allows dig sig to be forged

Phillip H. Zakas pzakas at toucancapital.com
Thu Mar 22 10:56:56 PST 2001



"...As far as I can tell, *NOBODY* offers security tools that offer real
protection in the event your opponent has physical access to the
machine...  Bear"

I completely agree.  Even if they didn't have access to the machine, losing
the private key is a huge problem.

I should point out that a similar problem exists with Microsoft's Crypto API
(CAPI).  By replacing rsaenh.dll (and one other I could name later; the
details are on my research laptop and not on this machine) one could dumb
down encryption or eliminate encryption control across all Crypto API-
compliant applications (like MS Outlook, Explorer, etc.).  In fact this
'crack' is similar to the 'upgrade' MS offers users to go from 56- to 128-bit
encryption.  Interestingly, in order to gain export assurance for a crypto
product, it's usually enough to state that your product's crypto relies on
the MS Crypto API.  This is because the MS Crypto API architecture has
already received an "OK" for export (with caveats re: 128-bit encryption).
I've been through this process, so I know the 'crack' and the export license
information are correct (as of one year ago, anyway).

The most significant problem with PKI, IMHO, is the fact that one can't
verify the publisher of the key.  The public key could have been
stolen/modified, or the issuer of the key may not have verified the true
identity of the requestor.  I could, right now, buy for $14.95 a digital
cert from VeriSign claiming I'm Napoleon Bonaparte, and it would be
published in their digital cert directory as true.  Ya know, I'm going to do
that right now.

Anyway, as many have already echoed here, gaining access to an adversary's
machine provides more interesting possibilities than simply modifying a
user's secret key.  I would hope the CNSA would try to be more creative than
that.

Phillip


In article <20010321133551.B2386 at cluebot.com>,
Declan McCullagh  <declan at well.com> wrote:

>   Pretty Good Privacy that permits digital signatures to be forged in
>   some situations.
>
>   Phil Zimmermann, the PGP inventor who's now the director of the
>   OpenPGP Consortium, said on Wednesday that he and a Network Associates
>   (NETA) engineer verified that the vulnerability exists.
>
>   ICZ, a Prague company with 450 employees, said that two of its
>   cryptologists unearthed a bug in the OpenPGP format that allows an
>   adversary who breaks into your computer to forge your e-mail
>   signature.

A "vulnerability" that requires the opponent to have write access
to your private key in order to exploit?

Okay.  What was PGP's threat model again?  I'd have sworn that this
was squarely outside it.

As far as I can tell, *NOBODY* offers security tools that offer real
protection in the event your opponent has physical access to the
machine.

			Bear
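Phillip's point about swapping rsaenh.dll under CAPI suggests the check a
practitioner would run today.  The script below is an added example for this
archive page, not code from the original post or from anyone in the thread:
it walks the Cryptographic Service Providers registered with CAPI and checks
that each provider DLL still carries a valid Authenticode signature from
Microsoft.  It assumes the registry layout under
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider with one subkey per
provider holding an "Image Path" value, and that Get-AuthenticodeSignature
and Get-FileHash are available (Windows PowerShell 4 or later).

```powershell
# Added example (not from the original post): audit every CAPI Cryptographic
# Service Provider image for a valid Microsoft Authenticode signature.
# A replaced rsaenh.dll, as described in the post, shows up here as an
# unsigned, hash-mismatched, or non-Microsoft-signed image.
# Assumption: each provider subkey carries an "Image Path" REG_SZ value.

$providerRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'

$results = Get-ChildItem -Path $providerRoot | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    # "Image Path" is normally stored with %SystemRoot% unexpanded.
    $image = [Environment]::ExpandEnvironmentVariables($props.'Image Path')

    if (-not (Test-Path -LiteralPath $image)) {
        [pscustomobject]@{
            Provider = $_.PSChildName
            Image    = $image
            Status   = 'MISSING'
            Signer   = $null
            Sha256   = $null
        }
    } else {
        $sig  = Get-AuthenticodeSignature -FilePath $image
        $hash = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
        [pscustomobject]@{
            Provider = $_.PSChildName
            Image    = $image
            Status   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer   = $sig.SignerCertificate.Subject
            Sha256   = $hash                  # keep for comparison against a known-good baseline
        }
    }
}

$results | Format-Table Provider, Image, Status, Signer -AutoSize

# Anything not Valid, or not signed by Microsoft, deserves a closer look.
$suspect = $results | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
}
if ($suspect) {
    Write-Warning 'CSP images that fail the integrity check:'
    $suspect | Format-Table Provider, Image, Status, Signer -AutoSize
}
```

Two caveats when reading the output: on older Windows releases system DLLs
are catalog-signed rather than embedded-signed, and Get-AuthenticodeSignature
there reports NotSigned for a perfectly good file, so compare the SHA256
column against a known-good baseline rather than trusting Status alone; and
the check reads the same registry and file system a local attacker controls,
so on a machine you suspect is already compromised, run it from offline
media or a trusted host against a mounted image.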